cobaltstrike | 9737c963c888d2df3b767ef7c77265c47decabc4b71210146be9e9f81914ecf0

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23-09-2024 09:42

Target

csc.exe
Size

56KB
MD5

0d26d99bd550e9b08c9c9d4ce3636df6
SHA1

9de4dc9e25a14b8fa6c199cf6bfa1df66b19a81b
SHA256

965bb8e7822d62e4355362aee29031737ab83b22eeb620814e9e3fd7e0f6672a
SHA512

9448c0c17d7bf78019302c4f62eee591785f5ba5e870f9e0f73f2e82206a2000cfca33ed319f7732ac6ad1373795be94d119363de91d07e4f73a0952694b339b
SSDEEP

768:FpdhYE3ClRJdWgSH+uXK52qRl2wwH2jsBMtDqxmheMnS1yWbEj:L3ClftSH5w2qXQ2oMtDqxmQMnS8mY

Score

10^/10

Family

cobaltstrike

http://service-61oc67uo-1327454768.gz.tencentapigw.com.cn:443/Content/js/cookie/jquery.cookie.js

Attributes

user_agent
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; WOW64; Trident/5.0)

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	calc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1600	OpenWith.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 3772	1900	csc.exe	90
PID 1900 wrote to memory of 3772	1900	csc.exe	90
PID 3772 wrote to memory of 4488	3772	cmd.exe	91
PID 3772 wrote to memory of 4488	3772	cmd.exe	91
PID 1900 wrote to memory of 1540	1900	csc.exe	93
PID 1900 wrote to memory of 1540	1900	csc.exe	93
PID 1900 wrote to memory of 1540	1900	csc.exe	93

C:\Users\Admin\AppData\Local\Temp\csc.exe
"C:\Users\Admin\AppData\Local\Temp\csc.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c calc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3772
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    - Modifies registry class
    PID:4488
- C:\Windows\SysTem32\notepad.exe
  C:\Windows\SysTem32\notepad.exe
  2⤵
  PID:1540

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4372,i,3861745594156495651,17595114179815238301,262144 --variations-seed-version --mojo-platform-channel-handle=3868 /prefetch:8
1⤵
PID:2828

memory/1540-2-0x000001992F660000-0x000001992F661000-memory.dmp

Filesize
4KB

Download
memory/1900-0-0x00007FFD01A53000-0x00007FFD01A55000-memory.dmp

Filesize
8KB

Download
memory/1900-1-0x0000028F575A0000-0x0000028F575B2000-memory.dmp

Filesize
72KB

Download