cobaltstrike | 92ed635d64ccf7f45c6be415da330781a714d2a50cd28a76665e3590e5a52c82

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
30-06-2024 10:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

92ed635d64ccf7f45c6be415da330781a714d2a50cd28a76665e3590e5a52c82.exe
Size

2.6MB
MD5

146bbdff9871cfc484839ed59b994a2f
SHA1

ff44b337bd1ee4439f7d5330d426b1e510113351
SHA256

92ed635d64ccf7f45c6be415da330781a714d2a50cd28a76665e3590e5a52c82
SHA512

faf3ab3ec5ef9a4f43299937060764940a8f1b6c01309bfda52942dfd9ae9c45e909ed67b0cdbeee8f3c8c9cd88f9d34557427e9c2359dca06c37fe95b565d31
SSDEEP

49152:uB7HRCcJmv2aLv6xXV1/+/P3bhu2elmHPOcFl1Co/QeJe1MxtIP44V/ySQ0:W7+2gv6v1ihGcHPFi6pPGh

Score

10^/10

cobaltstrike backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

http://116.204.24.189:8888/MqQN

Attributes

user_agent
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Executes dropped EXE 1 IoCs

Processes:

artifact.exe

pid process

2648 artifact.exe
Loads dropped DLL 2 IoCs

Processes:

92ed635d64ccf7f45c6be415da330781a714d2a50cd28a76665e3590e5a52c82.exe

pid process

2368 92ed635d64ccf7f45c6be415da330781a714d2a50cd28a76665e3590e5a52c82.exe
2368 92ed635d64ccf7f45c6be415da330781a714d2a50cd28a76665e3590e5a52c82.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

2600 AcroRd32.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

AcroRd32.exe

pid process

2600 AcroRd32.exe
2600 AcroRd32.exe
2600 AcroRd32.exe

pid	process
2648	artifact.exe

pid	process
2368	92ed635d64ccf7f45c6be415da330781a714d2a50cd28a76665e3590e5a52c82.exe
2368	92ed635d64ccf7f45c6be415da330781a714d2a50cd28a76665e3590e5a52c82.exe

pid	process
2600	AcroRd32.exe

pid	process
2600	AcroRd32.exe
2600	AcroRd32.exe
2600	AcroRd32.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

92ed635d64ccf7f45c6be415da330781a714d2a50cd28a76665e3590e5a52c82.exe

description	pid	process	target process
PID 2368 wrote to memory of 2648	2368	92ed635d64ccf7f45c6be415da330781a714d2a50cd28a76665e3590e5a52c82.exe	artifact.exe
PID 2368 wrote to memory of 2648	2368	92ed635d64ccf7f45c6be415da330781a714d2a50cd28a76665e3590e5a52c82.exe	artifact.exe
PID 2368 wrote to memory of 2648	2368	92ed635d64ccf7f45c6be415da330781a714d2a50cd28a76665e3590e5a52c82.exe	artifact.exe
PID 2368 wrote to memory of 2648	2368	92ed635d64ccf7f45c6be415da330781a714d2a50cd28a76665e3590e5a52c82.exe	artifact.exe
PID 2368 wrote to memory of 2600	2368	92ed635d64ccf7f45c6be415da330781a714d2a50cd28a76665e3590e5a52c82.exe	AcroRd32.exe
PID 2368 wrote to memory of 2600	2368	92ed635d64ccf7f45c6be415da330781a714d2a50cd28a76665e3590e5a52c82.exe	AcroRd32.exe
PID 2368 wrote to memory of 2600	2368	92ed635d64ccf7f45c6be415da330781a714d2a50cd28a76665e3590e5a52c82.exe	AcroRd32.exe
PID 2368 wrote to memory of 2600	2368	92ed635d64ccf7f45c6be415da330781a714d2a50cd28a76665e3590e5a52c82.exe	AcroRd32.exe

C:\Users\Admin\AppData\Local\Temp\92ed635d64ccf7f45c6be415da330781a714d2a50cd28a76665e3590e5a52c82.exe
"C:\Users\Admin\AppData\Local\Temp\92ed635d64ccf7f45c6be415da330781a714d2a50cd28a76665e3590e5a52c82.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2368

C:\Windows\Temp\artifact.exe
"C:\Windows\Temp\artifact.exe"
2⤵
- Executes dropped EXE
PID:2648

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Windows\Temp\健身房管理系统的设计与实现_孙梦成.pdf"
2⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2600

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
Filesize
3KB

MD5
410cd779ebc93144f915d7f1d6ac99e1

SHA1
7eb999b1f1f55ffb78be73c1aad79f6c4421d8b1

SHA256
47858c0e73eab9550ae9bedc37f27eea90bbd1a34e60f65b2be1a37a22d64d25

SHA512
ce4bd10c90239fb16cb2dae575d382fa0c44d165399894fd062f7f9ce3e0fe4ccf142e95f43d9f7fd34df5301dbd57521664826ffa2774fe9b5a3334d17d5831

Download Submit
C:\Windows\Temp\artifact.exe
Filesize
19KB

MD5
baf284515fd1e008de905653576ba26a

SHA1
6c8ab2c8be44d39d84ab1a6d9a5bdc0079ba96f1

SHA256
ea4f06ccea1219dc39299afeb22eea3a2e2cbf8ca13b4d22bbcf3e5dde91d780

SHA512
74e1a31698488439978a3f06487634626a4a581532cf4db58af9a87a08cc4824d2e8a08e2fb023637b4ff65dfdbad6acab69cc78786e18c4d7e3d413dd5ffd6b

Download Submit
C:\Windows\Temp\健身房管理系统的设计与实现_孙梦成.pdf
Filesize
2.3MB

MD5
b4d255b6390bf346e1ba34d9f4f609c4

SHA1
1ea8820f614ac72386f2fe30139ddefe75507033

SHA256
a6fa60973c1045048b5e2e906f18ec40dfe4183302afb74bfbab7450e1d80306

SHA512
fbf6e97bbecdb263066f481a20257e0900d36d0d76ef96e5f56b95771839c27456d2aa9a57da74811ea67433f27ddabce2fa51e6567e2488f0bbf2c969309fec

Download Submit
memory/2600-14-0x0000000004030000-0x00000000040A6000-memory.dmp

Filesize
472KB

Download
memory/2648-15-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2648-32-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download