cobaltstrike | c419c26008463823963113284f1b01535ec141a30f5e14bf151147b3c1386314

Analysis

max time kernel
119s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25-04-2024 16:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c419c26008463823963113284f1b01535ec141a30f5e14bf151147b3c1386314.exe
Size

1.8MB
MD5

c12ffe233630bb216f04c392a3a46ba2
SHA1

33abb4914e43f575e6689d88ffc10fed90c04ff3
SHA256

c419c26008463823963113284f1b01535ec141a30f5e14bf151147b3c1386314
SHA512

f9a7731feea054663d811024d59e8460e4fd1ba48844334113fd5b35fc9d33cd1b74b9a5ba8e434499d3aa93b20063a711234500c8589c72fd57b48c4a47ebdb
SSDEEP

49152:r7LEqdDdrb/TXvO90dL3BmAFd4A64nsfJO7CDWRgvUVNO1AFub1Nd:jE8J9/2v

Score

10^/10

cobaltstrike backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

http://1.116.160.39:80/user.js

Attributes

user_agent
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: RenamesItself 1 IoCs

Processes:

c419c26008463823963113284f1b01535ec141a30f5e14bf151147b3c1386314.exe

pid process

2892 c419c26008463823963113284f1b01535ec141a30f5e14bf151147b3c1386314.exe

pid	process
2892	c419c26008463823963113284f1b01535ec141a30f5e14bf151147b3c1386314.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

c419c26008463823963113284f1b01535ec141a30f5e14bf151147b3c1386314.execmd.exe

description	pid	process	target process
PID 2892 wrote to memory of 3016	2892	c419c26008463823963113284f1b01535ec141a30f5e14bf151147b3c1386314.exe	cmd.exe
PID 2892 wrote to memory of 3016	2892	c419c26008463823963113284f1b01535ec141a30f5e14bf151147b3c1386314.exe	cmd.exe
PID 2892 wrote to memory of 3016	2892	c419c26008463823963113284f1b01535ec141a30f5e14bf151147b3c1386314.exe	cmd.exe
PID 3016 wrote to memory of 2520	3016	cmd.exe	NOTEPAD.EXE
PID 3016 wrote to memory of 2520	3016	cmd.exe	NOTEPAD.EXE
PID 3016 wrote to memory of 2520	3016	cmd.exe	NOTEPAD.EXE

C:\Users\Admin\AppData\Local\Temp\c419c26008463823963113284f1b01535ec141a30f5e14bf151147b3c1386314.exe
"C:\Users\Admin\AppData\Local\Temp\c419c26008463823963113284f1b01535ec141a30f5e14bf151147b3c1386314.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2892

C:\Windows\system32\cmd.exe
cmd " /c " C:\Users\Admin\AppData\Local\Temp\谷歌.txt
2⤵
- Suspicious use of WriteProcessMemory
PID:3016

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\谷歌.txt
3⤵
PID:2520

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\谷歌.txt
Filesize
349B

MD5
39c36f1364ae8568df34eb9523da440d

SHA1
f27a71203e9ac14125eaaaa4f5e017530e8cfb8b

SHA256
78117462ce9ede6688e95338da19e7160e039b8e37869f8d6e8389d82c2f011b

SHA512
621e89de6fda053b029ae98880c8b017437723ed143892e17446c5ab529ab4b41146c64c689c0ca481f47711acbf46a23e03a5ee66cb46efefef7c77bd96c01a

Download Submit
memory/2892-2-0x000000C000000000-0x000000C000400000-memory.dmp

Filesize
4.0MB

Download