cobaltstrike | f119dd43f0f873bfe0c3f2912e89038dc399f4e0b523c04ff8b833a75463d6ac

Analysis

max time kernel
133s
max time network
142s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
02-11-2023 08:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f119dd43f0f873bfe0c3f2912e89038dc399f4e0b523c04ff8b833a75463d6ac.exe
Size

4.5MB
MD5

d593344cc80bf68277c95617b3230c71
SHA1

c985f61db0f30810a9e8f4b0bdd730e8157fafb0
SHA256

f119dd43f0f873bfe0c3f2912e89038dc399f4e0b523c04ff8b833a75463d6ac
SHA512

388a3396e2854297b37fdc37215bc9f2794e5d1e2cf37e41c4a985a1b148c5a4f824967cfab8ed90c76a85b4a553e76340b9403ff5f716404bed397bbd458b2f
SSDEEP

98304:Qb89HblvdIWXe+q2WWmQFnh+oFAZTAxidupkxk/w6S0f+:QbQ7dd9e+q2WWmQlh+ZZREEkRSV

Score

10^/10

cobaltstrike backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

http://192.168.249.138:23333/Pl6k

Attributes

user_agent
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Win64; x64; Trident/6.0; MDDCJS)

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Loads dropped DLL 3 IoCs

pid	Process
2656	f119dd43f0f873bfe0c3f2912e89038dc399f4e0b523c04ff8b833a75463d6ac.exe
2656	f119dd43f0f873bfe0c3f2912e89038dc399f4e0b523c04ff8b833a75463d6ac.exe
2656	f119dd43f0f873bfe0c3f2912e89038dc399f4e0b523c04ff8b833a75463d6ac.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: 35	2656	f119dd43f0f873bfe0c3f2912e89038dc399f4e0b523c04ff8b833a75463d6ac.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 2656	2004	f119dd43f0f873bfe0c3f2912e89038dc399f4e0b523c04ff8b833a75463d6ac.exe	29
PID 2004 wrote to memory of 2656	2004	f119dd43f0f873bfe0c3f2912e89038dc399f4e0b523c04ff8b833a75463d6ac.exe	29
PID 2004 wrote to memory of 2656	2004	f119dd43f0f873bfe0c3f2912e89038dc399f4e0b523c04ff8b833a75463d6ac.exe	29

C:\Users\Admin\AppData\Local\Temp\f119dd43f0f873bfe0c3f2912e89038dc399f4e0b523c04ff8b833a75463d6ac.exe
"C:\Users\Admin\AppData\Local\Temp\f119dd43f0f873bfe0c3f2912e89038dc399f4e0b523c04ff8b833a75463d6ac.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Users\Admin\AppData\Local\Temp\f119dd43f0f873bfe0c3f2912e89038dc399f4e0b523c04ff8b833a75463d6ac.exe
  "C:\Users\Admin\AppData\Local\Temp\f119dd43f0f873bfe0c3f2912e89038dc399f4e0b523c04ff8b833a75463d6ac.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:2656

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI20042\VCRUNTIME140.dll

Filesize
87KB

MD5
0e675d4a7a5b7ccd69013386793f68eb

SHA1
6e5821ddd8fea6681bda4448816f39984a33596b

SHA256
bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1

SHA512
cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20042\_ctypes.pyd

Filesize
130KB

MD5
9e18aca18e4ece1c187f8c0cd12a5c8f

SHA1
a8ba36a9eea969d722a9ae90139d4d59f643f951

SHA256
3351627469ea8965b08bafc9de18d1d890479357df6bc8917f7218535e02f211

SHA512
237b0ef23d0a91014581b94f5c7696da1ab3c1c3a51f6ffe10787c65dc4f5a90d1760e4088afc9acc27bae7f159a32fa3e7a9b15daba5950751932683e9373b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20042\base_library.zip

Filesize
996KB

MD5
13ebd688881ed66a91242b89137fa376

SHA1
d20ad0e47a71f1471a5f1dcd181be901c9673704

SHA256
48bbb95686314c56791345f176c7830d8f53c0fc40ed6b2b0685b63203e1c4af

SHA512
9a33466e930d554dd88e4c935b2882db278eca14dc2d438d2583e7a333a0dd093e9c5d06ea3e62f54865393386d8f425323ef0ba19842cf9fae5f72b075b3e89

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20042\python37.dll

Filesize
3.6MB

MD5
d558d4db5a6bd29a8b60b8aa46e5329a

SHA1
a5036009de7165b1b4721263eae4b240ee689095

SHA256
1cfdd40a9107d89310e4e3b6df5f25f26944b312e61638d014f1b1a8050ccc07

SHA512
5590fbd6c9c81293b21e9da9d35d5177f03ba3d247771e4abef3420420d9024f3a775796d73becd5aeb469df648d3105a016693c6b8f68e8c61399212439eebf

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI20042\VCRUNTIME140.dll

Filesize
87KB

MD5
0e675d4a7a5b7ccd69013386793f68eb

SHA1
6e5821ddd8fea6681bda4448816f39984a33596b

SHA256
bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1

SHA512
cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI20042\_ctypes.pyd

Filesize
130KB

MD5
9e18aca18e4ece1c187f8c0cd12a5c8f

SHA1
a8ba36a9eea969d722a9ae90139d4d59f643f951

SHA256
3351627469ea8965b08bafc9de18d1d890479357df6bc8917f7218535e02f211

SHA512
237b0ef23d0a91014581b94f5c7696da1ab3c1c3a51f6ffe10787c65dc4f5a90d1760e4088afc9acc27bae7f159a32fa3e7a9b15daba5950751932683e9373b3

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI20042\python37.dll

Filesize
3.6MB

MD5
d558d4db5a6bd29a8b60b8aa46e5329a

SHA1
a5036009de7165b1b4721263eae4b240ee689095

SHA256
1cfdd40a9107d89310e4e3b6df5f25f26944b312e61638d014f1b1a8050ccc07

SHA512
5590fbd6c9c81293b21e9da9d35d5177f03ba3d247771e4abef3420420d9024f3a775796d73becd5aeb469df648d3105a016693c6b8f68e8c61399212439eebf

Download Submit
memory/2656-25-0x0000000001E40000-0x0000000001E41000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads