Analysis

  • max time kernel
    142s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09-06-2024 09:31

General

  • Target

    2024-06-09_2b1cd3e00b5ba3df3b0328aeb5876ea5_cobalt-strike_cobaltstrike_ryuk.exe

  • Size

    1.9MB

  • MD5

    2b1cd3e00b5ba3df3b0328aeb5876ea5

  • SHA1

    d736463ea5745e158c34e073145a4815075a6fb2

  • SHA256

    72a0d983693ffa95d76976efc9dc329450899f09cbbfc610b3d29e0fbdc620ba

  • SHA512

    1a4cfff08b1355da5571a58ab5c13ce7b558febac56b596575d7e00623619df066d98c536be81173b460ffce683ca197bf14b063050ae6d00ac70542fb120b68

  • SSDEEP

    24576:CNAqOAHzeEevemDMUnr1UE2XCCWiFNJRjlI1kmt22+GPjRREw/TQy0z/9we:zDASDMURCfjlI1aK

Malware Config

Extracted

Family

cobaltstrike

Botnet

100000000

C2

http://oss-ap-northeast-1.aliyunesc.com:443/logstores/web/track

Attributes
  • access_type

    512

  • beacon_type

    2048

  • host

    oss-ap-northeast-1.aliyunesc.com,/logstores/web/track

  • http_header1

    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

  • http_header2 (base64 of the http-post client transform block: 4-byte big-endian opcodes, each followed by a length-prefixed string or a build target, terminated by opcode 0 and zero padded to the field width)

    AAAACgAAABhDb250ZW50LVR5cGU6IHRleHQvcGxhaW4AAAAQAAAAJkhvc3Q6IG9zcy1hcC1ub3J0aGVhc3QtMS5hbGl5dW5lc2MuY29tAAAACgAAAE1BdXRob3JpemF0aW9uOiBTVFMuTlRvYkZ1WVluNkVCeEFWaEMxOHRhVW94Y2lzOmdTMDlrOGE4ZkR3d2dSMGV5OUllQ0Z1TmZyeHBTQQAAAAoAAAAtQ29udGVudC1NRDU6IDg2RTRDRDExRkYxMjBDNDFDQzBDMjZCM0Q1MTlBQzYyAAAABwAAAAAAAAAPAAAADQAAAAUAAAAOWC1BQ0NFU1MtVE9LRU4AAAAHAAAAAQAAAA8AAAANAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_method1

    GET

  • http_method2

    POST

  • jitter

    9472

  • polling_time (beacon sleep, in milliseconds)

    35000

  • port_number

    443

  • sc_process32

    %windir%\syswow64\svchost.exe -k netsvcs

  • sc_process64

    %windir%\sysnative\svchost.exe -k netsvcs

  • state_machine (despite the label, this is the beacon's RSA-1024 public key: base64 of a DER SubjectPublicKeyInfo followed by zero padding)

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCWAGo2mSS56xc1gxUYOjN+RphQu6wlY6A7G2GZ41QgxVEKKlE2obIvYnsqQd20lzowy1uxNHNB+UTQkd50Bx/3YyF6u7OGUvH0u2OpARSsyKflRNl66Yu+JD/dRm1iHvwhRBI9dtEqY+XhBJtoS3cPbOn9mYcSNdxwqXMyMZCsIwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    1532302592 (rendered by the sandbox as 1.532302592e+09)

  • unknown2 (decodes to the transform opcodes 4, 13, 15, i.e. print, base64url, mask, followed by zero padding: the server-side output transform list stored in the order the beacon undoes it)

    AAAABAAAAA0AAAAPAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /logstores/server/trackers.log

  • user_agent

    HTTPie/3.1.6

  • watermark

    100000000
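
The http_header2 and unknown2 values above are base64-encoded Malleable C2 transform programs: a run of 4-byte big-endian opcodes, each followed by its argument (a u32 length plus string, a u32 build target, or nothing), terminated by opcode 0 and zero padded. The decoder below is an added example, not code from the sandbox report or from Cobalt Strike; the opcode table is the one public beacon-config parsers use, and the two-string layout assumed for opcode 14 (strrep) is not exercised by this report's blobs. Run against http_header2 it renders the http-post client block of the profile: four fixed headers, an id block that masks and base64url-encodes the session id and sends it in the X-ACCESS-TOKEN query parameter, and an output block that does the same to the POST body. unknown2 decodes to print, base64url, mask, the get-server output transforms as the beacon applies them to inbound data.

```python
"""Decode Cobalt Strike Malleable C2 transform blobs from a beacon config.

Added example; not code from the sandbox report or from any Cobalt Strike
tooling. Layout: u32 big-endian opcode, then its argument (u32 length + bytes,
u32 build target, or nothing), repeated until opcode 0; the rest is padding.
"""
import base64
import struct

# The two blobs as printed in the report (http_header2 and unknown2).
HTTP_POST_CLIENT_B64 = "AAAACgAAABhDb250ZW50LVR5cGU6IHRleHQvcGxhaW4AAAAQAAAAJkhvc3Q6IG9zcy1hcC1ub3J0aGVhc3QtMS5hbGl5dW5lc2MuY29tAAAACgAAAE1BdXRob3JpemF0aW9uOiBTVFMuTlRvYkZ1WVluNkVCeEFWaEMxOHRhVW94Y2lzOmdTMDlrOGE4ZkR3d2dSMGV5OUllQ0Z1TmZyeHBTQQAAAAoAAAAtQ29udGVudC1NRDU6IDg2RTRDRDExRkYxMjBDNDFDQzBDMjZCM0Q1MTlBQzYyAAAABwAAAAAAAAAPAAAADQAAAAUAAAAOWC1BQ0NFU1MtVE9LRU4AAAAHAAAAAQAAAA8AAAANAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="
GET_SERVER_OUTPUT_B64 = "AAAABAAAAA0AAAAPAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=="

# opcode -> (mnemonic, argument kind). "str": u32 length + bytes; "int": u32;
# "str2": two length-prefixed strings (strrep; assumed layout, not exercised here).
OPS = {
    1: ("append", "str"),      2: ("prepend", "str"),
    3: ("base64", None),       4: ("print", None),
    5: ("parameter", "str"),   6: ("header", "str"),
    7: ("build", "int"),       8: ("netbios", None),
    9: ("_parameter", "str"),  10: ("_header", "str"),
    11: ("netbiosu", None),    12: ("uri_append", None),
    13: ("base64url", None),   14: ("strrep", "str2"),
    15: ("mask", None),        16: ("_hostheader", "str"),
}
BUILD_TARGET = {0: "id", 1: "output"}  # build argument in an http-post client block


def b64_lenient(s: str) -> bytes:
    """Decode base64 however much '=' padding survived copy/paste."""
    s = s.strip().rstrip("=")
    if len(s) % 4 == 1:            # a lone trailing sextet cannot encode a byte; drop it
        s = s[:-1]
    return base64.b64decode(s + "=" * (-len(s) % 4))


def decode_transforms(blob_b64: str) -> list[tuple[str, object]]:
    """Return [(mnemonic, argument), ...]; stops at opcode 0 (start of padding)."""
    data = b64_lenient(blob_b64)
    pos, steps = 0, []

    def u32() -> int:
        nonlocal pos
        (v,) = struct.unpack_from(">I", data, pos)
        pos += 4
        return v

    def string() -> str:
        nonlocal pos
        n = u32()
        if pos + n > len(data):
            raise ValueError(f"string of {n} bytes overruns blob at offset {pos}")
        s = data[pos:pos + n].decode("latin-1")
        pos += n
        return s

    while pos + 4 <= len(data):
        op = u32()
        if op == 0:
            break                  # terminator; everything after is zero padding
        if op not in OPS:
            raise ValueError(f"unknown transform opcode {op} at offset {pos - 4}")
        name, kind = OPS[op]
        if kind is None:
            steps.append((name, None))
        elif kind == "int":
            v = u32()
            steps.append((name, BUILD_TARGET.get(v, v)))
        elif kind == "str":
            steps.append((name, string()))
        else:
            steps.append((name, (string(), string())))
    return steps


def to_profile(steps) -> str:
    """Render decoded steps in Malleable C2 profile syntax (http-post client form)."""
    top, blocks, current = [], [], None
    for name, arg in steps:
        target = current if current is not None else top
        if name == "build":
            current = []
            blocks.append((arg, current))
        elif name in ("_header", "_hostheader"):
            key, _, val = arg.partition(": ")
            target.append(f'header "{key}" "{val}";')
        elif isinstance(arg, tuple):
            target.append(f'{name} "{arg[0]}" "{arg[1]}";')
        else:
            target.append(f'{name} "{arg}";' if arg is not None else f"{name};")
    return "\n".join(top + [f"{t} {{ {' '.join(body)} }}" for t, body in blocks])


if __name__ == "__main__":
    print(to_profile(decode_transforms(HTTP_POST_CLIENT_B64)))
    print("get-server output, decode order:",
          [n for n, _ in decode_transforms(GET_SERVER_OUTPUT_B64)])
```

The rendered profile is what a hunt rule would key on: a POST to the uri above with an X-ACCESS-TOKEN query parameter, a Content-MD5 header that never changes regardless of body (a real OSS request's would), and a fixed STS Authorization value. The lenient base64 helper matters because config dumps routinely lose their trailing '=' when pasted between tools.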

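The state_machine field is not a state machine: "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQ" is the fixed DER prefix of a 1024-bit RSA SubjectPublicKeyInfo, the key the beacon encrypts its session metadata to, zero padded to the field width. The script below is an added example, not report or Cobalt Strike code; it walks the DER by hand (no third-party module), rejects anything that is not an rsaEncryption key or has non-zero bytes after the key, and returns the modulus size, the exponent and a SHA-256 of the SPKI. That hash is a stable pivot for tying samples to the same team server, since the key pair belongs to the team server and is reused by every beacon it exports.

```python
"""Extract and fingerprint the RSA public key stored in a beacon config.

Added example; not code from the sandbox report or from any Cobalt Strike
tooling. Input: the base64 field as printed above (DER SPKI + zero padding).
"""
import base64
import hashlib

# The state_machine value as printed in the report.
PUBKEY_FIELD_B64 = "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCWAGo2mSS56xc1gxUYOjN+RphQu6wlY6A7G2GZ41QgxVEKKlE2obIvYnsqQd20lzowy1uxNHNB+UTQkd50Bx/3YyF6u7OGUvH0u2OpARSsyKflRNl66Yu+JD/dRm1iHvwhRBI9dtEqY+XhBJtoS3cPbOn9mYcSNdxwqXMyMZCsIwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=="

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1


def b64_lenient(s: str) -> bytes:
    """Decode base64 however much '=' padding survived copy/paste."""
    s = s.strip().rstrip("=")
    if len(s) % 4 == 1:
        s = s[:-1]
    return base64.b64decode(s + "=" * (-len(s) % 4))


def der_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Read one DER tag/length/value at pos; return (tag, value, end_offset)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER length overruns buffer")
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_spki(field_b64: str) -> dict:
    raw = b64_lenient(field_b64)
    tag, spki, end = der_tlv(raw, 0)       # SEQUENCE { AlgorithmIdentifier, BIT STRING }
    if tag != 0x30:
        raise ValueError("field does not start with a DER SEQUENCE")
    if any(raw[end:]):
        raise ValueError("non-zero bytes after the SPKI; not plain padding")
    tag, algid, pos = der_tlv(spki, 0)
    oid_tag, oid, _ = der_tlv(algid, 0)
    if tag != 0x30 or oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bits, _ = der_tlv(spki, pos)
    if tag != 0x03 or bits[:1] != b"\x00":  # BIT STRING with zero unused bits
        raise ValueError("malformed subjectPublicKey")
    _, rsakey, _ = der_tlv(bits[1:], 0)    # RSAPublicKey ::= SEQUENCE { n INTEGER, e INTEGER }
    _, n_bytes, pos = der_tlv(rsakey, 0)
    _, e_bytes, _ = der_tlv(rsakey, pos)
    n, e = int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")
    return {
        "der_length": end,
        "modulus_bits": n.bit_length(),
        "exponent": e,
        "modulus_hex": f"{n:x}",
        # SHA-256 of the DER SPKI: the value to pivot on across samples.
        "spki_sha256": hashlib.sha256(raw[:end]).hexdigest(),
    }


if __name__ == "__main__":
    for k, v in parse_rsa_spki(PUBKEY_FIELD_B64).items():
        print(f"{k}: {v}")
```

If the field were ever something other than a padded RSA SPKI (a different DER type, a key with trailing non-zero data), the parser raises instead of returning a plausible-looking fingerprint, which is the behaviour you want before a hash ends up in a pivot table.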
Signatures

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

  • Detects Reflective DLL injection artifacts (1 IoC)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-09_2b1cd3e00b5ba3df3b0328aeb5876ea5_cobalt-strike_cobaltstrike_ryuk.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-09_2b1cd3e00b5ba3df3b0328aeb5876ea5_cobalt-strike_cobaltstrike_ryuk.exe"
    PID: 4924
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3620 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
      PID: 3928

Downloads

  • memory/4924-8-0x0000022A4D220000-0x0000022A4D261000-memory.dmp
    Filesize: 260KB
  • memory/4924-9-0x0000022A4D270000-0x0000022A4D2BE000-memory.dmp
    Filesize: 312KB
  • memory/4924-10-0x0000022A4D270000-0x0000022A4D2BE000-memory.dmp
    Filesize: 312KB