cobaltstrike | c528e31aad8e88e0997d48c74b58014a02848dd897c5b17e8c806163992acd30

Analysis

max time kernel
605s
max time network
618s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11-10-2023 13:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

P2.dll
Size

121KB
MD5

cc69a31a067b62dda5f2076f8ee335e1
SHA1

7efb9b1f96810c195ad7976f86c8051c16faac8a
SHA256

c528e31aad8e88e0997d48c74b58014a02848dd897c5b17e8c806163992acd30
SHA512

21a61c4554240dc047a24d0dda263ff4ff4b9c307c1e7be850077240d9464cbab7af8dfafdc5bf191f570f77745360aef32a1d0b0862c05ae0e9e9d835ad0e2e
SSDEEP

3072:vNvdT8s5z+zW+EwiHdozduv2aureni7UygKmUXhkejTs59oY:vTv58Whw02duv2Ki7UqdTTQoY

Score

10^/10

cobaltstrike backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

http://clouditsoft.com:8008/static-directory/mg.jpg

Attributes

user_agent
Host: clouditsoft.com Connection: close Accept-Encoding: gzip User-Agent: Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Loads dropped DLL 4 IoCs

Processes:

rundll32.exe

pid process

2028 rundll32.exe
2028 rundll32.exe
2028 rundll32.exe
2028 rundll32.exe

pid	process
2028	rundll32.exe
2028	rundll32.exe
2028	rundll32.exe
2028	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 1796 wrote to memory of 2028	1796	cmd.exe	rundll32.exe
PID 1796 wrote to memory of 2028	1796	cmd.exe	rundll32.exe
PID 1796 wrote to memory of 2028	1796	cmd.exe	rundll32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\P2.dll
1⤵
PID:2840

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:1080

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1796

C:\Windows\system32\rundll32.exe
rundll32 C:\ProgramData\P2.dll,DllRegisterServer
2⤵
- Loads dropped DLL
PID:2028

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\P2.dll
Filesize
121KB

MD5
cc69a31a067b62dda5f2076f8ee335e1

SHA1
7efb9b1f96810c195ad7976f86c8051c16faac8a

SHA256
c528e31aad8e88e0997d48c74b58014a02848dd897c5b17e8c806163992acd30

SHA512
21a61c4554240dc047a24d0dda263ff4ff4b9c307c1e7be850077240d9464cbab7af8dfafdc5bf191f570f77745360aef32a1d0b0862c05ae0e9e9d835ad0e2e

Download Submit
\ProgramData\P2.dll
Filesize
121KB

MD5
cc69a31a067b62dda5f2076f8ee335e1

SHA1
7efb9b1f96810c195ad7976f86c8051c16faac8a

SHA256
c528e31aad8e88e0997d48c74b58014a02848dd897c5b17e8c806163992acd30

SHA512
21a61c4554240dc047a24d0dda263ff4ff4b9c307c1e7be850077240d9464cbab7af8dfafdc5bf191f570f77745360aef32a1d0b0862c05ae0e9e9d835ad0e2e

Download Submit
\ProgramData\P2.dll
Filesize
121KB

MD5
cc69a31a067b62dda5f2076f8ee335e1

SHA1
7efb9b1f96810c195ad7976f86c8051c16faac8a

SHA256
c528e31aad8e88e0997d48c74b58014a02848dd897c5b17e8c806163992acd30

SHA512
21a61c4554240dc047a24d0dda263ff4ff4b9c307c1e7be850077240d9464cbab7af8dfafdc5bf191f570f77745360aef32a1d0b0862c05ae0e9e9d835ad0e2e

Download Submit
\ProgramData\P2.dll
Filesize
121KB

MD5
cc69a31a067b62dda5f2076f8ee335e1

SHA1
7efb9b1f96810c195ad7976f86c8051c16faac8a

SHA256
c528e31aad8e88e0997d48c74b58014a02848dd897c5b17e8c806163992acd30

SHA512
21a61c4554240dc047a24d0dda263ff4ff4b9c307c1e7be850077240d9464cbab7af8dfafdc5bf191f570f77745360aef32a1d0b0862c05ae0e9e9d835ad0e2e

Download Submit
\ProgramData\P2.dll
Filesize
121KB

MD5
cc69a31a067b62dda5f2076f8ee335e1

SHA1
7efb9b1f96810c195ad7976f86c8051c16faac8a

SHA256
c528e31aad8e88e0997d48c74b58014a02848dd897c5b17e8c806163992acd30

SHA512
21a61c4554240dc047a24d0dda263ff4ff4b9c307c1e7be850077240d9464cbab7af8dfafdc5bf191f570f77745360aef32a1d0b0862c05ae0e9e9d835ad0e2e

Download Submit
memory/2840-0-0x0000000000110000-0x0000000000112000-memory.dmp

Filesize
8KB

Download