cobaltstrike | d9e963c0f84f253b9d9bca968153a823fb1f4a749e707e4f49ec48b1c6da2817

Analysis

max time kernel
149s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
08-07-2022 06:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d9e963c0f84f253b9d9bca968153a823fb1f4a749e707e4f49ec48b1c6da2817.exe
Size

5.0MB
MD5

32400e7fd0ed98be8dca035611cc1792
SHA1

634174959969eb7660250a7732d5d5fddbf39f0d
SHA256

d9e963c0f84f253b9d9bca968153a823fb1f4a749e707e4f49ec48b1c6da2817
SHA512

8014ed8a4eeeb49fe432836f68e852b1cd34c06e9e4acee9603af58d9fd64de26ddbbcbca62e575968b5aeb7e92ed868c9399a99cc4ea5f33cc81eb1533398e3

Score

10^/10

cobaltstrike 0 backdoor suricata trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

Attributes

watermark
0

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
suricata: ET MALWARE Successful Cobalt Strike Shellcode Download (x64) M1
suricata: ET MALWARE Successful Cobalt Strike Shellcode Download (x64) M1
suricata

Loads dropped DLL 13 IoCs

Processes:

d9e963c0f84f253b9d9bca968153a823fb1f4a749e707e4f49ec48b1c6da2817.exe

pid	process
2748	d9e963c0f84f253b9d9bca968153a823fb1f4a749e707e4f49ec48b1c6da2817.exe
2748	d9e963c0f84f253b9d9bca968153a823fb1f4a749e707e4f49ec48b1c6da2817.exe
2748	d9e963c0f84f253b9d9bca968153a823fb1f4a749e707e4f49ec48b1c6da2817.exe
2748	d9e963c0f84f253b9d9bca968153a823fb1f4a749e707e4f49ec48b1c6da2817.exe
2748	d9e963c0f84f253b9d9bca968153a823fb1f4a749e707e4f49ec48b1c6da2817.exe
2748	d9e963c0f84f253b9d9bca968153a823fb1f4a749e707e4f49ec48b1c6da2817.exe
2748	d9e963c0f84f253b9d9bca968153a823fb1f4a749e707e4f49ec48b1c6da2817.exe
2748	d9e963c0f84f253b9d9bca968153a823fb1f4a749e707e4f49ec48b1c6da2817.exe
2748	d9e963c0f84f253b9d9bca968153a823fb1f4a749e707e4f49ec48b1c6da2817.exe
2748	d9e963c0f84f253b9d9bca968153a823fb1f4a749e707e4f49ec48b1c6da2817.exe
2748	d9e963c0f84f253b9d9bca968153a823fb1f4a749e707e4f49ec48b1c6da2817.exe
2748	d9e963c0f84f253b9d9bca968153a823fb1f4a749e707e4f49ec48b1c6da2817.exe
2748	d9e963c0f84f253b9d9bca968153a823fb1f4a749e707e4f49ec48b1c6da2817.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

d9e963c0f84f253b9d9bca968153a823fb1f4a749e707e4f49ec48b1c6da2817.exe

description pid process

Token: 35 2748 d9e963c0f84f253b9d9bca968153a823fb1f4a749e707e4f49ec48b1c6da2817.exe

description	pid	process
Token: 35	2748	d9e963c0f84f253b9d9bca968153a823fb1f4a749e707e4f49ec48b1c6da2817.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

d9e963c0f84f253b9d9bca968153a823fb1f4a749e707e4f49ec48b1c6da2817.exe

description	pid	process	target process
PID 4712 wrote to memory of 2748	4712	d9e963c0f84f253b9d9bca968153a823fb1f4a749e707e4f49ec48b1c6da2817.exe	d9e963c0f84f253b9d9bca968153a823fb1f4a749e707e4f49ec48b1c6da2817.exe
PID 4712 wrote to memory of 2748	4712	d9e963c0f84f253b9d9bca968153a823fb1f4a749e707e4f49ec48b1c6da2817.exe	d9e963c0f84f253b9d9bca968153a823fb1f4a749e707e4f49ec48b1c6da2817.exe

C:\Users\Admin\AppData\Local\Temp\d9e963c0f84f253b9d9bca968153a823fb1f4a749e707e4f49ec48b1c6da2817.exe
"C:\Users\Admin\AppData\Local\Temp\d9e963c0f84f253b9d9bca968153a823fb1f4a749e707e4f49ec48b1c6da2817.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4712

C:\Users\Admin\AppData\Local\Temp\d9e963c0f84f253b9d9bca968153a823fb1f4a749e707e4f49ec48b1c6da2817.exe
"C:\Users\Admin\AppData\Local\Temp\d9e963c0f84f253b9d9bca968153a823fb1f4a749e707e4f49ec48b1c6da2817.exe"
2⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2748

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI47122\VCRUNTIME140.dll
Filesize
87KB

MD5
0e675d4a7a5b7ccd69013386793f68eb

SHA1
6e5821ddd8fea6681bda4448816f39984a33596b

SHA256
bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1

SHA512
cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47122\VCRUNTIME140.dll
Filesize
87KB

MD5
0e675d4a7a5b7ccd69013386793f68eb

SHA1
6e5821ddd8fea6681bda4448816f39984a33596b

SHA256
bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1

SHA512
cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47122\_bz2.pyd
Filesize
87KB

MD5
dbe4148e566f853bdf8ee8faaf5184a0

SHA1
d374dbd751e5cd1893d2f54d19303b7521aea3df

SHA256
a7f59f60b84bb49ff4b9a6b4beda6dc33148de902492a097103a044c471f41e0

SHA512
5576f32e463912979cc617e805f59385d26663170d9e6f490e30180a4936fbd1fb608d060770f40403e10c83b9172f81667d7298d69d834a9f818517542c6fe5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47122\_bz2.pyd
Filesize
87KB

MD5
dbe4148e566f853bdf8ee8faaf5184a0

SHA1
d374dbd751e5cd1893d2f54d19303b7521aea3df

SHA256
a7f59f60b84bb49ff4b9a6b4beda6dc33148de902492a097103a044c471f41e0

SHA512
5576f32e463912979cc617e805f59385d26663170d9e6f490e30180a4936fbd1fb608d060770f40403e10c83b9172f81667d7298d69d834a9f818517542c6fe5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47122\_ctypes.pyd
Filesize
129KB

MD5
c33c65f70d34aa900e903d7129de24a8

SHA1
d4e3f15593ce4e331a851678aad0971e26cfc523

SHA256
e4380415eecc99ed387c30fccbe36687c3b3aca1c2d2336cc51705c658229a2e

SHA512
272b1d915061d8da1ab3edd3703d23a5340a1673c46235b6501c978712e2673df632ddbe7e822988c92604106372d8680f074166230b97adf4cc78708efca38a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47122\_ctypes.pyd
Filesize
129KB

MD5
c33c65f70d34aa900e903d7129de24a8

SHA1
d4e3f15593ce4e331a851678aad0971e26cfc523

SHA256
e4380415eecc99ed387c30fccbe36687c3b3aca1c2d2336cc51705c658229a2e

SHA512
272b1d915061d8da1ab3edd3703d23a5340a1673c46235b6501c978712e2673df632ddbe7e822988c92604106372d8680f074166230b97adf4cc78708efca38a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47122\_hashlib.pyd
Filesize
38KB

MD5
4fae65aac546648d4ea085ca8f9d4772

SHA1
db5ad4047ef200560265ce4c3d62a77ee8566b3a

SHA256
b67ce2bb6ab1882e4171c8b823bebe4ee7210018ffcec62936a1f75cb9cad97d

SHA512
8198cead53a2dc4f077cf678e93d5d89324bb8c950d32a24ec7a4f4f0c31dceab1930aa81e53fdba1af181938008aca669cd29ba959e581928030c32491d46d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47122\_hashlib.pyd
Filesize
38KB

MD5
4fae65aac546648d4ea085ca8f9d4772

SHA1
db5ad4047ef200560265ce4c3d62a77ee8566b3a

SHA256
b67ce2bb6ab1882e4171c8b823bebe4ee7210018ffcec62936a1f75cb9cad97d

SHA512
8198cead53a2dc4f077cf678e93d5d89324bb8c950d32a24ec7a4f4f0c31dceab1930aa81e53fdba1af181938008aca669cd29ba959e581928030c32491d46d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47122\_lzma.pyd
Filesize
251KB

MD5
974cd774adf72baef351ed2f2c2e0d2b

SHA1
796958082b68b64399fd68d445cbcca8409d0c91

SHA256
799ec9924a1eb4d1b9906e2759062dd3864af9e8a71d07303591dbcb9cd7fb4e

SHA512
947249e68d1567c3c06a1dc4407a287e45c1b535981935cc1265dd6fcb7f8853c7f9d4ca3f85a18bdf472451b639f83c812a268258f7f64d74b41a00f2391876

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47122\_lzma.pyd
Filesize
251KB

MD5
974cd774adf72baef351ed2f2c2e0d2b

SHA1
796958082b68b64399fd68d445cbcca8409d0c91

SHA256
799ec9924a1eb4d1b9906e2759062dd3864af9e8a71d07303591dbcb9cd7fb4e

SHA512
947249e68d1567c3c06a1dc4407a287e45c1b535981935cc1265dd6fcb7f8853c7f9d4ca3f85a18bdf472451b639f83c812a268258f7f64d74b41a00f2391876

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47122\_queue.pyd
Filesize
27KB

MD5
ef0919f8297277c2f6730753a53fdf57

SHA1
1819fbb29296f7a6567942db8e50923d73732bcf

SHA256
1e40c9a90d54f7ccf1d645f27ed09e9068d9188f8e3c0fcab8c7c622d4062b77

SHA512
5214aaa7bfc5bdeb9d17e27ecca5000280336590ebae140d2176eeaaf31777fcc9b4de3a15143af43fc93e8ea26f2a58cc39ff200778596b5f4d282194343453

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47122\_queue.pyd
Filesize
27KB

MD5
ef0919f8297277c2f6730753a53fdf57

SHA1
1819fbb29296f7a6567942db8e50923d73732bcf

SHA256
1e40c9a90d54f7ccf1d645f27ed09e9068d9188f8e3c0fcab8c7c622d4062b77

SHA512
5214aaa7bfc5bdeb9d17e27ecca5000280336590ebae140d2176eeaaf31777fcc9b4de3a15143af43fc93e8ea26f2a58cc39ff200778596b5f4d282194343453

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47122\_socket.pyd
Filesize
74KB

MD5
0f476bd38eb1d6a79b16c73f48caec17

SHA1
52184c66c24f3bc477685c78b52a691d6e17b3e6

SHA256
09fc679658d08e680db0dc5f0cc733b3459249b8b3135abcc403305edbf6a10d

SHA512
e218bb21ab846cd869ba17f0a521d09a8359578dc3014d873edca6a2040120d12f755ef02ea4203e7f5cc9127f68d15c975770b5250363da06c3bd74fc675d3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47122\_socket.pyd
Filesize
74KB

MD5
0f476bd38eb1d6a79b16c73f48caec17

SHA1
52184c66c24f3bc477685c78b52a691d6e17b3e6

SHA256
09fc679658d08e680db0dc5f0cc733b3459249b8b3135abcc403305edbf6a10d

SHA512
e218bb21ab846cd869ba17f0a521d09a8359578dc3014d873edca6a2040120d12f755ef02ea4203e7f5cc9127f68d15c975770b5250363da06c3bd74fc675d3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47122\_ssl.pyd
Filesize
120KB

MD5
eb3c2ff3543f6ace1ac31ac144059806

SHA1
cb1dc6aa93b784a51c666e6929beb8642cce0f82

SHA256
f58c8a11166077e128d159acd98ad98f74278f89d517cc07a49b53676b999ad3

SHA512
99f41d129d237c4ff82a5256138c7c357ced5a64f2ddd378f13f0ab71eec41f2f67573c8ef09759f2843a5c5507e5fd5ec062c6ccfb5b2898421aa88c926721d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47122\_ssl.pyd
Filesize
120KB

MD5
eb3c2ff3543f6ace1ac31ac144059806

SHA1
cb1dc6aa93b784a51c666e6929beb8642cce0f82

SHA256
f58c8a11166077e128d159acd98ad98f74278f89d517cc07a49b53676b999ad3

SHA512
99f41d129d237c4ff82a5256138c7c357ced5a64f2ddd378f13f0ab71eec41f2f67573c8ef09759f2843a5c5507e5fd5ec062c6ccfb5b2898421aa88c926721d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47122\base_library.zip
Filesize
775KB

MD5
7cf7c92b0f5641d1c316a6cf00ef9a98

SHA1
2992d5ff48d5bcc14f2539e23f63d1fa37f8e888

SHA256
b66e5abd6983bba3dabbfa92d4b50cc6245291b069387b5e9f86d6856344a7e5

SHA512
28e1bdfc8dec2f8eb4f9cd75f95d89135a2e83d44ed0379737218562274a4cc198a2985dd72064d1c454c0ffba9c798dbc51d6d6b31193e89a46ebcf99620c8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47122\libcrypto-1_1-x64.dll
Filesize
2.4MB

MD5
8acf7c9fd65ed2ff7c5b4c8d4a12a0b2

SHA1
747319e93621acb9126990f49567faa72a344463

SHA256
cd7186f01edebc906f09694af0e4dd732b6d80fabc92814ac0ad7951b8c0d7a6

SHA512
b6c4fcb04850b558b549662d55c952915e91b00e205d7f782edb61f65a0d492cc3b1e08762a3304ccb1bd2e17fa9e00f57ccab1f8fce17e3c1cecb061994846b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47122\libcrypto-1_1-x64.dll
Filesize
2.4MB

MD5
8acf7c9fd65ed2ff7c5b4c8d4a12a0b2

SHA1
747319e93621acb9126990f49567faa72a344463

SHA256
cd7186f01edebc906f09694af0e4dd732b6d80fabc92814ac0ad7951b8c0d7a6

SHA512
b6c4fcb04850b558b549662d55c952915e91b00e205d7f782edb61f65a0d492cc3b1e08762a3304ccb1bd2e17fa9e00f57ccab1f8fce17e3c1cecb061994846b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47122\libssl-1_1-x64.dll
Filesize
514KB

MD5
9783d27a3b09bfcf7aa9f50d43cc9024

SHA1
35f290d30bdf64f5bf9ddcd5cf47beb5a45d1c11

SHA256
33dd512032b6bed1f7292a419abd1b8760fba84d7a43f66c7112fac6deba4b6e

SHA512
b30fd974a47f97f3108a12b424e5c03c862257303afaa08a1638a98b6add00f57541ff981d2a20b2457007e05dea766204476a757c02095dd2c7fd707a63a3e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47122\libssl-1_1-x64.dll
Filesize
514KB

MD5
9783d27a3b09bfcf7aa9f50d43cc9024

SHA1
35f290d30bdf64f5bf9ddcd5cf47beb5a45d1c11

SHA256
33dd512032b6bed1f7292a419abd1b8760fba84d7a43f66c7112fac6deba4b6e

SHA512
b30fd974a47f97f3108a12b424e5c03c862257303afaa08a1638a98b6add00f57541ff981d2a20b2457007e05dea766204476a757c02095dd2c7fd707a63a3e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47122\python37.dll
Filesize
3.6MB

MD5
22546a966149e4f545e00d0c0c294a53

SHA1
3d51c13be6cd7f115934bfa9ef8a3ddd3f571949

SHA256
b01884bced504e81edb83da4c0e6c3098d87c1512d60bb85e88ecd1a937ed2a0

SHA512
1a62a837b42e6ecb149d034826929a9d818571ac7b830b380899bdcf3b72307025d2f47b7d6013cab2725ccbdc1af9ad4b733be75dfe030ecd674d7927b90eac

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47122\python37.dll
Filesize
3.6MB

MD5
22546a966149e4f545e00d0c0c294a53

SHA1
3d51c13be6cd7f115934bfa9ef8a3ddd3f571949

SHA256
b01884bced504e81edb83da4c0e6c3098d87c1512d60bb85e88ecd1a937ed2a0

SHA512
1a62a837b42e6ecb149d034826929a9d818571ac7b830b380899bdcf3b72307025d2f47b7d6013cab2725ccbdc1af9ad4b733be75dfe030ecd674d7927b90eac

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47122\select.pyd
Filesize
26KB

MD5
590a8782bfaab2425672f366cc78a070

SHA1
b4535b05b91e72e10c28f59bd042dc174ea71759

SHA256
0e537f93a92150483966435e8a102014014cf38c7edb7f7703db3b253108951d

SHA512
c1d39dbbf35400423142fb656287b11a309f4fc3f3931a5daf0040c81658c1835103aea540bda75c88c57f739cbd9dc90221659958fde6ca81010a9f5e945ba6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47122\select.pyd
Filesize
26KB

MD5
590a8782bfaab2425672f366cc78a070

SHA1
b4535b05b91e72e10c28f59bd042dc174ea71759

SHA256
0e537f93a92150483966435e8a102014014cf38c7edb7f7703db3b253108951d

SHA512
c1d39dbbf35400423142fb656287b11a309f4fc3f3931a5daf0040c81658c1835103aea540bda75c88c57f739cbd9dc90221659958fde6ca81010a9f5e945ba6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47122\unicodedata.pyd
Filesize
1.0MB

MD5
c5fdc3ccd042bd4e291a83be2eb288c0

SHA1
3f5d48a902a2ab5981f70e1deceaa72c2f4758f8

SHA256
a6593c09fdaf1a29ca5d6a69188020dfdabd65fa61b26003bd6e38e4ba148b03

SHA512
0a24bf0189108a08240c25a7facdc3b9c789aafb6e6e224927f001ca3dc430663db811ceb6426d63e15d47515dc8d04b3589021623c16f45bd8abce53cfcdce4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47122\unicodedata.pyd
Filesize
1.0MB

MD5
c5fdc3ccd042bd4e291a83be2eb288c0

SHA1
3f5d48a902a2ab5981f70e1deceaa72c2f4758f8

SHA256
a6593c09fdaf1a29ca5d6a69188020dfdabd65fa61b26003bd6e38e4ba148b03

SHA512
0a24bf0189108a08240c25a7facdc3b9c789aafb6e6e224927f001ca3dc430663db811ceb6426d63e15d47515dc8d04b3589021623c16f45bd8abce53cfcdce4

Download Submit
memory/2748-130-0x0000000000000000-mapping.dmp

Download
memory/2748-158-0x0000023CDDF80000-0x0000023CDE380000-memory.dmp

Filesize
4.0MB

Download
memory/2748-159-0x0000023CDE380000-0x0000023CDE3CE000-memory.dmp

Filesize
312KB

Download
memory/2748-160-0x0000023CDE380000-0x0000023CDE3CE000-memory.dmp

Filesize
312KB

Download