cobaltstrike | d7b9dc73549657950f4335f3c75ea7e1784b0e798461c98577ab2c42b6a80da3

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08/03/2024, 19:00

Target

d7b9dc73549657950f4335f3c75ea7e1784b0e798461c98577ab2c42b6a80da3.exe
Size

1.1MB
MD5

72786caa2500ffa576c37f1c19f2bec1
SHA1

5b32cb8a64d499432ee6a061ce12cae16a41f368
SHA256

d7b9dc73549657950f4335f3c75ea7e1784b0e798461c98577ab2c42b6a80da3
SHA512

a399d6ee67712c238e11781256dd0b60bbc451e06a75afe44f0cb02a604220372477a8be70f62c94b29c4c3d903a572065b2d64cefbb18e8ec315c35b22e6c7f
SSDEEP

12288:cWpWcDQ2bwSFIy2c8VWJ1Uqmm0saop/4iT9vfCFaxCg8MJ/elfIoqP9zP:cZJ2cSFIa8VWJcYSiNfMCCgNJ/yFqPBP

Score

10^/10

Family

cobaltstrike

http://code.nodesources.top:2096/jquery-3.3.2.slim.min.js

Attributes

user_agent
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Host: code.nodesources.top Referer: http://code.jquery.com/ Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Blocklisted process makes network request 5 IoCs

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 2892	2020	d7b9dc73549657950f4335f3c75ea7e1784b0e798461c98577ab2c42b6a80da3.exe	28
PID 2020 wrote to memory of 2892	2020	d7b9dc73549657950f4335f3c75ea7e1784b0e798461c98577ab2c42b6a80da3.exe	28
PID 2020 wrote to memory of 2892	2020	d7b9dc73549657950f4335f3c75ea7e1784b0e798461c98577ab2c42b6a80da3.exe	28
PID 2020 wrote to memory of 2892	2020	d7b9dc73549657950f4335f3c75ea7e1784b0e798461c98577ab2c42b6a80da3.exe	28

C:\Users\Admin\AppData\Local\Temp\d7b9dc73549657950f4335f3c75ea7e1784b0e798461c98577ab2c42b6a80da3.exe
"C:\Users\Admin\AppData\Local\Temp\d7b9dc73549657950f4335f3c75ea7e1784b0e798461c98577ab2c42b6a80da3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  - Blocklisted process makes network request
  PID:2892

memory/2892-1-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/2892-0-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/2892-177-0x0000000003E60000-0x00000000042D2000-memory.dmp

Filesize
4.4MB

Download
memory/2892-178-0x0000000003A60000-0x0000000003E60000-memory.dmp

Filesize
4.0MB

Download
memory/2892-195-0x0000000000430000-0x0000000000432000-memory.dmp

Filesize
8KB

Download
memory/2892-196-0x0000000003A60000-0x0000000003E60000-memory.dmp

Filesize
4.0MB

Download