cobaltstrike | 7f268f270af2bc87840bb89758dda61e73df5166fac1a0946b8c6322cb13f463

Analysis

max time kernel
147s
max time network
149s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26-06-2024 22:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7f268f270af2bc87840bb89758dda61e73df5166fac1a0946b8c6322cb13f463.exe
Size

3.6MB
MD5

72cf43e4c7af5cab216c40461fff80f5
SHA1

bd0a07df283d22301e4152bbd09f657fc8cc7238
SHA256

7f268f270af2bc87840bb89758dda61e73df5166fac1a0946b8c6322cb13f463
SHA512

6a8f8d96fbb68372dbad3f4a3f4adb7b3c513d2fb12fef739f55a2743cfaf4c4388672dcb4e9fe9acf2644fe2369ab8ac1791d42bf839b5c5f78589798e55fe1
SSDEEP

98304:vMWFK+EW84cufR5N15QhU5pyl/fuYdGGtxFZKUWXI0J:vrA4cufR5v5QhmGuVaxFZKUWY0

Score

10^/10

cobaltstrike backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

http://101.35.173.226:10890/V1hn

Attributes

user_agent
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0; MDDCJS)

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Loads dropped DLL 4 IoCs

Processes:

7f268f270af2bc87840bb89758dda61e73df5166fac1a0946b8c6322cb13f463.exe

pid	process
284	7f268f270af2bc87840bb89758dda61e73df5166fac1a0946b8c6322cb13f463.exe
284	7f268f270af2bc87840bb89758dda61e73df5166fac1a0946b8c6322cb13f463.exe
284	7f268f270af2bc87840bb89758dda61e73df5166fac1a0946b8c6322cb13f463.exe
284	7f268f270af2bc87840bb89758dda61e73df5166fac1a0946b8c6322cb13f463.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

7f268f270af2bc87840bb89758dda61e73df5166fac1a0946b8c6322cb13f463.exe

description	pid	process	target process
PID 2944 wrote to memory of 284	2944	7f268f270af2bc87840bb89758dda61e73df5166fac1a0946b8c6322cb13f463.exe	7f268f270af2bc87840bb89758dda61e73df5166fac1a0946b8c6322cb13f463.exe
PID 2944 wrote to memory of 284	2944	7f268f270af2bc87840bb89758dda61e73df5166fac1a0946b8c6322cb13f463.exe	7f268f270af2bc87840bb89758dda61e73df5166fac1a0946b8c6322cb13f463.exe
PID 2944 wrote to memory of 284	2944	7f268f270af2bc87840bb89758dda61e73df5166fac1a0946b8c6322cb13f463.exe	7f268f270af2bc87840bb89758dda61e73df5166fac1a0946b8c6322cb13f463.exe

C:\Users\Admin\AppData\Local\Temp\7f268f270af2bc87840bb89758dda61e73df5166fac1a0946b8c6322cb13f463.exe
"C:\Users\Admin\AppData\Local\Temp\7f268f270af2bc87840bb89758dda61e73df5166fac1a0946b8c6322cb13f463.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2944

C:\Users\Admin\AppData\Local\Temp\7f268f270af2bc87840bb89758dda61e73df5166fac1a0946b8c6322cb13f463.exe
"C:\Users\Admin\AppData\Local\Temp\7f268f270af2bc87840bb89758dda61e73df5166fac1a0946b8c6322cb13f463.exe"
2⤵
- Loads dropped DLL
PID:284

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI29442\MSVCR90.dll
Filesize
629KB

MD5
552cf56353af11ce8e0d10ee12fdcd85

SHA1
6ab062b709f851a9576685fe0410ff9f1a4af670

SHA256
e88299ea1a140ff758163dfff179fff3bc5e90e7cfbbd178d0c886dbad184012

SHA512
122f389e7047b728b27f3c964d34b9c8bcae7c36177122e6aa997a6edadad20b14552879f60667a084d34727cb2c85dd5534b6fa7a451f0ab33555b315335457

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29442\exec.exe.manifest
Filesize
1012B

MD5
d555b8701399d1321224301eb1406b28

SHA1
23bb3e011e5292be289b5c34c2eaa212369d0118

SHA256
5ba176b93e8e4a59f8867e14776d635c7bf924f262f7187febdc53334a5e6694

SHA512
325ffc64a500c5470656a9f745c9a3d712c3ad7f92b1f153f26e67b5c05f3da4bf57b1ce618ffbdf91de69258ddf2b4645d09293f6232ca53926ab7bd8491234

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29442\python27.dll
Filesize
3.2MB

MD5
4815ee7d57479791d7bf6bbdcff1649b

SHA1
3645bc481e0c8c76a7d74342d196e9f55c762637

SHA256
60e9cfbb62bbae5164ddb73082370900a435ef591222caaa0b352b8eaa26600e

SHA512
7d131238d176854d61fa13750d0a47aa03d84b3a1f51cfdd1f0e5033efbec7984fa88decf8b7a2ffb9c96eb545fc492bfd57ffaaa97e9e2b6b637834fbceae6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29~1\_ctypes.pyd
Filesize
119KB

MD5
3935ef74c5f36eda2b9f156d467bc1f6

SHA1
2a40c66a8d364640f3f1fb97641c516661912191

SHA256
ae04c9ca90c317a2ab9a4a95e795ef6677adeb7151c58bea3e31371dc9607518

SHA512
eefe08daa387fd95dea34c00c551c4fb2bddbca87ee38ef7172b3442814b17343bf86d392455e383c7e2ca2dbedb1df635cefd89c59070d1052c1d5524669668

Download Submit
memory/284-19-0x0000000001ED0000-0x0000000001F73000-memory.dmp

Filesize
652KB

Download
memory/284-20-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/284-22-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2944-21-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download