Overview

overview

10

Static

static

3

10e68f3e6c...07.exe

windows7-x64

1

10e68f3e6c...07.exe

windows10-2004-x64

10

Resubmissions

11-01-2024 14:51

240111-r8jp2safg8 10

18-12-2023 13:56

231218-q8n44acdg8 10

Analysis

  • max time kernel
    1560s
  • max time network
    1170s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-01-2024 14:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    10e68f3e6c73161a1bba85ef9bada0cd79e25382ea8f8635bec4aa51bfe6c707.exe

  • Size

    13KB

  • MD5

    99516071d8f3e78e51200948bf377c4c

  • SHA1

    59fe505b24bdfa54ee6e4188ed8b88af9a42eb86

  • SHA256

    10e68f3e6c73161a1bba85ef9bada0cd79e25382ea8f8635bec4aa51bfe6c707

  • SHA512

    4fa7de0e3ceef3231405da70f234b140120568ba5b116f04848cd2f0452213baa05638db8efacf74c8f8b65db7c974e6a49aff34449d7007049921ee93119678

  • SSDEEP

    192:iWuo0OdEZbue7hTthpz5/y9eO5tfwcKExzp:xEwkhZFfN+zp

Score
10/10
cobaltstrikebackdoortrojan

Malware Config

Extracted

Family

cobaltstrike

C2

http://mail.googlesmail.xyz:2096/home/indexs

Attributes
  • user_agent

    Host: mail.googlesmail.xyz Accept: */* Accept-Encoding: gzip, deflate Content-Type: text/html User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36

Signatures

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

    trojanbackdoorcobaltstrike
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\10e68f3e6c73161a1bba85ef9bada0cd79e25382ea8f8635bec4aa51bfe6c707.exe
    "C:\Users\Admin\AppData\Local\Temp\10e68f3e6c73161a1bba85ef9bada0cd79e25382ea8f8635bec4aa51bfe6c707.exe"
    1⤵
      PID:2360
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
      1⤵
        PID:3936
      • C:\Windows\System32\svchost.exe
        C:\Windows\System32\svchost.exe -k UnistackSvcGroup
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3264

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/2360-0-0x0000027C81A60000-0x0000027C81A61000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2360-2-0x0000027C83700000-0x0000027C83B00000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/3264-20-0x000001976F440000-0x000001976F450000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3264-40-0x00000197778F0000-0x00000197778F1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3264-39-0x00000197777E0000-0x00000197777E1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3264-38-0x00000197777E0000-0x00000197777E1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3264-36-0x00000197777B0000-0x00000197777B1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3264-4-0x000001976F340000-0x000001976F350000-memory.dmp

        Filesize

        64KB

        Download