cobaltstrike | 7c01e248d469188af0f32369c0ab472762d54011b56d522f7ff2345870c81159

Analysis

max time kernel
148s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
16-09-2024 01:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7c01e248d469188af0f32369c0ab472762d54011b56d522f7ff2345870c81159.exe
Size

7.6MB
MD5

5289242e599f93011d7962b25f1dd296
SHA1

015d9367bfe8b1d7f07b0f0df4708acf38f16748
SHA256

7c01e248d469188af0f32369c0ab472762d54011b56d522f7ff2345870c81159
SHA512

61e592a78866807de4cff53b80736bad267f7d9d4aaf0fc6b605a7d30df2ec4cb495418ea95c86ef9b2feab7c828bca6be00c7e13bc03cb43769becc5c65df3e
SSDEEP

196608:eVY0aVhTDfyGR21X5Sp6GemDMPw9arWhSiMRVA:mY0aVBDfDspfaMPkS1A

Score

10^/10

cobaltstrike backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

http://192.168.10.10:443/VIXf

Attributes

user_agent
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Win64; x64; Trident/6.0)

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Loads dropped DLL 5 IoCs

pid	Process
2976	7c01e248d469188af0f32369c0ab472762d54011b56d522f7ff2345870c81159.exe
2976	7c01e248d469188af0f32369c0ab472762d54011b56d522f7ff2345870c81159.exe
2976	7c01e248d469188af0f32369c0ab472762d54011b56d522f7ff2345870c81159.exe
2976	7c01e248d469188af0f32369c0ab472762d54011b56d522f7ff2345870c81159.exe
2976	7c01e248d469188af0f32369c0ab472762d54011b56d522f7ff2345870c81159.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3200 wrote to memory of 2976	3200	7c01e248d469188af0f32369c0ab472762d54011b56d522f7ff2345870c81159.exe	89
PID 3200 wrote to memory of 2976	3200	7c01e248d469188af0f32369c0ab472762d54011b56d522f7ff2345870c81159.exe	89

C:\Users\Admin\AppData\Local\Temp\7c01e248d469188af0f32369c0ab472762d54011b56d522f7ff2345870c81159.exe
"C:\Users\Admin\AppData\Local\Temp\7c01e248d469188af0f32369c0ab472762d54011b56d522f7ff2345870c81159.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3200
- C:\Users\Admin\AppData\Local\Temp\7c01e248d469188af0f32369c0ab472762d54011b56d522f7ff2345870c81159.exe
  "C:\Users\Admin\AppData\Local\Temp\7c01e248d469188af0f32369c0ab472762d54011b56d522f7ff2345870c81159.exe"
  2⤵
  - Loads dropped DLL
  PID:2976

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4360,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=3820 /prefetch:8
1⤵
PID:3996

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI32002\VCRUNTIME140.dll

Filesize
106KB

MD5
4585a96cc4eef6aafd5e27ea09147dc6

SHA1
489cfff1b19abbec98fda26ac8958005e88dd0cb

SHA256
a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736

SHA512
d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32002\_ctypes.pyd

Filesize
120KB

MD5
9b344f8d7ce5b57e397a475847cc5f66

SHA1
aff1ccc2608da022ecc8d0aba65d304fe74cdf71

SHA256
b1214d7b7efd9d4b0f465ec3463512a1cbc5f59686267030f072e6ce4b2a95cf

SHA512
2b0d9e1b550bf108fa842324ab26555f2a224aefff517fdb16df85693e05adaf0d77ebe49382848f1ec68dc9b5ae75027a62c33721e42a1566274d1a2b1baa41

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32002\base_library.zip

Filesize
1.7MB

MD5
c02b1b28775aa757d008b2b0e52a4943

SHA1
f5c12fa0eddb3a4127bd0866714bdcf10a7abead

SHA256
eb71c75ad9fa6aba6e8b793948a96029a190b612bb289c780621757d90c08577

SHA512
58ae35c802ef81da05e9aeef0f16e9b27d6391e9dffb8aa77ea8406497201766d9fd7834d40a167485f452f57b51066988afc344c733129d1e4fad78b8dcf1c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32002\libffi-8.dll

Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32002\python311.dll

Filesize
5.5MB

MD5
e2bd5ae53427f193b42d64b8e9bf1943

SHA1
7c317aad8e2b24c08d3b8b3fba16dd537411727f

SHA256
c4844b05e3a936b130adedb854d3c04d49ee54edb43e9d36f8c4ae94ccb78400

SHA512
ae23a6707e539c619fd5c5b4fc6e4734edc91f89ebe024d25ff2a70168da6105ac0bd47cf6bf3715af6411963caf0acbb4632464e1619ca6361abf53adfe7036

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32002\ucrtbase.dll

Filesize
1020KB

MD5
2c8fe06966d5085a595ffa3c98fe3098

SHA1
e82945e3e63ffef0974d6dd74f2aef2bf6d0a908

SHA256
de8d08d01291df93821314176381f3d1ae863e6c5584a7f8ea42f0b94b15ef65

SHA512
fb08838983c16082a362b3fc89d5b82e61ae629207c13c3cb76b8a0af557ad95c842ce5197ae458b5af61e5449cbab579f509fa72866308aa6fbd3d751522d0f

Download Submit
memory/2976-65-0x00000196590D0000-0x00000196590D1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads