Analysis Overview
SHA256
db3933de41cba008e3734a5481c09a2f3cb74ef2f80caf4887ea28e955b16d67
Threat Level: Known bad
The file db3933de41cba008e3734a5481c09a2f3cb74ef2f80caf4887ea28e955b16d67 was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike
Suspicious use of NtSetInformationThreadHideFromDebugger
Unsigned PE
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2023-09-22 06:47
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2023-09-22 06:47
Reported
2023-09-22 06:50
Platform
win10v2004-20230915-en
Max time kernel
147s
Max time network
153s
Command Line
Signatures
Cobaltstrike
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\db3933de41cba008e3734a5481c09a2f3cb74ef2f80caf4887ea28e955b16d67.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\db3933de41cba008e3734a5481c09a2f3cb74ef2f80caf4887ea28e955b16d67.exe
"C:\Users\Admin\AppData\Local\Temp\db3933de41cba008e3734a5481c09a2f3cb74ef2f80caf4887ea28e955b16d67.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tesupdates.buzz | udp |
| US | 172.67.157.117:443 | tesupdates.buzz | tcp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 117.157.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 172.67.157.117:443 | tesupdates.buzz | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 54.120.234.20.in-addr.arpa | udp |
| US | 172.67.157.117:443 | tesupdates.buzz | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.178.238.8.in-addr.arpa | udp |
| US | 172.67.157.117:443 | tesupdates.buzz | tcp |
| US | 172.67.157.117:443 | tesupdates.buzz | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 172.67.157.117:443 | tesupdates.buzz | tcp |
| US | 172.67.157.117:443 | tesupdates.buzz | tcp |
| US | 8.8.8.8:53 | 194.98.74.40.in-addr.arpa | udp |
| US | 172.67.157.117:443 | tesupdates.buzz | tcp |
Files
memory/4364-0-0x00007FF81E9F0000-0x00007FF81EBE5000-memory.dmp
memory/4364-3-0x000002BD78710000-0x000002BD78711000-memory.dmp
memory/4364-2-0x000002BD78710000-0x000002BD78711000-memory.dmp
memory/4364-1-0x00007FF81D200000-0x00007FF81D2BE000-memory.dmp
memory/4364-5-0x000002BD7A2D0000-0x000002BD7A6D0000-memory.dmp
memory/4364-4-0x000002BD7A6D0000-0x000002BD7A756000-memory.dmp
memory/4364-6-0x000002BD7A6D0000-0x000002BD7A756000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2023-09-22 06:47
Reported
2023-09-22 06:50
Platform
win7-20230831-en
Max time kernel
133s
Max time network
137s
Command Line
Signatures
Cobaltstrike
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\db3933de41cba008e3734a5481c09a2f3cb74ef2f80caf4887ea28e955b16d67.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\db3933de41cba008e3734a5481c09a2f3cb74ef2f80caf4887ea28e955b16d67.exe
"C:\Users\Admin\AppData\Local\Temp\db3933de41cba008e3734a5481c09a2f3cb74ef2f80caf4887ea28e955b16d67.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tesupdates.buzz | udp |
| US | 104.21.74.110:443 | tesupdates.buzz | tcp |
| US | 104.21.74.110:443 | tesupdates.buzz | tcp |
| US | 104.21.74.110:443 | tesupdates.buzz | tcp |
| US | 104.21.74.110:443 | tesupdates.buzz | tcp |
| US | 104.21.74.110:443 | tesupdates.buzz | tcp |
| US | 104.21.74.110:443 | tesupdates.buzz | tcp |
| US | 104.21.74.110:443 | tesupdates.buzz | tcp |
Files
memory/2984-1-0x0000000077320000-0x00000000774C9000-memory.dmp
memory/2984-3-0x0000000077100000-0x000000007721F000-memory.dmp
memory/2984-4-0x0000000047DA0000-0x0000000047DA1000-memory.dmp
memory/2984-6-0x0000000047DA0000-0x0000000047DA1000-memory.dmp
memory/2984-7-0x00000000484C0000-0x0000000048546000-memory.dmp
memory/2984-8-0x00000000499B0000-0x0000000049DB0000-memory.dmp
memory/2984-9-0x00000000484C0000-0x0000000048546000-memory.dmp
memory/2984-10-0x0000000077320000-0x00000000774C9000-memory.dmp
memory/2984-11-0x0000000077100000-0x000000007721F000-memory.dmp
memory/2984-12-0x00000000499B0000-0x0000000049DB0000-memory.dmp