Overview

overview

10

Static

static

3

c16a2a2f42...61.exe

windows7-x64

7

c16a2a2f42...61.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-04-2024 05:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c16a2a2f422fe378a8b4a65ce9c47139764277682cf113ff6564046dc19d9f61.exe

  • Size

    1.8MB

  • MD5

    69359444b4d6c20a5d35760c4e398e72

  • SHA1

    b18cafef685055e4bdbe34a090d0cf11028b5d86

  • SHA256

    c16a2a2f422fe378a8b4a65ce9c47139764277682cf113ff6564046dc19d9f61

  • SHA512

    eec44f156cfd811b638c85da9a5c5b2f03d3e3ec621e4229cf7d2361e72296e23e1dd5f4a0d78ab02ce390e70aae54c068cbf3b491120d671069098c26342070

  • SSDEEP

    24576:VhQYeEDa/vWCcFbPzvTtfO6BgCf5ekB1ovK+am89fnK4X9ZNYd1MV1FdKD1vWk+p:VS0k69FXpKD1LpIYDrcp2fS/XTl

Score
10/10
cobaltstrikebackdoortrojan

Malware Config

Extracted

Family

cobaltstrike

C2

http://43.142.193.86:80/sIp1

Attributes
  • user_agent

    User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)

Signatures

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

    trojanbackdoorcobaltstrike
  • Executes dropped EXE 1 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c16a2a2f422fe378a8b4a65ce9c47139764277682cf113ff6564046dc19d9f61.exe
    "C:\Users\Admin\AppData\Local\Temp\c16a2a2f422fe378a8b4a65ce9c47139764277682cf113ff6564046dc19d9f61.exe"
    1⤵
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:4192
    • C:\Windows\SysWOW64\cmd.exe
      cmd " /c " C:\Users\Admin\AppData\Local\Temp\中国计量大学现代科技学院关于10月9日施行临时封闭管理措施(1).docx
      2⤵
        PID:2656
      • C:\Users\Public\fdp.exe
        C:\Users\Public\fdp.exe
        2⤵
        • Executes dropped EXE
        PID:3732

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Public\fdp.exe
      Filesize

      19KB

      MD5

      85ca4c24b93dde56321e62ce71aa8bb2

      SHA1

      4eab75f775686e0bc73227158a1efa432aa462e9

      SHA256

      d477d9fdfd2da88396a21f277c066635d34c6ed17c570b740364d7e04d3618eb

      SHA512

      135775dab2dd24b345e33ac6a026e72d8b37b63a2f4156921c8995dd5e1cf2a8219571f29de4ded832d4d4cc8a6235449f962e797065ad6094ba1b622eb5aec6

      Download Submit
    • memory/3732-5-0x00007FF677E30000-0x00007FF677E38000-memory.dmp
      Filesize

      32KB

      Download
    • memory/3732-6-0x0000021A6A440000-0x0000021A6A442000-memory.dmp
      Filesize

      8KB

      Download