Analysis

  • max time kernel: 134s
  • max time network: 157s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240226-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 23-04-2024 04:24

General

  • Target: cf2d751c9c834f20760a78df080d0f5a82c4a227a01ecfbc10efdddb9f1e2cfc.exe
  • Size: 6.3MB
  • MD5: 09d3ed57114952660493d6dd78420556
  • SHA1: fc415e12f54e028977749316b7d315527ac786b5
  • SHA256: cf2d751c9c834f20760a78df080d0f5a82c4a227a01ecfbc10efdddb9f1e2cfc
  • SHA512: e37643c9c33add5be03343f8ac2b8293daea1553a41fdefd33ae35669dc8262f01a63d4befe2d5dd9a024ec38392a23c3d241dc7d0ecbe01394f10e01a326590
  • SSDEEP: 196608:t+4hF+m1vG5C8pRQOz7b5b/yVLbyqyN7ank1d4RJ:tX1O1l7b5z9anw0

Malware Config

Extracted

  • Family: cobaltstrike
  • C2: http://43.138.112.88:5555/wJUG
  • Attributes
    • user_agent: User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENAU)

Signatures

  • Cobaltstrike
    Detected malicious payload which is part of Cobaltstrike.
  • Loads dropped DLL (6 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (2 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\cf2d751c9c834f20760a78df080d0f5a82c4a227a01ecfbc10efdddb9f1e2cfc.exe
    "C:\Users\Admin\AppData\Local\Temp\cf2d751c9c834f20760a78df080d0f5a82c4a227a01ecfbc10efdddb9f1e2cfc.exe"
    • Suspicious use of WriteProcessMemory
    PID: 3628
    • C:\Users\Admin\AppData\Local\Temp\cf2d751c9c834f20760a78df080d0f5a82c4a227a01ecfbc10efdddb9f1e2cfc.exe (child process)
      "C:\Users\Admin\AppData\Local\Temp\cf2d751c9c834f20760a78df080d0f5a82c4a227a01ecfbc10efdddb9f1e2cfc.exe"
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      PID: 864
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2268 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:8
    PID: 4772

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_MEI36282\VCRUNTIME140.dll
    Filesize: 85KB
    MD5: edf9d5c18111d82cf10ec99f6afa6b47
    SHA1: d247f5b9d4d3061e3d421e0e623595aa40d9493c
    SHA256: d89c7b863fc1ac3a179d45d5fe1b9fd35fb6fbd45171ca68d0d68ab1c1ad04fb
    SHA512: bf017aa8275c5b6d064984a606c5d40852aa70047759468395fe520f7f68b5452befc3145efaa7c51f8ec3bf71d9e32dbd5633637f040d58ff9a4b6953bf1cbf

  • C:\Users\Admin\AppData\Local\Temp\_MEI36282\_ctypes.pyd
    Filesize: 127KB
    MD5: 41d0a0a29151e675334f780c941c159f
    SHA1: effc2358cd8b29a7dd838d854bdd985ef7c2ca7b
    SHA256: 753f0ed64458b593fb181d971353742c37529a333580e83f8af4f2828dc65b81
    SHA512: 43c8a7b8f12b14f33cc21a2e312be32da1cf1dccbed72d0765930075bca7914f549ccfd4233f1e9410cd0909e36eb4cf5e32f7c1af8e914ed2c4c2b139a4432a

  • C:\Users\Admin\AppData\Local\Temp\_MEI36282\base_library.zip
    Filesize: 767KB
    MD5: 46443819f1b99332e2e37dbb6496088c
    SHA1: f1cb8dca548a75c83870dd67564d60c74061fa0a
    SHA256: e73fffa46200d9bf0172059d3a656588dfc35bba25351a298eefa4840d3521d7
    SHA512: 5d8ec0848e640bf2c9043cedce3f25ff0d65147abf1fe0476be6d7417b1c82487851a90cef30185e034efbfce857809bb609a3b8a8bcc1690d38b31a7585a2ad

  • C:\Users\Admin\AppData\Local\Temp\_MEI36282\python36.dll
    Filesize: 3.4MB
    MD5: 93de8b996048d9090d7d6b36e7c22c58
    SHA1: d6d8ceb8a871a2b837989f5bc8517922364fb062
    SHA256: 89a963d8b75e2c23cc8d0c24d72e2662424cd9006dece16bc93fb5d3a3f665fa
    SHA512: bc34ea015d763e50dd3e7c3791b224c1ea242e87b35c178baedff46075fbe61bccd9ff6cae997f63922dea5f8c2f3e2ff6396cf64b9f5ca7979dd08c72186d89

  • C:\Users\Admin\AppData\Local\Temp\_MEI36282\pywintypes36.dll
    Filesize: 133KB
    MD5: 1bd3075cbff50b3761065efa900b9dbd
    SHA1: 94a43392a5f1644d5c0809704afb21a3df28f94f
    SHA256: 88653bb3828f9a4ce988ff92f56976e08540cbe14bd8d87bab5dd044e0d5a66e
    SHA512: b673714e4756b635592a117d5ebba2960ecc8c856bb5d8bd30b6ad2154906606b131b0771c12f29cfb0e110f45fedb25834d2da96b523040da4f5bbcfe62c051

  • C:\Users\Admin\AppData\Local\Temp\_MEI36282\ucrtbase.dll
    Filesize: 978KB
    MD5: cca4929ef8dd988d7221ef6ba398f1b5
    SHA1: 1d21e60e56a15038702dc18148be8cecee279890
    SHA256: 4292c29e74d90aef21bbad50e8fe25858c5990846adb629372ca6fd717cd0ca3
    SHA512: d990d1370201541e7a1e1ec9b68e40a984d0195847010919148d0de80d2a2c51bcccfeeca59087fca95ab410c9e170c4585c8daa1383f1383b98500d797a41ca

  • C:\Users\Admin\AppData\Local\Temp\_MEI36282\win32gui.pyd
    Filesize: 237KB
    MD5: c56101dd4ee240ae8770b54cd5ad1525
    SHA1: 69e770986f7cad500fabfe6d9abb8fd791f9ccc2
    SHA256: 30623bc9bf3f8f7e123fab2981bf63c96909d7889e4e09c44345f7332414708f
    SHA512: 96fe6ae1e1d14ecd27e036c80d1203fd2b311f02072e7081d80716eaac6972d84169398aced380a6823840defd8a9499b88a27155fee6e578c5fa7fe0a6b8f48

  • memory/864-66-0x0000028F8EE60000-0x0000028F8EE61000-memory.dmp
    Filesize: 4KB