Overview

overview

10

Static

static

10

sample.zip

windows7-x64

1

sample.zip

windows10-2004-x64

1

temp/1.c

windows7-x64

3

temp/1.c

windows10-2004-x64

3

temp/1.exe

windows7-x64

10

temp/1.exe

windows10-2004-x64

10

temp/123

ubuntu-24.04-amd64

1

temp/CS4.9/CS.lnk

windows7-x64

3

temp/CS4.9/CS.lnk

windows10-2004-x64

3

temp/CS4.9...ke.bat

windows7-x64

1

temp/CS4.9...ke.bat

windows10-2004-x64

1

temp/CS4.9...at.lnk

windows7-x64

6

temp/CS4.9...at.lnk

windows10-2004-x64

7

temp/CS4.9...ke.vbs

windows7-x64

1

temp/CS4.9...ke.vbs

windows10-2004-x64

7

temp/CS4.9...bs.lnk

windows7-x64

3

temp/CS4.9...bs.lnk

windows10-2004-x64

7

temp/CS4.9...rImage

ubuntu-22.04-amd64

4

temp/CS4.9/c2lint

ubuntu-18.04-amd64

1

temp/CS4.9/c2lint

debian-9-armhf

1

temp/CS4.9/c2lint

debian-9-mips

temp/CS4.9/c2lint

debian-9-mipsel

1

temp/CS4.9...nt.jar

windows7-x64

1

temp/CS4.9...nt.jar

windows10-2004-x64

1

temp/CS4.9/uHook.jar

windows7-x64

1

temp/CS4.9/uHook.jar

windows10-2004-x64

1

temp/CS4.9...78.zip

windows7-x64

1

temp/CS4.9...78.zip

windows10-2004-x64

1

WiFi驱动...��.exe

windows7-x64

1

WiFi驱动...��.exe

windows10-2004-x64

10

temp/CS4.9...Fi.exe

windows7-x64

1

temp/CS4.9...Fi.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    130s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    09-09-2024 11:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    temp/CS4.9/Cobalt_Strike.bat.lnk

  • Size

    984B

  • MD5

    1f7adcbd98ea973a14535f90387be49c

  • SHA1

    5cc52ceefee98506a3c3a2f63428c4b309f73764

  • SHA256

    47c797e34851e1f06c01ce3abec9133292f7036fd5b82300cc9dd07c6106d694

  • SHA512

    88b6fac11177b8bc4b7a9a58c510a2d3d1de198e169a874f7cdf47ac0019f4e9b4706151c11446e320fae8e1fa1dbff56a5ed230e1e50b3ebdedf812f76c6926

Score
6/10

Malware Config

Signatures

  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\temp\CS4.9\Cobalt_Strike.bat.lnk
    1⤵
    • Enumerates connected drives
    • Suspicious use of WriteProcessMemory
    PID:840
    • C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\temp\CS4.9\Cobalt_Strike.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2864
      • C:\Windows\system32\java.exe
        java -XX:ParallelGCThreads=4 -XX:+AggressiveHeap -XX:+UseParallelGC -javaagent:uHook.jar -Dfile.encoding=utf-8 -jar cobaltstrike-client.jar
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2656

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2656-73-0x0000000002840000-0x0000000002AB0000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/2656-78-0x0000000002840000-0x0000000002AB0000-memory.dmp

    Filesize

    2.4MB

    Download