cobaltstrike | 29e3108e1e342656b110ac330e062a5dc011a344b0c3dd47e31677633b6adb87

Analysis

max time kernel
142s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11-06-2024 10:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

29e3108e1e342656b110ac330e062a5dc011a344b0c3dd47e31677633b6adb87.exe
Size

699KB
MD5

0edfd6c81b8049963d2dec7415f96e3b
SHA1

ac265328a53eda401e8002d7180f084c0c8a202c
SHA256

29e3108e1e342656b110ac330e062a5dc011a344b0c3dd47e31677633b6adb87
SHA512

89a6443f51f45e37ea15801e4b6a38496aec1b49a936a79bac59bb8c876b5988f379fface138d3222eefb4c1dc5445a62e7b3ae5a6607a248bb86d58f8b824c9
SSDEEP

12288:f8p/m5VG7tUI0awURrzfU/6o9bsE91du+bCVdeiCYI:f8Nm5YtUI0a/RrlEbX6+Grefl

Score

10^/10

cobaltstrike 20410727 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

20410727

http://118.183.8.24:443/c/msdownload/update/others/2021/10/29136388_

http://180.119.234.99:443/c/msdownload/update/others/2021/10/29136388_

http://117.169.113.20:443/c/msdownload/update/others/2021/10/29136388_

http://112.90.43.142:443/c/msdownload/update/others/2021/10/29136388_

Attributes

access_type
512
beacon_type
2048
host
118.183.8.24,/c/msdownload/update/others/2021/10/29136388_,180.119.234.99,/c/msdownload/update/others/2021/10/29136388_,117.169.113.20,/c/msdownload/update/others/2021/10/29136388_,112.90.43.142,/c/msdownload/update/others/2021/10/29136388_
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAfUmVmZXJlcjogaHR0cDovL3d3dy5oYW8xMjMuY29tLwAAAAcAAAAAAAAADQAAAAEAAAAELmNhYgAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAfUmVmZXJlcjogaHR0cDovL3d3dy5oYW8xMjMuY29tLwAAAAcAAAAAAAAADQAAAAEAAAAELmNhYgAAAAwAAAAHAAAAAQAAAA0AAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
2560
polling_time
60000
port_number
443
sc_process32
%windir%\syswow64\wuauclt.exe
sc_process64
%windir%\sysnative\wuauclt.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCF1zjI+xZPJbfNIiBHfEwtaVvJoXjG9Ev7jJ3qjJn3AKqIVMhQShUanmIBlWsoFFThHOMkXQq39YV/se3oeoUdzMfMxu1uLfb0jXWILdIamukrubI2NAWDzpn+IXmazVmWh/6m47kO7crmLyjnF82cf6LlxnFl6N40CjMigBwp2wIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
1.448416512e+09
unknown2
AAAABAAAAA0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/c/msdownload/update/others/2021/10/3215234_
user_agent
Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.31
watermark
20410727

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Suspicious behavior: RenamesItself 1 IoCs

Processes:

29e3108e1e342656b110ac330e062a5dc011a344b0c3dd47e31677633b6adb87.exe

pid process

472 29e3108e1e342656b110ac330e062a5dc011a344b0c3dd47e31677633b6adb87.exe

pid	process
472	29e3108e1e342656b110ac330e062a5dc011a344b0c3dd47e31677633b6adb87.exe

C:\Users\Admin\AppData\Local\Temp\29e3108e1e342656b110ac330e062a5dc011a344b0c3dd47e31677633b6adb87.exe
"C:\Users\Admin\AppData\Local\Temp\29e3108e1e342656b110ac330e062a5dc011a344b0c3dd47e31677633b6adb87.exe"
1⤵
- Suspicious behavior: RenamesItself
PID:472

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/472-0-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/472-8-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/472-9-0x000002A360170000-0x000002A360270000-memory.dmp

Filesize
1024KB

Download
memory/472-11-0x000002A360370000-0x000002A3603B1000-memory.dmp

Filesize
260KB

Download
memory/472-13-0x000002A3603D0000-0x000002A36041E000-memory.dmp

Filesize
312KB

Download
memory/472-14-0x00007FF733AE0000-0x00007FF733B94000-memory.dmp

Filesize
720KB

Download
memory/472-16-0x000002A360170000-0x000002A360270000-memory.dmp

Filesize
1024KB

Download
memory/472-17-0x000002A3603D0000-0x000002A36041E000-memory.dmp

Filesize
312KB

Download