Analysis Overview
SHA256
31d4eed5f53c05ea15eabeb0a36729d9c0a0de9394e2748f31dfebaf5a948459
Threat Level: Known bad
The file 31d4eed5f53c05ea15eabeb0a36729d9c0a0de9394e2748f31dfebaf5a948459 was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike
UPX packed file
Executes dropped EXE
Loads dropped DLL
GoLang User-Agent
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-03-20 12:02
Signatures
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-20 12:02
Reported
2024-03-20 12:04
Platform
win7-20240215-en
Max time kernel
149s
Max time network
135s
Command Line
Signatures
Cobaltstrike
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MicrosoftUpdata-1591615396.go | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\31d4eed5f53c05ea15eabeb0a36729d9c0a0de9394e2748f31dfebaf5a948459.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\31d4eed5f53c05ea15eabeb0a36729d9c0a0de9394e2748f31dfebaf5a948459.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
GoLang User-Agent
| Description | Indicator | Process | Target |
|---|---|---|---|
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2152 wrote to memory of 3032 | N/A | C:\Users\Admin\AppData\Local\Temp\31d4eed5f53c05ea15eabeb0a36729d9c0a0de9394e2748f31dfebaf5a948459.exe | C:\Users\Admin\AppData\Local\Temp\MicrosoftUpdata-1591615396.go |
| PID 2152 wrote to memory of 3032 | N/A | C:\Users\Admin\AppData\Local\Temp\31d4eed5f53c05ea15eabeb0a36729d9c0a0de9394e2748f31dfebaf5a948459.exe | C:\Users\Admin\AppData\Local\Temp\MicrosoftUpdata-1591615396.go |
| PID 2152 wrote to memory of 3032 | N/A | C:\Users\Admin\AppData\Local\Temp\31d4eed5f53c05ea15eabeb0a36729d9c0a0de9394e2748f31dfebaf5a948459.exe | C:\Users\Admin\AppData\Local\Temp\MicrosoftUpdata-1591615396.go |
Processes
C:\Users\Admin\AppData\Local\Temp\31d4eed5f53c05ea15eabeb0a36729d9c0a0de9394e2748f31dfebaf5a948459.exe
"C:\Users\Admin\AppData\Local\Temp\31d4eed5f53c05ea15eabeb0a36729d9c0a0de9394e2748f31dfebaf5a948459.exe"
C:\Users\Admin\AppData\Local\Temp\MicrosoftUpdata-1591615396.go
C:\Users\Admin\AppData\Local\Temp\MicrosoftUpdata-1591615396.go
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 00oo.o00ooo00ooo.online | udp |
| US | 74.48.12.73:80 | 00oo.o00ooo00ooo.online | tcp |
| US | 74.48.12.73:80 | 00oo.o00ooo00ooo.online | tcp |
| US | 74.48.12.73:55105 | 00oo.o00ooo00ooo.online | tcp |
| US | 74.48.12.73:55105 | 00oo.o00ooo00ooo.online | tcp |
| US | 74.48.12.73:55105 | 00oo.o00ooo00ooo.online | tcp |
| US | 74.48.12.73:55105 | 00oo.o00ooo00ooo.online | tcp |
| US | 74.48.12.73:55105 | 00oo.o00ooo00ooo.online | tcp |
Files
memory/2152-0-0x00000000000D0000-0x0000000000608000-memory.dmp
\Users\Admin\AppData\Local\Temp\MicrosoftUpdata-1591615396.go
| MD5 | 65e964c81a7fbc518fcd4b6362e3b9dd |
| SHA1 | fbbd509a26b78f213c06510bcce37d0fae341a14 |
| SHA256 | c7df8509a86009442836d92792652476ebb7d7e968d82070be3d7c555e6c57c5 |
| SHA512 | 4c35ff2b0d22403840762681f4f14f8c5d0d4c93fdf41538ff9054e0ce89b7ca04f38674e6f5a7fd0ee2e5c8b2f90f4fd22e2f3181773842deffd7bc0e5eb6e7 |
\Users\Admin\AppData\Local\Temp\MicrosoftUpdata-1591615396.go
| MD5 | a660889d0a996a6760d19591f2c67857 |
| SHA1 | b40de23e467fb23491655650a12a2101de222a48 |
| SHA256 | 44b1b0f49756a1a4a0387b1d11058ec3c4324a6871ebf291cafde811cd692ea5 |
| SHA512 | 5fec69895e02f9e5afb2cd29cfd5b1fc92fa251adf12ad50755c9618f900138c137408a23494080f44fd647738028418e4159272517a1aebac256e188b497b78 |
memory/2152-7-0x0000000048F00000-0x0000000049415000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\MicrosoftUpdata-1591615396.go
| MD5 | 00a1e280632ba660d04a0bac6e81736a |
| SHA1 | 94995eae3bc759298fbb2e1faea615333ecfb175 |
| SHA256 | 1c723bf0f5fe64f19b1aa86fb93dc053d471154548edf5657ca78a6056462972 |
| SHA512 | bc8ec04b7c9700b8b46ae9e7c4c7eec363bb261af985b75340b23b777cde5f2169bcd824f558081db4fc9a813d3590f3b1001bd6901316bc391ca8764b68087c |
memory/3032-9-0x0000000000F80000-0x0000000001495000-memory.dmp
memory/2152-10-0x0000000048F00000-0x0000000049415000-memory.dmp
memory/3032-11-0x0000000000C50000-0x0000000000C51000-memory.dmp
memory/2152-29-0x00000000000D0000-0x0000000000608000-memory.dmp
memory/3032-30-0x000000004B2D0000-0x000000004B742000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 753df6889fd7410a2e9fe333da83a429 |
| SHA1 | 3c425f16e8267186061dd48ac1c77c122962456e |
| SHA256 | b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78 |
| SHA512 | 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444 |
C:\Users\Admin\AppData\Local\Temp\Tar5A95.tmp
| MD5 | dd73cead4b93366cf3465c8cd32e2796 |
| SHA1 | 74546226dfe9ceb8184651e920d1dbfb432b314e |
| SHA256 | a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22 |
| SHA512 | ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63 |
memory/3032-52-0x0000000000F80000-0x0000000001495000-memory.dmp
memory/2152-53-0x0000000048F00000-0x0000000049415000-memory.dmp
memory/2152-55-0x0000000048F00000-0x0000000049415000-memory.dmp
memory/3032-83-0x0000000000F80000-0x0000000001495000-memory.dmp
memory/2152-84-0x00000000000D0000-0x0000000000608000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-20 12:02
Reported
2024-03-20 12:04
Platform
win10v2004-20231215-en
Max time kernel
148s
Max time network
130s
Command Line
Signatures
Cobaltstrike
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MicrosoftUpdata-1346196024.go | N/A |
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
GoLang User-Agent
| Description | Indicator | Process | Target |
|---|---|---|---|
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1680 wrote to memory of 4992 | N/A | C:\Users\Admin\AppData\Local\Temp\31d4eed5f53c05ea15eabeb0a36729d9c0a0de9394e2748f31dfebaf5a948459.exe | C:\Users\Admin\AppData\Local\Temp\MicrosoftUpdata-1346196024.go |
| PID 1680 wrote to memory of 4992 | N/A | C:\Users\Admin\AppData\Local\Temp\31d4eed5f53c05ea15eabeb0a36729d9c0a0de9394e2748f31dfebaf5a948459.exe | C:\Users\Admin\AppData\Local\Temp\MicrosoftUpdata-1346196024.go |
Processes
C:\Users\Admin\AppData\Local\Temp\31d4eed5f53c05ea15eabeb0a36729d9c0a0de9394e2748f31dfebaf5a948459.exe
"C:\Users\Admin\AppData\Local\Temp\31d4eed5f53c05ea15eabeb0a36729d9c0a0de9394e2748f31dfebaf5a948459.exe"
C:\Users\Admin\AppData\Local\Temp\MicrosoftUpdata-1346196024.go
C:\Users\Admin\AppData\Local\Temp\MicrosoftUpdata-1346196024.go
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 00oo.o00ooo00ooo.online | udp |
| US | 74.48.12.73:80 | 00oo.o00ooo00ooo.online | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 185.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.12.48.74.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | | tcp |
| US | 74.48.12.73:80 | 00oo.o00ooo00ooo.online | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 74.48.12.73:55105 | 00oo.o00ooo00ooo.online | tcp |
| US | 8.8.8.8:53 | 187.178.17.96.in-addr.arpa | udp |
| US | 74.48.12.73:55105 | 00oo.o00ooo00ooo.online | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 36.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 175.178.17.96.in-addr.arpa | udp |
| US | 74.48.12.73:55105 | 00oo.o00ooo00ooo.online | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.178.17.96.in-addr.arpa | udp |
| US | 74.48.12.73:55105 | 00oo.o00ooo00ooo.online | tcp |
Files
memory/1680-0-0x00000000006D0000-0x0000000000C08000-memory.dmp
memory/1680-1-0x00000000006D0000-0x0000000000C08000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\MicrosoftUpdata-1346196024.go
| MD5 | 5176c0f4647b09059cac237274cd58c0 |
| SHA1 | b907f43d82fc87ee44a3c01ac233206313b48b05 |
| SHA256 | 6f94b0382ef8d8469130f4110f38eed75afdf105b478aeebf8b5ff0b01cae9af |
| SHA512 | 6dd72bcfe9c0c80ee82c3b70687ea3a2ffc00cd756d4839bb636de83a41b105ed898428a27be1bde2234fcf19a71eb2311cd49a97df7a927cb27c93c40e49aca |
memory/4992-6-0x0000000000BC0000-0x00000000010D5000-memory.dmp
memory/4992-7-0x00000173F6A40000-0x00000173F6A41000-memory.dmp
memory/1680-10-0x00000000006D0000-0x0000000000C08000-memory.dmp
memory/4992-11-0x00000173F8D10000-0x00000173F9182000-memory.dmp
memory/4992-12-0x00000173F8910000-0x00000173F8A6E000-memory.dmp
memory/4992-13-0x0000000000BC0000-0x00000000010D5000-memory.dmp
memory/4992-18-0x00000173F8910000-0x00000173F8A6E000-memory.dmp
memory/1680-24-0x00000000006D0000-0x0000000000C08000-memory.dmp
memory/4992-25-0x0000000000BC0000-0x00000000010D5000-memory.dmp