cobaltstrike | 3d8fd5a322e0d6e9b1a5ee3fd4b222a25becbc02374d6195448d57875d9e75d4

Analysis

max time kernel
142s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
13/10/2023, 21:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3d8fd5a322e0d6e9b1a5ee3fd4b222a25becbc02374d6195448d57875d9e75d4.exe
Size

8.1MB
MD5

d3d7854b7af7463be8a2e215311b3030
SHA1

dda970b52bf2b42eaf3037fd2580171c84b0b30c
SHA256

3d8fd5a322e0d6e9b1a5ee3fd4b222a25becbc02374d6195448d57875d9e75d4
SHA512

36693c51d427d957c8dc07d2ada7510d92b6bb9566108977d6341740c6997b6855d8b08f78c99fa62b6fe830d5ae05aa591d9ec7b82b6e8b5e04423e3c23f0dd
SSDEEP

196608:aPJXy/O1OEHKO/v78j8KQPl0qednVd6e8FouR6jCC:oJXQO1OEHKIv78joPUnblGdRCx

Score

10^/10

cobaltstrike backdoor pyinstaller trojan

Malware Config

Extracted

Family

cobaltstrike

http://121.40.66.171:85/djZ5

Attributes

user_agent
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0; MASP)

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	3d8fd5a322e0d6e9b1a5ee3fd4b222a25becbc02374d6195448d57875d9e75d4.exe

Executes dropped EXE 2 IoCs

pid	Process
3908	winUpdate.exe
1044	winUpdate.exe

Loads dropped DLL 13 IoCs

pid	Process
1044	winUpdate.exe
1044	winUpdate.exe
1044	winUpdate.exe
1044	winUpdate.exe
1044	winUpdate.exe
1044	winUpdate.exe
1044	winUpdate.exe
1044	winUpdate.exe
1044	winUpdate.exe
1044	winUpdate.exe
1044	winUpdate.exe
1044	winUpdate.exe
1044	winUpdate.exe

Detects Pyinstaller 4 IoCs

pyinstaller

resource	yara_rule
behavioral2/files/0x00090000000231c4-6.dat	pyinstaller
behavioral2/files/0x00090000000231c4-9.dat	pyinstaller
behavioral2/files/0x00090000000231c4-10.dat	pyinstaller
behavioral2/files/0x00090000000231c4-39.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3056 wrote to memory of 3908	3056	3d8fd5a322e0d6e9b1a5ee3fd4b222a25becbc02374d6195448d57875d9e75d4.exe	87
PID 3056 wrote to memory of 3908	3056	3d8fd5a322e0d6e9b1a5ee3fd4b222a25becbc02374d6195448d57875d9e75d4.exe	87
PID 3908 wrote to memory of 1044	3908	winUpdate.exe	89
PID 3908 wrote to memory of 1044	3908	winUpdate.exe	89

C:\Users\Admin\AppData\Local\Temp\3d8fd5a322e0d6e9b1a5ee3fd4b222a25becbc02374d6195448d57875d9e75d4.exe
"C:\Users\Admin\AppData\Local\Temp\3d8fd5a322e0d6e9b1a5ee3fd4b222a25becbc02374d6195448d57875d9e75d4.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3056
- C:\windows\temp\winUpdate.exe
  "C:\windows\temp\winUpdate.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3908
- - C:\windows\temp\winUpdate.exe
    "C:\windows\temp\winUpdate.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI39082\VCRUNTIME140.dll

Filesize
99KB

MD5
8697c106593e93c11adc34faa483c4a0

SHA1
cd080c51a97aa288ce6394d6c029c06ccb783790

SHA256
ff43e813785ee948a937b642b03050bb4b1c6a5e23049646b891a66f65d4c833

SHA512
724bbed7ce6f7506e5d0b43399fb3861dda6457a2ad2fafe734f8921c9a4393b480cdd8a435dbdbd188b90236cb98583d5d005e24fa80b5a0622a6322e6f3987

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\VCRUNTIME140.dll

Filesize
99KB

MD5
8697c106593e93c11adc34faa483c4a0

SHA1
cd080c51a97aa288ce6394d6c029c06ccb783790

SHA256
ff43e813785ee948a937b642b03050bb4b1c6a5e23049646b891a66f65d4c833

SHA512
724bbed7ce6f7506e5d0b43399fb3861dda6457a2ad2fafe734f8921c9a4393b480cdd8a435dbdbd188b90236cb98583d5d005e24fa80b5a0622a6322e6f3987

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\_cffi_backend.cp38-win_amd64.pyd

Filesize
178KB

MD5
619d3a9aae2d8950e7c301961f9a690d

SHA1
45ad21bde1388fe90aa96b78ad145774b4fb0a41

SHA256
04912a0afce079849a46b2df70b43877d1c5f001d764e16ad0e6cac258050b7a

SHA512
69034d87545e72033f887bc63a2c85c2efc732ee5d7d6e7bd0ecede81e5c0e5ff6e7d0f881205e9872085bf61f332143e847ed9c301750e4fceb2e7dc0525923

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\_cffi_backend.cp38-win_amd64.pyd

Filesize
178KB

MD5
619d3a9aae2d8950e7c301961f9a690d

SHA1
45ad21bde1388fe90aa96b78ad145774b4fb0a41

SHA256
04912a0afce079849a46b2df70b43877d1c5f001d764e16ad0e6cac258050b7a

SHA512
69034d87545e72033f887bc63a2c85c2efc732ee5d7d6e7bd0ecede81e5c0e5ff6e7d0f881205e9872085bf61f332143e847ed9c301750e4fceb2e7dc0525923

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\_ctypes.pyd

Filesize
123KB

MD5
4d13a7b3ecc8c7dc96a0424c465d7251

SHA1
0c72f7259ac9108d956aede40b6fcdf3a3943cb5

SHA256
2995ef03e784c68649fa7898979cbb2c1737f691348fae15f325d9fc524df8ed

SHA512
68ff7c421007d63a970269089afb39c949d6cf9f4d56aff7e4e0b88d3c43cfaa352364c5326523386c00727cc36e64274a51b5dbb3a343b16201cf5fc264fec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\_ctypes.pyd

Filesize
123KB

MD5
4d13a7b3ecc8c7dc96a0424c465d7251

SHA1
0c72f7259ac9108d956aede40b6fcdf3a3943cb5

SHA256
2995ef03e784c68649fa7898979cbb2c1737f691348fae15f325d9fc524df8ed

SHA512
68ff7c421007d63a970269089afb39c949d6cf9f4d56aff7e4e0b88d3c43cfaa352364c5326523386c00727cc36e64274a51b5dbb3a343b16201cf5fc264fec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\_hashlib.pyd

Filesize
45KB

MD5
496cde3c381c8e33186354631dfad0f1

SHA1
cbdb280ecb54469fd1987b9eff666d519e20249f

SHA256
f9548e3b71764ac99efb988e4daac249e300eb629c58d2a341b753299180c679

SHA512
f7245eb24f2b6d8bc22f876d6abb90e77db46bf0e5ab367f2e02e4ca936c898a5a14d843235adc5502f6d74715da0b93d86222e8dec592ae41ab59d56432bf4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\_hashlib.pyd

Filesize
45KB

MD5
496cde3c381c8e33186354631dfad0f1

SHA1
cbdb280ecb54469fd1987b9eff666d519e20249f

SHA256
f9548e3b71764ac99efb988e4daac249e300eb629c58d2a341b753299180c679

SHA512
f7245eb24f2b6d8bc22f876d6abb90e77db46bf0e5ab367f2e02e4ca936c898a5a14d843235adc5502f6d74715da0b93d86222e8dec592ae41ab59d56432bf4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\_socket.pyd

Filesize
77KB

MD5
eb974aeda30d7478bb800bb4c5fbc0a2

SHA1
c5b7bc326bd003d42bcf620d657cac3f46f9d566

SHA256
1db7b4f6ae31c4d35ef874eb328f735c96a2457677a3119e9544ee2a79bc1016

SHA512
f9eea3636371ba508d563cf21541a21879ce50a5666e419ecfd74255c8decc3ae5e2ceb4a8f066ae519101dd71a116335a359e3343e8b2ff3884812099ae9b1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\_socket.pyd

Filesize
77KB

MD5
eb974aeda30d7478bb800bb4c5fbc0a2

SHA1
c5b7bc326bd003d42bcf620d657cac3f46f9d566

SHA256
1db7b4f6ae31c4d35ef874eb328f735c96a2457677a3119e9544ee2a79bc1016

SHA512
f9eea3636371ba508d563cf21541a21879ce50a5666e419ecfd74255c8decc3ae5e2ceb4a8f066ae519101dd71a116335a359e3343e8b2ff3884812099ae9b1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\base_library.zip

Filesize
1006KB

MD5
9bedba3505f23eb63b726702065dbf7f

SHA1
84e12b5785dc9c1247407f117b8db2b4f4fc61ec

SHA256
1005646cddefe2c6979bcab609a66d2fc4371ae55f028563e5fa765c037ea013

SHA512
84ac0b10738e7263546bc91774ecf9722f87f6407dff8e017a6eb3b8e9c9faf88f226b14c93dd0fc1325acb85d98690dbc06d2380164cb14bede0334950263df

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\bcrypt\_bcrypt.pyd

Filesize
294KB

MD5
03ef5e8da65667751e1fd3fa0c182d3e

SHA1
4608d1efca23143006c1338deda144a2f3bb8a16

SHA256
3d1c66bdcb4fa0b8e917895e1b4d62ee14260eaa1bd6fe908877c47585ec6127

SHA512
c094a3dfbd863726524c56dab2592b3513a3a8c445bcaac6cfb41a5ddec3079d9b1f849c6826c1cc4241ca8b0aa44e33d2502bb20856313966af31f480ba8811

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\bcrypt\_bcrypt.pyd

Filesize
294KB

MD5
03ef5e8da65667751e1fd3fa0c182d3e

SHA1
4608d1efca23143006c1338deda144a2f3bb8a16

SHA256
3d1c66bdcb4fa0b8e917895e1b4d62ee14260eaa1bd6fe908877c47585ec6127

SHA512
c094a3dfbd863726524c56dab2592b3513a3a8c445bcaac6cfb41a5ddec3079d9b1f849c6826c1cc4241ca8b0aa44e33d2502bb20856313966af31f480ba8811

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\cryptography\hazmat\bindings\_openssl.pyd

Filesize
2.9MB

MD5
4c0ad2eb9d030a088d00e90d2c57cbe9

SHA1
83710a36227ce0a277094c902f15a8aa365cec18

SHA256
dec59340c5854502551980c0ff1e013897d68be237e7c38ba9ee80c96d3ef7cd

SHA512
018e7236f9fe76ef124ff0b65d8832c47480bd31b40f435163566706cafaa326b5b234024c08afe80262b87c00310dc6bfa175a36c9f9d0d9a77040998f72f73

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\cryptography\hazmat\bindings\_openssl.pyd

Filesize
2.9MB

MD5
4c0ad2eb9d030a088d00e90d2c57cbe9

SHA1
83710a36227ce0a277094c902f15a8aa365cec18

SHA256
dec59340c5854502551980c0ff1e013897d68be237e7c38ba9ee80c96d3ef7cd

SHA512
018e7236f9fe76ef124ff0b65d8832c47480bd31b40f435163566706cafaa326b5b234024c08afe80262b87c00310dc6bfa175a36c9f9d0d9a77040998f72f73

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\cryptography\hazmat\bindings\_rust.pyd

Filesize
1.8MB

MD5
4da297b15026197ab45cb5eadd60d2df

SHA1
dac6196e00a505f79156975866c7ca9389ac07ee

SHA256
fdc01f1c3eb583f060c8cc2be5753da86b55c5672174ba2ee9876e1bbcd54856

SHA512
c3cc8ba8fead48a6d58bb8e35e9f2c656c2c3433e1bd8cd4eb8726e9e9644345bdd2599a95b82111cff6d9d74c48bc6db7e91594dd5bc92d865a104ececc2aec

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\cryptography\hazmat\bindings\_rust.pyd

Filesize
1.8MB

MD5
4da297b15026197ab45cb5eadd60d2df

SHA1
dac6196e00a505f79156975866c7ca9389ac07ee

SHA256
fdc01f1c3eb583f060c8cc2be5753da86b55c5672174ba2ee9876e1bbcd54856

SHA512
c3cc8ba8fead48a6d58bb8e35e9f2c656c2c3433e1bd8cd4eb8726e9e9644345bdd2599a95b82111cff6d9d74c48bc6db7e91594dd5bc92d865a104ececc2aec

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\libcrypto-1_1.dll

Filesize
3.2MB

MD5
cc4cbf715966cdcad95a1e6c95592b3d

SHA1
d5873fea9c084bcc753d1c93b2d0716257bea7c3

SHA256
594303e2ce6a4a02439054c84592791bf4ab0b7c12e9bbdb4b040e27251521f1

SHA512
3b5af9fbbc915d172648c2b0b513b5d2151f940ccf54c23148cd303e6660395f180981b148202bef76f5209acc53b8953b1cb067546f90389a6aa300c1fbe477

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\libcrypto-1_1.dll

Filesize
3.2MB

MD5
cc4cbf715966cdcad95a1e6c95592b3d

SHA1
d5873fea9c084bcc753d1c93b2d0716257bea7c3

SHA256
594303e2ce6a4a02439054c84592791bf4ab0b7c12e9bbdb4b040e27251521f1

SHA512
3b5af9fbbc915d172648c2b0b513b5d2151f940ccf54c23148cd303e6660395f180981b148202bef76f5209acc53b8953b1cb067546f90389a6aa300c1fbe477

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\python3.DLL

Filesize
57KB

MD5
6c3e8a99ec9f235075a349b6bae9f5c5

SHA1
82233e99b5ace28889671b8ce0ab7e88ef1aee1f

SHA256
5039f5b1e44f14a6f3939e17eeda56818ca0cecacfdf978f903a349abbcea23b

SHA512
c37716f63f70e68ef875a6dbeb668d9289b921ed530aa59429e7e3321ac45a507ceec1f2ef5af7840052bec76dc1b638e277b04328b4aa51ac1fb4aaffee9554

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\python3.dll

Filesize
57KB

MD5
6c3e8a99ec9f235075a349b6bae9f5c5

SHA1
82233e99b5ace28889671b8ce0ab7e88ef1aee1f

SHA256
5039f5b1e44f14a6f3939e17eeda56818ca0cecacfdf978f903a349abbcea23b

SHA512
c37716f63f70e68ef875a6dbeb668d9289b921ed530aa59429e7e3321ac45a507ceec1f2ef5af7840052bec76dc1b638e277b04328b4aa51ac1fb4aaffee9554

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\python38.dll

Filesize
4.0MB

MD5
3cd1e87aeb3d0037d52c8e51030e1084

SHA1
49ecd5f6a55f26b0fb3aeb4929868b93cc4ec8af

SHA256
13f7c38dc27777a507d4b7f0bd95d9b359925f6f5bf8d0465fe91e0976b610c8

SHA512
497e48a379885fdd69a770012e31cd2a62536953e317bb28e3a50fdb177e202f8869ea58fc11802909cabb0552d8c8850537e9fb4ead7dd14a99f67283182340

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\python38.dll

Filesize
4.0MB

MD5
3cd1e87aeb3d0037d52c8e51030e1084

SHA1
49ecd5f6a55f26b0fb3aeb4929868b93cc4ec8af

SHA256
13f7c38dc27777a507d4b7f0bd95d9b359925f6f5bf8d0465fe91e0976b610c8

SHA512
497e48a379885fdd69a770012e31cd2a62536953e317bb28e3a50fdb177e202f8869ea58fc11802909cabb0552d8c8850537e9fb4ead7dd14a99f67283182340

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\select.pyd

Filesize
26KB

MD5
08b499ae297c5579ba05ea87c31aff5b

SHA1
4a1a9f1bf41c284e9c5a822f7d018f8edc461422

SHA256
940fb90fd78b5be4d72279dcf9c24a8b1fcf73999f39909980b12565a7921281

SHA512
ab26f4f80449aa9cc24e68344fc89aeb25d5ba5aae15aeed59a804216825818edfe31c7fda837a93a6db4068ccfb1cc7e99173a80bd9dda33bfb2d3b5937d7e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\select.pyd

Filesize
26KB

MD5
08b499ae297c5579ba05ea87c31aff5b

SHA1
4a1a9f1bf41c284e9c5a822f7d018f8edc461422

SHA256
940fb90fd78b5be4d72279dcf9c24a8b1fcf73999f39909980b12565a7921281

SHA512
ab26f4f80449aa9cc24e68344fc89aeb25d5ba5aae15aeed59a804216825818edfe31c7fda837a93a6db4068ccfb1cc7e99173a80bd9dda33bfb2d3b5937d7e9

Download Submit
C:\Windows\Temp\winUpdate.exe

Filesize
7.7MB

MD5
d9ebda63b28abea69f595e9b24206f1e

SHA1
86d5258e9e18260d6f271c6b7881dbbbae2c09d3

SHA256
c803e6a1ed2937f5d0f173bd7da2d45b53697f55c38fa65cf592d9d5ce1f46a7

SHA512
707b0d4aa6928bae705a03aceb548e2aebe98926e0326167d249b403ee20c97746a3db29ba6a58df0bee14f26aa9bfa0877731bddbf699d5136791ff65e87591

Download Submit
C:\Windows\Temp\winUpdate.exe

Filesize
7.7MB

MD5
d9ebda63b28abea69f595e9b24206f1e

SHA1
86d5258e9e18260d6f271c6b7881dbbbae2c09d3

SHA256
c803e6a1ed2937f5d0f173bd7da2d45b53697f55c38fa65cf592d9d5ce1f46a7

SHA512
707b0d4aa6928bae705a03aceb548e2aebe98926e0326167d249b403ee20c97746a3db29ba6a58df0bee14f26aa9bfa0877731bddbf699d5136791ff65e87591

Download Submit
C:\Windows\Temp\winUpdate.exe

Filesize
7.7MB

MD5
d9ebda63b28abea69f595e9b24206f1e

SHA1
86d5258e9e18260d6f271c6b7881dbbbae2c09d3

SHA256
c803e6a1ed2937f5d0f173bd7da2d45b53697f55c38fa65cf592d9d5ce1f46a7

SHA512
707b0d4aa6928bae705a03aceb548e2aebe98926e0326167d249b403ee20c97746a3db29ba6a58df0bee14f26aa9bfa0877731bddbf699d5136791ff65e87591

Download Submit
C:\windows\temp\winUpdate.exe

Filesize
7.7MB

MD5
d9ebda63b28abea69f595e9b24206f1e

SHA1
86d5258e9e18260d6f271c6b7881dbbbae2c09d3

SHA256
c803e6a1ed2937f5d0f173bd7da2d45b53697f55c38fa65cf592d9d5ce1f46a7

SHA512
707b0d4aa6928bae705a03aceb548e2aebe98926e0326167d249b403ee20c97746a3db29ba6a58df0bee14f26aa9bfa0877731bddbf699d5136791ff65e87591

Download Submit
memory/1044-67-0x000001D26E6B0000-0x000001D26E6B1000-memory.dmp

Filesize
4KB

Download