Malware Analysis Report

2025-03-15 06:06

Sample ID 240728-c94paatflm
Target b0c6734f8ee36ccfd2d10158c45fb3420b9a1ca8f168e235178a8d76f1592973.zip
SHA256 08f9a948229cadd8562540887e3c33c13f6f5a2aa463a77cfdba89afe469a08a
Tags
305419896 cobaltstrike
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

08f9a948229cadd8562540887e3c33c13f6f5a2aa463a77cfdba89afe469a08a

Threat Level: Known bad

The file b0c6734f8ee36ccfd2d10158c45fb3420b9a1ca8f168e235178a8d76f1592973.zip was found to be: Known bad.

Malicious Activity Summary

305419896 cobaltstrike

Cobaltstrike family

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-07-28 02:47

Signatures

Cobaltstrike family

cobaltstrike

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-28 02:47

Reported

2024-07-28 02:50

Platform

win7-20240708-en

Max time kernel

118s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\b0c6734f8ee36ccfd2d10158c45fb3420b9a1ca8f168e235178a8d76f1592973.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2884 wrote to memory of 2944 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2884 wrote to memory of 2944 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2884 wrote to memory of 2944 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\b0c6734f8ee36ccfd2d10158c45fb3420b9a1ca8f168e235178a8d76f1592973.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2884 -s 104

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-28 02:47

Reported

2024-07-28 02:50

Platform

win10v2004-20240709-en

Max time kernel

93s

Max time network

147s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\b0c6734f8ee36ccfd2d10158c45fb3420b9a1ca8f168e235178a8d76f1592973.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\b0c6734f8ee36ccfd2d10158c45fb3420b9a1ca8f168e235178a8d76f1592973.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

N/A