Tasks (score shown per task)

Task                   Platform              Score
overview               -                     3
static1                -                     3
CobaltStri...nal.7z    windows7-x64          3
CobaltStri...nal.7z    windows10-2004-x64    3
CobaltStri...nt.cmd    windows7-x64          1
CobaltStri...nt.cmd    windows10-2004-x64    1
CobaltStri...nt.jar    windows7-x64          1
CobaltStri...nt.jar    windows10-2004-x64    1
CobaltStri...ok.jar    windows7-x64          1
CobaltStri...ok.jar    windows10-2004-x64    1
CobaltStri...mon.sh    windows7-x64          3
CobaltStri...mon.sh    windows10-2004-x64    3

Analysis
max time kernel: 1197s
max time network: 890s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 16/05/2023, 10:58
Static task
static1

Behavioral tasks

Task          Sample                                                                           Resource
behavioral1   CobaltStrike48-pwn3rzs-cyberarsenal.7z                                           win7-20230220-en
behavioral2   CobaltStrike48-pwn3rzs-cyberarsenal.7z                                           win10v2004-20230220-en
behavioral3   CobaltStrike48-pwn3rzs-cyberarsenal_ucare/Client/cobaltstrike-client.cmd         win7-20230220-en
behavioral4   CobaltStrike48-pwn3rzs-cyberarsenal_ucare/Client/cobaltstrike-client.cmd         win10v2004-20230220-en
behavioral5   CobaltStrike48-pwn3rzs-cyberarsenal_ucare/Client/cobaltstrike-client.jar         win7-20230220-en
behavioral6   CobaltStrike48-pwn3rzs-cyberarsenal_ucare/Client/cobaltstrike-client.jar         win10v2004-20230220-en
behavioral7   CobaltStrike48-pwn3rzs-cyberarsenal_ucare/Client/uHook.jar                       win7-20230220-en
behavioral8   CobaltStrike48-pwn3rzs-cyberarsenal_ucare/Client/uHook.jar                       win10v2004-20230220-en
behavioral9   CobaltStrike48-pwn3rzs-cyberarsenal_ucare/Server/source-common.sh                win7-20230220-en
behavioral10  CobaltStrike48-pwn3rzs-cyberarsenal_ucare/Server/source-common.sh                win10v2004-20230220-en
General (this task: behavioral9, win7-20230220-en)

Target: CobaltStrike48-pwn3rzs-cyberarsenal_ucare/Server/source-common.sh
Size: 904B
MD5: 3008006d127284387b827208cdeb408d
SHA1: 71e4a933db1eba354e5e5877fd7fee4cc36e00c7
SHA256: be08c1ebe5a776b5b76b4b4d878c2324bf0d6171c62dcbf8ce1fd49e4ad60770
SHA512: 188501e1a209c315fdd0d8227410d827bb8f3568d3485a412172fbac9c576b8d897f07ee3d97010027235965756dfdf914dad561448643d5a0317639b1cd4646
Malware Config
(section empty: no configuration was extracted for this task)

Signatures

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Modifies registry class (9 IoCs)
  All keys are under \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES (the user's HKCU Classes hive); the writing process is rundll32.exe in every case.

  Description       Key                                   Value
  Key created       Local Settings                        -
  Set value (str)   sh_auto_file\                         (not shown)
  Key created       .sh                                   -
  Key created       sh_auto_file\shell                    -
  Key created       sh_auto_file\shell\Read\command       -
  Set value (str)   sh_auto_file\shell\Read\command\      "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""
  Key created       sh_auto_file                          -
  Set value (str)   .sh\                                  "sh_auto_file"
  Key created       sh_auto_file\shell\Read               -

Suspicious use of SetWindowsHookEx (3 IoCs)
  pid   Process
  976   AcroRd32.exe  (3 hits)

Suspicious use of WriteProcessMemory (7 IoCs)
  Description         pid    Process         procid_target   Hits
  wrote to memory of  1520   cmd.exe         28 (PID 696)    3
  wrote to memory of  696    rundll32.exe    29 (PID 976)    4
Processes

1. C:\Windows\system32\cmd.exe  (PID 1520)
   cmd /c C:\Users\Admin\AppData\Local\Temp\CobaltStrike48-pwn3rzs-cyberarsenal_ucare\Server\source-common.sh
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\system32\rundll32.exe  (PID 696)
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\CobaltStrike48-pwn3rzs-cyberarsenal_ucare\Server\source-common.sh
      - Modifies registry class
      - Suspicious use of WriteProcessMemory

      3. C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe  (PID 976)
         "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\CobaltStrike48-pwn3rzs-cyberarsenal_ucare\Server\source-common.sh"
         - Suspicious use of SetWindowsHookEx

Reading the tree: the task ran `cmd /c` on a .sh file, an extension with no handler on the Windows 7 image, so the shell launched shell32!OpenAs_RunDLL (the "Open with" dialog) via rundll32. The dialog's handler selection is what wrote the .sh -> sh_auto_file association and the sh_auto_file\shell\Read\command -> AcroRd32.exe "%1" value into the user's Classes hive, and Adobe Reader then opened the 904-byte script as a document. The "Modifies registry class" and WriteProcessMemory signatures are that dialog flow (parent processes writing into the children they create), the SetWindowsHookEx hits belong to Adobe Reader, and nothing in this task executed the shell script's contents; the score of 3 reflects sandbox interaction artifacts, not behaviour of the sample.
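The chain above can be recognised mechanically rather than by eye. The following Python is an added example and is not part of the tria.ge report or of the analysed archive: it takes the process tree and the "Modifies registry class" entries, re-typed here as constructed data from the report, finds rundll32 launches of shell32.dll,OpenAs_RunDLL, rebuilds the file association written under the user's Classes hive, and checks that the handler recorded there is the child rundll32 actually spawned. The tuple layout, the function names and the `open_with_artifact` verdict are this example's own assumptions, not a tria.ge data format or API.

```python
"""Added example, not part of the tria.ge report: explain a sandbox process
chain in which rundll32 OpenAs_RunDLL (the Windows "Open with" dialog) sits
between cmd.exe and the handler that finally opened the file.  Process and
registry data are constructed from the report's own tree and IoCs; the tuple
layout and function names are this example's assumptions."""
import re

# Constructed from the report's process tree: (pid, ppid, image path, command line).
TEMP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CobaltStrike48-pwn3rzs-cyberarsenal_ucare\\Server"
ACRORD = "C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe"
PROCESSES = [
    (1520, None, "C:\\Windows\\system32\\cmd.exe",
     "cmd /c " + TEMP + "\\source-common.sh"),
    (696, 1520, "C:\\Windows\\system32\\rundll32.exe",
     "\"C:\\Windows\\system32\\rundll32.exe\" C:\\Windows\\system32\\shell32.dll,OpenAs_RunDLL "
     + TEMP + "\\source-common.sh"),
    (976, 696, ACRORD, "\"" + ACRORD + "\" \"" + TEMP + "\\source-common.sh\""),
]

# Constructed from the "Modifies registry class" IoCs: (operation, key, value or None).
CLASSES = "\\REGISTRY\\USER\\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\\"
REGISTRY_IOCS = [
    ("Key created", CLASSES + ".sh", None),
    ("Set value (str)", CLASSES + ".sh\\", "sh_auto_file"),
    ("Key created", CLASSES + "sh_auto_file\\shell\\Read\\command", None),
    ("Set value (str)", CLASSES + "sh_auto_file\\shell\\Read\\command\\", "\"" + ACRORD + "\" \"%1\""),
]

OPENAS = re.compile(r"shell32\.dll,OpenAs_RunDLL\s+(?P<target>\S+)", re.IGNORECASE)
EXT_KEY = re.compile(r"_CLASSES\\(\.[^\\]+)\\$", re.IGNORECASE)   # ...\.sh\ (default) = progid
VERB_KEY = re.compile(r"_CLASSES\\([^\\.][^\\]*)\\shell\\([^\\]+)\\command\\$", re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1]


def process_chain(procs, pid):
    """Image names from the root ancestor down to pid."""
    by_pid = {p[0]: p for p in procs}
    chain = []
    while pid in by_pid:
        _, ppid, image, _ = by_pid[pid]
        chain.append(basename(image).lower())
        pid = ppid
    return chain[::-1]


def open_with_dialogs(procs):
    """(pid, target file, images spawned) for every rundll32 OpenAs_RunDLL launch."""
    children = {}
    for pid, ppid, image, _ in procs:
        children.setdefault(ppid, []).append(image)
    hits = []
    for pid, _, image, cmdline in procs:
        m = OPENAS.search(cmdline)
        if basename(image).lower() == "rundll32.exe" and m:
            hits.append((pid, m.group("target").strip("\""),
                         [basename(i) for i in children.get(pid, [])]))
    return hits


def associations_created(iocs):
    """ext -> (progid, {verb: command}) for associations written to the user's Classes hive."""
    progid_of, verbs_of = {}, {}
    for op, key, value in iocs:
        if not op.startswith("Set value"):
            continue
        m = EXT_KEY.search(key)
        if m:
            progid_of[m.group(1).lower()] = value
            continue
        m = VERB_KEY.search(key)
        if m:
            verbs_of.setdefault(m.group(1), {})[m.group(2)] = value
    return {ext: (pid, verbs_of.get(pid, {})) for ext, pid in progid_of.items()}


def classify(procs, iocs):
    """Tie each Open-with launch to the association it wrote and the handler it spawned."""
    assoc = associations_created(iocs)
    chains = []
    for pid, target, spawned in open_with_dialogs(procs):
        name = basename(target)
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        progid, verbs = assoc.get(ext, (None, {}))
        # A quoted command starts with the handler's full path; compare it to what rundll32 spawned.
        reg_handlers = [v.split("\"")[1] for v in verbs.values() if v.startswith("\"")]
        chains.append({
            "pid": pid, "ext": ext, "progid": progid, "spawned": spawned,
            "chain": process_chain(procs, pid),
            "registry_handler_matches_child": any(
                h.lower().endswith("\\" + s.lower()) for h in reg_handlers for s in spawned),
        })
    return {"open_with_artifact": bool(chains), "chains": chains}


if __name__ == "__main__":
    from pprint import pprint
    pprint(classify(PROCESSES, REGISTRY_IOCS))
```

Run against the report's data, `classify` reports one chain: cmd.exe -> rundll32.exe (PID 696), extension .sh mapped to progid sh_auto_file, one spawned child AcroRd32.exe, and the registry-recorded handler matching that child. A chain where the OpenAs_RunDLL launch is absent (for instance, a file type with a real handler, or a script that a parent executed directly) yields `open_with_artifact: False`, which is the case that deserves a closer look at the child's own behaviour.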