Overview

overview

10

Static

static

服务器�...��.exe

windows7-x64

10

服务器�...��.exe

windows10-2004-x64

10

服务器�...��.exe

windows7-x64

10

服务器�...��.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-09-2022 02:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    服务器采购配置单列表.exe

  • Size

    725KB

  • MD5

    ff21732afcff0761880966cb73498f37

  • SHA1

    1dabd85046019672c83aa27e962a8e723460f67a

  • SHA256

    ed8b2627ba8a708b78f5dc8da4fe73aecc030482cbbbe73cb8e89e36475be70e

  • SHA512

    6e343f1950b0a19ae08efcd1d0711d01615e9874f262a845ec6e47a5323a6b75c7ad99e770bf3fd7a2773096a540e8ec842c63703dba8c25f422bfd8178baf5b

  • SSDEEP

    12288:WXsy4wauAlLKUj6jTo+s7AMC1WBvEG6rgc39okWh+XCEz/ZkiWVN62l78LZ6pwKd:EayCFYh+FjDc8dFEUlVZ

Score
10/10
cobaltstrike666666backdoortrojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

666666

C2

http://open.th1sworld.ga:443/jquery-3.3.1.min.js

Attributes
  • access_type

    512

  • beacon_type

    2048

  • host

    open.th1sworld.ga,/jquery-3.3.1.min.js

  • http_header1

    AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAABAAAAAXSG9zdDogb3Blbi50aDFzd29ybGQuZ2EAAAAKAAAAI1JlZmVyZXI6IGh0dHBzOi8vb3Blbi50aDFzd29ybGQuZ2EvAAAACgAAAB5BY2NlcHQtRW5jb2Rpbmc6IGd6aXAsIGRlZmxhdGUAAAAHAAAAAAAAAAMAAAACAAAACV9fY2ZkdWlkPQAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_header2

    AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAABAAAAAXSG9zdDogb3Blbi50aDFzd29ybGQuZ2EAAAAKAAAAI1JlZmVyZXI6IGh0dHBzOi8vb3Blbi50aDFzd29ybGQuZ2EvAAAACgAAAB5BY2NlcHQtRW5jb2Rpbmc6IGd6aXAsIGRlZmxhdGUAAAAHAAAAAAAAAAMAAAAFAAAACF9fY2ZkdWlkAAAABwAAAAEAAAADAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_method1

    GET

  • http_method2

    POST

  • jitter

    9472

  • polling_time

    45000

  • port_number

    443

  • sc_process32

    %windir%\syswow64\dllhost.exe

  • sc_process64

    %windir%\sysnative\dllhost.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCyuDnaczPLBZEHfKiN3TGpwWK1FHrBVAsFbLKMYJW87Gbp7TFql1RiVaSCwSwW74QgvPgjj21ILLmuFv0iba4cf1Fb9XS8nWThYCtJZSha1I/BE8bXZ2BtCIk3YKb8pkNR3MAbKX45HCmccM9vyBeZfWEc8E4CMTINHyPJevtSFwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4.184478976e+09

  • unknown2

    AAAABAAAAAEAAAXyAAAAAgAAAFQAAAACAAAPWwAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /jquery-3.3.2.min.js

  • user_agent

    Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko

  • watermark

    666666

Signatures

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

    trojanbackdoorcobaltstrike
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Modifies data under HKEY_USERS 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:616
      • C:\Windows\System32\calc.exe
        "C:\Windows\System32\calc.exe"
        2⤵
        • Modifies data under HKEY_USERS
        PID:1588
    • C:\Users\Admin\AppData\Local\Temp\服务器采购配置单列表.exe
      "C:\Users\Admin\AppData\Local\Temp\服务器采购配置单列表.exe"
      1⤵
      • Suspicious use of NtCreateUserProcessOtherParentProcess
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3960

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1588-133-0x000001F96F5B0000-0x000001F96F5F1000-memory.dmp
      Filesize

      260KB

      Download
    • memory/1588-132-0x00007FF7951814C0-mapping.dmp
      Download
    • memory/1588-134-0x000001F96F600000-0x000001F96FA72000-memory.dmp
      Filesize

      4.4MB

      Download
    • memory/1588-135-0x000001F96F600000-0x000001F96FA72000-memory.dmp
      Filesize

      4.4MB

      Download