cobaltstrike | 060a0c1bd4fecd9c726cbdf9af12f10fec6bb8b97ca749d327d869c23f12060e

Resubmissions

12/06/2023, 09:11

230612-k55d1sbb69 10

20/05/2023, 13:13

230520-qghg8scd63 10

Analysis

max time kernel
147s
max time network
159s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
20/05/2023, 13:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

899KB
MD5

e067b5d5b7de061f034961aa9197f768
SHA1

c84c08c2a6b6c8d63a3e054ea9a48132ad0fa1c1
SHA256

060a0c1bd4fecd9c726cbdf9af12f10fec6bb8b97ca749d327d869c23f12060e
SHA512

92a0267f628df609a2f4a20ceeb2be0b67c7908c3e49741bbd5bd3becfb85e25492f4397fd505a34412774b8193ff49b6d7ae169048e9d84f20a701981ba399e
SSDEEP

12288:A6xc065bTLeJirMdeLicTZDE3saM+CadLJ6RBKVJEBTUuwjlcV6G:bq06t3nrag1qsathguV6kRcM

Score

10^/10

cobaltstrike metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

windows/download_exec

http://92.63.196.46:17899/ZoCP

Attributes

headers User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0)

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1488 set thread context of 472	1488	tmp.exe	27

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1488 wrote to memory of 472	1488	tmp.exe	27
PID 1488 wrote to memory of 472	1488	tmp.exe	27
PID 1488 wrote to memory of 472	1488	tmp.exe	27
PID 1488 wrote to memory of 472	1488	tmp.exe	27
PID 1488 wrote to memory of 472	1488	tmp.exe	27
PID 1488 wrote to memory of 472	1488	tmp.exe	27
PID 1488 wrote to memory of 472	1488	tmp.exe	27
PID 1488 wrote to memory of 472	1488	tmp.exe	27
PID 1488 wrote to memory of 472	1488	tmp.exe	27
PID 1488 wrote to memory of 472	1488	tmp.exe	27
PID 1488 wrote to memory of 472	1488	tmp.exe	27
PID 1488 wrote to memory of 472	1488	tmp.exe	27
PID 1488 wrote to memory of 472	1488	tmp.exe	27
PID 1488 wrote to memory of 472	1488	tmp.exe	27
PID 1488 wrote to memory of 472	1488	tmp.exe	27

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1488
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "{path}"
  2⤵
  PID:472

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/472-66-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/472-64-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/472-75-0x0000000000DE0000-0x0000000000E26000-memory.dmp

Filesize
280KB

Download
memory/472-74-0x0000000003A00000-0x0000000003E00000-memory.dmp

Filesize
4.0MB

Download
memory/472-72-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/472-59-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/472-60-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/472-61-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/472-70-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/472-62-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/472-63-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/472-65-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/472-69-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1488-54-0x0000000000B30000-0x0000000000C18000-memory.dmp

Filesize
928KB

Download
memory/1488-55-0x0000000004DC0000-0x0000000004E00000-memory.dmp

Filesize
256KB

Download
memory/1488-58-0x0000000002170000-0x00000000021AC000-memory.dmp

Filesize
240KB

Download
memory/1488-57-0x0000000005D10000-0x0000000005DA2000-memory.dmp

Filesize
584KB

Download
memory/1488-56-0x00000000004E0000-0x00000000004F4000-memory.dmp

Filesize
80KB

Download