Overview

overview

10

Static

static

8

插件升级.exe

windows7_x64

8

插件升级.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    3c67ab82720d3b7d1436b386b7240c9dcccf595137850ceab3135370038f83e6.rar

  • Size

    4.7MB

  • Sample

    201112-vh8wx53p8x

  • MD5

    16ad9d9f563bc5f3a4e6feef496035a8

  • SHA1

    6b2037d73b7afcd9869a86b282783a483df7f100

  • SHA256

    3c67ab82720d3b7d1436b386b7240c9dcccf595137850ceab3135370038f83e6

  • SHA512

    4229f290351e947cfdd6bba0c0303c8d4cb757bd40d6ca3a42897d5394a66b0c473e536c02b8859ccd8506075240cf2ed986aea0a93d5c0d2497781af8c43b20

Score
10/10
cobaltstrikebackdoorpersistencetrojanupx

Malware Config

Targets

    • Target

      插件升级.exe

    • Size

      148KB

    • MD5

      76da6b8def232c26d12c0d7510d395cf

    • SHA1

      7bc2bdb08a9ef794d5ab454e43e31f003f953b91

    • SHA256

      1ad6475af8ddde5f8b1be0ace9c7bc9db6edf5ed37f47bc0056e68e53d17227a

    • SHA512

      1de410712646b7f3ed2e07db834a62467ce7e54e5816e635c6e0102997448bf0364871fd17d28d2aa926abf8d06f26ebab5b7957d61ebd8a11b2a2083fa084e0

    Score
    10/10
    persistenceupxcobaltstrikebackdoortrojan

    • Cobaltstrike

      Detected malicious payload which is part of Cobaltstrike.

      trojanbackdoorcobaltstrike

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • ServiceHost packer

      Detects ServiceHost packer used for .NET malware

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Drops startup file

    • Loads dropped DLL

    • Adds Run key to start application

      persistence
    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks