cobaltstrike | c528e31aad8e88e0997d48c74b58014a02848dd897c5b17e8c806163992acd30

Analysis

max time kernel
422s
max time network
428s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2023 13:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

P2.dll
Size

121KB
MD5

cc69a31a067b62dda5f2076f8ee335e1
SHA1

7efb9b1f96810c195ad7976f86c8051c16faac8a
SHA256

c528e31aad8e88e0997d48c74b58014a02848dd897c5b17e8c806163992acd30
SHA512

21a61c4554240dc047a24d0dda263ff4ff4b9c307c1e7be850077240d9464cbab7af8dfafdc5bf191f570f77745360aef32a1d0b0862c05ae0e9e9d835ad0e2e
SSDEEP

3072:vNvdT8s5z+zW+EwiHdozduv2aureni7UygKmUXhkejTs59oY:vTv58Whw02duv2Ki7UqdTTQoY

Score

10^/10

cobaltstrike backdoor spyware stealer trojan

Malware Config

Extracted

Family

cobaltstrike

http://clouditsoft.com:8008/static-directory/mg.jpg

Attributes

user_agent
Host: clouditsoft.com Connection: close Accept-Encoding: gzip User-Agent: Mozilla/5.0 (Linux; Android 7.0; Pixel C Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

cmd.execmd.exe

description	pid	Process	procid_target
PID 3316 wrote to memory of 4252	3316	cmd.exe	117
PID 3316 wrote to memory of 4252	3316	cmd.exe	117
PID 3968 wrote to memory of 2352	3968	cmd.exe	127
PID 3968 wrote to memory of 2352	3968	cmd.exe	127

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\P2.dll
1⤵
PID:4444

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3316
- C:\Windows\system32\rundll32.exe
  rundll32 C:\Users\Admin\AppData\Local\Temp\P2.dll,DllRegisterServer
  2⤵
  PID:4252

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -Embedding
1⤵
PID:1380

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3968
- C:\Windows\system32\rundll32.exe
  rundll32 P2.dll,DllRegisterServer
  2⤵
  PID:2352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4444-0-0x0000000000A20000-0x0000000000A22000-memory.dmp

Filesize
8KB

Download