Overview

overview

10

Static

static

3

2627e62ef9...61.exe

windows7-x64

10

2627e62ef9...61.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231127-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-12-2023 04:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2627e62ef99a8e19dd991eed8d15deb085b5e778487a928090ad13bd45069061.exe

  • Size

    2.3MB

  • MD5

    69f3fda64fbbbaebde912ed49ee44ce7

  • SHA1

    0303932a9c3688cbb34352981e07ff11ccb0c4cd

  • SHA256

    2627e62ef99a8e19dd991eed8d15deb085b5e778487a928090ad13bd45069061

  • SHA512

    652e227bdce3e6d26d40782190b50bb0dbd33d79c898750feb2622c09309d5909fcf806cdbb63dad6cb7d74b12a2a2653c6b955fba5e8b2f0d761bd756c5b479

  • SSDEEP

    12288:XN9LWJU0w0B/M+jwjD8B5Gh4lwpuvfaZoOMNaDbtiXhvGHLK7QujFJq6kNiEenaU:z0B/M+0MNOMNaDbuGKmNS8ez9RHvLe

Score
10/10
cobaltstrike0100000backdoortrojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

100000

C2

http://192.168.85.150:802/ga.js

Attributes
  • access_type

    512

  • host

    192.168.85.150,/ga.js

  • http_header1

    AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_header2

    AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_method1

    GET

  • http_method2

    POST

  • polling_time

    60000

  • port_number

    802

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCyJWRHvQ7zGxRZmXCP6K2fD+5YRc97e8mA+baf2IOzfBB1NU5iviAinQ0HJiDqvfA63f4rA4rLxTYS8Eyf/knmt7dtEooliJC/Nx2EebHb3+aOaOqEY76oSWO/vmIzbGNqhaXQ0fo/c8Wn0hS4f0HufciRjPmoPETK+wJTDKWQUQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4096

  • unknown2

    AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /submit.php

  • user_agent

    Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; BOIE9;ENUSMSE)

  • watermark

    100000

Extracted

Family

cobaltstrike

Botnet

0

Attributes
  • watermark

    0

Signatures

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

    trojanbackdoorcobaltstrike
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2627e62ef99a8e19dd991eed8d15deb085b5e778487a928090ad13bd45069061.exe
    "C:\Users\Admin\AppData\Local\Temp\2627e62ef99a8e19dd991eed8d15deb085b5e778487a928090ad13bd45069061.exe"
    1⤵
      PID:2284
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
      1⤵
        PID:3332
      • C:\Windows\System32\svchost.exe
        C:\Windows\System32\svchost.exe -k UnistackSvcGroup
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4792

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm
        Filesize

        16KB

        MD5

        7afc9e5c7f62d81bded3dd253ea09b7b

        SHA1

        42e77937fc52e52727caa8a84d780a59eb777365

        SHA256

        7b9e617f1eb7c272d5777a2cde67a5a1174535a0d2d8e409db5c7581098a77d5

        SHA512

        b605e5cfa5ec84db075208b32ff393b1b381ab4ad783c3ca1fa7157deea6bd217fb52039acf353b0c2bb38cae44c8be298387f4213075538b77c9d221895aea9

        Download Submit
      • memory/2284-0-0x000001CB1AF70000-0x000001CB1AFB2000-memory.dmp
        Filesize

        264KB

        Download
      • memory/2284-1-0x000001CB1AFC0000-0x000001CB1B00F000-memory.dmp
        Filesize

        316KB

        Download
      • memory/2284-2-0x000001CB1AFC0000-0x000001CB1B00F000-memory.dmp
        Filesize

        316KB

        Download
      • memory/4792-42-0x000001A370380000-0x000001A370381000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4792-45-0x000001A370380000-0x000001A370381000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4792-36-0x000001A370380000-0x000001A370381000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4792-37-0x000001A370380000-0x000001A370381000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4792-38-0x000001A370380000-0x000001A370381000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4792-39-0x000001A370380000-0x000001A370381000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4792-40-0x000001A370380000-0x000001A370381000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4792-41-0x000001A370380000-0x000001A370381000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4792-19-0x000001A367D70000-0x000001A367D80000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4792-43-0x000001A370380000-0x000001A370381000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4792-44-0x000001A370380000-0x000001A370381000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4792-35-0x000001A370360000-0x000001A370361000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4792-46-0x000001A36FFB0000-0x000001A36FFB1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4792-47-0x000001A36FFA0000-0x000001A36FFA1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4792-49-0x000001A36FFB0000-0x000001A36FFB1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4792-52-0x000001A36FFA0000-0x000001A36FFA1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4792-55-0x000001A36FEE0000-0x000001A36FEE1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4792-3-0x000001A367C70000-0x000001A367C80000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4792-67-0x000001A3700E0000-0x000001A3700E1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4792-69-0x000001A3700F0000-0x000001A3700F1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4792-70-0x000001A3700F0000-0x000001A3700F1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4792-71-0x000001A370200000-0x000001A370201000-memory.dmp
        Filesize

        4KB

        Download