Overview

overview

10

Static

static

40e85653ab...52.exe

windows7_x64

10

40e85653ab...52.exe

windows10_x64

10

Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    12-11-2020 10:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    40e85653abe687ddfd95b67a5f5dd452.exe

  • Size

    403KB

  • MD5

    40e85653abe687ddfd95b67a5f5dd452

  • SHA1

    76eccc09ca37441e3f2b85e1bdeedaf33d434f1e

  • SHA256

    5d788fe9005c1db5c67e38ec338c023856c8d71f20e137020fbc292e216d3997

  • SHA512

    78641bfcf5d56f657a4d758807077563b8a80ed1fa6bdbfac65454b2a721474ef3813e189ac1c2a0091cc79bf3ed44252e31f8216598db4cb2c0503171b4be57

Score
10/10
cobaltstrikebackdoortrojan

Malware Config

Extracted

Family

cobaltstrike

C2

http://Uw0soheevahjahsaifae.glowtrow.fun:443/image/

http://bah1tuquaizia9eu3Ume.glowtrow.site:443/created/

http://seudaize6io3Go0quahC.cleans.space:443/static/
Attributes
  • access_type

    0

  • beacon_type

    0

  • create_remote_thread

    0

  • day

    0

  • dns_idle

    0

  • dns_sleep

    0

  • host

  • http_header1

  • http_header2

  • http_method1

  • http_method2

  • injection_process

  • jitter

    0

  • maxdns

    0

  • month

    0

  • pipe_name

  • polling_time

    0

  • port_number

    0

  • proxy_password

  • proxy_server

  • proxy_username

  • sc_process32

  • sc_process64

  • state_machine

  • unknown1

    0

  • unknown2

  • unknown3

    0

  • unknown4

    0

  • unknown5

    0

  • uri

  • user_agent

  • year

    0

Signatures

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

    trojanbackdoorcobaltstrike
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\40e85653abe687ddfd95b67a5f5dd452.exe
    "C:\Users\Admin\AppData\Local\Temp\40e85653abe687ddfd95b67a5f5dd452.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1992
    • C:\Windows\system32\mstsc.exe
      C:\Windows\system32\mstsc.exe
      2⤵
        PID:1776
      • C:\Windows\system32\cmd.exe
        cmd.exe /C timeout 120 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\40e85653abe687ddfd95b67a5f5dd452.exe"
        2⤵
        • Deletes itself
        • Suspicious use of WriteProcessMemory
        PID:1716
        • C:\Windows\system32\timeout.exe
          timeout 120
          3⤵
          • Delays execution with timeout.exe
          PID:240

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/240-6-0x0000000000000000-mapping.dmp

      Download

    • memory/1716-4-0x0000000000000000-mapping.dmp

      Download

    • memory/1776-0-0x0000000000060000-0x00000000000A0000-memory.dmp

      Filesize

      256KB

      Download

    • memory/1776-1-0x0000000000060000-0x00000000000A0000-memory.dmp

      Filesize

      256KB

      Download

    • memory/1776-3-0x0000000000060000-mapping.dmp

      Download

    • memory/1776-5-0x0000000001C90000-0x0000000001E9F000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/1776-8-0x0000000001C90000-0x0000000001E9F000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/1932-7-0x000007FEF6850000-0x000007FEF6ACA000-memory.dmp

      Filesize

      2.5MB

      Download