Analysis
Max time kernel: 92s
Max time network: 148s
Platform: windows10-2004_x64
Resource: win10v2004-20240508-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 30-06-2024 22:25
Static task: static1
Behavioral task: behavioral1
  Sample: fee53401177b72bfcf5ccdad590fe5f194b25e4e77ba9e95e6d26fcc4c996e40.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: fee53401177b72bfcf5ccdad590fe5f194b25e4e77ba9e95e6d26fcc4c996e40.exe
  Resource: win10v2004-20240508-en
General
Target: fee53401177b72bfcf5ccdad590fe5f194b25e4e77ba9e95e6d26fcc4c996e40.exe
Size: 3.9MB
MD5: e26e9b23b2ea96a9d90c1147bf734d6e
SHA1: 7e9012c720af638ef89492fd40d04d616389a6cc
SHA256: fee53401177b72bfcf5ccdad590fe5f194b25e4e77ba9e95e6d26fcc4c996e40
SHA512: a1ae541c767e82139fa6f271cfcaf2ff6098786fd940a2c0c2d6b17121351d35d84bbc27a5d3894856b6245b168e81d87023abf9c974bca90e392d9b3d11f9f3
SSDEEP: 49152:5zxiTbnyz0xvZF8NRd7tQJnGh83usTCj4H2:uyzMF8q
Malware Config
Extracted: cobaltstrike
C2: http://120.194.219.29:80/eKcJ
user_agent: User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; LBBROWSER)
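The C2 URL and user agent above come from the sandbox's own config extractor, which the report does not show. The following is an added example, not the sandbox's code and not parsed from the real sample: it locates a Cobalt Strike beacon config blob by its XOR-encoded header, walks the (index, type, length, value) records and rebuilds the C2 URL in the form the report prints. The single-byte XOR keys (0x69 for 3.x, 0x2e for 4.x), the setting-index names and the BeaconType scheme mapping follow publicly documented parsers and are assumptions here; the config blob fed to it is constructed inline from the values in this report.

```python
# Added example (not the sandbox's extractor): locate and decode a Cobalt Strike
# beacon configuration blob and rebuild the C2 URL / user agent shown in this report.
import struct

# Setting indices and the single-byte XOR keys (0x69 for CS 3.x, 0x2e for CS 4.x)
# follow public parsers such as 1768.py / CobaltStrikeParser; treated here as an
# assumption, and only the settings this example needs are named.
SETTING_NAMES = {
    1: "BeaconType", 2: "Port", 3: "SleepTime", 4: "MaxGetSize", 5: "Jitter",
    8: "C2Server", 9: "UserAgent", 10: "HttpPostUri",
}
XOR_KEYS = (0x69, 0x2E)
# Every config starts with setting 1 stored as a short: index=1, type=1, length=2.
CONFIG_HEADER = b"\x00\x01\x00\x01\x00\x02"
TYPE_SHORT, TYPE_INT, TYPE_DATA = 1, 2, 3


def xor(data, key):
    return bytes(b ^ key for b in data)


def find_config(blob):
    """Return (xor_key, decoded bytes from the header onward) or None if no header is found."""
    for key in XOR_KEYS:
        idx = blob.find(xor(CONFIG_HEADER, key))
        if idx != -1:
            return key, xor(blob[idx:], key)
    return None


def parse_settings(cfg):
    """Walk big-endian (index, type, length, value) records until the index-0 terminator."""
    settings, pos = {}, 0
    while pos + 6 <= len(cfg):
        idx, typ, length = struct.unpack(">HHH", cfg[pos:pos + 6])
        pos += 6
        if idx == 0:
            break
        raw = cfg[pos:pos + length]
        if len(raw) < length:
            break  # truncated blob: keep what was parsed so far
        pos += length
        if typ == TYPE_SHORT and length == 2:
            value = struct.unpack(">H", raw)[0]
        elif typ == TYPE_INT and length == 4:
            value = struct.unpack(">I", raw)[0]
        else:
            value = raw.rstrip(b"\x00")  # data fields are fixed-size and null padded
        settings[SETTING_NAMES.get(idx, f"Setting{idx}")] = value
    return settings


def c2_url(settings):
    """C2Server is stored as 'host,/get-uri'; BeaconType 8 is HTTPS, 0 is HTTP (assumed mapping)."""
    host, _, uri = settings["C2Server"].decode("latin-1").partition(",")
    scheme = "https" if settings.get("BeaconType") == 8 else "http"
    return f"{scheme}://{host}:{settings['Port']}{uri}"


def extract(blob):
    """Full pipeline: find the blob, parse it, return the fields this report displays."""
    found = find_config(blob)
    if found is None:
        return None
    key, cfg = found
    s = parse_settings(cfg)
    return {
        "xor_key": key,
        "c2": c2_url(s),
        "user_agent": s.get("UserAgent", b"").decode("latin-1"),
        "sleep_ms": s.get("SleepTime"),
    }


# --- constructed test blob built from the values in this report (not the real sample) ---
def _record(idx, typ, value, size=None):
    if typ == TYPE_SHORT:
        raw = struct.pack(">H", value)
    elif typ == TYPE_INT:
        raw = struct.pack(">I", value)
    else:
        raw = value.ljust(size, b"\x00")
    return struct.pack(">HHH", idx, typ, len(raw)) + raw


_CONFIG = b"".join([
    _record(1, TYPE_SHORT, 0),          # BeaconType 0 = HTTP
    _record(2, TYPE_SHORT, 80),         # Port
    _record(3, TYPE_INT, 60000),        # SleepTime in ms
    _record(8, TYPE_DATA, b"120.194.219.29,/eKcJ", 256),
    _record(9, TYPE_DATA, b"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; LBBROWSER)", 128),
    _record(10, TYPE_DATA, b"/submit.php", 64),
    struct.pack(">HHH", 0, 0, 0),       # terminator
])
# Surrounding filler stands in for the rest of a PE image or memory dump.
SAMPLE_BLOB = b"MZ\x90\x00" + b"\x90" * 60 + xor(_CONFIG, 0x2E) + b"\x00" * 32

if __name__ == "__main__":
    print(extract(SAMPLE_BLOB))
```

Run against a process dump of the beacon host (here, notepad.exe after the write) rather than the packed 3.9MB dropper, since the config is normally only in its XOR-encoded form once the beacon is unpacked in memory. Both keys are tried because the header bytes are the only reliable anchor; a match on the wrong key would fail to parse cleanly at the first record.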
Signatures
Cobaltstrike: Detected malicious payload which is part of Cobaltstrike.
Suspicious use of WriteProcessMemory (2 IoCs)
Processes:
  description                      | pid  | process                                                               | target process
  PID 2976 wrote to memory of 1908 | 2976 | fee53401177b72bfcf5ccdad590fe5f194b25e4e77ba9e95e6d26fcc4c996e40.exe | notepad.exe
  PID 2976 wrote to memory of 1908 | 2976 | fee53401177b72bfcf5ccdad590fe5f194b25e4e77ba9e95e6d26fcc4c996e40.exe | notepad.exe
  Both IoCs are the sample (PID 2976) writing into the address space of the notepad.exe child it spawned (PID 1908), a cross-process write consistent with injecting the beacon into a benign host process.
Processes
1. C:\Users\Admin\AppData\Local\Temp\fee53401177b72bfcf5ccdad590fe5f194b25e4e77ba9e95e6d26fcc4c996e40.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\fee53401177b72bfcf5ccdad590fe5f194b25e4e77ba9e95e6d26fcc4c996e40.exe"
   Signatures: Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\notepad.exe (child of 1)
      Command line: C:\Windows\System32\notepad.exe
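The sandbox produces the "wrote to memory of" IoCs by hooking WriteProcessMemory. On a production endpoint the nearest equivalent is correlating a ProcessCreate event with a later ProcessAccess event that grants write access to that child. The following is an added example, not the sandbox's signature engine: it flags an image under a user-writable AppData path opening a process under C:\Windows with PROCESS_VM_WRITE, and rates the hit higher when the target is the source's own child and the full inject mask (create thread, VM operation, VM write) was granted. The event dicts, their field names and the PIDs are constructed to mirror this report (Sysmon Event ID 1 and 10 shapes are approximated, not parsed from real logs); the access-right bit values are the documented Windows constants.

```python
# Added example (constructed events, not the sandbox's signature engine): correlate a
# process spawning a child with it then opening that child for writing, which is how
# "wrote to memory of" IoCs like PID 2976 -> 1908 in this report arise.
import re

# Windows process access rights, as reported in Sysmon Event ID 10 GrantedAccess.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
FULL_INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\", re.IGNORECASE)
SYSTEM_DIR = re.compile(r"^c:\\windows\\", re.IGNORECASE)


def detect_cross_process_writes(events):
    """events: time-ordered Sysmon-like dicts (field names are this example's own).
    eid 1  ProcessCreate : pid, image, parent_pid
    eid 10 ProcessAccess : source_pid, source_image, target_pid, target_image, granted_access
    Returns one alert per ProcessAccess that grants VM_WRITE from an image under a
    user-writable AppData path to a target under C:\\Windows."""
    parent_of = {}
    alerts = []
    for ev in events:
        if ev["eid"] == 1:
            parent_of[ev["pid"]] = ev["parent_pid"]
            continue
        if ev["eid"] != 10 or not (ev["granted_access"] & PROCESS_VM_WRITE):
            continue
        if not (USER_WRITABLE.match(ev["source_image"]) and SYSTEM_DIR.match(ev["target_image"])):
            continue
        own_child = parent_of.get(ev["target_pid"]) == ev["source_pid"]
        full_inject = (ev["granted_access"] & FULL_INJECT_MASK) == FULL_INJECT_MASK
        alerts.append({
            "source_pid": ev["source_pid"],
            "target_pid": ev["target_pid"],
            "target_image": ev["target_image"],
            "spawned_by_source": own_child,
            "severity": "high" if own_child and full_inject else "medium",
            "description": f"PID {ev['source_pid']} wrote to memory of {ev['target_pid']}",
        })
    return alerts


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\fee53401177b72bfcf5ccdad590fe5f194b25e4e77ba9e95e6d26fcc4c996e40.exe"
NOTEPAD = r"C:\Windows\System32\notepad.exe"
EXPLORER = r"C:\Windows\explorer.exe"

# Constructed events mirroring the PIDs in this report, plus two benign ones that must not alert.
CONSTRUCTED_EVENTS = [
    {"eid": 1, "pid": 2976, "image": SAMPLE, "parent_pid": 1234},
    {"eid": 1, "pid": 1908, "image": NOTEPAD, "parent_pid": 2976},
    # explorer (system dir) querying the sample: wrong source path and no VM_WRITE
    {"eid": 10, "source_pid": 1234, "source_image": EXPLORER, "target_pid": 2976,
     "target_image": SAMPLE, "granted_access": 0x1400},
    # the sample queries notepad with QUERY_LIMITED_INFORMATION only: not a memory write
    {"eid": 10, "source_pid": 2976, "source_image": SAMPLE, "target_pid": 1908,
     "target_image": NOTEPAD, "granted_access": 0x1000},
    # two PROCESS_ALL_ACCESS opens followed by WriteProcessMemory (the report's two IoCs)
    {"eid": 10, "source_pid": 2976, "source_image": SAMPLE, "target_pid": 1908,
     "target_image": NOTEPAD, "granted_access": 0x1FFFFF},
    {"eid": 10, "source_pid": 2976, "source_image": SAMPLE, "target_pid": 1908,
     "target_image": NOTEPAD, "granted_access": 0x1FFFFF},
]

if __name__ == "__main__":
    for alert in detect_cross_process_writes(CONSTRUCTED_EVENTS):
        print(alert["severity"], alert["description"])
```

The parent-child correlation matters for triage: a freshly spawned notepad.exe that its parent immediately writes into has no legitimate reason to be a write target, whereas VM_WRITE into an arbitrary existing process also occurs from debuggers and some legitimate hooking software, so that case is rated lower and left for analyst review.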