Overview

overview

10

Static

static

1

2024-04-12...uk.exe

windows7-x64

10

2024-04-12...uk.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-04-2024 12:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-04-12_e99ff56fe506975fa18cb1e7e775fdd6_cobalt-strike_ryuk.exe

  • Size

    583KB

  • MD5

    e99ff56fe506975fa18cb1e7e775fdd6

  • SHA1

    b1e43558e8e4850121c00e795488471f32b31dfe

  • SHA256

    732fbb3f1c828c6f1cbe0492a35feaae4cb1b68d04d9b0e82e82deddc0c48d97

  • SHA512

    3b0416ee6f91160a612baf995bbb7aa73f57937c2198b3dd0e4be4b56d0634e66c5756c7322c3f34859adaa12e4bdece043c48fb9f1d04a52a1a4792b3049dc1

  • SSDEEP

    12288:12ye/RY4Lmil2eRM756/b5utNNTX5c6vSNNyh:My54T9/+X5cyh

Score
10/10
cobaltstrike100000backdoortrojan

Malware Config

Extracted

Family

cobaltstrike

C2

http://img.uioqwea.xyz:8443/messages/DALBNSFFT4Q

Attributes
  • user_agent

    Accept: text/html,application/*,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Host: img.uioqwea.xyz Referer: http://code.jquery.com/ Accept-Encoding: gzip, deflate User-Agent: Mozilla/6.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/7.0)

Extracted

Family

cobaltstrike

Botnet

100000

C2

http://img.uioqwea.xyz:8443/messages/xV5GdE

Attributes
  • access_type

    512

  • beacon_type

    2048

  • host

    img.uioqwea.xyz,/messages/xV5GdE

  • http_header1

    AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAcAAAAAAAAAAwAAAAIAAAAKU0VTU0lPTklEPQAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_header2

    AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAcAAAAAAAAAAwAAAAIAAAAJSlNFU1NJT049AAAABgAAAAZDb29raWUAAAAHAAAAAQAAAAMAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_method1

    GET

  • http_method2

    POST

  • jitter

    2560

  • polling_time

    10000

  • port_number

    8443

  • sc_process32

    %windir%\syswow64\esentutl.exe

  • sc_process64

    %windir%\sysnative\esentutl.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCaQGOQzaqqQLDxqfNAdfZu7isKEAhtTHok92MhWQ6haLF6I92+W3zIHm5+FBWaPVxJ+LV5YaSDuXAwGrTKzYDu/MHzXYcuENLyL4dRuFbJBfJwRImaLDke8V2+zhN0vu0ZSNtDIE4xEKf/UzAj6i/Jdh0+Ha72abUlVMBRn37jLwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    3.092976896e+09

  • unknown2

    AAAABAAAAAEAAATAAAAAAQAAAAwAAAACAAABlAAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /messages/96OpFu

  • user_agent

    Mozilla/6.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/7.0)

  • watermark

    100000

Signatures

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

    trojanbackdoorcobaltstrike
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 20 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 6 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:3408
    • C:\Users\Admin\AppData\Local\Temp\2024-04-12_e99ff56fe506975fa18cb1e7e775fdd6_cobalt-strike_ryuk.exe
      "C:\Users\Admin\AppData\Local\Temp\2024-04-12_e99ff56fe506975fa18cb1e7e775fdd6_cobalt-strike_ryuk.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:1084
      • C:\Windows\SYSTEM32\cmd.exe
        cmd /cd2J4Z2xjbm0.doc
        3⤵
        • Checks computer location settings
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:4364
        • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
          "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\d2J4Z2xjbm0.doc" /o ""
          4⤵
          • Checks processor information in registry
          • Enumerates system info in registry
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious use of SetWindowsHookEx
          PID:3316

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3
T1012

System Information Discovery

4
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\d2J4Z2xjbm0.doc
    Filesize

    93KB

    MD5

    de72533ed8828182ad05d8e7f694548f

    SHA1

    06c86de28558b5cb22539a077e94884a97804f6a

    SHA256

    3ae8dd53d8d97d71900ee8f194e6ce2aeab40b2f01ce01f756098facd249eda2

    SHA512

    ce681b28fd2d3158788399d8c7f81e8b7e31eaceb8885bd4e3209c55b359afd64ef357ffe31c0114aea49ffea2dc7008e6437b863648f54be195edb5fb125c36

    Download Submit
  • memory/3316-11-0x00007FFB558B0000-0x00007FFB558C0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3316-8-0x00007FFB95830000-0x00007FFB95A25000-memory.dmp
    Filesize

    2.0MB

    Download
  • memory/3316-13-0x00007FFB95830000-0x00007FFB95A25000-memory.dmp
    Filesize

    2.0MB

    Download
  • memory/3316-15-0x00007FFB95830000-0x00007FFB95A25000-memory.dmp
    Filesize

    2.0MB

    Download
  • memory/3316-14-0x00007FFB95830000-0x00007FFB95A25000-memory.dmp
    Filesize

    2.0MB

    Download
  • memory/3316-7-0x00007FFB558B0000-0x00007FFB558C0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3316-9-0x00007FFB558B0000-0x00007FFB558C0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3316-10-0x00007FFB95830000-0x00007FFB95A25000-memory.dmp
    Filesize

    2.0MB

    Download
  • memory/3316-12-0x00007FFB95830000-0x00007FFB95A25000-memory.dmp
    Filesize

    2.0MB

    Download
  • memory/3316-3-0x00007FFB558B0000-0x00007FFB558C0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3316-6-0x00007FFB95830000-0x00007FFB95A25000-memory.dmp
    Filesize

    2.0MB

    Download
  • memory/3316-4-0x00007FFB95830000-0x00007FFB95A25000-memory.dmp
    Filesize

    2.0MB

    Download
  • memory/3316-5-0x00007FFB558B0000-0x00007FFB558C0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3316-16-0x00007FFB95830000-0x00007FFB95A25000-memory.dmp
    Filesize

    2.0MB

    Download
  • memory/3316-18-0x00007FFB95830000-0x00007FFB95A25000-memory.dmp
    Filesize

    2.0MB

    Download
  • memory/3316-17-0x00007FFB53330000-0x00007FFB53340000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3316-28-0x00007FFB95830000-0x00007FFB95A25000-memory.dmp
    Filesize

    2.0MB

    Download
  • memory/3316-19-0x00007FFB53330000-0x00007FFB53340000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3316-27-0x00007FFB95830000-0x00007FFB95A25000-memory.dmp
    Filesize

    2.0MB

    Download
  • memory/3408-20-0x0000000000E90000-0x0000000000E91000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3408-33-0x0000000002C10000-0x0000000002C71000-memory.dmp
    Filesize

    388KB

    Download