Analysis

  • max time kernel
    124s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25/09/2024, 12:52

General

  • Target

    0122dc62d013e938ceeb5416d1dd2281b0031fc23734426847e6662050bb143c.exe

  • Size

    2.8MB

  • MD5

    aa01858bd6596a339fba887aafb270b0

  • SHA1

    2a38c7beb03a633ed396f393404191aff2b186a9

  • SHA256

    0122dc62d013e938ceeb5416d1dd2281b0031fc23734426847e6662050bb143c

  • SHA512

    23a8e5c6ad9e6fbec2006dc7f8cf53be9a9cb08c3c4b95ec05530db126c8aa6bc9fa2bfc37937fff68fe2cba945e6d7271cb2e302716f8eec748501d50a69dbf

  • SSDEEP

    49152:9ORocsGjsxoAHT2tWCOcEf56epMddiqbi/R9/MAgwf8j6Nf1bm9jFQNqRLDIPHo:f9a02tWCRqedk/n0Agwf8j6NfJIDI

Malware Config

Extracted

Family

cobaltstrike

C2

http://149.104.25.1:5541/cM5x

Attributes
  • user_agent

    User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) LBBROWSER

Extracted

Family

cobaltstrike

Botnet

391144938

C2

http://149.104.25.1:5541/mht_image/

Attributes
  • access_type

    512

  • host

    149.104.25.1,/mht_image/

  • http_header1

    AAAACgAAAEhBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKmw7cT0wLjgAAAAKAAAAHlJlZmVyZXI6IGh0dHA6Ly93d3cuZ29vZ2xlLmNvbQAAAAoAAAAQUHJhZ21hOiBuby1jYWNoZQAAAAoAAAAXQ2FjaGUtQ29udHJvbDogbm8tY2FjaGUAAAAHAAAAAAAAAAgAAAABAAAABC5qcGcAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_method1

    GET

  • http_method2

    POST

  • polling_time

    60000

  • port_number

    5541

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDEZbzcff9JbW4j2x/g8sxgLnunWbGHmo3zR9JkMt0jK+fjwjaNT/mOzuzkVf/b9ewCmrfrKpQ7VriS/9HHUjqL/v5CIgjJ9PqutAmfSq/EZEeWHGnfn5N+Pn0VFOphJom0jX5slvpnPmCF/tRFs0xgSDKQJPQbH+5JLh4koNstzQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    1.481970944e+09

  • unknown2

    AAAABAAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /mht_email/

  • user_agent

    Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; BOIE9;SVSE)

  • watermark

    391144938

Signatures

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

  • Loads dropped DLL (3 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (2 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\0122dc62d013e938ceeb5416d1dd2281b0031fc23734426847e6662050bb143c.exe
    "C:\Users\Admin\AppData\Local\Temp\0122dc62d013e938ceeb5416d1dd2281b0031fc23734426847e6662050bb143c.exe"
    1
    • Suspicious use of WriteProcessMemory
    PID:4208
    • C:\Users\Admin\AppData\Local\Temp\0122dc62d013e938ceeb5416d1dd2281b0031fc23734426847e6662050bb143c.exe
      "C:\Users\Admin\AppData\Local\Temp\0122dc62d013e938ceeb5416d1dd2281b0031fc23734426847e6662050bb143c.exe"
      2
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      PID:4740

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_MEI42082\VCRUNTIME140.dll

    Filesize

    87KB

    MD5

    0e675d4a7a5b7ccd69013386793f68eb

    SHA1

    6e5821ddd8fea6681bda4448816f39984a33596b

    SHA256

    bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1

    SHA512

    cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66

  • C:\Users\Admin\AppData\Local\Temp\_MEI42082\_ctypes.pyd

    Filesize

    131KB

    MD5

    9a69561e94859bc3411c6499bc46c4bd

    SHA1

    3fa5bc2d4ffc23c4c383252c51098d6211949b99

    SHA256

    6bbde732c5bcb89455f43f370a444bb6bca321825de56f9a1f2e947b0a006f1c

    SHA512

    31d9e3844f1b8e72ec80acd1e224a94d11039c130e69c498a668e07e0d8bba8d1ed1ebe0b7a16376ca597d0e2b74a0d5e3bf53d1cbadf5bf099d3bf78db659a4

  • C:\Users\Admin\AppData\Local\Temp\_MEI42082\base_library.zip

    Filesize

    777KB

    MD5

    0e6058a5f76271c2e67f526ecf1dd1e7

    SHA1

    9266d66b72db5e3d1dfcf7e8be0dd2dc409cb53a

    SHA256

    ab3b96de6190cd8aa7d49f41530047e7aa39e4d620d79665bd88e4e1beed6a62

    SHA512

    f71f8d85974520546951105e0ccb6c49df0f561498648182eec6c983e27d775a7d8b38ca4b01b46c9f0660d974291fc78ed57042ab0a543273aac6a34fd37323

  • C:\Users\Admin\AppData\Local\Temp\_MEI42082\python37.dll

    Filesize

    3.6MB

    MD5

    86af9b888a72bdceb8fd8ed54975edd5

    SHA1

    c9d67c9243f818c0a8cc279267cca44d9995f0cf

    SHA256

    e11aa3893597d7c408349ebb11f47a24e388fd702c4d38b5d6f363f7ad6e8e5f

    SHA512

    5d8fd9040f466e23af7f17772e3769ad83c5f55f8c70dcc3cfb1f827e105f0f4e6133f0e183fabc67dd44799495c47f931bf92546342b30b9c4a5c2b4aeee7c7

  • memory/4740-14-0x000002101D0E0000-0x000002101D0E1000-memory.dmp

    Filesize

    4KB

  • memory/4740-15-0x000002101D3A0000-0x000002101D7A0000-memory.dmp

    Filesize

    4.0MB

  • memory/4740-16-0x000002101D7A0000-0x000002101D7F2000-memory.dmp

    Filesize

    328KB

  • memory/4740-17-0x000002101DA70000-0x000002101DA72000-memory.dmp

    Filesize

    8KB

  • memory/4740-18-0x000002101D7A0000-0x000002101D7F2000-memory.dmp

    Filesize

    328KB