Analysis Overview
SHA256
fabb563ea894000b1a55841f50308d80b36dfc0184888fe5b3923964eaf50cd9
Threat Level: Known bad
The file fabb563ea894000b1a55841f50308d80b36dfc0184888fe5b3923964eaf50cd9 was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike family
Cobaltstrike
Loads dropped DLL
Detects Pyinstaller
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-11 10:30
Signatures
Cobaltstrike family
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-11 10:30
Reported
2024-06-11 10:33
Platform
win7-20240220-en
Max time kernel
148s
Max time network
149s
Command Line
Signatures
Cobaltstrike
Loads dropped DLL
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2784 wrote to memory of 3056 | N/A | C:\Users\Admin\AppData\Local\Temp\fabb563ea894000b1a55841f50308d80b36dfc0184888fe5b3923964eaf50cd9.exe | C:\Users\Admin\AppData\Local\Temp\fabb563ea894000b1a55841f50308d80b36dfc0184888fe5b3923964eaf50cd9.exe |
| PID 2784 wrote to memory of 3056 | N/A | C:\Users\Admin\AppData\Local\Temp\fabb563ea894000b1a55841f50308d80b36dfc0184888fe5b3923964eaf50cd9.exe | C:\Users\Admin\AppData\Local\Temp\fabb563ea894000b1a55841f50308d80b36dfc0184888fe5b3923964eaf50cd9.exe |
| PID 2784 wrote to memory of 3056 | N/A | C:\Users\Admin\AppData\Local\Temp\fabb563ea894000b1a55841f50308d80b36dfc0184888fe5b3923964eaf50cd9.exe | C:\Users\Admin\AppData\Local\Temp\fabb563ea894000b1a55841f50308d80b36dfc0184888fe5b3923964eaf50cd9.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\fabb563ea894000b1a55841f50308d80b36dfc0184888fe5b3923964eaf50cd9.exe
"C:\Users\Admin\AppData\Local\Temp\fabb563ea894000b1a55841f50308d80b36dfc0184888fe5b3923964eaf50cd9.exe"
C:\Users\Admin\AppData\Local\Temp\fabb563ea894000b1a55841f50308d80b36dfc0184888fe5b3923964eaf50cd9.exe
"C:\Users\Admin\AppData\Local\Temp\fabb563ea894000b1a55841f50308d80b36dfc0184888fe5b3923964eaf50cd9.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 192.168.104.38:80 | tcp | |
| N/A | 192.168.104.38:80 | tcp | |
| N/A | 192.168.104.38:80 | tcp | |
| N/A | 192.168.104.38:80 | tcp | |
| N/A | 192.168.104.38:80 | tcp | |
| N/A | 192.168.104.38:80 | tcp | |
| N/A | 192.168.104.38:80 | tcp | |
| N/A | 192.168.104.38:80 | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\_MEI27842\python38.dll
| MD5 | 3cd1e87aeb3d0037d52c8e51030e1084 |
| SHA1 | 49ecd5f6a55f26b0fb3aeb4929868b93cc4ec8af |
| SHA256 | 13f7c38dc27777a507d4b7f0bd95d9b359925f6f5bf8d0465fe91e0976b610c8 |
| SHA512 | 497e48a379885fdd69a770012e31cd2a62536953e317bb28e3a50fdb177e202f8869ea58fc11802909cabb0552d8c8850537e9fb4ead7dd14a99f67283182340 |
C:\Users\Admin\AppData\Local\Temp\_MEI27842\VCRUNTIME140.dll
| MD5 | 8697c106593e93c11adc34faa483c4a0 |
| SHA1 | cd080c51a97aa288ce6394d6c029c06ccb783790 |
| SHA256 | ff43e813785ee948a937b642b03050bb4b1c6a5e23049646b891a66f65d4c833 |
| SHA512 | 724bbed7ce6f7506e5d0b43399fb3861dda6457a2ad2fafe734f8921c9a4393b480cdd8a435dbdbd188b90236cb98583d5d005e24fa80b5a0622a6322e6f3987 |
C:\Users\Admin\AppData\Local\Temp\_MEI27842\base_library.zip
| MD5 | df8b8c969ff2b6f8bb7366501364edea |
| SHA1 | abe794715ba88790786c171625db7547f6f7dbac |
| SHA256 | 6cb8ff9586c8511e415b08fb2ea329c66eb4e19c345a951b29781f8bf6de3b08 |
| SHA512 | 80415fce07ddc2bd4ccad95b9d4899ee7745a5f001880e72f8eee80eca884ed432a9dcbf1301cf193e09f89d74393469cdd7e2d5eca89b77e40b98323cbf5a3b |
C:\Users\Admin\AppData\Local\Temp\_MEI27842\_ctypes.pyd
| MD5 | 4d13a7b3ecc8c7dc96a0424c465d7251 |
| SHA1 | 0c72f7259ac9108d956aede40b6fcdf3a3943cb5 |
| SHA256 | 2995ef03e784c68649fa7898979cbb2c1737f691348fae15f325d9fc524df8ed |
| SHA512 | 68ff7c421007d63a970269089afb39c949d6cf9f4d56aff7e4e0b88d3c43cfaa352364c5326523386c00727cc36e64274a51b5dbb3a343b16201cf5fc264fec8 |
C:\Users\Admin\AppData\Local\Temp\_MEI27842\libffi-7.dll
| MD5 | eef7981412be8ea459064d3090f4b3aa |
| SHA1 | c60da4830ce27afc234b3c3014c583f7f0a5a925 |
| SHA256 | f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081 |
| SHA512 | dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016 |
C:\Users\Admin\AppData\Local\Temp\_MEI27842\_socket.pyd
| MD5 | eb974aeda30d7478bb800bb4c5fbc0a2 |
| SHA1 | c5b7bc326bd003d42bcf620d657cac3f46f9d566 |
| SHA256 | 1db7b4f6ae31c4d35ef874eb328f735c96a2457677a3119e9544ee2a79bc1016 |
| SHA512 | f9eea3636371ba508d563cf21541a21879ce50a5666e419ecfd74255c8decc3ae5e2ceb4a8f066ae519101dd71a116335a359e3343e8b2ff3884812099ae9b1b |
C:\Users\Admin\AppData\Local\Temp\_MEI27842\select.pyd
| MD5 | 08b499ae297c5579ba05ea87c31aff5b |
| SHA1 | 4a1a9f1bf41c284e9c5a822f7d018f8edc461422 |
| SHA256 | 940fb90fd78b5be4d72279dcf9c24a8b1fcf73999f39909980b12565a7921281 |
| SHA512 | ab26f4f80449aa9cc24e68344fc89aeb25d5ba5aae15aeed59a804216825818edfe31c7fda837a93a6db4068ccfb1cc7e99173a80bd9dda33bfb2d3b5937d7e9 |
memory/3056-34-0x0000000002960000-0x0000000002961000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-11 10:30
Reported
2024-06-11 10:33
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Cobaltstrike
Loads dropped DLL
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4944 wrote to memory of 3804 | N/A | C:\Users\Admin\AppData\Local\Temp\fabb563ea894000b1a55841f50308d80b36dfc0184888fe5b3923964eaf50cd9.exe | C:\Users\Admin\AppData\Local\Temp\fabb563ea894000b1a55841f50308d80b36dfc0184888fe5b3923964eaf50cd9.exe |
| PID 4944 wrote to memory of 3804 | N/A | C:\Users\Admin\AppData\Local\Temp\fabb563ea894000b1a55841f50308d80b36dfc0184888fe5b3923964eaf50cd9.exe | C:\Users\Admin\AppData\Local\Temp\fabb563ea894000b1a55841f50308d80b36dfc0184888fe5b3923964eaf50cd9.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\fabb563ea894000b1a55841f50308d80b36dfc0184888fe5b3923964eaf50cd9.exe
"C:\Users\Admin\AppData\Local\Temp\fabb563ea894000b1a55841f50308d80b36dfc0184888fe5b3923964eaf50cd9.exe"
C:\Users\Admin\AppData\Local\Temp\fabb563ea894000b1a55841f50308d80b36dfc0184888fe5b3923964eaf50cd9.exe
"C:\Users\Admin\AppData\Local\Temp\fabb563ea894000b1a55841f50308d80b36dfc0184888fe5b3923964eaf50cd9.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 192.168.104.38:80 | tcp | |
| N/A | 192.168.104.38:80 | tcp | |
| N/A | 192.168.104.38:80 | tcp | |
| N/A | 192.168.104.38:80 | tcp | |
| N/A | 192.168.104.38:80 | tcp | |
| N/A | 192.168.104.38:80 | tcp | |
| N/A | 192.168.104.38:80 | tcp | |
| N/A | 192.168.104.38:80 | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\_MEI49442\python38.dll
| MD5 | 3cd1e87aeb3d0037d52c8e51030e1084 |
| SHA1 | 49ecd5f6a55f26b0fb3aeb4929868b93cc4ec8af |
| SHA256 | 13f7c38dc27777a507d4b7f0bd95d9b359925f6f5bf8d0465fe91e0976b610c8 |
| SHA512 | 497e48a379885fdd69a770012e31cd2a62536953e317bb28e3a50fdb177e202f8869ea58fc11802909cabb0552d8c8850537e9fb4ead7dd14a99f67283182340 |
C:\Users\Admin\AppData\Local\Temp\_MEI49442\VCRUNTIME140.dll
| MD5 | 8697c106593e93c11adc34faa483c4a0 |
| SHA1 | cd080c51a97aa288ce6394d6c029c06ccb783790 |
| SHA256 | ff43e813785ee948a937b642b03050bb4b1c6a5e23049646b891a66f65d4c833 |
| SHA512 | 724bbed7ce6f7506e5d0b43399fb3861dda6457a2ad2fafe734f8921c9a4393b480cdd8a435dbdbd188b90236cb98583d5d005e24fa80b5a0622a6322e6f3987 |
C:\Users\Admin\AppData\Local\Temp\_MEI49442\base_library.zip
| MD5 | df8b8c969ff2b6f8bb7366501364edea |
| SHA1 | abe794715ba88790786c171625db7547f6f7dbac |
| SHA256 | 6cb8ff9586c8511e415b08fb2ea329c66eb4e19c345a951b29781f8bf6de3b08 |
| SHA512 | 80415fce07ddc2bd4ccad95b9d4899ee7745a5f001880e72f8eee80eca884ed432a9dcbf1301cf193e09f89d74393469cdd7e2d5eca89b77e40b98323cbf5a3b |
C:\Users\Admin\AppData\Local\Temp\_MEI49442\_ctypes.pyd
| MD5 | 4d13a7b3ecc8c7dc96a0424c465d7251 |
| SHA1 | 0c72f7259ac9108d956aede40b6fcdf3a3943cb5 |
| SHA256 | 2995ef03e784c68649fa7898979cbb2c1737f691348fae15f325d9fc524df8ed |
| SHA512 | 68ff7c421007d63a970269089afb39c949d6cf9f4d56aff7e4e0b88d3c43cfaa352364c5326523386c00727cc36e64274a51b5dbb3a343b16201cf5fc264fec8 |
C:\Users\Admin\AppData\Local\Temp\_MEI49442\libffi-7.dll
| MD5 | eef7981412be8ea459064d3090f4b3aa |
| SHA1 | c60da4830ce27afc234b3c3014c583f7f0a5a925 |
| SHA256 | f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081 |
| SHA512 | dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016 |
C:\Users\Admin\AppData\Local\Temp\_MEI49442\_socket.pyd
| MD5 | eb974aeda30d7478bb800bb4c5fbc0a2 |
| SHA1 | c5b7bc326bd003d42bcf620d657cac3f46f9d566 |
| SHA256 | 1db7b4f6ae31c4d35ef874eb328f735c96a2457677a3119e9544ee2a79bc1016 |
| SHA512 | f9eea3636371ba508d563cf21541a21879ce50a5666e419ecfd74255c8decc3ae5e2ceb4a8f066ae519101dd71a116335a359e3343e8b2ff3884812099ae9b1b |
memory/3804-34-0x000001E960540000-0x000001E960541000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI49442\select.pyd
| MD5 | 08b499ae297c5579ba05ea87c31aff5b |
| SHA1 | 4a1a9f1bf41c284e9c5a822f7d018f8edc461422 |
| SHA256 | 940fb90fd78b5be4d72279dcf9c24a8b1fcf73999f39909980b12565a7921281 |
| SHA512 | ab26f4f80449aa9cc24e68344fc89aeb25d5ba5aae15aeed59a804216825818edfe31c7fda837a93a6db4068ccfb1cc7e99173a80bd9dda33bfb2d3b5937d7e9 |