Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 09-03-2023 05:21
Static task: static1
Behavioral task: behavioral1
- Sample: cs_backdoor.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: cs_backdoor.exe
- Resource: win10v2004-20230220-en
General
- Target: cs_backdoor.exe
- Size: 518KB
- MD5: b62632529fdaa96f4be1e50eeeaf069c
- SHA1: d1b770fa53e204d6ce4b28c51cc5be4e6ff5d92f
- SHA256: 8d8a7798ebf211ce6bd8a50f606aea0003350566832ade952b3dac9bd8c2b9d5
- SHA512: 397f3a2ec44943d7ca35d5841fe46910cac0ad2648e0ee128cab8260d33187087b45a1489b9ea21f52cb96127fceac6e62b503d08bbdf189bba1eab9687d9b18
- SSDEEP: 12288:R0mDAUEXTjWv/1Bu5Nvv7fqr9opXP9UIQzaTobm:fDgXTyvuPbfgapXP9UIc
Malware Config
Extracted: cobaltstrike
305419896
http://106.12.222.162:8099/blog/
- access_type: 512
- dns_idle: 1.34744072e+08
- host: 106.12.222.162,/blog/
- http_header1: AAAAEAAAABdIb3N0OiB3d3cuYWxpeXVuLWNzLmNvbQAAAAoAAAALQWNjZXB0OiAqLyoAAAAKAAAAhkNvb2tpZTogTWljcm9zb2Z0QXBwbGljYXRpb25zVGVsZW1ldHJ5RGV2aWNlSWQ9OTVjMThkOC00ZGNlOTg1NDtDbGllbnRJZD0xQzBGNkM1RDkxMEY5O01TUEF1dGg9M0VrQWpES2pJO3hpZD03MzBiZjc7d2xhNDI9WkcweU16QTJLakVzAAAABwAAAAAAAAANAAAABgAAAAhYLVByYWdtYQAAAAkAAAAOcGF0aD0vY2FsZW5kYXIAAAAAAAAAAAAAAAAAAA==
- http_header2: AAAAEAAAABdIb3N0OiB3d3cuYWxpeXVuLWNzLmNvbQAAAAoAAAALQWNjZXB0OiAqLyoAAAAHAAAAAQAAAA0AAAAEAAAABwAAAAAAAAANAAAAAgAAAAZ3bGE0Mj0AAAACAAAAC3hpZD03MzBiZjc7AAAAAgAAABJNU1BBdXRoPTNFa0FqREtqSTsAAAACAAAAF0NsaWVudElkPTFDMEY2QzVEOTEwRjk7AAAAAgAAADhNaWNyb3NvZnRBcHBsaWNhdGlvbnNUZWxlbWV0cnlEZXZpY2VJZD05NWMxOGQ4LTRkY2U5ODU0OwAAAAYAAAAGQ29va2llAAAAAAAAAAAAAA==
- http_method1: POST
- http_method2: POST
- jitter: 5120
- maxdns: 235
- polling_time: 30000
- port_number: 8099
- sc_process32: %windir%\syswow64\gpupdate.exe
- sc_process64: %windir%\sysnative\gpupdate.exe
- state_machine: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC5h13I0LHtntwGyfMQ50mwgeQNRoMziUbFacTBFXE6o0aMf2upaKU1zl/ud3VRodQjFZxWn2uqOUp+027mQoZ25IxVFtNU21cf1gMJO4j2vcXVAaTTYPh3NXVJ/LHMyI7f8tgsuXztYUVLsWrLG5VO/UfGom/os0SDAFcwWJzkrwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- unknown1: 1.448416512e+09
- unknown2: AAAABAAAAA0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- uri: /BLOG/
- user_agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)
- watermark: 305419896
Extracted: cobaltstrike
0
- watermark: 0
Signatures
- Cobaltstrike: Detected malicious payload which is part of Cobaltstrike.
Downloads
- memory/924-54-0x000007FEFAD20000-0x000007FEFADCC000-memory.dmp (Filesize: 688KB)
- memory/924-55-0x000007FEFAD20000-0x000007FEFADCC000-memory.dmp (Filesize: 688KB)
- memory/924-56-0x0000000000160000-0x0000000000161000-memory.dmp (Filesize: 4KB)
- memory/924-57-0x000007FEFAD20000-0x000007FEFADCC000-memory.dmp (Filesize: 688KB)
- memory/924-62-0x000007FEFAD20000-0x000007FEFADCC000-memory.dmp (Filesize: 688KB)
- memory/924-64-0x000007FEFAD20000-0x000007FEFADCC000-memory.dmp (Filesize: 688KB)