cobaltstrike | 596fd4b24216276efaf4a9f21d4aea8c2cf75cdd48689eba58d6b9127d5afc89

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
22/08/2023, 10:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

596fd4b24216276efaf4a9f21d4aea8c2cf75cdd48689eba58d6b9127d5afc89.exe
Size

4.6MB
MD5

b7d7c1547fb11f5b374e5f8571f7296f
SHA1

50277a7ce13d057ad0c584760f9d43d4632360f6
SHA256

596fd4b24216276efaf4a9f21d4aea8c2cf75cdd48689eba58d6b9127d5afc89
SHA512

5c4752e42b698a821931bb04f255b3a24c83a8bb5af6523d3fb4f081770598d67506d913d5d6b4f9be65f99441b8253dd50aa857b6cb8918292ad5b7f471b913
SSDEEP

98304:ayjynjJ/JtdDMKJ/AmHmhuPzmeqjSpXqeRzlmRIv:ay49xXAOjHmhuPzcjSEetlmw

Score

10^/10

cobaltstrike backdoor trojan upx

Malware Config

Extracted

Family

cobaltstrike

http://192.168.140.129:1111/rq9A

Attributes

user_agent
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Loads dropped DLL 6 IoCs

pid	Process
464	596fd4b24216276efaf4a9f21d4aea8c2cf75cdd48689eba58d6b9127d5afc89.exe
464	596fd4b24216276efaf4a9f21d4aea8c2cf75cdd48689eba58d6b9127d5afc89.exe
464	596fd4b24216276efaf4a9f21d4aea8c2cf75cdd48689eba58d6b9127d5afc89.exe
464	596fd4b24216276efaf4a9f21d4aea8c2cf75cdd48689eba58d6b9127d5afc89.exe
464	596fd4b24216276efaf4a9f21d4aea8c2cf75cdd48689eba58d6b9127d5afc89.exe
464	596fd4b24216276efaf4a9f21d4aea8c2cf75cdd48689eba58d6b9127d5afc89.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000600000002324c-187.dat	upx
behavioral2/files/0x000600000002324c-188.dat	upx
behavioral2/memory/464-191-0x00007FFD1CB00000-0x00007FFD1CEEC000-memory.dmp	upx
behavioral2/files/0x000700000002321b-194.dat	upx
behavioral2/files/0x000700000002321b-193.dat	upx
behavioral2/memory/464-196-0x00007FFD1D5A0000-0x00007FFD1D5C9000-memory.dmp	upx
behavioral2/files/0x000700000002321c-195.dat	upx
behavioral2/files/0x000700000002321c-197.dat	upx
behavioral2/memory/464-199-0x00007FFD1D580000-0x00007FFD1D591000-memory.dmp	upx
behavioral2/files/0x000600000002324a-198.dat	upx
behavioral2/files/0x000600000002324a-200.dat	upx
behavioral2/memory/464-201-0x00007FFD0E400000-0x00007FFD0E689000-memory.dmp	upx
behavioral2/memory/464-203-0x00007FFD1CB00000-0x00007FFD1CEEC000-memory.dmp	upx
behavioral2/memory/464-204-0x00007FFD1D5A0000-0x00007FFD1D5C9000-memory.dmp	upx
behavioral2/memory/464-205-0x00007FFD1D580000-0x00007FFD1D591000-memory.dmp	upx
behavioral2/memory/464-209-0x00007FFD0E400000-0x00007FFD0E689000-memory.dmp	upx

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: 35	464	596fd4b24216276efaf4a9f21d4aea8c2cf75cdd48689eba58d6b9127d5afc89.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3164 wrote to memory of 464	3164	596fd4b24216276efaf4a9f21d4aea8c2cf75cdd48689eba58d6b9127d5afc89.exe	81
PID 3164 wrote to memory of 464	3164	596fd4b24216276efaf4a9f21d4aea8c2cf75cdd48689eba58d6b9127d5afc89.exe	81

C:\Users\Admin\AppData\Local\Temp\596fd4b24216276efaf4a9f21d4aea8c2cf75cdd48689eba58d6b9127d5afc89.exe
"C:\Users\Admin\AppData\Local\Temp\596fd4b24216276efaf4a9f21d4aea8c2cf75cdd48689eba58d6b9127d5afc89.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3164
- C:\Users\Admin\AppData\Local\Temp\596fd4b24216276efaf4a9f21d4aea8c2cf75cdd48689eba58d6b9127d5afc89.exe
  "C:\Users\Admin\AppData\Local\Temp\596fd4b24216276efaf4a9f21d4aea8c2cf75cdd48689eba58d6b9127d5afc89.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:464

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI31642\VCRUNTIME140.dll

Filesize
85KB

MD5
6e2b2ddb1bc783122018d99d38497298

SHA1
414dfc02289926416399fd986a303e32e812c595

SHA256
02fcb91909ed2ecc68b62bceaca7b8d8319e7d625e599756c170db631237da69

SHA512
3d2a9b62f4ad87b69a582cd97d3d7a1ae20a99561b65a8c20fbea8b83c1515541bde4d9f3f8b88c03f5fe4f956bc4533b5171e29fde89cc0265c99384eac2358

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31642\VCRUNTIME140.dll

Filesize
85KB

MD5
6e2b2ddb1bc783122018d99d38497298

SHA1
414dfc02289926416399fd986a303e32e812c595

SHA256
02fcb91909ed2ecc68b62bceaca7b8d8319e7d625e599756c170db631237da69

SHA512
3d2a9b62f4ad87b69a582cd97d3d7a1ae20a99561b65a8c20fbea8b83c1515541bde4d9f3f8b88c03f5fe4f956bc4533b5171e29fde89cc0265c99384eac2358

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31642\_ctypes.pyd

Filesize
51KB

MD5
b20753336eeb12543da835965a712e55

SHA1
7861ea214d85ad9f68d396b09cab09f5fff980e0

SHA256
7b88bc27df5520b558b007dca400ad9eb1b9266dda7d3608aceace8e6b0d0347

SHA512
5c00218c41f65e195a6a822c92f12a4ce673ade75465f188715cd7adfc3573ee2ae4ef408135a14d53a2b8735427f6fe4aa009caf474b4ecfd006e16faeb8e2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31642\_ctypes.pyd

Filesize
51KB

MD5
b20753336eeb12543da835965a712e55

SHA1
7861ea214d85ad9f68d396b09cab09f5fff980e0

SHA256
7b88bc27df5520b558b007dca400ad9eb1b9266dda7d3608aceace8e6b0d0347

SHA512
5c00218c41f65e195a6a822c92f12a4ce673ade75465f188715cd7adfc3573ee2ae4ef408135a14d53a2b8735427f6fe4aa009caf474b4ecfd006e16faeb8e2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31642\_hashlib.pyd

Filesize
18KB

MD5
86d7f50905b267f1a146c6978e33cfbc

SHA1
f366d8470f30f075c97a62d66548be2220cd757b

SHA256
3e11fdf01f42524baf5e7f1176490faa0a788c1b566ca71ee2934cd076f75963

SHA512
7aa2100d10fd1405d5116560e48a4a1ed6fa1945213fd8acbc5702731671399a3bd1c5bf013128ab08c432dace176a019e20a599c0f4083cf1b13b23e097a031

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31642\_hashlib.pyd

Filesize
18KB

MD5
86d7f50905b267f1a146c6978e33cfbc

SHA1
f366d8470f30f075c97a62d66548be2220cd757b

SHA256
3e11fdf01f42524baf5e7f1176490faa0a788c1b566ca71ee2934cd076f75963

SHA512
7aa2100d10fd1405d5116560e48a4a1ed6fa1945213fd8acbc5702731671399a3bd1c5bf013128ab08c432dace176a019e20a599c0f4083cf1b13b23e097a031

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31642\base_library.zip

Filesize
994KB

MD5
d0fb738eac579c43d036b17a07928e73

SHA1
14967396dc6983975a2b262355029f11688a0186

SHA256
2bf2219729adb15243bfb7bb47d6e326b2f9b2c3e16663b17e1fd1d99ca66bbd

SHA512
d92730db002fc42eb7b61409cbae7711e1078e0ba23a2266825fab70ff56e7f2eb75ff9960a187873f491f7d4ff6e7421d1123dde55cae6a7535b63c3604b5e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31642\libcrypto-1_1-x64.dll

Filesize
739KB

MD5
7b26d0c8a0ddbd60e8af40d7253491a4

SHA1
19c8b3c3d8f9753144c25038a738aff5ad68f780

SHA256
71d4b880f1d6647784c7302d3e761400789c692b3b9e5293e7f0aaa31afaf29e

SHA512
3c68e6e117d0eb08b18d466512c6f2a30ade66f9b943941a976f0814b84ff24367e13da9e74854a65ada51a626039705a9fb63072efbfcc87934e22c033d39f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31642\libcrypto-1_1-x64.dll

Filesize
739KB

MD5
7b26d0c8a0ddbd60e8af40d7253491a4

SHA1
19c8b3c3d8f9753144c25038a738aff5ad68f780

SHA256
71d4b880f1d6647784c7302d3e761400789c692b3b9e5293e7f0aaa31afaf29e

SHA512
3c68e6e117d0eb08b18d466512c6f2a30ade66f9b943941a976f0814b84ff24367e13da9e74854a65ada51a626039705a9fb63072efbfcc87934e22c033d39f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31642\python37.dll

Filesize
1.2MB

MD5
86eb9f7ac2793d5fba740fef8c5388b4

SHA1
f7b037368b5d0f794f468318701cd152f88ec18f

SHA256
97b6c267a56d35163ff97acf984e0c677b306386895ffe1977dfb5088dda0cf0

SHA512
c8e172d9ef518d52341359ec018d22f40e49f71579aa71e5d4afa95bca0e7cf40132050222c7bc894497a97e02f7bc1e30ba567a2d27fef9bde242c72787a86a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31642\python37.dll

Filesize
1.2MB

MD5
86eb9f7ac2793d5fba740fef8c5388b4

SHA1
f7b037368b5d0f794f468318701cd152f88ec18f

SHA256
97b6c267a56d35163ff97acf984e0c677b306386895ffe1977dfb5088dda0cf0

SHA512
c8e172d9ef518d52341359ec018d22f40e49f71579aa71e5d4afa95bca0e7cf40132050222c7bc894497a97e02f7bc1e30ba567a2d27fef9bde242c72787a86a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31642\ucrtbase.dll

Filesize
992KB

MD5
0e0bac3d1dcc1833eae4e3e4cf83c4ef

SHA1
4189f4459c54e69c6d3155a82524bda7549a75a6

SHA256
8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae

SHA512
a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31642\ucrtbase.dll

Filesize
992KB

MD5
0e0bac3d1dcc1833eae4e3e4cf83c4ef

SHA1
4189f4459c54e69c6d3155a82524bda7549a75a6

SHA256
8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae

SHA512
a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

Download Submit
memory/464-191-0x00007FFD1CB00000-0x00007FFD1CEEC000-memory.dmp

Filesize
3.9MB

Download
memory/464-199-0x00007FFD1D580000-0x00007FFD1D591000-memory.dmp

Filesize
68KB

Download
memory/464-196-0x00007FFD1D5A0000-0x00007FFD1D5C9000-memory.dmp

Filesize
164KB

Download
memory/464-201-0x00007FFD0E400000-0x00007FFD0E689000-memory.dmp

Filesize
2.5MB

Download
memory/464-202-0x000001A422B90000-0x000001A422B91000-memory.dmp

Filesize
4KB

Download
memory/464-203-0x00007FFD1CB00000-0x00007FFD1CEEC000-memory.dmp

Filesize
3.9MB

Download
memory/464-204-0x00007FFD1D5A0000-0x00007FFD1D5C9000-memory.dmp

Filesize
164KB

Download
memory/464-205-0x00007FFD1D580000-0x00007FFD1D591000-memory.dmp

Filesize
68KB

Download
memory/464-209-0x00007FFD0E400000-0x00007FFD0E689000-memory.dmp

Filesize
2.5MB

Download