cobaltstrike | 78201772a7971266f80873aa22ea745ccb937820994e45e1b10fe59da3db11c6

Analysis

max time kernel
97s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25-09-2024 08:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

78201772a7971266f80873aa22ea745ccb937820994e45e1b10fe59da3db11c6.exe
Size

4.9MB
MD5

7e7ff11b0d625063e27adff0df1ee1f7
SHA1

de5ea272578a1923a3a3fc280114f30cce32e169
SHA256

78201772a7971266f80873aa22ea745ccb937820994e45e1b10fe59da3db11c6
SHA512

ad7b2489472877abec2cbe8642c776685b21b641e49b3bc1c4917974393b5706811836a2ad366df3aebb944f9437b825a57d854753dd233ead6b0c3195a7b0a4
SSDEEP

98304:32BgFlIxDGj1cK7ggczHBC8Z+9gXVhA30JssDchwMQ7qFp5NW/z0B:3Y6j1cMczA8+9gXVa30WsDcSMt/W7u

Score

10^/10

cobaltstrike backdoor trojan upx

Malware Config

Extracted

Family

cobaltstrike

http://103.214.174.101:10443/LVfU

Attributes

user_agent
User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/1.101

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Loads dropped DLL 4 IoCs

pid	Process
4832	78201772a7971266f80873aa22ea745ccb937820994e45e1b10fe59da3db11c6.exe
4832	78201772a7971266f80873aa22ea745ccb937820994e45e1b10fe59da3db11c6.exe
4832	78201772a7971266f80873aa22ea745ccb937820994e45e1b10fe59da3db11c6.exe
4832	78201772a7971266f80873aa22ea745ccb937820994e45e1b10fe59da3db11c6.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023499-54.dat	upx
behavioral2/memory/4832-58-0x00007FFA476C0000-0x00007FFA47A95000-memory.dmp	upx
behavioral2/files/0x000700000002346c-60.dat	upx
behavioral2/memory/4832-62-0x00007FFA4C010000-0x00007FFA4C039000-memory.dmp	upx
behavioral2/memory/4832-64-0x00007FFA476C0000-0x00007FFA47A95000-memory.dmp	upx
behavioral2/memory/4832-65-0x00007FFA4C010000-0x00007FFA4C039000-memory.dmp	upx

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: 35	4832	78201772a7971266f80873aa22ea745ccb937820994e45e1b10fe59da3db11c6.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 852 wrote to memory of 4832	852	78201772a7971266f80873aa22ea745ccb937820994e45e1b10fe59da3db11c6.exe	82
PID 852 wrote to memory of 4832	852	78201772a7971266f80873aa22ea745ccb937820994e45e1b10fe59da3db11c6.exe	82

C:\Users\Admin\AppData\Local\Temp\78201772a7971266f80873aa22ea745ccb937820994e45e1b10fe59da3db11c6.exe
"C:\Users\Admin\AppData\Local\Temp\78201772a7971266f80873aa22ea745ccb937820994e45e1b10fe59da3db11c6.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:852
- C:\Users\Admin\AppData\Local\Temp\78201772a7971266f80873aa22ea745ccb937820994e45e1b10fe59da3db11c6.exe
  "C:\Users\Admin\AppData\Local\Temp\78201772a7971266f80873aa22ea745ccb937820994e45e1b10fe59da3db11c6.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:4832

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI8522\VCRUNTIME140.dll

Filesize
85KB

MD5
89a24c66e7a522f1e0016b1d0b4316dc

SHA1
5340dd64cfe26e3d5f68f7ed344c4fd96fbd0d42

SHA256
3096cafb6a21b6d28cf4fe2dd85814f599412c0fe1ef090dd08d1c03affe9ab6

SHA512
e88e0459744a950829cd508a93e2ef0061293ab32facd9d8951686cbe271b34460efd159fd8ec4aa96ff8a629741006458b166e5cff21f35d049ad059bc56a1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8522\_ctypes.pyd

Filesize
56KB

MD5
fcde90f68dab8e883d7fd0ca405ef646

SHA1
e812e0749fbb169c92ce49d431db28c22c222958

SHA256
20b69e9d0f6b2515dfe6f5b09990996049fb1a903f26f3af2b4295ae53b13dae

SHA512
d37e8bb8353a02791ee2f089366244aae2cea1066894766b5bd9f03aa377ad445b17b3d8407980e0c127d16acf688f01b821a155e4c1507acb2eb72719600f23

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8522\base_library.zip

Filesize
1000KB

MD5
8386cf8add72bab03573064b6e1d89d2

SHA1
c451d2f3eed6b944543f19c5bd15ae7e8832bbd4

SHA256
2eea4b6202a6a6f61cb4d75c78be5ec2e1052897f54973797885f2c3b24d202c

SHA512
2bb61f7fac7ecc7d5654756ae8286d5fd9e2730e6ac42f3e7516f598e00fd8b9b6d3e77373994bb31d89831278e6833d379f306d52033fa5c48a786ac67da2b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8522\python37.dll

Filesize
1.2MB

MD5
742532ae17937f3d337699e9308488f5

SHA1
ae3c8ebd61d7d6cf8600dc2227ab827010acd442

SHA256
24765fa3d2d443ae03f909679a7e6c8ea92ea4ce7abebc3962f05d2ca3eebdd0

SHA512
2d94fd0f4909df91834b6f39c100786be78685fd423aa4d07ea01adf77e4a4fdc80c0b9a0bd82f0ea58e3dc2185ff39183312d0be6f9577c1a6b5db3e0a66f53

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8522\ucrtbase.dll

Filesize
1011KB

MD5
849959a003fa63c5a42ae87929fcd18b

SHA1
d1b80b3265e31a2b5d8d7da6183146bbd5fb791b

SHA256
6238cbfe9f57c142b75e153c399c478d492252fda8cb40ee539c2dcb0f2eb232

SHA512
64958dabdb94d21b59254c2f074db5d51e914ddbc8437452115dff369b0c134e50462c3fdbbc14b6fa809a6ee19ab2fb83d654061601cc175cddcb7d74778e09

Download Submit
memory/4832-58-0x00007FFA476C0000-0x00007FFA47A95000-memory.dmp

Filesize
3.8MB

Download
memory/4832-62-0x00007FFA4C010000-0x00007FFA4C039000-memory.dmp

Filesize
164KB

Download
memory/4832-63-0x0000024797530000-0x0000024797531000-memory.dmp

Filesize
4KB

Download
memory/4832-64-0x00007FFA476C0000-0x00007FFA47A95000-memory.dmp

Filesize
3.8MB

Download
memory/4832-65-0x00007FFA4C010000-0x00007FFA4C039000-memory.dmp

Filesize
164KB

Download