Analysis

max time kernel: 117s
max time network: 119s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 02-07-2024 04:22
Static task: static1

Behavioral task: behavioral1
Sample: 7a4be8ca81b7f58ae705491c6774bf641eac488944cc37f313be5e0801999bd8.exe
Resource: win7-20240508-en

Behavioral task: behavioral2
Sample: 7a4be8ca81b7f58ae705491c6774bf641eac488944cc37f313be5e0801999bd8.exe
Resource: win10v2004-20240226-en

The signatures, process tree and memory dump below are from the Windows 7 run (platform windows7_x64, resource win7-20240508-en).
General

Target: 7a4be8ca81b7f58ae705491c6774bf641eac488944cc37f313be5e0801999bd8.exe
Size: 11.4MB
MD5: 11e447ed88e8332795993110710b2ff7
SHA1: fae4af78e2bb99b1a510d629963b4c551607741a
SHA256: 7a4be8ca81b7f58ae705491c6774bf641eac488944cc37f313be5e0801999bd8
SHA512: fb8b4243245eb8baaa6022eb479069de8061725d340f63bf06ca4736a15103042446759121ac60ea78b6a563ab4bd28cd88a0730d4c09a85722c84c1f7337ce1
SSDEEP: 196608:Jua9H1n4YZUIeeGVJsv6tWKFdu9CY+7f:xyVVJsv6tWKFdu9Cx
Malware Config

Extracted: cobaltstrike
C2 URL: http://154.204.178.211:8031/HuNR
user_agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E)

The C2 address and port are the indicators to block and hunt on. The User-Agent is a stock Internet Explorer 8 string and will also appear in legitimate traffic from older clients, so treat it as corroboration for the address rather than as a standalone indicator.
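The following script turns the extracted beacon configuration into a detection that can be run over web-proxy logs, weighting the C2 host and port above the URI path and the User-Agent for the reason given above. It is an added example, not part of the sandbox report or of any detection the sandbox vendor ships: the IOC values are the ones extracted above, while the proxy log format, the `indicators`/`verdict`/`scan` functions and the log lines in `SAMPLE_LOGS` are constructed for illustration.

```python
"""Match the Cobalt Strike IOCs from the report against web-proxy log lines.

Added example, not part of the sandbox report. The IOC values come from the
extracted beacon config; the log format and SAMPLE_LOGS are constructed.
"""
import re
from urllib.parse import urlsplit

# Beacon configuration as extracted by the sandbox.
C2_URL = "http://154.204.178.211:8031/HuNR"
C2_USER_AGENT = ("Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; "
                 "Trident/4.0; .NET4.0C; .NET4.0E)")

_c2 = urlsplit(C2_URL)
C2_HOST, C2_PORT, C2_PATH = _c2.hostname, _c2.port, _c2.path  # "154.204.178.211", 8031, "/HuNR"

# Hypothetical proxy log format: <timestamp> <client> <method> <url> <status> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


def indicators(line):
    """Return the names of the indicators one log line matches ([] if none)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return []
    url = urlsplit(m.group("url"))
    hits = []
    # Strongest signal: a request to the configured C2 address and port.
    if url.hostname == C2_HOST and url.port == C2_PORT:
        hits.append("c2_host_port")
    # The beacon's GET URI; on its own it can collide with unrelated short paths.
    if url.path == C2_PATH:
        hits.append("c2_uri")
    # Exact UA match. This is a stock IE8 string that Cobalt Strike profiles
    # borrow, so it corroborates the other indicators but is never sufficient alone.
    if m.group("ua") == C2_USER_AGENT:
        hits.append("c2_user_agent")
    return hits


def verdict(hits):
    """Rank an indicator combination so analysts can triage by confidence."""
    if "c2_host_port" in hits:
        return "high"
    if "c2_uri" in hits and "c2_user_agent" in hits:
        return "medium"
    if hits:
        return "low"
    return "none"


# Constructed log lines: one real beacon check-in, one same-UA request to a
# benign host with the same path, one unrelated request, and one malformed line.
SAMPLE_LOGS = [
    '2024-07-02T04:25:11Z 10.0.0.15 GET http://154.204.178.211:8031/HuNR 200 '
    '"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E)"',
    '2024-07-02T04:25:40Z 10.0.0.15 GET http://update.example.com/HuNR 404 '
    '"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E)"',
    '2024-07-02T04:26:02Z 10.0.0.22 GET http://www.example.com/index.html 200 '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    'not a proxy log line',
]


def scan(lines):
    """Return (line, hits, verdict) for every line matching at least one indicator."""
    results = []
    for line in lines:
        hits = indicators(line)
        if hits:
            results.append((line, hits, verdict(hits)))
    return results


if __name__ == "__main__":
    for line, hits, v in scan(SAMPLE_LOGS):
        print(f"[{v}] {', '.join(hits)} :: {line[:60]}")
```

Run against the constructed lines, the real check-in scores "high" on all three indicators, while the benign host that happens to share the path and the User-Agent scores only "medium", which is the behaviour you want before paging anyone on the UA string.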
Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.

Program crash (1 IoC)
Processes:
  pid   pid_target  process       target process
  2036  2236        WerFault.exe  7a4be8ca81b7f58ae705491c6774bf641eac488944cc37f313be5e0801999bd8.exe

Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes:
  pid   process
  2236  7a4be8ca81b7f58ae705491c6774bf641eac488944cc37f313be5e0801999bd8.exe

Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
  pid   process
  2236  7a4be8ca81b7f58ae705491c6774bf641eac488944cc37f313be5e0801999bd8.exe

Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
  description                       pid   process                                                                 target process
  PID 2236 wrote to memory of 2036  2236  7a4be8ca81b7f58ae705491c6774bf641eac488944cc37f313be5e0801999bd8.exe  WerFault.exe
  PID 2236 wrote to memory of 2036  2236  7a4be8ca81b7f58ae705491c6774bf641eac488944cc37f313be5e0801999bd8.exe  WerFault.exe
  PID 2236 wrote to memory of 2036  2236  7a4be8ca81b7f58ae705491c6774bf641eac488944cc37f313be5e0801999bd8.exe  WerFault.exe
  PID 2236 wrote to memory of 2036  2236  7a4be8ca81b7f58ae705491c6774bf641eac488944cc37f313be5e0801999bd8.exe  WerFault.exe

All four WriteProcessMemory IoCs target WerFault.exe (PID 2036), the Windows Error Reporting process that the sample itself launched when it crashed, so they are consistent with ordinary crash handling rather than injection into an unrelated process. The same applies to the Program crash signature. The substantive finding in this report is the extracted beacon configuration under Malware Config; the clipboard-listener and SetWindowsHookEx signatures are generic and appear in plenty of benign GUI software.
Processes

1. C:\Users\Admin\AppData\Local\Temp\7a4be8ca81b7f58ae705491c6774bf641eac488944cc37f313be5e0801999bd8.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\7a4be8ca81b7f58ae705491c6774bf641eac488944cc37f313be5e0801999bd8.exe"
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2236 -s 344
      - Program crash

The WerFault.exe command line is the standard user-mode crash-reporting invocation, with -p naming the faulting process (PID 2236, the sample). The SysWOW64 path shows the sample ran as a 32-bit process under WOW64 on this x64 image, which matches the arch:x86 resource tag.
Network

MITRE ATT&CK Matrix

Downloads

memory/2236-0-0x0000000000190000-0x0000000000191000-memory.dmp (4KB)