cobaltstrike | c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b

Analysis

max time kernel
47s
max time network
20s
platform
windows7_x64
resource
win7v20201028
submitted
10-11-2020 07:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe
Size

5.2MB
MD5

00a7a0b8639276c3235e6cff2d89f0c9
SHA1

7a90d70928681a626f89d27b08691e949f2d4631
SHA256

c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b
SHA512

7190f244570295031f1640551a1ed6f2b43420a23a67a3e3c1776fc5b2adb683da85848191554389d1afd731ab2dd973ea44fce6600a58f599189cd8e2a04765

Score

10^/10

cobaltstrike xmrig backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
day
0
dns_idle
0
dns_sleep
0
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
injection_process
jitter
0
maxdns
255
month
0
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
proxy_password
proxy_server
proxy_username
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown3
0
unknown4
256
unknown5
0
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
year
0

Signatures

Cobalt Strike reflective loader 19 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x00040000000130fe-0.dat	cobalt_reflective_dll
behavioral1/files/0x00040000000130fe-2.dat	cobalt_reflective_dll
behavioral1/files/0x00040000000130ff-3.dat	cobalt_reflective_dll
behavioral1/files/0x00040000000130ff-5.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000013102-6.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000013102-8.dat	cobalt_reflective_dll
behavioral1/files/0x0003000000013103-9.dat	cobalt_reflective_dll
behavioral1/files/0x0003000000013104-12.dat	cobalt_reflective_dll
behavioral1/files/0x0003000000013103-11.dat	cobalt_reflective_dll
behavioral1/files/0x0003000000013104-14.dat	cobalt_reflective_dll
behavioral1/files/0x0003000000013105-15.dat	cobalt_reflective_dll
behavioral1/files/0x0003000000013105-17.dat	cobalt_reflective_dll
behavioral1/files/0x0003000000013106-18.dat	cobalt_reflective_dll
behavioral1/files/0x0003000000013106-20.dat	cobalt_reflective_dll
behavioral1/files/0x0003000000013108-21.dat	cobalt_reflective_dll
behavioral1/files/0x0003000000013108-25.dat	cobalt_reflective_dll
behavioral1/files/0x000300000001310a-23.dat	cobalt_reflective_dll
behavioral1/files/0x000300000001310a-26.dat	cobalt_reflective_dll
behavioral1/files/0x000300000001310b-27.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Executes dropped EXE 9 IoCs

pid	Process
2008	WkKdvsc.exe
1364	FHDCXPe.exe
2036	JPSKfTO.exe
1988	fyyUQIs.exe
1984	lDcuepA.exe
652	OpYwlsR.exe
528	oXgzGmu.exe
912	yWBqRlD.exe
556	XWPMQia.exe

UPX packed file 19 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00040000000130fe-0.dat	upx
behavioral1/files/0x00040000000130fe-2.dat	upx
behavioral1/files/0x00040000000130ff-3.dat	upx
behavioral1/files/0x00040000000130ff-5.dat	upx
behavioral1/files/0x0005000000013102-6.dat	upx
behavioral1/files/0x0005000000013102-8.dat	upx
behavioral1/files/0x0003000000013103-9.dat	upx
behavioral1/files/0x0003000000013104-12.dat	upx
behavioral1/files/0x0003000000013103-11.dat	upx
behavioral1/files/0x0003000000013104-14.dat	upx
behavioral1/files/0x0003000000013105-15.dat	upx
behavioral1/files/0x0003000000013105-17.dat	upx
behavioral1/files/0x0003000000013106-18.dat	upx
behavioral1/files/0x0003000000013106-20.dat	upx
behavioral1/files/0x0003000000013108-21.dat	upx
behavioral1/files/0x0003000000013108-25.dat	upx
behavioral1/files/0x000300000001310a-23.dat	upx
behavioral1/files/0x000300000001310a-26.dat	upx
behavioral1/files/0x000300000001310b-27.dat	upx

Loads dropped DLL 10 IoCs

pid	Process
1320	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe
1320	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe
1320	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe
1320	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe
1320	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe
1320	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe
1320	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe
1320	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe
1320	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe
1320	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe

JavaScript code in executable 19 IoCs

resource	yara_rule
behavioral1/files/0x00040000000130fe-0.dat	js
behavioral1/files/0x00040000000130fe-2.dat	js
behavioral1/files/0x00040000000130ff-3.dat	js
behavioral1/files/0x00040000000130ff-5.dat	js
behavioral1/files/0x0005000000013102-6.dat	js
behavioral1/files/0x0005000000013102-8.dat	js
behavioral1/files/0x0003000000013103-9.dat	js
behavioral1/files/0x0003000000013104-12.dat	js
behavioral1/files/0x0003000000013103-11.dat	js
behavioral1/files/0x0003000000013104-14.dat	js
behavioral1/files/0x0003000000013105-15.dat	js
behavioral1/files/0x0003000000013105-17.dat	js
behavioral1/files/0x0003000000013106-18.dat	js
behavioral1/files/0x0003000000013106-20.dat	js
behavioral1/files/0x0003000000013108-21.dat	js
behavioral1/files/0x0003000000013108-25.dat	js
behavioral1/files/0x000300000001310a-23.dat	js
behavioral1/files/0x000300000001310a-26.dat	js
behavioral1/files/0x000300000001310b-27.dat	js

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\System\fyyUQIs.exe	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe
File created	C:\Windows\System\lDcuepA.exe	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe
File created	C:\Windows\System\OpYwlsR.exe	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe
File created	C:\Windows\System\oXgzGmu.exe	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe
File created	C:\Windows\System\QxECfYt.exe	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe
File created	C:\Windows\System\WkKdvsc.exe	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe
File created	C:\Windows\System\FHDCXPe.exe	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe
File created	C:\Windows\System\JPSKfTO.exe	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe
File created	C:\Windows\System\yWBqRlD.exe	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe
File created	C:\Windows\System\XWPMQia.exe	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1320 wrote to memory of 2008	1320	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe	27
PID 1320 wrote to memory of 2008	1320	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe	27
PID 1320 wrote to memory of 2008	1320	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe	27
PID 1320 wrote to memory of 1364	1320	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe	28
PID 1320 wrote to memory of 1364	1320	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe	28
PID 1320 wrote to memory of 1364	1320	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe	28
PID 1320 wrote to memory of 2036	1320	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe	29
PID 1320 wrote to memory of 2036	1320	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe	29
PID 1320 wrote to memory of 2036	1320	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe	29
PID 1320 wrote to memory of 1988	1320	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe	30
PID 1320 wrote to memory of 1988	1320	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe	30
PID 1320 wrote to memory of 1988	1320	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe	30
PID 1320 wrote to memory of 1984	1320	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe	31
PID 1320 wrote to memory of 1984	1320	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe	31
PID 1320 wrote to memory of 1984	1320	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe	31
PID 1320 wrote to memory of 652	1320	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe	32
PID 1320 wrote to memory of 652	1320	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe	32
PID 1320 wrote to memory of 652	1320	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe	32
PID 1320 wrote to memory of 528	1320	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe	33
PID 1320 wrote to memory of 528	1320	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe	33
PID 1320 wrote to memory of 528	1320	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe	33
PID 1320 wrote to memory of 912	1320	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe	34
PID 1320 wrote to memory of 912	1320	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe	34
PID 1320 wrote to memory of 912	1320	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe	34
PID 1320 wrote to memory of 556	1320	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe	35
PID 1320 wrote to memory of 556	1320	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe	35
PID 1320 wrote to memory of 556	1320	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe	35
PID 1320 wrote to memory of 1104	1320	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe	36
PID 1320 wrote to memory of 1104	1320	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe	36
PID 1320 wrote to memory of 1104	1320	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe	36

C:\Users\Admin\AppData\Local\Temp\c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe
"C:\Users\Admin\AppData\Local\Temp\c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1320
- C:\Windows\System\WkKdvsc.exe
  C:\Windows\System\WkKdvsc.exe
  2⤵
  - Executes dropped EXE
  PID:2008
- C:\Windows\System\FHDCXPe.exe
  C:\Windows\System\FHDCXPe.exe
  2⤵
  - Executes dropped EXE
  PID:1364
- C:\Windows\System\JPSKfTO.exe
  C:\Windows\System\JPSKfTO.exe
  2⤵
  - Executes dropped EXE
  PID:2036
- C:\Windows\System\fyyUQIs.exe
  C:\Windows\System\fyyUQIs.exe
  2⤵
  - Executes dropped EXE
  PID:1988
- C:\Windows\System\lDcuepA.exe
  C:\Windows\System\lDcuepA.exe
  2⤵
  - Executes dropped EXE
  PID:1984
- C:\Windows\System\OpYwlsR.exe
  C:\Windows\System\OpYwlsR.exe
  2⤵
  - Executes dropped EXE
  PID:652
- C:\Windows\System\oXgzGmu.exe
  C:\Windows\System\oXgzGmu.exe
  2⤵
  - Executes dropped EXE
  PID:528
- C:\Windows\System\yWBqRlD.exe
  C:\Windows\System\yWBqRlD.exe
  2⤵
  - Executes dropped EXE
  PID:912
- C:\Windows\System\XWPMQia.exe
  C:\Windows\System\XWPMQia.exe
  2⤵
  - Executes dropped EXE
  PID:556
- C:\Windows\System\QxECfYt.exe
  C:\Windows\System\QxECfYt.exe
  2⤵
  PID:1104

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads