Overview

overview

10

Static

static

7

infected20...1).chm

windows7-x64

1

infected20...1).chm

windows10-2004-x64

7

infected20...df.exe

windows7-x64

7

infected20...df.exe

windows10-2004-x64

7

infected20...�1.exe

windows7-x64

1

infected20...�1.exe

windows10-2004-x64

1

infected20...ls.exe

windows7-x64

7

infected20...ls.exe

windows10-2004-x64

7

infected20...fo.exe

windows7-x64

7

infected20...fo.exe

windows10-2004-x64

7

infected20...od.exe

windows7-x64

7

infected20...od.exe

windows10-2004-x64

7

infected20...25.exe

windows7-x64

7

infected20...25.exe

windows10-2004-x64

7

infected20...��.exe

windows7-x64

1

infected20...��.exe

windows10-2004-x64

1

infected20...nd.exe

windows7-x64

1

infected20...nd.exe

windows10-2004-x64

1

infected20...eg.exe

windows7-x64

10

infected20...eg.exe

windows10-2004-x64

10

infected20...#r.exe

windows7-x64

7

infected20...#r.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    147s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    25/04/2023, 15:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    infected2023042501/Downloads/深圳智园总部饭堂吃出小蟑螂食品安全事件图片证据jpeg.exe

  • Size

    32KB

  • MD5

    f17e58072430527e007ba8aabe74796f

  • SHA1

    e89edcdcc56796636261e3016be4a4ce4b6b2626

  • SHA256

    1af4c64c986d0bf5bd447614e312be9c2f802879f13a09f6b95f5a7d675d8231

  • SHA512

    f2ca0153d330d93ff4e1c1efaeee55c680bfffb562e0f38df318ba99043b515d8d4114bc311e588dcd3cf854b984cda816b87997eab639d0360bfd8ac67c8776

  • SSDEEP

    768:zsiqOLGC30C0FHMKV+WeY4FFYMWOX8eW:bG7sKMWiF/wx

Score
10/10
cobaltstrikebackdoortrojan

Malware Config

Extracted

Family

cobaltstrike

C2

http://vip.oppo.cn.cdn.dnsv1.com.cn:443/js/jquery-3.4.1.slim.min.js

Attributes
  • user_agent

    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36 Host: vip.oppo.cn

Signatures

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

    trojanbackdoorcobaltstrike
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\infected2023042501\Downloads\深圳智园总部饭堂吃出小蟑螂食品安全事件图片证据jpeg.exe
    "C:\Users\Admin\AppData\Local\Temp\infected2023042501\Downloads\深圳智园总部饭堂吃出小蟑螂食品安全事件图片证据jpeg.exe"
    1⤵
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:1280
    • C:\Windows\System32\resmon.exe
      "C:\Windows\System32\resmon.exe"
      2⤵
        PID:1216

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1216-54-0x0000000000060000-0x0000000000061000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1216-55-0x0000000000060000-0x0000000000061000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1216-73-0x0000000002CE0000-0x0000000002E36000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/1216-74-0x00000000026F0000-0x0000000002775000-memory.dmp

      Filesize

      532KB

      Download

    • memory/1216-75-0x0000000002CE0000-0x0000000002E36000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/1216-76-0x00000000026F0000-0x0000000002775000-memory.dmp

      Filesize

      532KB

      Download