cobaltstrike | d5e324cf92f71748cc5be8f7a3fb9115139323f9ac58a9d8a34f440c758fdebe

Analysis

max time kernel
112s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
26-07-2024 22:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5dfa00f917e2698b9b29d8f5f80cdd00N.exe
Size

9.5MB
MD5

5dfa00f917e2698b9b29d8f5f80cdd00
SHA1

1fbf1fcb77d294685962c6e199cee7bbb3215859
SHA256

d5e324cf92f71748cc5be8f7a3fb9115139323f9ac58a9d8a34f440c758fdebe
SHA512

98491ebbf28ea4875a2e1112a130ee2cf31b40fe4f84f278796880216af13b13acf1df1f562f85583b87f5a6abc4385c590b416dae59a1f44907b7b8f3ff6ab4
SSDEEP

196608:dvb+GI7Vr7PnILLZWdoCOiV9onJ5hrZERJyiU8AdZYJERoWIrTYJvte:EP7Vr7M5liV9c5hlERFAdZYyGWIrkNt

Score

10^/10

cobaltstrike backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

http://81.70.190.25:80/FwRN

Attributes

user_agent
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0; .NET CLR 2.0.50727)

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Loads dropped DLL 16 IoCs

Processes:

5dfa00f917e2698b9b29d8f5f80cdd00N.exe

pid	process
2024	5dfa00f917e2698b9b29d8f5f80cdd00N.exe
2024	5dfa00f917e2698b9b29d8f5f80cdd00N.exe
2024	5dfa00f917e2698b9b29d8f5f80cdd00N.exe
2024	5dfa00f917e2698b9b29d8f5f80cdd00N.exe
2024	5dfa00f917e2698b9b29d8f5f80cdd00N.exe
2024	5dfa00f917e2698b9b29d8f5f80cdd00N.exe
2024	5dfa00f917e2698b9b29d8f5f80cdd00N.exe
2024	5dfa00f917e2698b9b29d8f5f80cdd00N.exe
2024	5dfa00f917e2698b9b29d8f5f80cdd00N.exe
2024	5dfa00f917e2698b9b29d8f5f80cdd00N.exe
2024	5dfa00f917e2698b9b29d8f5f80cdd00N.exe
2024	5dfa00f917e2698b9b29d8f5f80cdd00N.exe
2024	5dfa00f917e2698b9b29d8f5f80cdd00N.exe
2024	5dfa00f917e2698b9b29d8f5f80cdd00N.exe
2024	5dfa00f917e2698b9b29d8f5f80cdd00N.exe
2024	5dfa00f917e2698b9b29d8f5f80cdd00N.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

5dfa00f917e2698b9b29d8f5f80cdd00N.exe

pid	process
2024	5dfa00f917e2698b9b29d8f5f80cdd00N.exe
2024	5dfa00f917e2698b9b29d8f5f80cdd00N.exe
2024	5dfa00f917e2698b9b29d8f5f80cdd00N.exe
2024	5dfa00f917e2698b9b29d8f5f80cdd00N.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

5dfa00f917e2698b9b29d8f5f80cdd00N.exe

description pid process

Token: SeDebugPrivilege 2024 5dfa00f917e2698b9b29d8f5f80cdd00N.exe

description	pid	process
Token: SeDebugPrivilege	2024	5dfa00f917e2698b9b29d8f5f80cdd00N.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

5dfa00f917e2698b9b29d8f5f80cdd00N.exe

description	pid	process	target process
PID 2896 wrote to memory of 2024	2896	5dfa00f917e2698b9b29d8f5f80cdd00N.exe	5dfa00f917e2698b9b29d8f5f80cdd00N.exe
PID 2896 wrote to memory of 2024	2896	5dfa00f917e2698b9b29d8f5f80cdd00N.exe	5dfa00f917e2698b9b29d8f5f80cdd00N.exe

C:\Users\Admin\AppData\Local\Temp\5dfa00f917e2698b9b29d8f5f80cdd00N.exe
"C:\Users\Admin\AppData\Local\Temp\5dfa00f917e2698b9b29d8f5f80cdd00N.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2896

C:\Users\Admin\AppData\Local\Temp\5dfa00f917e2698b9b29d8f5f80cdd00N.exe
"C:\Users\Admin\AppData\Local\Temp\5dfa00f917e2698b9b29d8f5f80cdd00N.exe"
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2024

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI28962\VCRUNTIME140.dll
Filesize
99KB

MD5
8697c106593e93c11adc34faa483c4a0

SHA1
cd080c51a97aa288ce6394d6c029c06ccb783790

SHA256
ff43e813785ee948a937b642b03050bb4b1c6a5e23049646b891a66f65d4c833

SHA512
724bbed7ce6f7506e5d0b43399fb3861dda6457a2ad2fafe734f8921c9a4393b480cdd8a435dbdbd188b90236cb98583d5d005e24fa80b5a0622a6322e6f3987

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28962\_bz2.pyd
Filesize
83KB

MD5
6c7565c1efffe44cb0616f5b34faa628

SHA1
88dd24807da6b6918945201c74467ca75e155b99

SHA256
fe63361f6c439c6aa26fd795af3fd805ff5b60b3b14f9b8c60c50a8f3449060a

SHA512
822445c52bb71c884461230bb163ec5dee0ad2c46d42d01cf012447f2c158865653f86a933b52afdf583043b3bf8ba7011cc782f14197220d0325e409aa16e22

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28962\_cffi_backend.cp39-win_amd64.pyd
Filesize
177KB

MD5
ba20b38817bd31b386615e6cf3096940

SHA1
dfd0286bc3d11d779f6b24f4245b5602b1842df0

SHA256
0fffe7a441f2c272a7c6d8cf5eb1adce71fde6f6102bc7c1ceb90e05730c4b07

SHA512
b580c1c26f4ddea3fb7050c83839e9e3ede7659f934928072ae8da53db0c92babc72dbc01130ec931f4ec87e3a3118b6d6c42a4654cd6775e24710517585b275

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28962\_ctypes.pyd
Filesize
122KB

MD5
29da9b022c16da461392795951ce32d9

SHA1
0e514a8f88395b50e797d481cbbed2b4ae490c19

SHA256
3b4012343ef7a266db0b077bbb239833779192840d1e2c43dfcbc48ffd4c5372

SHA512
5c7d83823f1922734625cf69a481928a5c47b6a3bceb7f24c9197175665b2e06bd1cfd745c55d1c5fe1572f2d8da2a1dcc1c1f5de0903477bb927aca22ecb26a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28962\_hashlib.pyd
Filesize
63KB

MD5
f377a418addeeb02f223f45f6f168fe6

SHA1
5d8d42dec5d08111e020614600bbf45091c06c0b

SHA256
9551431425e9680660c6baf7b67a262040fd2efceb241e4c9430560c3c1fafac

SHA512
6f60bfac34ed55ff5d6ae10c6ec5511906c983e0650e5d47dac7b8a97a2e0739266cae009449cced8dff59037e2dbfc92065fbbdfde2636d13679e1629650280

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28962\_lzma.pyd
Filesize
157KB

MD5
b5355dd319fb3c122bb7bf4598ad7570

SHA1
d7688576eceadc584388a179eed3155716c26ef5

SHA256
b9bc7f1d8aa8498cb8b5dc75bb0dbb6e721b48953a3f295870938b27267fb5f5

SHA512
0e228aa84b37b4ba587f6d498cef85aa1ffec470a5c683101a23d13955a8110e1c0c614d3e74fb0aa2a181b852bceeec0461546d0de8bcbd3c58cf9dc0fb26f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28962\_socket.pyd
Filesize
77KB

MD5
f5dd9c5922a362321978c197d3713046

SHA1
4fbc2d3e15f8bb21ecc1bf492f451475204426cd

SHA256
4494992665305fc9401ed327398ee40064fe26342fe44df11d89d2ac1cc6f626

SHA512
ce818113bb87c6e38fa85156548c6f207aaab01db311a6d8c63c6d900d607d7beff73e64d717f08388ece4b88bf8b95b71911109082cf4b0c0a9b0663b9a8e99

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28962\base_library.zip
Filesize
1006KB

MD5
0e2ea15530071afe6d13547c565a2f84

SHA1
249367d1d175312a894f40dde9e5d4b370307e1f

SHA256
b1ffe8ec407911bf0be9e9794dd01e5a115ddbee6270b30e1bcba80b3d97c584

SHA512
d09b1f1de2ba822ba941132f58a8ee0b64cc84a738ad7030a4c7f6246bd4e6cdbbcf4f493194731a159543cf4c41e892501f1a2543ba4d09438407d18f958460

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28962\bcrypt\_bcrypt.pyd
Filesize
294KB

MD5
03ef5e8da65667751e1fd3fa0c182d3e

SHA1
4608d1efca23143006c1338deda144a2f3bb8a16

SHA256
3d1c66bdcb4fa0b8e917895e1b4d62ee14260eaa1bd6fe908877c47585ec6127

SHA512
c094a3dfbd863726524c56dab2592b3513a3a8c445bcaac6cfb41a5ddec3079d9b1f849c6826c1cc4241ca8b0aa44e33d2502bb20856313966af31f480ba8811

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28962\cryptography\hazmat\bindings\_rust.pyd
Filesize
6.3MB

MD5
23b2d3aac2a873e981c0539eea21d2b3

SHA1
679249f218c46025b0572714beba5a288e6d6eb9

SHA256
58339e750fd6cee450aa21fbbd1657c78ef84b9d35503750696372c8aa845ec7

SHA512
18c559df7dd992c55c247ef541693737a192fd5f5e94ae36116c4a23bad73623a46994ffc521bf81fa67ccedb571f1d886d7f45e50f6904bacf1c5e32ccddffe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28962\libcrypto-1_1.dll
Filesize
3.2MB

MD5
cc4cbf715966cdcad95a1e6c95592b3d

SHA1
d5873fea9c084bcc753d1c93b2d0716257bea7c3

SHA256
594303e2ce6a4a02439054c84592791bf4ab0b7c12e9bbdb4b040e27251521f1

SHA512
3b5af9fbbc915d172648c2b0b513b5d2151f940ccf54c23148cd303e6660395f180981b148202bef76f5209acc53b8953b1cb067546f90389a6aa300c1fbe477

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28962\libffi-7.dll
Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28962\psutil\_psutil_windows.pyd
Filesize
76KB

MD5
ebefbc98d468560b222f2d2d30ebb95c

SHA1
ee267e3a6e5bed1a15055451efcccac327d2bc43

SHA256
67c17558b635d6027ddbb781ea4e79fc0618bbec7485bd6d84b0ebcd9ef6a478

SHA512
ab9f949adfe9475b0ba8c37fa14b0705923f79c8a10b81446abc448ad38d5d55516f729b570d641926610c99df834223567c1efde166e6a0f805c9e2a35556e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28962\python3.dll
Filesize
57KB

MD5
3c88de1ebd52e9fcb46dc44d8a123579

SHA1
7d48519d2a19cac871277d9b63a3ea094fbbb3d9

SHA256
2b22b6d576118c5ae98f13b75b4ace47ab0c1f4cd3ff098c6aee23a8a99b9a8c

SHA512
1e55c9f7ac5acf3f7262fa2f3c509ee0875520bb05d65cd68b90671ac70e8c99bce99433b02055c07825285004d4c5915744f17eccfac9b25e0f7cd1bee9e6d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28962\python39.dll
Filesize
4.3MB

MD5
11c051f93c922d6b6b4829772f27a5be

SHA1
42fbdf3403a4bc3d46d348ca37a9f835e073d440

SHA256
0eabf135bb9492e561bbbc5602a933623c9e461aceaf6eb1ceced635e363cd5c

SHA512
1cdec23486cffcb91098a8b2c3f1262d6703946acf52aa2fe701964fb228d1411d9b6683bd54527860e10affc0e3d3de92a6ecf2c6c8465e9c8b9a7304e2a4a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28962\select.pyd
Filesize
26KB

MD5
7a442bbcc4b7aa02c762321f39487ba9

SHA1
0fcb5bbdd0c3d3c5943e557cc2a5b43e20655b83

SHA256
1dd7bba480e65802657c31e6d20b1346d11bca2192575b45eb9760a4feb468ad

SHA512
3433c46c7603ae0a73aa9a863b2aecd810f8c0cc6c2cd96c71ef6bde64c275e0fceb4ea138e46a5c9bf72f66dcdea3e9551cf2103188a1e98a92d8140879b34c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28962\ucrtbase.dll
Filesize
1011KB

MD5
849959a003fa63c5a42ae87929fcd18b

SHA1
d1b80b3265e31a2b5d8d7da6183146bbd5fb791b

SHA256
6238cbfe9f57c142b75e153c399c478d492252fda8cb40ee539c2dcb0f2eb232

SHA512
64958dabdb94d21b59254c2f074db5d51e914ddbc8437452115dff369b0c134e50462c3fdbbc14b6fa809a6ee19ab2fb83d654061601cc175cddcb7d74778e09

Download Submit
memory/2024-102-0x000001B98FE80000-0x000001B98FE81000-memory.dmp

Filesize
4KB

Download