Overview

overview

10

Static

static

3

9fdd41b38c...79.exe

windows7-x64

10

9fdd41b38c...79.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13/01/2024, 04:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9fdd41b38c01811abd562209dcb3b8aaa26e52fe755fbbc728a365004ebe4579.exe

  • Size

    4.9MB

  • MD5

    9ef45db8399100bf7a230db03a600e7d

  • SHA1

    42f164a6a9b0e29dc094b92b5893ca9fc3086f34

  • SHA256

    9fdd41b38c01811abd562209dcb3b8aaa26e52fe755fbbc728a365004ebe4579

  • SHA512

    82525a8806060937a70253da970169cdeed55778f7370fc12196097d034e4cd1fc06439d1cc0dc00cee3f5d0fec6211df4b8d71563f6dbced869bc3dbc0a60a2

  • SSDEEP

    49152:NHVoUqmRmrb/TPvO90dL3BmAFd4A64nsfJdV3IrG6z8KM0w1UzBGuxZ5g54Iuidc:NV1Z9WpLIm1

Score
10/10
cobaltstrike987654321backdoortrojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

987654321

C2

http://8.141.13.130:8002/system/role/list

Attributes
  • access_type

    512

  • beacon_type

    2048

  • host

    8.141.13.130,/system/role/list

  • http_header1

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAARQ29ubmVjdGlvbjogQ2xvc2UAAAAKAAAAHkNvbnRlbnQtVHlwZTogYXBwbGljYXRpb24vanNvbgAAAAcAAAAAAAAAAwAAAAgAAAACAAAAB3VhX2lkcz0AAAAGAAAABkNvb2tpZQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_header2

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAARQ29ubmVjdGlvbjogQ2xvc2UAAAAKAAAAHkNvbnRlbnQtVHlwZTogYXBwbGljYXRpb24vanNvbgAAAAcAAAAAAAAACAAAAA0AAAAFAAAACERlcHROYW1lAAAABwAAAAEAAAADAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_method1

    GET

  • http_method2

    POST

  • polling_time

    3000

  • port_number

    8002

  • sc_process32

    %windir%\syswow64\dllhost.exe

  • sc_process64

    %windir%\sysnative\dllhost.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCiA0RKeE5JiVCBoRmm2AgFlFg4s/RvxXdzuuKtMHAgq8czj+JHuTQ+M0m00EhKDVJkFXFiha2Iv6XFYhFxRkPe5ZK0fCBvSgfvMFpXqLA595J1UL6Hs9uZ+eo7UGEuEWus6qRt5HeuwYvd4dSdcn2FFvg/SjZo9OH1axpowQSIBwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4096

  • unknown2

    AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /system/dept/edit

  • user_agent

    Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; BOIE9;ENUS)

  • watermark

    987654321

Signatures

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

    trojanbackdoorcobaltstrike
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9fdd41b38c01811abd562209dcb3b8aaa26e52fe755fbbc728a365004ebe4579.exe
    "C:\Users\Admin\AppData\Local\Temp\9fdd41b38c01811abd562209dcb3b8aaa26e52fe755fbbc728a365004ebe4579.exe"
    1⤵
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:2576
    • C:\Windows\system32\cmd.exe
      cmd " /c " C:\Users\Admin\AppData\Local\Temp\123.txt
      2⤵
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3004
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\123.txt
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:2776
    • C:\Users\Public\main.exe
      C:\Users\Public\main.exe
      2⤵
      • Executes dropped EXE
      PID:2044

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Public\main.exe
    Filesize

    2.2MB

    MD5

    5380b4e12f7ef3247f5928466cfa0767

    SHA1

    8a29b96f7302786b47ddce0db80145fb1d65cecb

    SHA256

    42a465b5d10c0229720e8dcc705599a879e710328d3e59823ed75738d48e14be

    SHA512

    c92ab8036da1325f0f228875fe1f8ca7b0b99f9fdcdfb1a880e9d00cfd9479eebe31f1399e7b141fef3ad68292bd78db8e9d3e3a0a027412a5351514f81f28cb

    Download Submit

  • memory/2044-4-0x0000024065500000-0x0000024065544000-memory.dmp

    Filesize

    272KB

    Download