Overview

overview

10

Static

static

051243b7e0...in.exe

windows7_x64

10

051243b7e0...in.exe

windows10_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    162s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    28-07-2021 10:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    051243b7e0082007493c576d3b896cbf3eeec3cf9572ee669ee0f4d7dca0570d.bin.exe

  • Size

    7.1MB

  • MD5

    ab75f4edb052dbb0ec99f5f8308c8202

  • SHA1

    7f885b74a03bafc5a8349837d140214f75023d78

  • SHA256

    051243b7e0082007493c576d3b896cbf3eeec3cf9572ee669ee0f4d7dca0570d

  • SHA512

    6b0fb6c41e396f939d7aac04753b330eb6625f6098178c17ba96ed23d3a3c10b829c5cc4451d4c4acb5ca714672ca75beeeeca8d2af3e59d7ef8595091c2ddf5

Score
10/10
cobaltstrikebackdoortrojan

Malware Config

Extracted

Family

cobaltstrike

C2

http://8.136.4.131:6666/NsLP

Attributes
  • user_agent

    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; BTRS125526)

Signatures

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

    trojanbackdoorcobaltstrike
  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\051243b7e0082007493c576d3b896cbf3eeec3cf9572ee669ee0f4d7dca0570d.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\051243b7e0082007493c576d3b896cbf3eeec3cf9572ee669ee0f4d7dca0570d.bin.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4448
    • C:\Windows\Temp\Direct_Load.exe
      "C:\Windows\Temp\Direct_Load.exe"
      2⤵
      • Executes dropped EXE
      PID:5020
    • C:\Windows\Temp\OTC一键注入.exe
      "C:\Windows\Temp\OTC一键注入.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:3188

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\Temp\Direct_Load.exe
    MD5

    64131969fa7c039b317f9f260d43bf3d

    SHA1

    3b24e2aa82396358276893a737699d136c86518b

    SHA256

    c45e91937f36e717646e49e62373b84c39dd19d7f71523022f4dc35be5a105de

    SHA512

    80d61653621df996cd19b9e025d66d2405ca60f0adebe9e84d17d5bd62c256f0f15206560329365ad323229e9038cc28731009f06c9a7276a71d87547678ed5d

    Download Submit
  • C:\Windows\Temp\Direct_Load.exe
    MD5

    64131969fa7c039b317f9f260d43bf3d

    SHA1

    3b24e2aa82396358276893a737699d136c86518b

    SHA256

    c45e91937f36e717646e49e62373b84c39dd19d7f71523022f4dc35be5a105de

    SHA512

    80d61653621df996cd19b9e025d66d2405ca60f0adebe9e84d17d5bd62c256f0f15206560329365ad323229e9038cc28731009f06c9a7276a71d87547678ed5d

    Download Submit
  • C:\Windows\Temp\OTC一键注入.exe
    MD5

    e4f305848ef7b3d9e7d5d7c1cb392cd8

    SHA1

    88ce266d727b847dc3bb17b940da21330dd98aa1

    SHA256

    aff5fde32f9e5da9c85be058dc1c8a28e86d7b6984235833034b5b0975454315

    SHA512

    e682ec9ab263c64c197c2950d12842f4597d50db24b3839ba7bc348af96a3a0659fc6006add40cc34cdd295f67f36924673ba84b855ca1ea890669920d182e8e

    Download Submit
  • C:\Windows\Temp\OTC一键注入.exe
    MD5

    e4f305848ef7b3d9e7d5d7c1cb392cd8

    SHA1

    88ce266d727b847dc3bb17b940da21330dd98aa1

    SHA256

    aff5fde32f9e5da9c85be058dc1c8a28e86d7b6984235833034b5b0975454315

    SHA512

    e682ec9ab263c64c197c2950d12842f4597d50db24b3839ba7bc348af96a3a0659fc6006add40cc34cdd295f67f36924673ba84b855ca1ea890669920d182e8e

    Download Submit
  • memory/3188-119-0x0000000000000000-mapping.dmp
    Download
  • memory/5020-116-0x0000000000000000-mapping.dmp
    Download
  • memory/5020-122-0x00000000001B0000-0x00000000001B1000-memory.dmp
    Filesize

    4KB

    Download