Overview

overview

10

Static

static

3

2bc78e0d14...2d.exe

windows7-x64

10

2bc78e0d14...2d.exe

windows10-2004-x64

10

4922d2660f...c5.exe

windows7-x64

10

4922d2660f...c5.exe

windows10-2004-x64

1

4e14f58935...61.exe

windows7-x64

10

4e14f58935...61.exe

windows10-2004-x64

1

64b9d76ec0...52.exe

windows7-x64

10

64b9d76ec0...52.exe

windows10-2004-x64

3

79f68c9a2d...ee.exe

windows7-x64

7

79f68c9a2d...ee.exe

windows10-2004-x64

7

c984a9446b...d3.exe

windows7-x64

10

c984a9446b...d3.exe

windows10-2004-x64

3

d69dc8e0a1...67.exe

windows7-x64

10

d69dc8e0a1...67.exe

windows10-2004-x64

10

dff2cf2793...3f.exe

windows7-x64

10

dff2cf2793...3f.exe

windows10-2004-x64

1

e542080348...18.exe

windows7-x64

10

e542080348...18.exe

windows10-2004-x64

10

f96c9a2487...e6.exe

windows7-x64

10

f96c9a2487...e6.exe

windows10-2004-x64

3

fe2da521d1...ff.exe

windows7-x64

10

fe2da521d1...ff.exe

windows10-2004-x64

1

Analysis

  • max time kernel
    141s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-06-2023 15:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2bc78e0d14294e35e680b1a6d530adb0cdd04090e1f2bda2f7a4571b8265162d.exe

  • Size

    148KB

  • MD5

    5962e66c82fcd853fbfe2c6e8fdf3058

  • SHA1

    74c6b0b42ba3d888b630d7f42c6924aecc40a9d4

  • SHA256

    2bc78e0d14294e35e680b1a6d530adb0cdd04090e1f2bda2f7a4571b8265162d

  • SHA512

    08965e5b3a5737d6eb9754b48c12cbf8ad9cba5195d87e14304a386f4a463acb00ac8d0dd1467307f8dfa6a962beff59697d815ba1d7b577fe257a280d4698eb

  • SSDEEP

    3072:kyqybyIkfZmxLCokgxcE4VFWGAGP4gqSBmQ:Yyu6LC9gxAVFWU4gXL

Score
10/10
cobaltstrike391144938backdoortrojan

Malware Config

Extracted

Family

cobaltstrike

C2

http://45.77.45.243:80/MHYo

Attributes
  • user_agent

    User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; LEN2)

Extracted

Family

cobaltstrike

Botnet

391144938

C2

http://45.77.45.243:80/__utm.gif

Attributes
  • access_type

    512

  • host

    45.77.45.243,/__utm.gif

  • http_header1

    AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_header2

    AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_method1

    GET

  • http_method2

    POST

  • polling_time

    60000

  • port_number

    80

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQD1MdX3ZRB269oOFHhcS9y7/4ze8AhFcGBKcU1oxKJmsPnFb0veqfUoNBE0uJCpJOzoKyNvngcJuz76aRb0Hvwag2mIXrX5f/3UB3P2WZFtxVHOhYgXLVPd8VlQD9eAPPUEceDRBN2lvYJGuakGOOCQTzb21ErU1bl10tHS2cFATwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4096

  • unknown2

    AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /submit.php

  • user_agent

    Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.4; .NET4.0C)

  • watermark

    391144938

Signatures

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

    trojanbackdoorcobaltstrike
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2bc78e0d14294e35e680b1a6d530adb0cdd04090e1f2bda2f7a4571b8265162d.exe
    "C:\Users\Admin\AppData\Local\Temp\2bc78e0d14294e35e680b1a6d530adb0cdd04090e1f2bda2f7a4571b8265162d.exe"
    1⤵
    • Suspicious use of NtCreateThreadExHideFromDebugger
    PID:2668

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2668-133-0x0000000000020000-0x0000000000021000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2668-134-0x0000000000020000-0x0000000000021000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2668-135-0x00000000006A0000-0x00000000006A2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2668-136-0x00000000037D0000-0x0000000003BD0000-memory.dmp
    Filesize

    4.0MB

    Download
  • memory/2668-137-0x00000000009D0000-0x0000000000A22000-memory.dmp
    Filesize

    328KB

    Download
  • memory/2668-138-0x0000000000400000-0x000000000042C000-memory.dmp
    Filesize

    176KB

    Download