Overview

overview

10

Static

static

3

9242846351...5b.exe

windows7-x64

10

9242846351...5b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    125s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    10-04-2024 07:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9242846351a65655e93ed2aeaf36b535ff5b79ddf76c33d54089d9005a66265b.exe

  • Size

    923KB

  • MD5

    c41a78ea6f6ef7ed148f331e167008ff

  • SHA1

    17f9fddc92e5ab21507a87120c9d4ec8415f7198

  • SHA256

    9242846351a65655e93ed2aeaf36b535ff5b79ddf76c33d54089d9005a66265b

  • SHA512

    4f51851e16b719399b98bc73d3a16197801e0a7bf216439216fc53d46ac3f629099dbc4b7d758d666c7535e45f2f81ebbcbbd7e52c122d0b7f6d3eecd6d02c1a

  • SSDEEP

    12288:wC7iyATFbLPe66rAM0Nzqn3wOAd2/J1zBxDdlanupaS+G5/E29nkmDJ6X1o/JkKd:H0+bRxGGZy1oNiqrA6zI+cH

Score
10/10
cobaltstrike0100000000backdoortrojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

100000000

C2

http://images.cdn-sina.tw:443/pixel

Attributes
  • access_type

    512

  • host

    images.cdn-sina.tw,/pixel

  • http_header1

    AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_header2

    AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_method1

    GET

  • http_method2

    POST

  • polling_time

    60000

  • port_number

    443

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC7VJ3JwsesWc1dRxBWAsnNJgMfXO5ibLcTHa1BZbfWN061Jcd0cjyXq/d2NX5SRoFlnXkXAlI8Wz8VQ3elfDbedz21+Ny0yoK9zjsrrzDyqRVvJ7uJrAp8WWz+dkByTg49clUmX/BYb8fRr+UCh3XCO6J3vSNnyTIANpIWmoSv8QIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4096

  • unknown2

    AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /submit.php

  • user_agent

    Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)

  • watermark

    100000000

Extracted

Family

cobaltstrike

Botnet

0

Attributes
  • watermark

    0

Signatures

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

    trojanbackdoorcobaltstrike
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9242846351a65655e93ed2aeaf36b535ff5b79ddf76c33d54089d9005a66265b.exe
    "C:\Users\Admin\AppData\Local\Temp\9242846351a65655e93ed2aeaf36b535ff5b79ddf76c33d54089d9005a66265b.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2852

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2852-0-0x000000013FF90000-0x000000014007C000-memory.dmp

    Filesize

    944KB

    Download

  • memory/2852-1-0x000007FEF5CE0000-0x000007FEF66CC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2852-2-0x000000001BE50000-0x000000001BED0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2852-3-0x00000000005D0000-0x0000000000611000-memory.dmp

    Filesize

    260KB

    Download

  • memory/2852-4-0x0000000000820000-0x000000000086E000-memory.dmp

    Filesize

    312KB

    Download

  • memory/2852-5-0x000007FEF5CE0000-0x000007FEF66CC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2852-6-0x0000000000820000-0x000000000086E000-memory.dmp

    Filesize

    312KB

    Download