Analysis Overview
SHA256
7f268f270af2bc87840bb89758dda61e73df5166fac1a0946b8c6322cb13f463
Threat Level: Known bad
The file 7f268f270af2bc87840bb89758dda61e73df5166fac1a0946b8c6322cb13f463 was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike
Loads dropped DLL
Detects Pyinstaller
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-26 22:22
Signatures
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-26 22:22
Reported
2024-06-26 22:25
Platform
win7-20240221-en
Max time kernel
147s
Max time network
149s
Command Line
Signatures
Cobaltstrike
Loads dropped DLL
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7f268f270af2bc87840bb89758dda61e73df5166fac1a0946b8c6322cb13f463.exe
"C:\Users\Admin\AppData\Local\Temp\7f268f270af2bc87840bb89758dda61e73df5166fac1a0946b8c6322cb13f463.exe"
C:\Users\Admin\AppData\Local\Temp\7f268f270af2bc87840bb89758dda61e73df5166fac1a0946b8c6322cb13f463.exe
"C:\Users\Admin\AppData\Local\Temp\7f268f270af2bc87840bb89758dda61e73df5166fac1a0946b8c6322cb13f463.exe"
Network
| Country | Destination | Domain | Proto |
| CN | 101.35.173.226:10890 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\_MEI29442\exec.exe.manifest
| MD5 | d555b8701399d1321224301eb1406b28 |
| SHA1 | 23bb3e011e5292be289b5c34c2eaa212369d0118 |
| SHA256 | 5ba176b93e8e4a59f8867e14776d635c7bf924f262f7187febdc53334a5e6694 |
| SHA512 | 325ffc64a500c5470656a9f745c9a3d712c3ad7f92b1f153f26e67b5c05f3da4bf57b1ce618ffbdf91de69258ddf2b4645d09293f6232ca53926ab7bd8491234 |
C:\Users\Admin\AppData\Local\Temp\_MEI29442\python27.dll
| MD5 | 4815ee7d57479791d7bf6bbdcff1649b |
| SHA1 | 3645bc481e0c8c76a7d74342d196e9f55c762637 |
| SHA256 | 60e9cfbb62bbae5164ddb73082370900a435ef591222caaa0b352b8eaa26600e |
| SHA512 | 7d131238d176854d61fa13750d0a47aa03d84b3a1f51cfdd1f0e5033efbec7984fa88decf8b7a2ffb9c96eb545fc492bfd57ffaaa97e9e2b6b637834fbceae6f |
C:\Users\Admin\AppData\Local\Temp\_MEI29442\MSVCR90.dll
| MD5 | 552cf56353af11ce8e0d10ee12fdcd85 |
| SHA1 | 6ab062b709f851a9576685fe0410ff9f1a4af670 |
| SHA256 | e88299ea1a140ff758163dfff179fff3bc5e90e7cfbbd178d0c886dbad184012 |
| SHA512 | 122f389e7047b728b27f3c964d34b9c8bcae7c36177122e6aa997a6edadad20b14552879f60667a084d34727cb2c85dd5534b6fa7a451f0ab33555b315335457 |
C:\Users\Admin\AppData\Local\Temp\_MEI29~1\_ctypes.pyd
| MD5 | 3935ef74c5f36eda2b9f156d467bc1f6 |
| SHA1 | 2a40c66a8d364640f3f1fb97641c516661912191 |
| SHA256 | ae04c9ca90c317a2ab9a4a95e795ef6677adeb7151c58bea3e31371dc9607518 |
| SHA512 | eefe08daa387fd95dea34c00c551c4fb2bddbca87ee38ef7172b3442814b17343bf86d392455e383c7e2ca2dbedb1df635cefd89c59070d1052c1d5524669668 |
memory/284-19-0x0000000001ED0000-0x0000000001F73000-memory.dmp
memory/284-20-0x0000000000580000-0x0000000000581000-memory.dmp
memory/2944-21-0x0000000000400000-0x0000000000433000-memory.dmp
memory/284-22-0x0000000000400000-0x0000000000433000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-26 22:22
Reported
2024-06-26 22:25
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
152s
Command Line
Signatures
Cobaltstrike
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7f268f270af2bc87840bb89758dda61e73df5166fac1a0946b8c6322cb13f463.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7f268f270af2bc87840bb89758dda61e73df5166fac1a0946b8c6322cb13f463.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3384 wrote to memory of 4348 | N/A | C:\Users\Admin\AppData\Local\Temp\7f268f270af2bc87840bb89758dda61e73df5166fac1a0946b8c6322cb13f463.exe | C:\Users\Admin\AppData\Local\Temp\7f268f270af2bc87840bb89758dda61e73df5166fac1a0946b8c6322cb13f463.exe |
| PID 3384 wrote to memory of 4348 | N/A | C:\Users\Admin\AppData\Local\Temp\7f268f270af2bc87840bb89758dda61e73df5166fac1a0946b8c6322cb13f463.exe | C:\Users\Admin\AppData\Local\Temp\7f268f270af2bc87840bb89758dda61e73df5166fac1a0946b8c6322cb13f463.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\7f268f270af2bc87840bb89758dda61e73df5166fac1a0946b8c6322cb13f463.exe
"C:\Users\Admin\AppData\Local\Temp\7f268f270af2bc87840bb89758dda61e73df5166fac1a0946b8c6322cb13f463.exe"
C:\Users\Admin\AppData\Local\Temp\7f268f270af2bc87840bb89758dda61e73df5166fac1a0946b8c6322cb13f463.exe
"C:\Users\Admin\AppData\Local\Temp\7f268f270af2bc87840bb89758dda61e73df5166fac1a0946b8c6322cb13f463.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| CN | 101.35.173.226:10890 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\_MEI33842\exec.exe.manifest
| MD5 | d555b8701399d1321224301eb1406b28 |
| SHA1 | 23bb3e011e5292be289b5c34c2eaa212369d0118 |
| SHA256 | 5ba176b93e8e4a59f8867e14776d635c7bf924f262f7187febdc53334a5e6694 |
| SHA512 | 325ffc64a500c5470656a9f745c9a3d712c3ad7f92b1f153f26e67b5c05f3da4bf57b1ce618ffbdf91de69258ddf2b4645d09293f6232ca53926ab7bd8491234 |
C:\Users\Admin\AppData\Local\Temp\_MEI33842\python27.dll
| MD5 | 4815ee7d57479791d7bf6bbdcff1649b |
| SHA1 | 3645bc481e0c8c76a7d74342d196e9f55c762637 |
| SHA256 | 60e9cfbb62bbae5164ddb73082370900a435ef591222caaa0b352b8eaa26600e |
| SHA512 | 7d131238d176854d61fa13750d0a47aa03d84b3a1f51cfdd1f0e5033efbec7984fa88decf8b7a2ffb9c96eb545fc492bfd57ffaaa97e9e2b6b637834fbceae6f |
C:\Users\Admin\AppData\Local\Temp\_MEI33~1\_ctypes.pyd
| MD5 | 3935ef74c5f36eda2b9f156d467bc1f6 |
| SHA1 | 2a40c66a8d364640f3f1fb97641c516661912191 |
| SHA256 | ae04c9ca90c317a2ab9a4a95e795ef6677adeb7151c58bea3e31371dc9607518 |
| SHA512 | eefe08daa387fd95dea34c00c551c4fb2bddbca87ee38ef7172b3442814b17343bf86d392455e383c7e2ca2dbedb1df635cefd89c59070d1052c1d5524669668 |
memory/4348-16-0x00000000009B0000-0x00000000009B1000-memory.dmp
memory/3384-17-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4348-18-0x0000000000400000-0x0000000000433000-memory.dmp