Overview

overview

10

Static

static

1ddaa29d9a...8a.exe

windows7-x64

3

1ddaa29d9a...8a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-01-2023 16:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1ddaa29d9abfb09a4923ae9b71a645b016d9c8b8f60c6294b2d487059a06758a.exe

  • Size

    754KB

  • MD5

    6e0d26d4cf0dcd22d93916130cadd233

  • SHA1

    483af7efbe0e8c4ae80bad7c2ab03b7dbca0b434

  • SHA256

    1ddaa29d9abfb09a4923ae9b71a645b016d9c8b8f60c6294b2d487059a06758a

  • SHA512

    8e8d49f09c3af5e0ccac1b47fb22e7575bceb7004f83ffd900c07bca198cbc2c9ef1bf5891830a0a7e746fb01b25dd128705f54d7c81944d432f312324b9f3bc

  • SSDEEP

    12288:IQ77VbXViKvXMiDRVnEbH3J8cbvqvhtfFC15eYxz4z35jAznDMqyeQubPjs3i+LG:IY75dMF42

Score
10/10
cobaltstrike1359593325backdoortrojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

1359593325

C2

http://172.18.12.65:443/IE9CompatViewList.xml

Attributes
  • access_type

    512

  • beacon_type

    2048

  • host

    172.18.12.65,/IE9CompatViewList.xml

  • http_header1

    AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_header2

    AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_method1

    GET

  • http_method2

    POST

  • polling_time

    60000

  • port_number

    443

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQD49+men5LazOiHMMcfoeq+95wwX1485eIMu4JZqgOE54RLZAGZTOzVOFezyb0oebLL9BDqRO4v8m876eGEjDp6IHLunfexk0a+SAeMYr9LJX+LRhgoNia9j1/iGt0eMzgcHGYA5P357qKHshUMNTXCK6VYp8q0+Yo++Am2ABaoaQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4096

  • unknown2

    AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /submit.php

  • user_agent

    Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Win64; x64; Trident/6.0)

  • watermark

    1359593325

Signatures

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

    trojanbackdoorcobaltstrike
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1ddaa29d9abfb09a4923ae9b71a645b016d9c8b8f60c6294b2d487059a06758a.exe
    "C:\Users\Admin\AppData\Local\Temp\1ddaa29d9abfb09a4923ae9b71a645b016d9c8b8f60c6294b2d487059a06758a.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1868

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1868-132-0x00000000005D0000-0x0000000000692000-memory.dmp
    Filesize

    776KB

    Download
  • memory/1868-133-0x0000000005740000-0x0000000005D68000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/1868-134-0x0000000005440000-0x000000000545A000-memory.dmp
    Filesize

    104KB

    Download
  • memory/1868-135-0x00000000054A0000-0x00000000054D6000-memory.dmp
    Filesize

    216KB

    Download
  • memory/1868-136-0x00000000063F0000-0x0000000006A6A000-memory.dmp
    Filesize

    6.5MB

    Download
  • memory/1868-137-0x0000000005580000-0x0000000005616000-memory.dmp
    Filesize

    600KB

    Download
  • memory/1868-138-0x0000000005510000-0x0000000005532000-memory.dmp
    Filesize

    136KB

    Download
  • memory/1868-139-0x0000000005690000-0x00000000056F6000-memory.dmp
    Filesize

    408KB

    Download
  • memory/1868-140-0x0000000006A70000-0x0000000007014000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/1868-141-0x0000000005640000-0x000000000565E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/1868-142-0x0000000005DC0000-0x0000000005E0A000-memory.dmp
    Filesize

    296KB

    Download
  • memory/1868-143-0x00000000062E0000-0x0000000006346000-memory.dmp
    Filesize

    408KB

    Download
  • memory/1868-144-0x0000000006380000-0x00000000063A2000-memory.dmp
    Filesize

    136KB

    Download
  • memory/1868-145-0x0000000008800000-0x0000000008833000-memory.dmp
    Filesize

    204KB

    Download
  • memory/1868-146-0x0000000008840000-0x000000000887D000-memory.dmp
    Filesize

    244KB

    Download