Malware Analysis Report

2024-10-19 06:19

Sample ID 240625-qlmyhsvflj
Target 64803bb4129dfc6fe9c9d6bf05f65c35ea73cc57a2cafd25737e51169b8a6662
SHA256 64803bb4129dfc6fe9c9d6bf05f65c35ea73cc57a2cafd25737e51169b8a6662
Tags
cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

64803bb4129dfc6fe9c9d6bf05f65c35ea73cc57a2cafd25737e51169b8a6662

Threat Level: Known bad

The file 64803bb4129dfc6fe9c9d6bf05f65c35ea73cc57a2cafd25737e51169b8a6662 was found to be: Known bad.

Malicious Activity Summary

cobaltstrike backdoor trojan

Cobaltstrike

Loads dropped DLL

Executes dropped EXE

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: RenamesItself

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-25 13:21

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-25 13:21

Reported

2024-06-25 13:23

Platform

win7-20240221-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\64803bb4129dfc6fe9c9d6bf05f65c35ea73cc57a2cafd25737e51169b8a6662.exe"

Signatures

Cobaltstrike

trojan backdoor cobaltstrike

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Public\artifact.exe N/A

Enumerates physical storage devices

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\64803bb4129dfc6fe9c9d6bf05f65c35ea73cc57a2cafd25737e51169b8a6662.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\DllHost.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\64803bb4129dfc6fe9c9d6bf05f65c35ea73cc57a2cafd25737e51169b8a6662.exe

"C:\Users\Admin\AppData\Local\Temp\64803bb4129dfc6fe9c9d6bf05f65c35ea73cc57a2cafd25737e51169b8a6662.exe"

C:\Windows\SysWOW64\cmd.exe

cmd " /c " C:\Users\Admin\AppData\Local\Temp\1.png

C:\Users\Public\artifact.exe

C:\Users\Public\artifact.exe

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}

Network

Country Destination Domain Proto
N/A 192.168.159.137:8088 tcp

Files

\Users\Public\artifact.exe

MD5 f76da48c0ed1c19bf726a06bf80a8882
SHA1 f8a5a2a2050dc0084c7badd0630193436f798247
SHA256 a676c87e4140740d2c1d8dfa455796db1ff79014e28a6f8fee50de28bdf98bb1
SHA512 bdc395e0d9cfe4f6e3f134d865ae9e87cada0bb6223bdd34a6350fbee79a6c24273dbc49fb88ea2c454b8144a51cae6e1cbe26f9d1961608f9a16f989ac0462b

memory/2220-8-0x0000000000400000-0x00000000005CB000-memory.dmp

memory/2244-59-0x0000000000470000-0x0000000000472000-memory.dmp

memory/2440-60-0x0000000000160000-0x0000000000162000-memory.dmp

memory/2440-61-0x0000000000750000-0x0000000000751000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.png

MD5 cc366db4527cce2f1b28233320fa4a0c
SHA1 fb9ad0d67e3926b3fefa4f79e5bbe5ff6af55843
SHA256 91dea1e5974ceac43d475f2e6ebcdedb7b4c46dc2e5fd8ef0b10e443d184d548
SHA512 e4cc211e15d1e4f93c87e63383ccdf10d0f4b66a3fcdd5e852be7a5cab2c9e84ceb9519bec86638cbe05c245069cc60ca390af819620b5a94dd0845d1d4c9289

memory/1244-63-0x0000000000020000-0x0000000000021000-memory.dmp

memory/1244-64-0x0000000000400000-0x000000000040C000-memory.dmp

memory/2440-66-0x0000000000750000-0x0000000000751000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-25 13:21

Reported

2024-06-25 13:23

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\64803bb4129dfc6fe9c9d6bf05f65c35ea73cc57a2cafd25737e51169b8a6662.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\64803bb4129dfc6fe9c9d6bf05f65c35ea73cc57a2cafd25737e51169b8a6662.exe

"C:\Users\Admin\AppData\Local\Temp\64803bb4129dfc6fe9c9d6bf05f65c35ea73cc57a2cafd25737e51169b8a6662.exe"

C:\Windows\SysWOW64\cmd.exe

cmd " /c " C:\Users\Admin\AppData\Local\Temp\1.png

C:\Users\Public\artifact.exe

C:\Users\Public\artifact.exe

Network


Files

C:\Users\Public\artifact.exe

MD5 f76da48c0ed1c19bf726a06bf80a8882
SHA1 f8a5a2a2050dc0084c7badd0630193436f798247
SHA256 a676c87e4140740d2c1d8dfa455796db1ff79014e28a6f8fee50de28bdf98bb1
SHA512 bdc395e0d9cfe4f6e3f134d865ae9e87cada0bb6223bdd34a6350fbee79a6c24273dbc49fb88ea2c454b8144a51cae6e1cbe26f9d1961608f9a16f989ac0462b

memory/4364-3-0x0000000000F40000-0x000000000110B000-memory.dmp

memory/4440-7-0x0000000000020000-0x0000000000021000-memory.dmp

memory/4440-8-0x0000000000400000-0x000000000040C000-memory.dmp