Analysis

  • max time kernel
    153s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    13-01-2022 10:14

General

  • Target

    PerformanceReview.html

  • Size

    1.1MB

  • MD5

    08287096d731608c6d79e58d5ec6db23

  • SHA1

    a9e51f4649739bf75740fc9f755563cbe3780bfa

  • SHA256

    1eca90b11008621f5ce811ec2af5df1bf277162ddcbb217302d36e8fab4b313e

  • SHA512

    30cd4b79f95cfceb3556f7251ba7ff04037dc17b3c5a2cd15db22dc5103de3ee59924e48c51558f9585ffe96f7ff6f5b947e65d525b4ccea9c268c7a7b8ec8c1

Malware Config

Extracted

Family

cobaltstrike

Botnet

2026047692

C2

http://www.stackpath.com:443/gp/aj/private/reviewsGallery/get-application-resources

http://stackpath.com:443/en-us/p/book-2/8MCPZJJCC98C

http://tracking.boostbank.com:443/v1/buckets/default/ext-5dkJ19tFufpMZjVJbsWCiqDcclDw/records

http://www.bankalsharq.com:443/api2/json/access/ticket

Attributes
  • access_type

    512

  • beacon_type

    2048

  • host

    www.stackpath.com,/gp/aj/private/reviewsGallery/get-application-resources,stackpath.com,/en-us/p/book-2/8MCPZJJCC98C,tracking.boostbank.com,/v1/buckets/default/ext-5dkJ19tFufpMZjVJbsWCiqDcclDw/records,www.bankalsharq.com,/api2/json/access/ticket

  • http_header1

  • http_header2

  • http_method1

    GET

  • http_method2

    POST

  • jitter

    23040

  • polling_time

    15000

  • port_number

    443

  • sc_process32

    %windir%\syswow64\WerFault -a

  • sc_process64

    %windir%\sysnative\WerFault -a

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC9Ardq2bQHj9fPwtDjldcNQ1sHFEhpeHV6Oli9QHCc5hlE4zse5KwiLv5ufpdRxLzTeYZpr8jcvY6eNRKgukGpCUaeScNBjCU0e+yVZgr0IyCdbtUxeR0VWYcKA34vp42AVPaimH7ioVKXk8KJSb22eNbkGTZa/iokb4xD/NdWsQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    3.0086976e+09

  • unknown2

    AAAABAAAAAEAAAADAAAAAgAAAFQAAAADAAAADwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /v1/stats

  • user_agent

    Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko

  • watermark

    2026047692

Signatures

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 37 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1436
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\PerformanceReview.html
        2⤵
        • Modifies Internet Explorer Phishing Filter
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:576
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:576 CREDAT:275457 /prefetch:2
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1192
        • C:\Windows\SysWOW64\mshta.exe
          "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Downloads\PerformanceReview-v20220101.hta"
          3⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • Modifies Internet Explorer settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:964
      • C:\Windows\SysWOW64\WerFault.exe
        "C:\Windows\System32\WerFault.exe"
        2⤵
          PID:1076

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Defense Evasion
    Modify Registry
    2
    T1112

Downloads

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        MD5

        9440b73e47a4f891eb51c68b0cf45982

        SHA1

        950cdc876ffe4f507e7798dfa3854ae5b63b4381

        SHA256

        18f396ea1e08a2c7e8a05b9c93d908b932c468ff52ef3c4109ee0dfca12537d7

        SHA512

        f42aea2e37b290cf8f020903b969a371612476e41d30cf1b7b2d4947980d7736b058124e50b88f8071824b46474845c9137fc7f9136af30e2db0b88312a87cec

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        MD5

        e9d5e1f07facf04a7ce3569dfa7ec952

        SHA1

        7d158b31b39c1a15ce05fab8228f27f2d9360511

        SHA256

        1c13e2d22103bd940f42203670d7d9fa2de2efbd0201b65c23c9926fc51524e6

        SHA512

        62065f11bbee68dd49ae5a758ed9200b002d04c5ea2afb06a9264427350a7a6247bb701549edcbde834396c549819c3b6dc089f79805569c5640d37b3249fdd2

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\5JBUC0KQ.txt
        MD5

        739d466bf18487a19b4249a0849c9511

        SHA1

        87d5ebe8ddea586a297107025f5fc3ed65ff8e67

        SHA256

        f28b0b4d1c1498f190e4dd5c9c80d58a9faba9586e4c0e1caefe40c09021d017

        SHA512

        9e3e085c07124f6a5a69c71bf374ce474985cc5ecb8d9f5db406d8f3c2df172bf84dd9ce1bac88e09dcf07e31130dc79af18a4f264f91b76a8d90c436c8e20e4

      • C:\Users\Admin\Downloads\PerformanceReview-v20220101.hta.qgur3w1.partial
        MD5

        160b7d982e3526a09e202f0d61b3fdfa

        SHA1

        73db938ca6749ce32e7b64e18d80551876e2d291

        SHA256

        f38bd16013de4b9da3603b2425173db9bcc1865f381351b2ba62fdeeb6d5af00

        SHA512

        d51c9f2bf74b9551f088ec3830c385001012f37ef76fc5e33335374ad1832fc486cc4341d9f89e6233e7a197b97c6b49cf0744191dae2706188d03206b5a2b69

      • memory/576-55-0x0000000004E70000-0x0000000004E71000-memory.dmp
        Filesize

        4KB

      • memory/964-64-0x0000000004D92000-0x0000000004D93000-memory.dmp
        Filesize

        4KB

      • memory/964-57-0x0000000000000000-mapping.dmp
      • memory/964-58-0x0000000004D90000-0x0000000004D91000-memory.dmp
        Filesize

        4KB

      • memory/1076-60-0x0000000000080000-0x00000000000B5000-memory.dmp
        Filesize

        212KB

      • memory/1076-63-0x0000000075F21000-0x0000000075F23000-memory.dmp
        Filesize

        8KB

      • memory/1076-62-0x0000000000340000-0x00000000003BE000-memory.dmp
        Filesize

        504KB

      • memory/1076-59-0x0000000000080000-0x00000000000B5000-memory.dmp
        Filesize

        212KB

      • memory/1076-61-0x0000000000000000-mapping.dmp
      • memory/1192-54-0x0000000000000000-mapping.dmp