cobaltstrike | 1ac1951c91a9dcc4db5c468a033a6dfa052fba60eb9a79ab3adb4a33b31e335e

Analysis

max time kernel
110s
max time network
126s
platform
windows10_x64
resource
win10-en-20211208
submitted
15-12-2021 22:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp/934465db-23cb-4c1e-9dcf-953621e3d3a0_bypassav.exe
Size

6.8MB
MD5

569e38187f70271f61965efda2f37b7d
SHA1

9a4ec4f85ae1489e38fb1855761c9b23010788fb
SHA256

1ac1951c91a9dcc4db5c468a033a6dfa052fba60eb9a79ab3adb4a33b31e335e
SHA512

04a7d5cac5d6e99fa4a0908b11586f22b825f212445d9bd770cea0767491e413d4a298f9529483311e21596f1d5865bb2fb12086bd027746ad6247ed25470c10

Score

10^/10

cobaltstrike backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

http://103.239.103.17:8080/jquery-3.3.2.slim.min.js

Attributes

user_agent
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Referer: http://code.jquery.com/ Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Loads dropped DLL 7 IoCs

Processes:

934465db-23cb-4c1e-9dcf-953621e3d3a0_bypassav.exe

pid	process
1832	934465db-23cb-4c1e-9dcf-953621e3d3a0_bypassav.exe
1832	934465db-23cb-4c1e-9dcf-953621e3d3a0_bypassav.exe
1832	934465db-23cb-4c1e-9dcf-953621e3d3a0_bypassav.exe
1832	934465db-23cb-4c1e-9dcf-953621e3d3a0_bypassav.exe
1832	934465db-23cb-4c1e-9dcf-953621e3d3a0_bypassav.exe
1832	934465db-23cb-4c1e-9dcf-953621e3d3a0_bypassav.exe
1832	934465db-23cb-4c1e-9dcf-953621e3d3a0_bypassav.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1168 1832 WerFault.exe 934465db-23cb-4c1e-9dcf-953621e3d3a0_bypassav.exe

pid	pid_target	process	target process
1168	1832	WerFault.exe	934465db-23cb-4c1e-9dcf-953621e3d3a0_bypassav.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

WerFault.exe

pid	process
1168	WerFault.exe
1168	WerFault.exe
1168	WerFault.exe
1168	WerFault.exe
1168	WerFault.exe
1168	WerFault.exe
1168	WerFault.exe
1168	WerFault.exe
1168	WerFault.exe
1168	WerFault.exe
1168	WerFault.exe
1168	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 1168 WerFault.exe
Token: SeBackupPrivilege 1168 WerFault.exe
Token: SeDebugPrivilege 1168 WerFault.exe

description	pid	process
Token: SeRestorePrivilege	1168	WerFault.exe
Token: SeBackupPrivilege	1168	WerFault.exe
Token: SeDebugPrivilege	1168	WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

934465db-23cb-4c1e-9dcf-953621e3d3a0_bypassav.exe

description	pid	process	target process
PID 2664 wrote to memory of 1832	2664	934465db-23cb-4c1e-9dcf-953621e3d3a0_bypassav.exe	934465db-23cb-4c1e-9dcf-953621e3d3a0_bypassav.exe
PID 2664 wrote to memory of 1832	2664	934465db-23cb-4c1e-9dcf-953621e3d3a0_bypassav.exe	934465db-23cb-4c1e-9dcf-953621e3d3a0_bypassav.exe
PID 2664 wrote to memory of 1832	2664	934465db-23cb-4c1e-9dcf-953621e3d3a0_bypassav.exe	934465db-23cb-4c1e-9dcf-953621e3d3a0_bypassav.exe

C:\Users\Admin\AppData\Local\Temp\tmp\934465db-23cb-4c1e-9dcf-953621e3d3a0_bypassav.exe
"C:\Users\Admin\AppData\Local\Temp\tmp\934465db-23cb-4c1e-9dcf-953621e3d3a0_bypassav.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2664

C:\Users\Admin\AppData\Local\Temp\tmp\934465db-23cb-4c1e-9dcf-953621e3d3a0_bypassav.exe
"C:\Users\Admin\AppData\Local\Temp\tmp\934465db-23cb-4c1e-9dcf-953621e3d3a0_bypassav.exe"
2⤵
- Loads dropped DLL
PID:1832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1832 -s 532
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1168

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI26642\VCRUNTIME140.dll
MD5
2ebf45da71bd8ef910a7ece7e4647173

SHA1
4ecc9c2d4abe2180d345f72c65758ef4791d6f06

SHA256
cf39e1e81f57f42f4d60abc1d30ecf7d773e576157aa88bbc1d672bf5ad9bb8b

SHA512
a5d3626553731f7dc70f63d086bd9367ea2c06ad8671e2578e1340af4c44189ecb46a51c88d64a4b082ce68160390c3f8d580dde3984cd254a408f1ef5b28457

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26642\_ctypes.pyd
MD5
6264e928d931bd665febeda1d1b15117

SHA1
f656513a17237543de115a5864a49e71e7a6049a

SHA256
a12fc926903b095c7cde1c020b2519428845f485ff5964c296667246b2e0f262

SHA512
b4e1cdf8b12ca026e3d330037eb570cf055e95e8d96e5700cf752191b5b1b468cff3a5317cbdfc54e71e1ab1e75674f15f7df246d75d3a29b47ecb373226166d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26642\_socket.pyd
MD5
8110278fc119b04e482a97995027c1d3

SHA1
82bcea4de26235f2d546dce4f2fb86cdd178069a

SHA256
97b02ee9818260d0fa01170bde0b51382698e5c02e88c596b9622eb49979e4bc

SHA512
b74a9ce74b8ef144a9276fde7c34feabacc04b5c4b18c99881b68dcce42f3cd87c92917f1bb7929b8c65bc1202f2eb76702beb4823f91627e97b8030cd5a8441

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26642\base_library.zip
MD5
b7bcec4117ceda57d79b6c657c35e3f7

SHA1
613b8e85707ec10d4e219f6863d3e428cbe2886f

SHA256
2711d1dbe42970d977ef572ebf78e96a4637df451bd3f50b4cdee61c05b0130f

SHA512
df217adee859d59c1be51c865b4b4699c63e5c36bd3a2e3e9097e97677057fa57d7677353936440da148f29a00b44f1b17187a6bcaed760a8ed8e13141f1434e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26642\libffi-7.dll
MD5
bc20614744ebf4c2b8acd28d1fe54174

SHA1
665c0acc404e13a69800fae94efd69a41bdda901

SHA256
0c7ec6de19c246a23756b8550e6178ac2394b1093e96d0f43789124149486f57

SHA512
0c473e7070c72d85ae098d208b8d128b50574abebba874dda2a7408aea2aabc6c4b9018801416670af91548c471b7dd5a709a7b17e3358b053c37433665d3f6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26642\python38.dll
MD5
15dc83636ae9a81d7655b96c5e35ceb9

SHA1
d1d24acbde8cbae61a023200a457b152f2f41959

SHA256
2ff297c95ec95f584edde4e1f852aa4aa7976ca659380a86551cbaa20b20a33a

SHA512
bc145b0db0e9ed08f37603ee0a5fab50e2168c6ed43f75b22b2b03f853aa2c019ca85bf877079e38e5b616688cc641ed81e2421ab2f3940ac826e188a1aa1225

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26642\select.pyd
MD5
6dc8ed72e3326832cb98f5a9423fb588

SHA1
362e413efa2a38a6d62fdae889048eda580913d3

SHA256
5b7e7cbf0602885c081ac8c0e12d5d21110effab5963b00d58ed5566e084addb

SHA512
2634fc94deb4ef035723e07032ae6b9ab5e83e8bcaba9fd19b3aec5dea6039a6137913b31f54fa4ef76c8dc21c23dea6c520176d1a28d0821dd2c6b8b8475a65

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26642\ucrtbase.dll
MD5
440c3f24736e2dfc8a730488e33c3894

SHA1
b10e6f4fd8cc52feb97650ced0f5ccedad815767

SHA256
de819026c1dd3318b5f912dceae589a74e0b560e282e13053a685666e518e8d9

SHA512
8cfcc1a8e481859c21d493dbd3ec13a2cd412410ef04bd3e9cc369cc0ede218e95984240c6ab479a3c24f1a22a6c8158283ed03f5a99e1e1a7ba21d95820c79c

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI26642\VCRUNTIME140.dll
MD5
2ebf45da71bd8ef910a7ece7e4647173

SHA1
4ecc9c2d4abe2180d345f72c65758ef4791d6f06

SHA256
cf39e1e81f57f42f4d60abc1d30ecf7d773e576157aa88bbc1d672bf5ad9bb8b

SHA512
a5d3626553731f7dc70f63d086bd9367ea2c06ad8671e2578e1340af4c44189ecb46a51c88d64a4b082ce68160390c3f8d580dde3984cd254a408f1ef5b28457

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI26642\_ctypes.pyd
MD5
6264e928d931bd665febeda1d1b15117

SHA1
f656513a17237543de115a5864a49e71e7a6049a

SHA256
a12fc926903b095c7cde1c020b2519428845f485ff5964c296667246b2e0f262

SHA512
b4e1cdf8b12ca026e3d330037eb570cf055e95e8d96e5700cf752191b5b1b468cff3a5317cbdfc54e71e1ab1e75674f15f7df246d75d3a29b47ecb373226166d

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI26642\_socket.pyd
MD5
8110278fc119b04e482a97995027c1d3

SHA1
82bcea4de26235f2d546dce4f2fb86cdd178069a

SHA256
97b02ee9818260d0fa01170bde0b51382698e5c02e88c596b9622eb49979e4bc

SHA512
b74a9ce74b8ef144a9276fde7c34feabacc04b5c4b18c99881b68dcce42f3cd87c92917f1bb7929b8c65bc1202f2eb76702beb4823f91627e97b8030cd5a8441

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI26642\libffi-7.dll
MD5
bc20614744ebf4c2b8acd28d1fe54174

SHA1
665c0acc404e13a69800fae94efd69a41bdda901

SHA256
0c7ec6de19c246a23756b8550e6178ac2394b1093e96d0f43789124149486f57

SHA512
0c473e7070c72d85ae098d208b8d128b50574abebba874dda2a7408aea2aabc6c4b9018801416670af91548c471b7dd5a709a7b17e3358b053c37433665d3f6b

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI26642\python38.dll
MD5
15dc83636ae9a81d7655b96c5e35ceb9

SHA1
d1d24acbde8cbae61a023200a457b152f2f41959

SHA256
2ff297c95ec95f584edde4e1f852aa4aa7976ca659380a86551cbaa20b20a33a

SHA512
bc145b0db0e9ed08f37603ee0a5fab50e2168c6ed43f75b22b2b03f853aa2c019ca85bf877079e38e5b616688cc641ed81e2421ab2f3940ac826e188a1aa1225

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI26642\select.pyd
MD5
6dc8ed72e3326832cb98f5a9423fb588

SHA1
362e413efa2a38a6d62fdae889048eda580913d3

SHA256
5b7e7cbf0602885c081ac8c0e12d5d21110effab5963b00d58ed5566e084addb

SHA512
2634fc94deb4ef035723e07032ae6b9ab5e83e8bcaba9fd19b3aec5dea6039a6137913b31f54fa4ef76c8dc21c23dea6c520176d1a28d0821dd2c6b8b8475a65

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI26642\ucrtbase.dll
MD5
440c3f24736e2dfc8a730488e33c3894

SHA1
b10e6f4fd8cc52feb97650ced0f5ccedad815767

SHA256
de819026c1dd3318b5f912dceae589a74e0b560e282e13053a685666e518e8d9

SHA512
8cfcc1a8e481859c21d493dbd3ec13a2cd412410ef04bd3e9cc369cc0ede218e95984240c6ab479a3c24f1a22a6c8158283ed03f5a99e1e1a7ba21d95820c79c

Download Submit
memory/1832-115-0x0000000000000000-mapping.dmp

Download
memory/1832-131-0x0000000000D10000-0x0000000000D11000-memory.dmp

Filesize
4KB

Download