Analysis

  • max time kernel
    133s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    26-02-2024 01:05

General

  • Target

    2024-02-26_20b5cf2c27b496d579eff920b6b020ea_ryuk.exe

  • Size

    91KB

  • MD5

    20b5cf2c27b496d579eff920b6b020ea

  • SHA1

    eb5cd4c784c3f8e84712e4f8d9cf0fcbf9ddcffd

  • SHA256

    8792ad217a3e74c8b3f09da095c98b0f75074e3d0a52711ccd46ff40b6e44d51

  • SHA512

    d8c0084fa00713baed9dbd8c4d9f8fccb3052eedddf21d632f69d59b204330fef9a15e42200296af822bae54a30d367d8dd4967f3eb6e2a6e7307d2c3369920e

  • SSDEEP

    1536:suRFSPMJQAS2K7+gZfkEgaIwgKG1sWVdc9dlDXnGa9VhR68MIF:suzSPwq7BFkErHRGHUl3t9VhRZ

Malware Config

Extracted

Family

cobaltstrike

C2

http://154.204.58.234:4433/jquery-3.3.2.slim.min.js

Attributes
  • user_agent

    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Referer: http://code.jquery.com/
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4242.0 Safari/537.36

Signatures

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of FindShellTrayWindow 30 IoCs
  • Suspicious use of SendNotifyMessage 19 IoCs
  • Suspicious use of WriteProcessMemory 1 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-02-26_20b5cf2c27b496d579eff920b6b020ea_ryuk.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-02-26_20b5cf2c27b496d579eff920b6b020ea_ryuk.exe"
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1968
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    PID:1256
    • C:\Windows\explorer.exe
      explorer.exe
      • Modifies Installed Components in the registry
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2996

Network

MITRE ATT&CK Matrix ATT&CK v13

  • Persistence
    Boot or Logon Autostart Execution (T1547): 1
    Registry Run Keys / Startup Folder (T1547.001): 1
  • Privilege Escalation
    Boot or Logon Autostart Execution (T1547): 1
    Registry Run Keys / Startup Folder (T1547.001): 1
  • Defense Evasion
    Modify Registry (T1112): 1
  • Discovery
    Query Registry (T1012): 1


Downloads

  • memory/1256-0-0x0000000002C00000-0x0000000002C01000-memory.dmp
    Filesize: 4KB
  • memory/1256-1-0x0000000002C00000-0x0000000002C01000-memory.dmp
    Filesize: 4KB
  • memory/1256-2-0x0000000002BE0000-0x0000000002BE1000-memory.dmp
    Filesize: 4KB
  • memory/2996-3-0x0000000004240000-0x0000000004241000-memory.dmp
    Filesize: 4KB
  • memory/2996-4-0x0000000004240000-0x0000000004241000-memory.dmp
    Filesize: 4KB
  • memory/2996-8-0x0000000002750000-0x0000000002760000-memory.dmp
    Filesize: 64KB