Overview

overview

10

Static

static

3

b35c3e6c87...69.exe

windows7-x64

1

b35c3e6c87...69.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/04/2024, 13:36

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    b35c3e6c870e87bef502f7bbd55a1cd197523f044811c48492ec2db2ddb3d369.exe

  • Size

    784KB

  • MD5

    d0acccab52778b77c96346194e38b244

  • SHA1

    b76de41fe35f040ba740171272e202f7119ec6e4

  • SHA256

    b35c3e6c870e87bef502f7bbd55a1cd197523f044811c48492ec2db2ddb3d369

  • SHA512

    b5899e1345615397a64b53db67f837ed823de6dc7952a499063c21a826fe7d296b91031515ae1324d7120573594ab39a184f1d1b196160031af75cbb6783f6f3

  • SSDEEP

    12288:7E+Qn1elNjMVfiXhHP5+C+ZKMnolVZAHI1VOoLpOFEBQe6n:77KMlNjMVIEChey7ACVOo4I6

Score
10/10
cobaltstrike0backdoortrojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

0

C2

http://check.update.fia-gov.org:53/jquery-3.3.1.min.js

http://lms.update.fia-gov.org:53/jquery-3.3.1.min.js

http://scan.update.fia-gov.org:53/jquery-3.3.1.min.js
Attributes
  • access_type

    512

  • beacon_type

    256

  • dns_idle

    1.908702538e+09

  • host

    check.update.fia-gov.org,/jquery-3.3.1.min.js,lms.update.fia-gov.org,/jquery-3.3.1.min.js,scan.update.fia-gov.org,/jquery-3.3.1.min.js

  • http_method1

    GET

  • http_method2

    POST

  • jitter

    9472

  • maxdns

    255

  • polling_time

    45000

  • port_number

    53

  • sc_process32

    %windir%\syswow64\dllhost.exe

  • sc_process64

    %windir%\sysnative\dllhost.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCnOM3nXx+7HBhkbDd+AwFrFisSunK999w2tM0uTpuuEiBalcJhcL+QgQWtf6S7zPp5hjImG+2YcPl18geU4f5JlSPXHwilbK4DFb/ePWyKFjhrA7emVRqhM21QMlo1ANsn14rY/RO2pzuft8P7TXoIjjI/B2GGVuzYNZX6X4I2EwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4.234810624e+09

  • watermark

    0

Signatures

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

    trojanbackdoorcobaltstrike
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3400
      • C:\Users\Admin\AppData\Local\Temp\b35c3e6c870e87bef502f7bbd55a1cd197523f044811c48492ec2db2ddb3d369.exe
        "C:\Users\Admin\AppData\Local\Temp\b35c3e6c870e87bef502f7bbd55a1cd197523f044811c48492ec2db2ddb3d369.exe"
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        • Suspicious use of WriteProcessMemory
        PID:968
      • C:\windows\system32\dwm.exe
        "C:\windows\system32\dwm.exe"
        2⤵
          PID:224

      Network

            MITRE ATT&CK Matrix

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • memory/224-1-0x0000018FBC510000-0x0000018FBC551000-memory.dmp

              Filesize

              260KB

              Download

            • memory/224-2-0x0000018FBE010000-0x0000018FBE482000-memory.dmp

              Filesize

              4.4MB

              Download

            • memory/224-3-0x0000018FBE010000-0x0000018FBE482000-memory.dmp

              Filesize

              4.4MB

              Download

            • memory/968-0-0x00007FFD2EAD0000-0x00007FFD2ECC5000-memory.dmp

              Filesize

              2.0MB

              Download