Analysis Overview
SHA256
35aed61c71c39e4419d486ea62de8083c01dc32d374dd6f6ce4f320a2054289c
Threat Level: Known bad
The file 35aed61c71c39e4419d486ea62de8083c01dc32d374dd6f6ce4f320a2054289c was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike
Enumerates VirtualBox DLL files
Looks for VirtualBox drivers on disk
Looks for VirtualBox executables on disk
Looks for VMWare drivers on disk
Unsigned PE
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-24 15:35
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-24 15:35
Reported
2024-02-24 15:38
Platform
win7-20240221-en
Max time kernel
148s
Max time network
149s
Command Line
Signatures
Cobaltstrike
Enumerates VirtualBox DLL files
| Description | Indicator | Process | Target |
| File opened (read-only) | C:\windows\System32\vboxdisp.dll | C:\Users\Admin\AppData\Local\Temp\35aed61c71c39e4419d486ea62de8083c01dc32d374dd6f6ce4f320a2054289c.exe | N/A |
| File opened (read-only) | C:\windows\System32\vboxhook.dll | C:\Users\Admin\AppData\Local\Temp\35aed61c71c39e4419d486ea62de8083c01dc32d374dd6f6ce4f320a2054289c.exe | N/A |
| File opened (read-only) | C:\windows\System32\vboxoglerrorspu.dll | C:\Users\Admin\AppData\Local\Temp\35aed61c71c39e4419d486ea62de8083c01dc32d374dd6f6ce4f320a2054289c.exe | N/A |
| File opened (read-only) | C:\windows\System32\vboxoglpassthroughspu.dll | C:\Users\Admin\AppData\Local\Temp\35aed61c71c39e4419d486ea62de8083c01dc32d374dd6f6ce4f320a2054289c.exe | N/A |
Looks for VirtualBox drivers on disk
| Description | Indicator | Process | Target |
| File opened (read-only) | C:\windows\System32\Drivers\VBoxVideo.sys | C:\Users\Admin\AppData\Local\Temp\35aed61c71c39e4419d486ea62de8083c01dc32d374dd6f6ce4f320a2054289c.exe | N/A |
| File opened (read-only) | C:\windows\System32\Drivers\VBoxMouse.sys | C:\Users\Admin\AppData\Local\Temp\35aed61c71c39e4419d486ea62de8083c01dc32d374dd6f6ce4f320a2054289c.exe | N/A |
| File opened (read-only) | C:\windows\System32\Drivers\VBoxGuest.sys | C:\Users\Admin\AppData\Local\Temp\35aed61c71c39e4419d486ea62de8083c01dc32d374dd6f6ce4f320a2054289c.exe | N/A |
| File opened (read-only) | C:\windows\System32\Drivers\VBoxSF.sys | C:\Users\Admin\AppData\Local\Temp\35aed61c71c39e4419d486ea62de8083c01dc32d374dd6f6ce4f320a2054289c.exe | N/A |
Looks for VirtualBox executables on disk
| Description | Indicator | Process | Target |
| File opened (read-only) | C:\windows\System32\vboxservice.exe | C:\Users\Admin\AppData\Local\Temp\35aed61c71c39e4419d486ea62de8083c01dc32d374dd6f6ce4f320a2054289c.exe | N/A |
| File opened (read-only) | C:\windows\System32\vboxtray.exe | C:\Users\Admin\AppData\Local\Temp\35aed61c71c39e4419d486ea62de8083c01dc32d374dd6f6ce4f320a2054289c.exe | N/A |
| File opened (read-only) | C:\windows\System32\VBoxControl.exe | C:\Users\Admin\AppData\Local\Temp\35aed61c71c39e4419d486ea62de8083c01dc32d374dd6f6ce4f320a2054289c.exe | N/A |
Looks for VMWare drivers on disk
| Description | Indicator | Process | Target |
| File opened (read-only) | C:\windows\System32\Drivers\Vmmouse.sys | C:\Users\Admin\AppData\Local\Temp\35aed61c71c39e4419d486ea62de8083c01dc32d374dd6f6ce4f320a2054289c.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\35aed61c71c39e4419d486ea62de8083c01dc32d374dd6f6ce4f320a2054289c.exe
"C:\Users\Admin\AppData\Local\Temp\35aed61c71c39e4419d486ea62de8083c01dc32d374dd6f6ce4f320a2054289c.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 192.168.137.3:80 | | tcp |
| N/A | 192.168.137.3:80 | | tcp |
| N/A | 192.168.137.3:80 | | tcp |
| N/A | 192.168.137.3:80 | | tcp |
| N/A | 192.168.137.3:80 | | tcp |
| N/A | 192.168.137.3:80 | | tcp |
| N/A | 192.168.137.3:80 | | tcp |
| N/A | 192.168.137.3:80 | | tcp |
Files
memory/2340-0-0x00000000006B0000-0x00000000006B1000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-24 15:35
Reported
2024-02-24 15:38
Platform
win10v2004-20240221-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
Cobaltstrike
Enumerates VirtualBox DLL files
| Description | Indicator | Process | Target |
| File opened (read-only) | C:\windows\System32\vboxdisp.dll | C:\Users\Admin\AppData\Local\Temp\35aed61c71c39e4419d486ea62de8083c01dc32d374dd6f6ce4f320a2054289c.exe | N/A |
| File opened (read-only) | C:\windows\System32\vboxhook.dll | C:\Users\Admin\AppData\Local\Temp\35aed61c71c39e4419d486ea62de8083c01dc32d374dd6f6ce4f320a2054289c.exe | N/A |
| File opened (read-only) | C:\windows\System32\vboxoglerrorspu.dll | C:\Users\Admin\AppData\Local\Temp\35aed61c71c39e4419d486ea62de8083c01dc32d374dd6f6ce4f320a2054289c.exe | N/A |
| File opened (read-only) | C:\windows\System32\vboxoglpassthroughspu.dll | C:\Users\Admin\AppData\Local\Temp\35aed61c71c39e4419d486ea62de8083c01dc32d374dd6f6ce4f320a2054289c.exe | N/A |
Looks for VirtualBox drivers on disk
| Description | Indicator | Process | Target |
| File opened (read-only) | C:\windows\System32\Drivers\VBoxMouse.sys | C:\Users\Admin\AppData\Local\Temp\35aed61c71c39e4419d486ea62de8083c01dc32d374dd6f6ce4f320a2054289c.exe | N/A |
| File opened (read-only) | C:\windows\System32\Drivers\VBoxGuest.sys | C:\Users\Admin\AppData\Local\Temp\35aed61c71c39e4419d486ea62de8083c01dc32d374dd6f6ce4f320a2054289c.exe | N/A |
| File opened (read-only) | C:\windows\System32\Drivers\VBoxSF.sys | C:\Users\Admin\AppData\Local\Temp\35aed61c71c39e4419d486ea62de8083c01dc32d374dd6f6ce4f320a2054289c.exe | N/A |
| File opened (read-only) | C:\windows\System32\Drivers\VBoxVideo.sys | C:\Users\Admin\AppData\Local\Temp\35aed61c71c39e4419d486ea62de8083c01dc32d374dd6f6ce4f320a2054289c.exe | N/A |
Looks for VirtualBox executables on disk
| Description | Indicator | Process | Target |
| File opened (read-only) | C:\windows\System32\vboxservice.exe | C:\Users\Admin\AppData\Local\Temp\35aed61c71c39e4419d486ea62de8083c01dc32d374dd6f6ce4f320a2054289c.exe | N/A |
| File opened (read-only) | C:\windows\System32\vboxtray.exe | C:\Users\Admin\AppData\Local\Temp\35aed61c71c39e4419d486ea62de8083c01dc32d374dd6f6ce4f320a2054289c.exe | N/A |
| File opened (read-only) | C:\windows\System32\VBoxControl.exe | C:\Users\Admin\AppData\Local\Temp\35aed61c71c39e4419d486ea62de8083c01dc32d374dd6f6ce4f320a2054289c.exe | N/A |
Looks for VMWare drivers on disk
| Description | Indicator | Process | Target |
| File opened (read-only) | C:\windows\System32\Drivers\Vmmouse.sys | C:\Users\Admin\AppData\Local\Temp\35aed61c71c39e4419d486ea62de8083c01dc32d374dd6f6ce4f320a2054289c.exe | N/A |
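The "Enumerates VirtualBox DLL files", "Looks for VirtualBox drivers on disk", "Looks for VirtualBox executables on disk" and "Looks for VMWare drivers on disk" signatures fire in both the Windows 7 (behavioral1) and Windows 10 (behavioral2) runs on exactly the same file-open probes. The block below is an added example, not the sandbox's own signature code, that re-implements those four rules as a classifier over file-open events: it lists only the artifact names that appear in this report (a real sandbox almost certainly checks a longer list), and the event tuples are constructed from the tables above plus one benign open that must not match. The function names, the tuple layout and the scoring rule are assumptions for illustration.

```python
"""Re-implementation of the VM-artifact file-probe signatures seen in this report.
Added example; the rules and artifact lists are assumptions derived from the report's
indicator tables, not the sandbox's own detection code."""
import ntpath
from collections import defaultdict

# Signature name -> (directory suffix, set of lower-cased file names).
# Only artifacts listed in this report are included; extend for production use.
SIGNATURES = {
    "Enumerates VirtualBox DLL files": (
        r"\system32",
        {"vboxdisp.dll", "vboxhook.dll", "vboxoglerrorspu.dll", "vboxoglpassthroughspu.dll"},
    ),
    "Looks for VirtualBox drivers on disk": (
        r"\system32\drivers",
        {"vboxvideo.sys", "vboxmouse.sys", "vboxguest.sys", "vboxsf.sys"},
    ),
    "Looks for VirtualBox executables on disk": (
        r"\system32",
        {"vboxservice.exe", "vboxtray.exe", "vboxcontrol.exe"},
    ),
    "Looks for VMWare drivers on disk": (
        r"\system32\drivers",
        {"vmmouse.sys"},
    ),
}

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\35aed61c71c39e4419d486ea62de8083c01dc32d374dd6f6ce4f320a2054289c.exe")

# Constructed events: (description, path, process) copied from the report's tables,
# plus one benign open (kernel32.dll) that is not in the report and must not match.
EVENTS = [
    ("File opened (read-only)", r"C:\windows\System32\vboxdisp.dll", SAMPLE),
    ("File opened (read-only)", r"C:\windows\System32\vboxhook.dll", SAMPLE),
    ("File opened (read-only)", r"C:\windows\System32\vboxoglerrorspu.dll", SAMPLE),
    ("File opened (read-only)", r"C:\windows\System32\vboxoglpassthroughspu.dll", SAMPLE),
    ("File opened (read-only)", r"C:\windows\System32\Drivers\VBoxVideo.sys", SAMPLE),
    ("File opened (read-only)", r"C:\windows\System32\Drivers\VBoxMouse.sys", SAMPLE),
    ("File opened (read-only)", r"C:\windows\System32\Drivers\VBoxGuest.sys", SAMPLE),
    ("File opened (read-only)", r"C:\windows\System32\Drivers\VBoxSF.sys", SAMPLE),
    ("File opened (read-only)", r"C:\windows\System32\vboxservice.exe", SAMPLE),
    ("File opened (read-only)", r"C:\windows\System32\vboxtray.exe", SAMPLE),
    ("File opened (read-only)", r"C:\windows\System32\VBoxControl.exe", SAMPLE),
    ("File opened (read-only)", r"C:\windows\System32\Drivers\Vmmouse.sys", SAMPLE),
    ("File opened (read-only)", r"C:\windows\System32\kernel32.dll", SAMPLE),  # benign
]


def classify(events):
    """Return {signature name: [matched paths]} for the file-open events given.

    Matching is case-insensitive on both the directory suffix and the file name,
    because the sample probes mixed-case paths (VBoxVideo.sys, vboxtray.exe).
    """
    hits = defaultdict(list)
    for description, path, _process in events:
        if not description.startswith("File opened"):
            continue
        directory, name = ntpath.split(path)
        directory, name = directory.lower().rstrip("\\"), name.lower()
        for signature, (want_dir, names) in SIGNATURES.items():
            if directory.endswith(want_dir) and name in names:
                hits[signature].append(path)
    return dict(hits)


def hypervisor_families_probed(events):
    """Count distinct artifact families probed (assumed scoring rule: probing two or
    more families is treated as deliberate sandbox evasion rather than a stray read)."""
    return len(classify(events))


if __name__ == "__main__":
    for signature, paths in classify(EVENTS).items():
        print(signature)
        for p in paths:
            print("   ", p)
    print("families probed:", hypervisor_families_probed(EVENTS))
```

A caveat for anyone porting this to an EDR feed: these are read-only open attempts on files that do not exist on a non-VM host, so the useful telemetry is the failed open (NtOpenFile returning STATUS_OBJECT_NAME_NOT_FOUND), not a successful read; default Sysmon configurations do not record file opens at all, so the same logic usually has to run on sandbox or kernel-callback data rather than on standard Windows event logs.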
Processes
C:\Users\Admin\AppData\Local\Temp\35aed61c71c39e4419d486ea62de8083c01dc32d374dd6f6ce4f320a2054289c.exe
"C:\Users\Admin\AppData\Local\Temp\35aed61c71c39e4419d486ea62de8083c01dc32d374dd6f6ce4f320a2054289c.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 192.168.137.3:80 | | tcp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 49.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| N/A | 192.168.137.3:80 | | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| N/A | 192.168.137.3:80 | | tcp |
| N/A | 192.168.137.3:80 | | tcp |
| N/A | 192.168.137.3:80 | | tcp |
| US | 8.8.8.8:53 | 45.179.17.96.in-addr.arpa | udp |
| N/A | 192.168.137.3:80 | | tcp |
| N/A | 192.168.137.3:80 | | tcp |
| N/A | 192.168.137.3:80 | | tcp |
Files
memory/4268-0-0x000001DD6F100000-0x000001DD6F101000-memory.dmp