cobaltstrike | 073ab12911a074bce5ce6fa0b9720d6ca0bdf07a1f4f2b00712620e8f10f2008

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11-09-2024 01:31

Target

WiFi驱动高危漏洞补丁.exe
Size

951KB
MD5

40d889427c3db5dcf479378dcac954c9
SHA1

e60fe132d8ddffd242f794b3ebbe2f8ab04824ff
SHA256

030405f03e9152882d7a480cd4af1ae1e60ab5e10a010c4ac98bad7d8b9c05b4
SHA512

97f2b968621647ca5de8ff99e321f8a3620a808e6b5af0085274a53ec1bbc6310ee7808e4b4f4d831bb18a7c3e78c8fd242f9aa9a276a5d3ac9070f32d7ed862
SSDEEP

12288:4QwwPAuxstPiXhK3WX89QLkTtgoYfZFV8BxNDCDZc5bP+MZQFVFmh/Z/4ANyB0:4QKuxst/3WugoBNGD9MaNB

Score

10^/10

Family

cobaltstrike

http://124.222.72.51:4433/fl9R

Attributes

user_agent
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; FunWebProducts; IE0006_ver1;EN_GB)

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2944	WiFi驱动高危漏洞补丁.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2944 wrote to memory of 5064	2944	WiFi驱动高危漏洞补丁.exe	84
PID 2944 wrote to memory of 5064	2944	WiFi驱动高危漏洞补丁.exe	84

C:\Users\Admin\AppData\Local\Temp\WiFi驱动高危漏洞补丁.exe
"C:\Users\Admin\AppData\Local\Temp\WiFi驱动高危漏洞补丁.exe"
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2944
- C:\Windows\System32\nslookup.exe
  "C:\Windows\System32\nslookup.exe"
  2⤵
  PID:5064

memory/5064-0-0x00000277273D0000-0x00000277273D1000-memory.dmp

Filesize
4KB

Download