cobaltstrike | 1f5a915e75ad96e560cee3e24861cf6f8de299fdf79e1829453defbfe2013239

Analysis

max time kernel
128s
max time network
121s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
10-04-2024 09:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f5a915e75ad96e560cee3e24861cf6f8de299fdf79e1829453defbfe2013239.dll
Size

297KB
MD5

d622b7b553d981c526ab7ac4c5884ad5
SHA1

bca1177027130c0d6b30a328cff526e882cc8d65
SHA256

1f5a915e75ad96e560cee3e24861cf6f8de299fdf79e1829453defbfe2013239
SHA512

c5ef99d73ca520a775c05e6e7be3205cb5cf34f7ab227903a6cd0f42bd78c7dbc3f0e3e6aa643016cc1a744163e51ac85d4bf05367d2370a06a25d6e694f11ae
SSDEEP

6144:1msMAvQ2l2lr0TVLWmwaRPl2Bal9W8g+3IW8O:1bMWQ2l2lrSLxqBaXg+YHO

Score

10^/10

cobaltstrike 305419896 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

305419896

http://tacomanewspaper.com:443/security/update/uaswraddfaWf

Attributes

access_type
512
beacon_type
2048
host
tacomanewspaper.com,/security/update/uaswraddfaWf
http_header1
AAAACgAAABxBY2NlcHQ6IHRleHQvaHRtbCxpbWFnZS9qcGVnAAAACgAAABdDYWNoZS1Db250cm9sOiBuby1jYWNoZQAAAAcAAAAAAAAACAAAAAEAAAAGdjIuMzlzAAAADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAABZDb25uZWN0aW9uOiBLZWVwLUFsaXZlAAAACgAAABdDYWNoZS1Db250cm9sOiBuby1jYWNoZQAAAAcAAAAAAAAACwAAAAEAAAAGL3YyLjI4AAAADAAAAAcAAAABAAAAAwAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_method1
GET
http_method2
POST
jitter
3840
maxdns
255
polling_time
35000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDk6IzLqUoHwEbiA53p6R+ozKtuJJbTwLanw3L8EtsxdScTZaz/lTgpbmnQ4XWix3/Dpa33rT3kldnu77KUxRF1xPjG/kAzJLQYtIRKL+Y7G9fXGMP96D63lMtJBZStijYgeYhOOU9/kRGbO8mfTxpN+4rdSBpGD9GgjGtyF5oM2QIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
1.481970944e+09
unknown2
AAAABAAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/security/download/posdkgk
user_agent
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
watermark
305419896

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

notepad.exe

pid process

2920 notepad.exe

pid	process
2920	notepad.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2912 wrote to memory of 2924	2912	rundll32.exe	rundll32.exe
PID 2912 wrote to memory of 2924	2912	rundll32.exe	rundll32.exe
PID 2912 wrote to memory of 2924	2912	rundll32.exe	rundll32.exe
PID 2912 wrote to memory of 2924	2912	rundll32.exe	rundll32.exe
PID 2912 wrote to memory of 2924	2912	rundll32.exe	rundll32.exe
PID 2912 wrote to memory of 2924	2912	rundll32.exe	rundll32.exe
PID 2912 wrote to memory of 2924	2912	rundll32.exe	rundll32.exe
PID 2924 wrote to memory of 2920	2924	rundll32.exe	notepad.exe
PID 2924 wrote to memory of 2920	2924	rundll32.exe	notepad.exe
PID 2924 wrote to memory of 2920	2924	rundll32.exe	notepad.exe
PID 2924 wrote to memory of 2920	2924	rundll32.exe	notepad.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1f5a915e75ad96e560cee3e24861cf6f8de299fdf79e1829453defbfe2013239.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2912

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1f5a915e75ad96e560cee3e24861cf6f8de299fdf79e1829453defbfe2013239.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:2924

C:\Windows\SysWOW64\notepad.exe
notepad.exe C:\Users\Admin\AppData\Local\Temp\data\information.txt
3⤵
- Opens file in notepad (likely ransom note)
PID:2920

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2924-0-0x0000000001E30000-0x0000000001E96000-memory.dmp

Filesize
408KB

Download
memory/2924-1-0x00000000001D0000-0x000000000020D000-memory.dmp

Filesize
244KB

Download
memory/2924-15-0x00000000001D0000-0x000000000020D000-memory.dmp

Filesize
244KB

Download