cobaltstrike | 78201772a7971266f80873aa22ea745ccb937820994e45e1b10fe59da3db11c6

Analysis

max time kernel
120s
max time network
122s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
25-09-2024 19:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

78201772a7971266f80873aa22ea745ccb937820994e45e1b10fe59da3db11c6.exe
Size

4.9MB
MD5

7e7ff11b0d625063e27adff0df1ee1f7
SHA1

de5ea272578a1923a3a3fc280114f30cce32e169
SHA256

78201772a7971266f80873aa22ea745ccb937820994e45e1b10fe59da3db11c6
SHA512

ad7b2489472877abec2cbe8642c776685b21b641e49b3bc1c4917974393b5706811836a2ad366df3aebb944f9437b825a57d854753dd233ead6b0c3195a7b0a4
SSDEEP

98304:32BgFlIxDGj1cK7ggczHBC8Z+9gXVhA30JssDchwMQ7qFp5NW/z0B:3Y6j1cMczA8+9gXVa30WsDcSMt/W7u

Score

10^/10

cobaltstrike backdoor trojan upx

Malware Config

Extracted

Family

cobaltstrike

http://103.214.174.101:10443/LVfU

Attributes

user_agent
User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/1.101

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Loads dropped DLL 21 IoCs

pid	Process
2888	78201772a7971266f80873aa22ea745ccb937820994e45e1b10fe59da3db11c6.exe
2888	78201772a7971266f80873aa22ea745ccb937820994e45e1b10fe59da3db11c6.exe
2888	78201772a7971266f80873aa22ea745ccb937820994e45e1b10fe59da3db11c6.exe
2888	78201772a7971266f80873aa22ea745ccb937820994e45e1b10fe59da3db11c6.exe
2888	78201772a7971266f80873aa22ea745ccb937820994e45e1b10fe59da3db11c6.exe
2888	78201772a7971266f80873aa22ea745ccb937820994e45e1b10fe59da3db11c6.exe
2888	78201772a7971266f80873aa22ea745ccb937820994e45e1b10fe59da3db11c6.exe
2888	78201772a7971266f80873aa22ea745ccb937820994e45e1b10fe59da3db11c6.exe
2888	78201772a7971266f80873aa22ea745ccb937820994e45e1b10fe59da3db11c6.exe
2888	78201772a7971266f80873aa22ea745ccb937820994e45e1b10fe59da3db11c6.exe
2888	78201772a7971266f80873aa22ea745ccb937820994e45e1b10fe59da3db11c6.exe
2888	78201772a7971266f80873aa22ea745ccb937820994e45e1b10fe59da3db11c6.exe
2888	78201772a7971266f80873aa22ea745ccb937820994e45e1b10fe59da3db11c6.exe
2888	78201772a7971266f80873aa22ea745ccb937820994e45e1b10fe59da3db11c6.exe
2888	78201772a7971266f80873aa22ea745ccb937820994e45e1b10fe59da3db11c6.exe
2888	78201772a7971266f80873aa22ea745ccb937820994e45e1b10fe59da3db11c6.exe
2888	78201772a7971266f80873aa22ea745ccb937820994e45e1b10fe59da3db11c6.exe
2888	78201772a7971266f80873aa22ea745ccb937820994e45e1b10fe59da3db11c6.exe
2888	78201772a7971266f80873aa22ea745ccb937820994e45e1b10fe59da3db11c6.exe
2888	78201772a7971266f80873aa22ea745ccb937820994e45e1b10fe59da3db11c6.exe
2888	78201772a7971266f80873aa22ea745ccb937820994e45e1b10fe59da3db11c6.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000500000001a4e1-64.dat	upx
behavioral1/memory/2888-92-0x000007FEF6460000-0x000007FEF6835000-memory.dmp	upx
behavioral1/memory/2888-96-0x000007FEF7160000-0x000007FEF7189000-memory.dmp	upx
behavioral1/files/0x000700000001942e-95.dat	upx
behavioral1/memory/2888-98-0x000007FEF6460000-0x000007FEF6835000-memory.dmp	upx
behavioral1/memory/2888-99-0x000007FEF7160000-0x000007FEF7189000-memory.dmp	upx

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: 35	2888	78201772a7971266f80873aa22ea745ccb937820994e45e1b10fe59da3db11c6.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 2888	2016	78201772a7971266f80873aa22ea745ccb937820994e45e1b10fe59da3db11c6.exe	30
PID 2016 wrote to memory of 2888	2016	78201772a7971266f80873aa22ea745ccb937820994e45e1b10fe59da3db11c6.exe	30
PID 2016 wrote to memory of 2888	2016	78201772a7971266f80873aa22ea745ccb937820994e45e1b10fe59da3db11c6.exe	30

C:\Users\Admin\AppData\Local\Temp\78201772a7971266f80873aa22ea745ccb937820994e45e1b10fe59da3db11c6.exe
"C:\Users\Admin\AppData\Local\Temp\78201772a7971266f80873aa22ea745ccb937820994e45e1b10fe59da3db11c6.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Users\Admin\AppData\Local\Temp\78201772a7971266f80873aa22ea745ccb937820994e45e1b10fe59da3db11c6.exe
  "C:\Users\Admin\AppData\Local\Temp\78201772a7971266f80873aa22ea745ccb937820994e45e1b10fe59da3db11c6.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:2888

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI20162\VCRUNTIME140.dll

Filesize
85KB

MD5
89a24c66e7a522f1e0016b1d0b4316dc

SHA1
5340dd64cfe26e3d5f68f7ed344c4fd96fbd0d42

SHA256
3096cafb6a21b6d28cf4fe2dd85814f599412c0fe1ef090dd08d1c03affe9ab6

SHA512
e88e0459744a950829cd508a93e2ef0061293ab32facd9d8951686cbe271b34460efd159fd8ec4aa96ff8a629741006458b166e5cff21f35d049ad059bc56a1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20162\api-ms-win-core-file-l1-2-0.dll

Filesize
11KB

MD5
5a72a803df2b425d5aaff21f0f064011

SHA1
4b31963d981c07a7ab2a0d1a706067c539c55ec5

SHA256
629e52ba4e2dca91b10ef7729a1722888e01284eed7dda6030d0a1ec46c94086

SHA512
bf44997c405c2ba80100eb0f2ff7304938fc69e4d7ae3eac52b3c236c3188e80c9f18bda226b5f4fde0112320e74c198ad985f9ffd7cea99aca22980c39c7f69

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20162\api-ms-win-core-file-l2-1-0.dll

Filesize
11KB

MD5
721b60b85094851c06d572f0bd5d88cd

SHA1
4d0ee4d717aeb9c35da8621a545d3e2b9f19b4e7

SHA256
dac867476caa42ff8df8f5dfe869ffd56a18dadee17d47889afb69ed6519afbf

SHA512
430a91fcecde4c8cc4ac7eb9b4c6619243ab244ee88c34c9e93ca918e54bd42b08aca8ea4475d4c0f5fa95241e4aacb3206cbae863e92d15528c8e7c9f45601b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20162\api-ms-win-core-localization-l1-2-0.dll

Filesize
14KB

MD5
1ed0b196ab58edb58fcf84e1739c63ce

SHA1
ac7d6c77629bdee1df7e380cc9559e09d51d75b7

SHA256
8664222823e122fca724620fd8b72187fc5336c737d891d3cef85f4f533b8de2

SHA512
e1fa7f14f39c97aaa3104f3e13098626b5f7cfd665ba52dcb2312a329639aaf5083a9177e4686d11c4213e28acc40e2c027988074b6cc13c5016d5c5e9ef897b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20162\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
11KB

MD5
7e8b61d27a9d04e28d4dae0bfa0902ed

SHA1
861a7b31022915f26fb49c79ac357c65782c9f4b

SHA256
1ef06c600c451e66e744b2ca356b7f4b7b88ba2f52ec7795858d21525848ac8c

SHA512
1c5b35026937b45beb76cb8d79334a306342c57a8e36cc15d633458582fc8f7d9ab70ace7a92144288c6c017f33ecfc20477a04432619b40a21c9cda8d249f6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20162\api-ms-win-crt-conio-l1-1-0.dll

Filesize
12KB

MD5
fa770bcd70208a479bde8086d02c22da

SHA1
28ee5f3ce3732a55ca60aee781212f117c6f3b26

SHA256
e677497c1baefffb33a17d22a99b76b7fa7ae7a0c84e12fda27d9be5c3d104cf

SHA512
f8d81e350cebdba5afb579a072bad7986691e9f3d4c9febca8756b807301782ee6eb5ba16b045cfa29b6e4f4696e0554c718d36d4e64431f46d1e4b1f42dc2b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20162\api-ms-win-crt-heap-l1-1-0.dll

Filesize
12KB

MD5
8906279245f7385b189a6b0b67df2d7c

SHA1
fcf03d9043a2daafe8e28dee0b130513677227e4

SHA256
f5183b8d7462c01031992267fe85680ab9c5b279bedc0b25ab219f7c2184766f

SHA512
67cac89ae58cc715976107f3bdf279b1e78945afd07e6f657e076d78e92ee1a98e3e7b8feae295af5ce35e00c804f3f53a890895badb1eed32377d85c21672b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20162\api-ms-win-crt-locale-l1-1-0.dll

Filesize
11KB

MD5
dd8176e132eedea3322443046ac35ca2

SHA1
d13587c7cc52b2c6fbcaa548c8ed2c771a260769

SHA256
2eb96422375f1a7b687115b132a4005d2e7d3d5dc091fb0eb22a6471e712848e

SHA512
77cb8c44c8cc8dd29997fba4424407579ac91176482db3cf7bc37e1f9f6aa4c4f5ba14862d2f3a9c05d1fdd7ca5a043b5f566bd0e9a9e1ed837da9c11803b253

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20162\api-ms-win-crt-process-l1-1-0.dll

Filesize
12KB

MD5
074b81a625fb68159431bb556d28fab5

SHA1
20f8ead66d548cfa861bc366bb1250ced165be24

SHA256
3af38920e767bd9ebc08f88eaf2d08c748a267c7ec60eab41c49b3f282a4cf65

SHA512
36388c3effa0d94cf626decaa1da427801cc5607a2106abdadf92252c6f6fd2ce5bf0802f5d0a4245a1ffdb4481464c99d60510cf95e83ebaf17bd3d6acbc3dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20162\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
15KB

MD5
f1a23c251fcbb7041496352ec9bcffbe

SHA1
be4a00642ec82465bc7b3d0cc07d4e8df72094e8

SHA256
d899c2f061952b3b97ab9cdbca2450290b0f005909ddd243ed0f4c511d32c198

SHA512
31f8c5cd3b6e153073e2e2edf0ca8072d0f787784f1611a57219349c1d57d6798a3adbd6942b0f16cef781634dd8691a5ec0b506df21b24cb70aee5523a03fd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20162\api-ms-win-crt-string-l1-1-0.dll

Filesize
17KB

MD5
9b79965f06fd756a5efde11e8d373108

SHA1
3b9de8bf6b912f19f7742ad34a875cbe2b5ffa50

SHA256
1a916c0db285deb02c0b9df4d08dad5ea95700a6a812ea067bd637a91101a9f6

SHA512
7d4155c00d65c3554e90575178a80d20dc7c80d543c4b5c4c3f508f0811482515638fe513e291b82f958b4d7a63c9876be4e368557b07ff062961197ed4286fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20162\api-ms-win-crt-time-l1-1-0.dll

Filesize
13KB

MD5
1d48a3189a55b632798f0e859628b0fb

SHA1
61569a8e4f37adc353986d83efc90dc043cdc673

SHA256
b56bc94e8539603dd2f0fea2f25efd17966315067442507db4bffafcbc2955b0

SHA512
47f329102b703bfbb1ebaeb5203d1c8404a0c912019193c93d150a95bb0c5ba8dc101ac56d3283285f9f91239fc64a66a5357afe428a919b0be7194bada1f64f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20162\base_library.zip

Filesize
1000KB

MD5
8386cf8add72bab03573064b6e1d89d2

SHA1
c451d2f3eed6b944543f19c5bd15ae7e8832bbd4

SHA256
2eea4b6202a6a6f61cb4d75c78be5ec2e1052897f54973797885f2c3b24d202c

SHA512
2bb61f7fac7ecc7d5654756ae8286d5fd9e2730e6ac42f3e7516f598e00fd8b9b6d3e77373994bb31d89831278e6833d379f306d52033fa5c48a786ac67da2b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20162\python37.dll

Filesize
1.2MB

MD5
742532ae17937f3d337699e9308488f5

SHA1
ae3c8ebd61d7d6cf8600dc2227ab827010acd442

SHA256
24765fa3d2d443ae03f909679a7e6c8ea92ea4ce7abebc3962f05d2ca3eebdd0

SHA512
2d94fd0f4909df91834b6f39c100786be78685fd423aa4d07ea01adf77e4a4fdc80c0b9a0bd82f0ea58e3dc2185ff39183312d0be6f9577c1a6b5db3e0a66f53

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI20162\_ctypes.pyd

Filesize
56KB

MD5
fcde90f68dab8e883d7fd0ca405ef646

SHA1
e812e0749fbb169c92ce49d431db28c22c222958

SHA256
20b69e9d0f6b2515dfe6f5b09990996049fb1a903f26f3af2b4295ae53b13dae

SHA512
d37e8bb8353a02791ee2f089366244aae2cea1066894766b5bd9f03aa377ad445b17b3d8407980e0c127d16acf688f01b821a155e4c1507acb2eb72719600f23

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI20162\api-ms-win-core-timezone-l1-1-0.dll

Filesize
11KB

MD5
91a2ae3c4eb79cf748e15a58108409ad

SHA1
d402b9df99723ea26a141bfc640d78eaf0b0111b

SHA256
b0eda99eabd32fefecc478fd9fe7439a3f646a864fdab4ec3c1f18574b5f8b34

SHA512
8527af610c1e2101b6f336a142b1a85ac9c19bb3af4ad4a245cfb6fd602dc185da0f7803358067099475102f3a8f10a834dc75b56d3e6ded2ed833c00ad217ed

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI20162\api-ms-win-crt-convert-l1-1-0.dll

Filesize
15KB

MD5
4ec4790281017e616af632da1dc624e1

SHA1
342b15c5d3e34ab4ac0b9904b95d0d5b074447b7

SHA256
5cf5bbb861608131b5f560cbf34a3292c80886b7c75357acc779e0bf98e16639

SHA512
80c4e20d37eff29c7577b2d0ed67539a9c2c228edb48ab05d72648a6ed38f5ff537715c130342beb0e3ef16eb11179b9b484303354a026bda3a86d5414d24e69

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI20162\api-ms-win-crt-environment-l1-1-0.dll

Filesize
11KB

MD5
7a859e91fdcf78a584ac93aa85371bc9

SHA1
1fa9d9cad7cc26808e697373c1f5f32aaf59d6b7

SHA256
b7ee468f5b6c650dada7db3ad9e115a0e97135b3df095c3220dfd22ba277b607

SHA512
a368f21eca765afca86e03d59cf953500770f4a5bff8b86b2ac53f1b5174c627e061ce9a1f781dc56506774e0d0b09725e9698d4dc2d3a59e93da7ef3d900887

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI20162\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
13KB

MD5
972544ade7e32bfdeb28b39bc734cdee

SHA1
87816f4afabbdec0ec2cfeb417748398505c5aa9

SHA256
7102f8d9d0f3f689129d7fe071b234077fba4dd3687071d1e2aeaa137b123f86

SHA512
5e1131b405e0c7a255b1c51073aff99e2d5c0d28fd3e55cabc04d463758a575a954008ea1ba5b4e2b345b49af448b93ad21dfc4a01573b3cb6e7256d9ecceef1

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI20162\api-ms-win-crt-math-l1-1-0.dll

Filesize
20KB

MD5
a6a3d6d11d623e16866f38185853facd

SHA1
fbeadd1e9016908ecce5753de1d435d6fcf3d0b5

SHA256
a768339f0b03674735404248a039ec8591fcba6ff61a3c6812414537badd23b0

SHA512
abbf32ceb35e5ec6c1562f9f3b2652b96b7dbd97bfc08d918f987c0ec0503e8390dd697476b2a2389f0172cd8cf16029fd2ec5f32a9ba3688bf2ebeefb081b2c

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI20162\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
17KB

MD5
55b2eb7f17f82b2096e94bca9d2db901

SHA1
44d85f1b1134ee7a609165e9c142188c0f0b17e0

SHA256
f9d3f380023a4c45e74170fe69b32bca506ee1e1fbe670d965d5b50c616da0cb

SHA512
0cf0770f5965a83f546253decfa967d8f85c340b5f6ea220d3caa14245f3cdb37c53bf8d3da6c35297b22a3fa88e7621202634f6b3649d7d9c166a221d3456a5

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI20162\ucrtbase.dll

Filesize
1011KB

MD5
849959a003fa63c5a42ae87929fcd18b

SHA1
d1b80b3265e31a2b5d8d7da6183146bbd5fb791b

SHA256
6238cbfe9f57c142b75e153c399c478d492252fda8cb40ee539c2dcb0f2eb232

SHA512
64958dabdb94d21b59254c2f074db5d51e914ddbc8437452115dff369b0c134e50462c3fdbbc14b6fa809a6ee19ab2fb83d654061601cc175cddcb7d74778e09

Download Submit
memory/2888-92-0x000007FEF6460000-0x000007FEF6835000-memory.dmp

Filesize
3.8MB

Download
memory/2888-96-0x000007FEF7160000-0x000007FEF7189000-memory.dmp

Filesize
164KB

Download
memory/2888-97-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/2888-98-0x000007FEF6460000-0x000007FEF6835000-memory.dmp

Filesize
3.8MB

Download
memory/2888-99-0x000007FEF7160000-0x000007FEF7189000-memory.dmp

Filesize
164KB

Download