Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20230220-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    24-03-2023 12:02

General

  • Target

    ce8bface0c9e56ab96d4bc06b76083aa.exe

  • Size

    2.7MB

  • MD5

    ce8bface0c9e56ab96d4bc06b76083aa

  • SHA1

    67a648847de158f40ac710dfb90a17d2ff49b9a6

  • SHA256

    635eec28f0b72fb0b6a1542766ec4773559579e37dd7949fa41f57e386c3adfd

  • SHA512

    57a141fd8fff049dad91458d84755a909bb90ccd8c879ce1928897acada96cc06d5c6e63c6a936c8ac9314734acf4b6d28404f67beb0263c883215eb620dc1f9

  • SSDEEP

    49152:hRkjGFXsl3Pza68rb/T3vO90d7HjmAFd4A64nsfJjAKhH4+stNms6zo0qYgNCUOG:Ol3PbstNms6zoSGppTOZ

Malware Config

Extracted

Family

cobaltstrike

C2

http://192.168.20.15:801/9Ekt

(192.168.20.15 is an RFC 1918 private address: the beacon calls back to a host inside the victim network, not to an Internet-facing C2, so no external callback should be expected in sandbox traffic.)

Attributes
  • user_agent

    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)
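
The C2 and user-agent values above come from the sandbox's automated config extraction. The report does not show the raw config, so the following is an added example (not code from the report or from the sample) that constructs a Beacon-style config table carrying exactly those two values and parses it back. The TLV layout (big-endian index, type, length; type 1 short, type 2 int, type 3 bytes), the single-byte XOR keys 0x2E/0x69 and the field indices follow the publicly documented Beacon config format used by community parsers; the sleep, jitter and HttpPostUri values in the sample are assumptions and are labelled as such.

```python
import struct

# Subset of the public Beacon config field indices; a record is index:u16 type:u16 length:u16 value.
FIELD_NAMES = {1: "BeaconType", 2: "Port", 3: "SleepTime", 4: "MaxGetSize", 5: "Jitter",
               8: "C2Server", 9: "UserAgent", 10: "HttpPostUri"}
BEACON_TYPES = {0: "HTTP", 1: "Hybrid HTTP DNS", 2: "SMB", 4: "TCP", 8: "HTTPS", 16: "Bind TCP"}
XOR_KEYS = (0x2E, 0x69)                # single-byte keys used by 4.x and 3.x beacons
HEADER = b"\x00\x01\x00\x01\x00\x02"   # first record: index 1 (BeaconType), type 1 (short), length 2


def xor(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def build_config(records) -> bytes:
    """Serialize (index, type, value) triples into Beacon's TLV form. Only used to construct the sample."""
    out = b""
    for idx, typ, val in records:
        payload = struct.pack(">H", val) if typ == 1 else struct.pack(">I", val) if typ == 2 else val
        out += struct.pack(">HHH", idx, typ, len(payload)) + payload
    return out + b"\x00" * 6  # an all-zero record terminates the table


# Constructed sample: the report's extracted values stored the way a 4.x beacon stores them,
# XOR-encoded and surrounded by filler so the parser has to locate the table itself.
SAMPLE_CONFIG = build_config([
    (1, 1, 0),                                    # BeaconType 0 = HTTP (report C2 is plain http)
    (2, 1, 801),                                  # Port, from the report
    (3, 2, 60000),                                # SleepTime in ms: assumption
    (5, 1, 0),                                    # Jitter: assumption
    (8, 3, b"192.168.20.15,/9Ekt".ljust(256, b"\x00")),            # C2Server = "host,/get-uri"
    (9, 3, b"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)".ljust(128, b"\x00")),
    (10, 3, b"/submit.php".ljust(64, b"\x00")),   # HttpPostUri: assumption
])
SAMPLE_BLOB = b"MZ\x90\x00" + b"\xaa" * 32 + xor(SAMPLE_CONFIG, 0x2E) + b"\xbb" * 32


def find_config(blob: bytes):
    """Locate the encoded table by searching for the known first record under each candidate key."""
    for key in XOR_KEYS:
        pos = blob.find(xor(HEADER, key))
        if pos != -1:
            return key, pos
    return None, -1


def parse_config(blob: bytes) -> dict:
    key, pos = find_config(blob)
    if key is None:
        raise ValueError("no Beacon config header found")
    data = xor(blob[pos:], key)
    cfg, off = {"xor_key": key}, 0
    while off + 6 <= len(data):
        idx, typ, length = struct.unpack(">HHH", data[off:off + 6])
        off += 6
        if idx == 0:          # terminator record
            break
        raw = data[off:off + length]
        off += length
        if typ == 1:
            val = struct.unpack(">H", raw)[0]
        elif typ == 2:
            val = struct.unpack(">I", raw)[0]
        else:
            val = raw.split(b"\x00", 1)[0].decode("latin-1")   # NUL-padded string
        cfg[FIELD_NAMES.get(idx, f"field_{idx}")] = val
    if "C2Server" in cfg:
        # C2Server holds "host,/uri" (possibly repeated for fallback hosts); take the first pair.
        host, _, uri = cfg["C2Server"].partition(",")
        scheme = "https" if cfg.get("BeaconType") == 8 else "http"
        cfg["c2_url"] = f"{scheme}://{host}:{cfg.get('Port')}{uri}"
        cfg["BeaconTypeName"] = BEACON_TYPES.get(cfg.get("BeaconType"), "unknown")
    return cfg


if __name__ == "__main__":
    for k, v in parse_config(SAMPLE_BLOB).items():
        print(f"{k}: {v}")
```

Searching for the XOR-encoded first record rather than for a fixed offset is what makes this work on a memory dump or an unpacked stage: the table moves between builds, but record 1 is always BeaconType stored as a short. A real sample's table is longer (public key, HTTP transform blocks, watermark) and is the one the sandbox reduced to the two attributes shown above.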

Signatures

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox's heuristic labels this as likely ransomware behaviour; it is a generic drive-enumeration signature and, for a Cobalt Strike dropper that opens an Excel decoy, is not on its own evidence of ransomware.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ce8bface0c9e56ab96d4bc06b76083aa.exe
    "C:\Users\Admin\AppData\Local\Temp\ce8bface0c9e56ab96d4bc06b76083aa.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2024
    • C:\Windows\system32\cmd.exe
      cmd " /c " C:\Users\Public\202303141145服务器报备.xls
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:836
      • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
        "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde
        3⤵
        • Enumerates system info in registry
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        • Suspicious use of SetWindowsHookEx
        PID:752
    • C:\Users\Public\artifact.exe
      C:\Users\Public\artifact.exe
      2⤵
      • Executes dropped EXE
      PID:1076
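
The tree above is the whole story of the dropper: the Temp-resident executable writes a decoy workbook and artifact.exe to C:\Users\Public, opens the workbook through cmd.exe (which hands it to Excel via the file association, hence the /dde switch), and runs artifact.exe, the actual beacon stager. As an added example, not part of the report, the following correlates process-creation events for that chain. The events are constructed from the report's PIDs and command lines in a Sysmon Event ID 1 / 4688-like shape; the parent PID 1400 and the final benign Excel launch are assumptions used as a negative control.

```python
import re
from collections import defaultdict

# Constructed process-creation events mirroring the report's tree (PIDs, images and command lines
# from the report; ppid 1400 and the last benign record are assumptions).
EVENTS = [
    {"pid": 2024, "ppid": 1400,
     "image": r"C:\Users\Admin\AppData\Local\Temp\ce8bface0c9e56ab96d4bc06b76083aa.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\ce8bface0c9e56ab96d4bc06b76083aa.exe"'},
    {"pid": 836, "ppid": 2024, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'cmd " /c " C:\Users\Public\202303141145服务器报备.xls'},
    {"pid": 752, "ppid": 836,
     "image": r"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE",
     "cmdline": r'"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde'},
    {"pid": 1076, "ppid": 2024, "image": r"C:\Users\Public\artifact.exe",
     "cmdline": r"C:\Users\Public\artifact.exe"},
    # Negative control (constructed): a user double-clicking a workbook from Explorer.
    {"pid": 1500, "ppid": 1400,
     "image": r"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE",
     "cmdline": r'"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde'},
]

DOC_FROM_PUBLIC = re.compile(r"(?i)\\Users\\Public\\\S+\.(?:xlsx?|xlsm|docx?|docm|rtf)\b")
PUBLIC_EXE = re.compile(r"(?i)^[a-z]:\\Users\\Public\\[^\\]+\.exe$")
USER_WRITABLE_EXE = re.compile(r"(?i)\\(?:AppData\\Local\\Temp|Users\\Public)\\[^\\]+\.exe$")


def classify(ev, by_pid):
    """Return the detection labels a single event triggers, using its parent for context."""
    hits = []
    image = ev["image"].lower()
    parent = by_pid.get(ev["ppid"])
    parent_image = parent["image"].lower() if parent else ""
    # cmd.exe /c <document in C:\Users\Public>: a dropper opening its decoy via the shell.
    if image.endswith("\\cmd.exe") and re.search(r"(?i)/c\b", ev["cmdline"]) \
            and DOC_FROM_PUBLIC.search(ev["cmdline"]):
        hits.append("cmd_opens_doc_from_public")
    # "/dde" is Excel's normal Open-verb argument, so it is not a signal by itself;
    # Excel being a child of cmd.exe is.
    if image.endswith("\\excel.exe") and parent_image.endswith("\\cmd.exe"):
        hits.append("excel_spawned_by_cmd")
    # An executable in C:\Users\Public launched by another executable from a user-writable path.
    if PUBLIC_EXE.search(ev["image"]) and USER_WRITABLE_EXE.search(parent_image):
        hits.append("public_exe_launched_by_user_writable_exe")
    return hits


def root_of(pid, by_pid):
    """Walk up the tree to the highest ancestor present in the event set."""
    seen = set()
    while pid in by_pid and by_pid[pid]["ppid"] in by_pid and pid not in seen:
        seen.add(pid)
        pid = by_pid[pid]["ppid"]
    return pid


def correlate(events, min_hits=2):
    """Group hits by root process; report roots whose subtree triggers at least min_hits distinct labels."""
    by_pid = {e["pid"]: e for e in events}
    per_root = defaultdict(set)
    for ev in events:
        for label in classify(ev, by_pid):
            per_root[root_of(ev["pid"], by_pid)].add(label)
    return {root: sorted(labels) for root, labels in per_root.items() if len(labels) >= min_hits}


if __name__ == "__main__":
    for root, labels in correlate(EVENTS).items():
        print(root, labels)   # root 2024 with all three labels for the constructed events
```

Requiring two distinct labels under one root is what keeps the benign Explorer-launched Excel from firing: each rule alone (a document under C:\Users\Public, Excel under cmd.exe, an executable in a public folder) has legitimate triggers, but the combination rooted in a single Temp-resident executable is the dropper pattern the report shows.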

Network

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

Modify Registry

1
T1112

Discovery

System Information Discovery

2
T1082

Query Registry

1
T1012

Downloads

  • C:\Users\Public\202303141145服务器报备.xls
    Filesize

    22KB

    MD5

    42c5a8424fba34b4156ffb3d46b2842e

    SHA1

    b9fe363d1c4ef205d1600094834c14f47cdb224b

    SHA256

    c68995eee773f8a9056e827ba8cc5105a500695568fee7076766dfd0d5ce6a43

    SHA512

    a533423272399892bce2c4c2e165bedcaab250a73c3dff7d9742e27039dc9492b6e5d1c77561a9f80a3bc491696a5bab7ba256701ddf540c289e58c2a7ba68ab

  • C:\Users\Public\artifact.exe
    Filesize

    17KB

    MD5

    73b99609558c5b59b5a8a1c1b395ac86

    SHA1

    ed7cf719433928bf68664644e57047f2ca817978

    SHA256

    ce10ad6ad10f8bab57fca84288487a0da754f63946bece5bea01cb36d83b7779

    SHA512

    d1d2830ff1521a4c14f7357dd41be44b6c4d8fd8bd56582108d0d4583cf73ed1e5a667446929e1e44889e45e592cb5f4128b1b68010aca74f71a7db422a53c01

  • \Users\Public\artifact.exe
    Filesize

    17KB

    MD5

    73b99609558c5b59b5a8a1c1b395ac86

    SHA1

    ed7cf719433928bf68664644e57047f2ca817978

    SHA256

    ce10ad6ad10f8bab57fca84288487a0da754f63946bece5bea01cb36d83b7779

    SHA512

    d1d2830ff1521a4c14f7357dd41be44b6c4d8fd8bd56582108d0d4583cf73ed1e5a667446929e1e44889e45e592cb5f4128b1b68010aca74f71a7db422a53c01

  • memory/752-70-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize

    64KB

  • memory/1076-69-0x0000000000020000-0x0000000000021000-memory.dmp
    Filesize

    4KB

  • memory/1076-81-0x0000000000400000-0x000000000040C000-memory.dmp
    Filesize

    48KB