Malware Analysis Report

2025-08-05 14:15

Sample ID: 240306-exj58aah41
Target (submitted filename): b67d52bf30515f2537b0a3a076ee60dd
SHA256: 6bbabed7b0f11e304b0cb97013c9095d51fa330aee3a966b5626088e92a0dfeb
Tags: cobaltstrike backdoor trojan
Score: 10/10

Analysis Overview

score
10/10

SHA256

6bbabed7b0f11e304b0cb97013c9095d51fa330aee3a966b5626088e92a0dfeb

Threat Level: Known bad

The file b67d52bf30515f2537b0a3a076ee60dd was found to be: Known bad. In both detonations the sample spawns cmd.exe to "start" a dropped text file, 7月网格自主发展情况通报0725.txt (roughly "July grid self-development status bulletin 0725"), which opens in NOTEPAD.EXE, apparently as a decoy for the user, while the sample repeatedly connects over TCP to 47.100.48.157:8787. That destination is a raw IP with no preceding DNS lookup in the Network tables, which is consistent with a hard-coded Cobalt Strike beacon check-in.

Malicious Activity Summary

cobaltstrike backdoor trojan

Cobaltstrike

Checks computer location settings

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Modifies registry class

Analysis: static1

Detonation Overview

Reported

2024-03-06 04:19

Signatures

Unsigned PE

Description, Indicator, Process, Target: N/A (static-only signature; there is no runtime indicator to attribute to a process)

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-06 04:19

Reported

2024-03-06 04:21

Platform

win10v2004-20240226-en

Max time kernel

151s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b67d52bf30515f2537b0a3a076ee60dd.exe"

Signatures

Cobaltstrike

trojan backdoor cobaltstrike

Checks computer location settings

Description: Key value queried
Indicator: \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation
Process: C:\Windows\System32\cmd.exe
Target: N/A

Enumerates physical storage devices

Modifies registry class

Description: Key created
Indicator: \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings
Process: C:\Windows\System32\cmd.exe
Target: N/A

Both registry signatures in this run are attributed to cmd.exe, a Windows binary, rather than to the sample's own process, so on their own they are weak indicators compared with the repeated connections to 47.100.48.157:8787 in the Network section below.

Processes

C:\Users\Admin\AppData\Local\Temp\b67d52bf30515f2537b0a3a076ee60dd.exe

"C:\Users\Admin\AppData\Local\Temp\b67d52bf30515f2537b0a3a076ee60dd.exe"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c "start 7月网格自主发展情况通报0725.txt"

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7月网格自主发展情况通报0725.txt

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 176.178.17.96.in-addr.arpa udp
CN 47.100.48.157:8787 tcp
US 8.8.8.8:53 32.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
CN 47.100.48.157:8787 tcp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 211.178.17.96.in-addr.arpa udp
CN 47.100.48.157:8787 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
CN 47.100.48.157:8787 tcp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
CN 47.100.48.157:8787 tcp
CN 47.100.48.157:8787 tcp
US 8.8.8.8:53 11.73.50.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\7月网格自主发展情况通报0725.txt

MD5 2d0cd72ef9e2bbb91af9aa3e2a269fa6
SHA1 8537cef926f6af02f5cebf470fd5629b9314c24f
SHA256 cd83d993a216b269a62c3678394b8500162c259a35d36b4000ea165028080c43
SHA512 3e5f610e841312524a248508fc1c8b4b0bf205367132831f6983bff178002fa63defa1ec9777633f588be2369a647d9ee81a537016f733224608e40951279d6e

memory/3712-3-0x000001A1EBC50000-0x000001A1EBC51000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-06 04:19

Reported

2024-03-06 04:21

Platform

win7-20240221-en

Max time kernel

136s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b67d52bf30515f2537b0a3a076ee60dd.exe"

Signatures

Cobaltstrike

trojan backdoor cobaltstrike

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\b67d52bf30515f2537b0a3a076ee60dd.exe

"C:\Users\Admin\AppData\Local\Temp\b67d52bf30515f2537b0a3a076ee60dd.exe"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c "start 7月网格自主发展情况通报0725.txt"

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7月网格自主发展情况通报0725.txt

Network

Country Destination Domain Proto
CN 47.100.48.157:8787 tcp
CN 47.100.48.157:8787 tcp
CN 47.100.48.157:8787 tcp
CN 47.100.48.157:8787 tcp
CN 47.100.48.157:8787 tcp
CN 47.100.48.157:8787 tcp

Files

C:\Users\Admin\AppData\Local\Temp\7月网格自主发展情况通报0725.txt

MD5 2d0cd72ef9e2bbb91af9aa3e2a269fa6
SHA1 8537cef926f6af02f5cebf470fd5629b9314c24f
SHA256 cd83d993a216b269a62c3678394b8500162c259a35d36b4000ea165028080c43
SHA512 3e5f610e841312524a248508fc1c8b4b0bf205367132831f6983bff178002fa63defa1ec9777633f588be2369a647d9ee81a537016f733224608e40951279d6e

memory/2240-24-0x0000000002AE0000-0x0000000002AE1000-memory.dmp
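The process tree and the Network tables in the behavioral1 and behavioral2 runs show the same two things: an executable in %TEMP% using cmd.exe /c "start …" to hand a document to NOTEPAD.EXE, and repeated TCP connections to one raw IP and port with no DNS resolution beforehand. The following detection helpers are an added example, not part of the sandbox output above. The paths, command lines, IP, port and row counts come from the report; the record layout, the PIDs, the document-extension list and the minimum-hit threshold are assumptions made for illustration.

```python
"""Detection helpers for the dropper-and-beacon pattern in this report.

Added example, not part of the sandbox output above. Process and network
records are constructed from the Processes and Network sections of the
behavioral1/behavioral2 runs (paths, command lines, IP and port are the
report's); the record layout, PIDs and match thresholds are assumptions.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class Connection:
    country: str
    dest_ip: str
    dest_port: int
    proto: str
    domain: Optional[str]  # None when the row has no Domain, i.e. a raw-IP connection


# Constructed from the behavioral2 process list (PIDs assumed).
PROCESSES = [
    ProcessEvent(3712, 1000,
                 r"C:\Users\Admin\AppData\Local\Temp\b67d52bf30515f2537b0a3a076ee60dd.exe",
                 r'"C:\Users\Admin\AppData\Local\Temp\b67d52bf30515f2537b0a3a076ee60dd.exe"'),
    ProcessEvent(3804, 3712,
                 r"C:\Windows\System32\cmd.exe",
                 r'C:\Windows\System32\cmd.exe /c "start 7月网格自主发展情况通报0725.txt"'),
    ProcessEvent(3856, 3804,
                 r"C:\Windows\system32\NOTEPAD.EXE",
                 r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7月网格自主发展情况通报0725.txt'),
]

# Constructed subset of the behavioral2 Network table: one DNS row, the six
# raw-IP rows to 47.100.48.157:8787 and the five name-resolved Bing rows.
CONNECTIONS = [
    Connection("US", "8.8.8.8", 53, "udp", "13.86.106.20.in-addr.arpa"),
    Connection("CN", "47.100.48.157", 8787, "tcp", None),
    Connection("US", "8.8.8.8", 53, "udp", "tse1.mm.bing.net"),
] + [Connection("US", "204.79.197.200", 443, "tcp", "tse1.mm.bing.net")] * 5 \
  + [Connection("CN", "47.100.48.157", 8787, "tcp", None)] * 5

# Executable running out of the user's %TEMP% directory.
TEMP_EXE = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.exe$", re.IGNORECASE)
# cmd.exe /c "start <something>.<document extension>"  (extension list assumed)
CMD_START_DOC = re.compile(r'/c\s+"?start\s+.+?\.(txt|rtf|pdf|docx?|xlsx?)"?\s*$', re.IGNORECASE)


def find_decoy_launch(events):
    """Return (dropper, cmd, viewers) for each cmd.exe spawned by an executable
    in %TEMP% that used 'start' to hand a document to the default viewer.
    `viewers` are the children that cmd.exe spawned (NOTEPAD.EXE in the report)."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if not e.image.lower().endswith("\\cmd.exe"):
            continue
        if not CMD_START_DOC.search(e.cmdline):
            continue
        parent = by_pid.get(e.ppid)
        if parent is None or not TEMP_EXE.search(parent.image):
            continue
        viewers = [c for c in events if c.ppid == e.pid]
        hits.append((parent, e, viewers))
    return hits


def beacon_candidates(conns, min_hits=3):
    """Rank destinations that look like a hard-coded C2: repeated connections
    to the same ip:port with no Domain (no DNS resolution seen), excluding DNS
    itself. The Bing traffic in the report is resolved by name and drops out;
    47.100.48.157:8787 does not."""
    counts = Counter(
        (c.dest_ip, c.dest_port, c.proto)
        for c in conns
        if c.domain is None and c.dest_port != 53
    )
    return {k: n for k, n in counts.items() if n >= min_hits}


def summarize(events=PROCESSES, conns=CONNECTIONS):
    """Combine both checks into the fields an analyst would put in a verdict."""
    launches = find_decoy_launch(events)
    return {
        "decoy_document_launch": bool(launches),
        "decoy_commands": [cmd.cmdline for _, cmd, _ in launches],
        "beacon_candidates": beacon_candidates(conns),
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

The two checks are deliberately independent: the decoy launch is a process-lineage rule that fires regardless of where the implant calls home, and the beacon check keys on the absence of a DNS lookup rather than on the IP itself, so it still works once the operator rotates 47.100.48.157. Treat the raw-IP count as a triage signal, not a verdict; legitimate software occasionally talks to hard-coded addresses too.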