Overview

overview

10

Static

static

3

94a7c995a3...d6.exe

windows7-x64

10

94a7c995a3...d6.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-04-2024 07:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    94a7c995a3f87308dea447de9c3e84ef086fe0379d108332970bc7f2d22efed6.exe

  • Size

    315KB

  • MD5

    36eed47751bc04ee9fb82d3f0e836239

  • SHA1

    e17fbeefbdca5b0a87393f031479e35cd38d8a68

  • SHA256

    94a7c995a3f87308dea447de9c3e84ef086fe0379d108332970bc7f2d22efed6

  • SHA512

    b0a76342e605cfa95940cb41f61579a8bd2fb347521a6c10a34fc526546abbdc721ec499a8e9c422137eced2a9ad966c69e1ace7ba976e059e273838f8ce3066

  • SSDEEP

    6144:SCGaECnpAoDO1A8dg3iTPJLMfgQZX+tJs0dxm:DGHCnaomAEg3uPdkgOX+tZdxm

Score
10/10
cobaltstrikebackdoortrojan

Malware Config

Extracted

Family

cobaltstrike

C2

http://192.168.209.130:80/6Uco

Attributes
  • user_agent

    User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0; BOIE9;ENUS)

Signatures

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

    trojanbackdoorcobaltstrike
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\94a7c995a3f87308dea447de9c3e84ef086fe0379d108332970bc7f2d22efed6.exe
    "C:\Users\Admin\AppData\Local\Temp\94a7c995a3f87308dea447de9c3e84ef086fe0379d108332970bc7f2d22efed6.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:224
    • C:\windows\artifact.exe
      "C:\windows\artifact.exe"
      2⤵
      • Executes dropped EXE
      PID:4636
    • C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\windows\1.txt
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:2532
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3928 --field-trial-handle=2304,i,6987730730348465820,3913273227385401271,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:4036

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\artifact.exe
      Filesize

      17KB

      MD5

      4c3a97498bc22396427d1219c0ec9f32

      SHA1

      cf4e60fee510fe040b68e23fd12ae862f8e9e01f

      SHA256

      e2f7be9ba9a6a7efedf2dbdcf4be285a3d886d54528b60a5432d5e0ba9054ced

      SHA512

      4e1fdc6a8d26834fcc0de67a59cda8c154ff86a219b4b3f443a6199488ceb1562bf01c14b90e049dc2cd3edc7aeee9fbedbbef83392fc305aaf84ba7f61583b8

      Download Submit
    • memory/4636-9-0x0000000000020000-0x0000000000021000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4636-10-0x0000000000400000-0x000000000040C000-memory.dmp
      Filesize

      48KB

      Download