Malware Analysis Report

2024-08-06 11:02

Sample ID 240222-e71wqabf2z
Target b8f2a2318f7936a830bd51f33227d057fa9d14195efada73cb0a3baeffb1a83a
SHA256 b8f2a2318f7936a830bd51f33227d057fa9d14195efada73cb0a3baeffb1a83a
Tags: cobaltstrike 100000000 backdoor trojan

Score: 10/10

Analysis Overview

Score: 10/10

SHA256

b8f2a2318f7936a830bd51f33227d057fa9d14195efada73cb0a3baeffb1a83a

Threat Level: Known bad

The file b8f2a2318f7936a830bd51f33227d057fa9d14195efada73cb0a3baeffb1a83a was found to be: Known bad.

Malicious Activity Summary

cobaltstrike 100000000 backdoor trojan

Cobaltstrike family

Cobaltstrike

Downloads MZ/PE file

Executes dropped EXE

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-02-22 04:35

Signatures

Cobaltstrike family

cobaltstrike

Unsigned PE

Description | Indicator | Process | Target
N/A         | N/A       | N/A     | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-22 04:35

Reported

2024-02-22 04:38

Platform

win7-20240221-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b8f2a2318f7936a830bd51f33227d057fa9d14195efada73cb0a3baeffb1a83a.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b8f2a2318f7936a830bd51f33227d057fa9d14195efada73cb0a3baeffb1a83a.exe

"C:\Users\Admin\AppData\Local\Temp\b8f2a2318f7936a830bd51f33227d057fa9d14195efada73cb0a3baeffb1a83a.exe"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-22 04:35

Reported

2024-02-22 04:38

Platform

win10v2004-20240221-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b8f2a2318f7936a830bd51f33227d057fa9d14195efada73cb0a3baeffb1a83a.exe"

Signatures

Cobaltstrike

trojan backdoor cobaltstrike

Downloads MZ/PE file

Executes dropped EXE

Description | Indicator | Process                                                       | Target
N/A         | N/A       | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\sword.exe | N/A

Drops file in System32 directory

Description                  | Indicator                                             | Process                      | Target
File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UPnP\sword | C:\Windows\system32\dllhost.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description                      | Indicator | Process                         | Target
Token: SeDebugPrivilege          | N/A       | C:\Windows\system32\dllhost.exe | N/A
Token: SeRestorePrivilege        | N/A       | C:\Windows\system32\dllhost.exe | N/A
Token: SeBackupPrivilege         | N/A       | C:\Windows\system32\dllhost.exe | N/A
Token: SeTakeOwnershipPrivilege  | N/A       | C:\Windows\system32\dllhost.exe | N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\b8f2a2318f7936a830bd51f33227d057fa9d14195efada73cb0a3baeffb1a83a.exe

"C:\Users\Admin\AppData\Local\Temp\b8f2a2318f7936a830bd51f33227d057fa9d14195efada73cb0a3baeffb1a83a.exe"

C:\Windows\system32\dllhost.exe

C:\Windows\system32\dllhost.exe

C:\Windows\system32\dllhost.exe

C:\Windows\system32\dllhost.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\sword.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\sword.exe yETrFvE9z1wrSlAo9xpSCKyntmn0v477AB+TUNQUZTI= 8N7LyzY/lJCpIyRD5h447Q==

C:\Windows\system32\dllhost.exe

C:\Windows\system32\dllhost.exe

C:\Windows\system32\dllhost.exe

C:\Windows\system32\dllhost.exe

Network

Country | Destination         | Domain                         | Proto
US      | 8.8.8.8:53          | sw.falsh.co                    | udp
US      | 104.21.33.39:443    | sw.falsh.co                    | tcp
US      | 8.8.8.8:53          | 39.33.21.104.in-addr.arpa      | udp
US      | 104.21.33.39:443    | sw.falsh.co                    | tcp
US      | 104.21.33.39:443    | sw.falsh.co                    | tcp
N/A     | 127.0.0.1:62800     |                                | tcp
HK      | 103.140.229.187:80  | 103.140.229.187                | tcp
US      | 104.21.33.39:443    | sw.falsh.co                    | tcp
US      | 8.8.8.8:53          | 187.229.140.103.in-addr.arpa   | udp
US      | 104.21.33.39:443    | sw.falsh.co                    | tcp
US      | 8.8.8.8:53          | 26.165.165.52.in-addr.arpa     | udp
US      | 8.8.8.8:53          | 206.23.85.13.in-addr.arpa      | udp
US      | 8.8.8.8:53          | 18.134.221.88.in-addr.arpa     | udp
US      | 104.21.33.39:443    | sw.falsh.co                    | tcp
US      | 104.21.33.39:443    | sw.falsh.co                    | tcp
US      | 104.21.33.39:443    | sw.falsh.co                    | tcp
US      | 104.21.33.39:443    | sw.falsh.co                    | tcp
US      | 104.21.33.39:443    | sw.falsh.co                    | tcp
US      | 104.21.33.39:443    | sw.falsh.co                    | tcp
US      | 104.21.33.39:443    | sw.falsh.co                    | tcp
US      | 104.21.33.39:443    | sw.falsh.co                    | tcp
US      | 8.8.8.8:53          | 11.227.111.52.in-addr.arpa     | udp
US      | 8.8.8.8:53          | 240.221.184.93.in-addr.arpa    | udp
US      | 104.21.33.39:443    | sw.falsh.co                    | tcp
US      | 104.21.33.39:443    | sw.falsh.co                    | tcp
US      | 104.21.33.39:443    | sw.falsh.co                    | tcp
US      | 104.21.33.39:443    | sw.falsh.co                    | tcp
US      | 104.21.33.39:443    | sw.falsh.co                    | tcp
US      | 104.21.33.39:443    | sw.falsh.co                    | tcp
N/A     | 127.0.0.1:62800     |                                | tcp
N/A     | 127.0.0.1:62800     |                                | tcp
US      | 104.21.33.39:443    | sw.falsh.co                    | tcp
N/A     | 127.0.0.1:62800     |                                | tcp
N/A     | 127.0.0.1:62800     |                                | tcp
US      | 104.21.33.39:443    | sw.falsh.co                    | tcp
N/A     | 127.0.0.1:62800     |                                | tcp
US      | 104.21.33.39:443    | sw.falsh.co                    | tcp
N/A     | 127.0.0.1:62800     |                                | tcp
US      | 104.21.33.39:443    | sw.falsh.co                    | tcp
US      | 8.8.8.8:53          | 130.109.69.13.in-addr.arpa     | udp
N/A     | 127.0.0.1:62800     |                                | tcp
US      | 104.21.33.39:443    | sw.falsh.co                    | tcp
N/A     | 127.0.0.1:62800     |                                | tcp

Files

memory/692-0-0x00000127E3E70000-0x00000127E3E71000-memory.dmp

memory/692-1-0x00000127E5E60000-0x00000127E62D2000-memory.dmp

memory/692-2-0x00000127E5A60000-0x00000127E5E60000-memory.dmp

memory/3432-3-0x0000014F51D50000-0x0000014F51D6E000-memory.dmp

memory/3432-4-0x0000014F53600000-0x0000014F53608000-memory.dmp

memory/3432-5-0x00007FFBF4E30000-0x00007FFBF58F1000-memory.dmp

memory/3432-7-0x0000014F53610000-0x0000014F53620000-memory.dmp

memory/3432-6-0x0000014F53610000-0x0000014F53620000-memory.dmp

memory/3432-8-0x0000014F53610000-0x0000014F53620000-memory.dmp

memory/4876-9-0x000001C716100000-0x000001C71611E000-memory.dmp

memory/4876-10-0x000001C717AB0000-0x000001C717AE2000-memory.dmp

memory/4876-11-0x00007FFBF4E30000-0x00007FFBF58F1000-memory.dmp

memory/4876-12-0x000001C730560000-0x000001C730570000-memory.dmp

memory/4876-13-0x000001C730560000-0x000001C730570000-memory.dmp

memory/692-14-0x00000127E5A60000-0x00000127E5E60000-memory.dmp

memory/3432-15-0x00007FFBF4E30000-0x00007FFBF58F1000-memory.dmp

memory/3432-16-0x0000014F53610000-0x0000014F53620000-memory.dmp

memory/4876-17-0x00007FFBF4E30000-0x00007FFBF58F1000-memory.dmp

memory/4876-18-0x000001C730560000-0x000001C730570000-memory.dmp

memory/4876-19-0x000001C730560000-0x000001C730570000-memory.dmp

C:\Users\Admin\AppData\Roaming\system.ini

MD5 5283802957ec8772f014315e03648687
SHA1 a16e0af0bae48f315a5c353b860ace0436009ae7
SHA256 0fc3dbedec81763871b9fadc19edd624d0e8ae91403c8d6bbc95b8047adacc4d
SHA512 d25adb853a421249dab2a38f75eca6df172ff7b3c63bbb94e2910819d42b648c24fd8a034e5c881b908c775f1165357d24295d2e6b98545a85e0a3ec3f454f30

memory/4876-25-0x000001C717CC0000-0x000001C717D16000-memory.dmp

memory/4876-27-0x00007FFBF4E30000-0x00007FFBF58F1000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\sword.exe

MD5 3d131dfc947e318d0005023b9e97c535
SHA1 bf9da19e0506542d8b6da990cf3b8e56f4652ea6
SHA256 d6d7c05965fddeb35241b886d3ced1e9c3ac5e3c77a7746d91a93211229226e6
SHA512 046b75ec810df3aec2a305a2e72138f41c403d0a4821f1a3586b9ef1e4f798dae78c3f1365092e8964f949c62db2573dee9a4031215ed5ee0e5f5559d7a3e3f2

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\sword.exe

MD5 3073a15943ea36e1748ca4c6f4ad4943
SHA1 827895027d3e0625cfa775283ce64b843b6be3a6
SHA256 b2a7044ea934465739f68e043f926eb1c4d85a2f188b18de72c082a8ccf0cc77
SHA512 c651e1dd29f38e9a7752fa1aec7179636cb2019ad29984284e4b21f45288e48a9bb9b1907cf239fccefad8b4141a469122c9e0d3c6cb0c0854c6a9de8ac4760f

memory/4104-30-0x000001CED87B0000-0x000001CED87B1000-memory.dmp

memory/4104-31-0x000001CED8BB0000-0x000001CED8D69000-memory.dmp

memory/4104-33-0x000001CED8BB0000-0x000001CED8D69000-memory.dmp

memory/4104-35-0x000001CED87D0000-0x000001CED87D1000-memory.dmp

memory/4104-34-0x000001CED87C0000-0x000001CED87C1000-memory.dmp

memory/4104-32-0x000001CED8BB0000-0x000001CED8D69000-memory.dmp

memory/4104-38-0x000001CED93B0000-0x000001CED93C0000-memory.dmp

memory/4104-39-0x000001CED9B00000-0x000001CED9F72000-memory.dmp

memory/3412-40-0x000001C177850000-0x000001C17786E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dllhost.exe.log

MD5 66a0a4aa01208ed3d53a5e131a8d030a
SHA1 ef5312ba2b46b51a4d04b574ca1789ac4ff4a6b1
SHA256 f0ab05c32d6af3c2b559dbce4dec025ce3e730655a2430ade520e89a557cace8
SHA512 626f0dcf0c6bcdc0fef25dc7da058003cf929fd9a39a9f447b79fb139a417532a46f8bca1ff2dbde09abfcd70f5fb4f8d059b1fe91977c377df2f5f751c84c5c

memory/3412-42-0x00007FFBF4E30000-0x00007FFBF58F1000-memory.dmp

memory/3412-44-0x000001C179110000-0x000001C179120000-memory.dmp

memory/3412-43-0x000001C179110000-0x000001C179120000-memory.dmp

memory/4104-45-0x000001CED93B0000-0x000001CED93C0000-memory.dmp

memory/4104-46-0x000001CED9700000-0x000001CED9B00000-memory.dmp

memory/3412-47-0x00007FFBF4E30000-0x00007FFBF58F1000-memory.dmp

memory/3412-48-0x000001C179110000-0x000001C179120000-memory.dmp

memory/1700-49-0x00000153884D0000-0x00000153884EE000-memory.dmp

memory/1700-50-0x00007FFBF4E30000-0x00007FFBF58F1000-memory.dmp