cobaltstrike | 8a2a797fa66a63d17fac6e0b76ad9f03f4702f6d4748aa22dd1e6e2f78a03729

Analysis

max time kernel
143s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
20/09/2023, 06:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8a2a797fa66a63d17fac6e0b76ad9f03f4702f6d4748aa22dd1e6e2f78a03729.exe
Size

5.6MB
MD5

f10cfe3dbb63e07c9b8cff968cfc73e8
SHA1

4995e8e297a7f446f236dde678a5febaf06618e2
SHA256

8a2a797fa66a63d17fac6e0b76ad9f03f4702f6d4748aa22dd1e6e2f78a03729
SHA512

2bd3ae19dff68b8b0aabd508a2fd9d90dd40ff1452ae60f071580c3361d48b12a52e98a89f0eaba9e430b87d7dc0503af896308d5f505503c253ef9d98f528e3
SSDEEP

98304:x38ZUfsqjMy8pzoLLJ3TbwaVvrZE0I8Gsmr+qK9QRdJOFFMFa+JsHL/jZYiUWLYT:x34QjMy89onJ5hrZEThbJMFj+WPZYiZC

Score

10^/10

cobaltstrike backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

http://1.116.127.12:9999/m4Lp

Attributes

user_agent
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0; MASP)

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Loads dropped DLL 5 IoCs

pid	Process
1888	8a2a797fa66a63d17fac6e0b76ad9f03f4702f6d4748aa22dd1e6e2f78a03729.exe
1888	8a2a797fa66a63d17fac6e0b76ad9f03f4702f6d4748aa22dd1e6e2f78a03729.exe
1888	8a2a797fa66a63d17fac6e0b76ad9f03f4702f6d4748aa22dd1e6e2f78a03729.exe
1888	8a2a797fa66a63d17fac6e0b76ad9f03f4702f6d4748aa22dd1e6e2f78a03729.exe
1888	8a2a797fa66a63d17fac6e0b76ad9f03f4702f6d4748aa22dd1e6e2f78a03729.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: 35	1888	8a2a797fa66a63d17fac6e0b76ad9f03f4702f6d4748aa22dd1e6e2f78a03729.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4832 wrote to memory of 1888	4832	8a2a797fa66a63d17fac6e0b76ad9f03f4702f6d4748aa22dd1e6e2f78a03729.exe	88
PID 4832 wrote to memory of 1888	4832	8a2a797fa66a63d17fac6e0b76ad9f03f4702f6d4748aa22dd1e6e2f78a03729.exe	88

C:\Users\Admin\AppData\Local\Temp\8a2a797fa66a63d17fac6e0b76ad9f03f4702f6d4748aa22dd1e6e2f78a03729.exe
"C:\Users\Admin\AppData\Local\Temp\8a2a797fa66a63d17fac6e0b76ad9f03f4702f6d4748aa22dd1e6e2f78a03729.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4832
- C:\Users\Admin\AppData\Local\Temp\8a2a797fa66a63d17fac6e0b76ad9f03f4702f6d4748aa22dd1e6e2f78a03729.exe
  "C:\Users\Admin\AppData\Local\Temp\8a2a797fa66a63d17fac6e0b76ad9f03f4702f6d4748aa22dd1e6e2f78a03729.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:1888

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI48322\VCRUNTIME140.dll

Filesize
83KB

MD5
0c583614eb8ffb4c8c2d9e9880220f1d

SHA1
0b7fca03a971a0d3b0776698b51f62bca5043e4d

SHA256
6cadb4fef773c23b511acc8b715a084815c6e41dd8c694bc70090a97b3b03fb9

SHA512
79bbf50e38e358e492f24fe0923824d02f4b831336dae9572540af1ae7df162457d08de13e720f180309d537667bc1b108bdd782af84356562cca44d3e9e3b64

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48322\VCRUNTIME140.dll

Filesize
83KB

MD5
0c583614eb8ffb4c8c2d9e9880220f1d

SHA1
0b7fca03a971a0d3b0776698b51f62bca5043e4d

SHA256
6cadb4fef773c23b511acc8b715a084815c6e41dd8c694bc70090a97b3b03fb9

SHA512
79bbf50e38e358e492f24fe0923824d02f4b831336dae9572540af1ae7df162457d08de13e720f180309d537667bc1b108bdd782af84356562cca44d3e9e3b64

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48322\_ctypes.pyd

Filesize
131KB

MD5
bbf539c8cbd17225a8d596e037695fb6

SHA1
015b8903e8e83363c56c628d22cdd4c1466b0c4a

SHA256
ad503c075de4a19058d9232e4151f97e60d4cea76fe8dd0d5ac8b4a73074a603

SHA512
0533b0def1f6b516018de090ef11c4a04442a038f21c6d509d7f556cd764aaab16b58448b0afe7e32330dec594ac86f3ca091adcea531e664b33e228cbeb4ad7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48322\_ctypes.pyd

Filesize
131KB

MD5
bbf539c8cbd17225a8d596e037695fb6

SHA1
015b8903e8e83363c56c628d22cdd4c1466b0c4a

SHA256
ad503c075de4a19058d9232e4151f97e60d4cea76fe8dd0d5ac8b4a73074a603

SHA512
0533b0def1f6b516018de090ef11c4a04442a038f21c6d509d7f556cd764aaab16b58448b0afe7e32330dec594ac86f3ca091adcea531e664b33e228cbeb4ad7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48322\base_library.zip

Filesize
1000KB

MD5
3a2164a9bcaaffa5e716ca3eecb7bb6b

SHA1
20070472e67f1f0879b35f2d91516d69c671c95b

SHA256
b19c7e741f650ab179f5daa650844670e5bef71daa8dabac48183dd92de033d9

SHA512
b3aa0fc8255ead86b916213933b673d80dc33b8fb32dea8ff177f6b19d8705cd15975ddcbde3ab7427d940da67ee505dd95d65662aa2a8e73cbbecafe33ffcc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48322\python37.dll

Filesize
3.6MB

MD5
d8a6dff4f79e66c2b05c3528b902f6fc

SHA1
62989fccc089f70cc3994a3352dfb222e8a07023

SHA256
b6166f6072f795c2bec5421cc3c762f0731d1aeb4b08c06f75e7d119e1256f72

SHA512
f3e819f57114ba2f05db64deb353d0af79cda0943887ce1fa669ecb7204ec5bae263f9cd5cbebc7ab73b8418cb3c9a3badfc6a377ff9dbc4a48e588f4d461359

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48322\python37.dll

Filesize
3.6MB

MD5
d8a6dff4f79e66c2b05c3528b902f6fc

SHA1
62989fccc089f70cc3994a3352dfb222e8a07023

SHA256
b6166f6072f795c2bec5421cc3c762f0731d1aeb4b08c06f75e7d119e1256f72

SHA512
f3e819f57114ba2f05db64deb353d0af79cda0943887ce1fa669ecb7204ec5bae263f9cd5cbebc7ab73b8418cb3c9a3badfc6a377ff9dbc4a48e588f4d461359

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48322\tinyaes.cp37-win_amd64.pyd

Filesize
32KB

MD5
af7fff77c4e4fd2365b8315c4f5f7193

SHA1
cf070ad539c543e5a02ada7f48cb48c9c9af0e40

SHA256
e8d645671929b9b63288ef1668725a3e91da6c548904ad42e6f13a2fe46cd1cc

SHA512
0dbc9c703ebfafb9d6bfe4793f7ffa366c573846e8f1e1383e9d03812fd64a6ebb0e8af01f34ad956b14a6222e18c617672eabe2f3265d31851d2c53fedc8402

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48322\tinyaes.cp37-win_amd64.pyd

Filesize
32KB

MD5
af7fff77c4e4fd2365b8315c4f5f7193

SHA1
cf070ad539c543e5a02ada7f48cb48c9c9af0e40

SHA256
e8d645671929b9b63288ef1668725a3e91da6c548904ad42e6f13a2fe46cd1cc

SHA512
0dbc9c703ebfafb9d6bfe4793f7ffa366c573846e8f1e1383e9d03812fd64a6ebb0e8af01f34ad956b14a6222e18c617672eabe2f3265d31851d2c53fedc8402

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48322\ucrtbase.dll

Filesize
1011KB

MD5
849959a003fa63c5a42ae87929fcd18b

SHA1
d1b80b3265e31a2b5d8d7da6183146bbd5fb791b

SHA256
6238cbfe9f57c142b75e153c399c478d492252fda8cb40ee539c2dcb0f2eb232

SHA512
64958dabdb94d21b59254c2f074db5d51e914ddbc8437452115dff369b0c134e50462c3fdbbc14b6fa809a6ee19ab2fb83d654061601cc175cddcb7d74778e09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48322\ucrtbase.dll

Filesize
1011KB

MD5
849959a003fa63c5a42ae87929fcd18b

SHA1
d1b80b3265e31a2b5d8d7da6183146bbd5fb791b

SHA256
6238cbfe9f57c142b75e153c399c478d492252fda8cb40ee539c2dcb0f2eb232

SHA512
64958dabdb94d21b59254c2f074db5d51e914ddbc8437452115dff369b0c134e50462c3fdbbc14b6fa809a6ee19ab2fb83d654061601cc175cddcb7d74778e09

Download Submit
memory/1888-64-0x0000028B76F80000-0x0000028B76F81000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads