Overview

overview

10

Static

static

40e85653ab...52.exe

windows7_x64

10

40e85653ab...52.exe

windows10_x64

10

Analysis

  • max time kernel
    121s
  • max time network
    110s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    12-11-2020 10:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    40e85653abe687ddfd95b67a5f5dd452.exe

  • Size

    403KB

  • MD5

    40e85653abe687ddfd95b67a5f5dd452

  • SHA1

    76eccc09ca37441e3f2b85e1bdeedaf33d434f1e

  • SHA256

    5d788fe9005c1db5c67e38ec338c023856c8d71f20e137020fbc292e216d3997

  • SHA512

    78641bfcf5d56f657a4d758807077563b8a80ed1fa6bdbfac65454b2a721474ef3813e189ac1c2a0091cc79bf3ed44252e31f8216598db4cb2c0503171b4be57

Score
10/10
cobaltstrikebackdoortrojan

Malware Config

Extracted

Family

cobaltstrike

C2

http://Uw0soheevahjahsaifae.glowtrow.fun:443/image/

http://bah1tuquaizia9eu3Ume.glowtrow.site:443/created/

http://seudaize6io3Go0quahC.cleans.space:443/static/
Attributes
  • access_type

    0

  • beacon_type

    0

  • create_remote_thread

    0

  • day

    0

  • dns_idle

    0

  • dns_sleep

    0

  • host

  • http_header1

  • http_header2

  • http_method1

  • http_method2

  • injection_process

  • jitter

    0

  • maxdns

    0

  • month

    0

  • pipe_name

  • polling_time

    0

  • port_number

    0

  • proxy_password

  • proxy_server

  • proxy_username

  • sc_process32

  • sc_process64

  • state_machine

  • unknown1

    0

  • unknown2

  • unknown3

    0

  • unknown4

    0

  • unknown5

    0

  • uri

  • user_agent

  • year

    0

Signatures

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

    trojanbackdoorcobaltstrike
  • Suspicious use of SetThreadContext 1 IoCs
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\40e85653abe687ddfd95b67a5f5dd452.exe
    "C:\Users\Admin\AppData\Local\Temp\40e85653abe687ddfd95b67a5f5dd452.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:656
    • C:\Windows\system32\mstsc.exe
      C:\Windows\system32\mstsc.exe
      2⤵
        PID:1840
      • C:\Windows\SYSTEM32\cmd.exe
        cmd.exe /C timeout 120 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\40e85653abe687ddfd95b67a5f5dd452.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2360
        • C:\Windows\system32\timeout.exe
          timeout 120
          3⤵
          • Delays execution with timeout.exe
          PID:3120

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1840-0-0x000001A091D00000-0x000001A091D40000-memory.dmp
      Filesize

      256KB

      Download
    • memory/1840-2-0x000001A091D00000-mapping.dmp
      Download
    • memory/1840-5-0x000001A093730000-0x000001A09393F000-memory.dmp
      Filesize

      2.1MB

      Download
    • memory/1840-6-0x000001A093730000-0x000001A09393F000-memory.dmp
      Filesize

      2.1MB

      Download
    • memory/2360-3-0x0000000000000000-mapping.dmp
      Download
    • memory/3120-4-0x0000000000000000-mapping.dmp
      Download