Analysis

  • max time kernel
    135s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27/10/2024, 06:43

General

  • Target

    2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe

  • Size

    5.3MB

  • MD5

    67cd9060b9faaeb89d7cf321698692d8

  • SHA1

    3de9a15bb35b4541308ed7268f7ace9fa6f32fd7

  • SHA256

    ff8a3cab3207bce30673ea12d6285400f464979b433e2902ec56beb20d140645

  • SHA512

    afab54e08cde4d38b57b62907ea6cfc4d30cfa5e51396bc7a1197588d97675015d5649ffa9ca9386b6d3646bb2b8df4ef80e5587fd42356d3bb0c9e120852bad

  • SSDEEP

    98304:IJ+g5paiu6HM2sH1mDzBuTcQxmsqK5C6y9+h+K2xb/XcLUk:A+g5pazDH1SzBSlC6G+t2xb/X7k

Malware Config

Extracted

Family

cobaltstrike

Botnet

0

C2

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes
  • access_type

    512

  • beacon_type

    256

  • create_remote_thread

    768

  • crypto_scheme

    256

  • host

    ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

  • http_header1

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_header2

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==

  • http_method1

    GET

  • http_method2

    POST

  • maxdns

    255

  • pipe_name

    \\%s\pipe\msagent_%x

  • polling_time

    5000

  • port_number

    443

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4096

  • unknown2

    AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /N4215/adj/amzn.us.sr.aps

  • user_agent

    Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko

  • watermark

    0

Signatures

  • Cobalt Strike reflective loader 3 IoCs

    Detects the reflective loader used by Cobalt Strike.

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

  • Cobaltstrike family
  • Xmrig family
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • XMRig Miner payload 8 IoCs
  • Loads dropped DLL 36 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • UPX packed file 12 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 64 IoCs
  • Modifies Internet Explorer start page 1 TTPs 5 IoCs
  • Modifies system certificate store 2 TTPs 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-27_67cd9060b9faaeb89d7cf321698692d8_cobalt-strike_cobaltstrike.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Drops autorun.inf file
    • Drops file in Program Files directory
    • Modifies Internet Explorer start page
    • Modifies system certificate store
    • Suspicious use of AdjustPrivilegeToken
    PID:2448

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Program Files\7-Zip\7-zip.dll.exe

          Filesize

          5.6MB

          MD5

          c3858f97825b8353e8bd0b82a6c67317

          SHA1

          e5c539aed96b5fb575a71760ee6ed906480e0d1b

          SHA256

          e513580015bfb7f8a754e8ed6274c78d2dca9ee51178d2b18e7e7dee2cb0c6a0

          SHA512

          ca177f1203b0bb986a037e43fc0c4025494b4ab8e019005f9fd54d750b15f8780055cf46899f4c6be60f3595082284846abb2317ee5b7fb89b5917dc626b185c

        • C:\Program Files\Microsoft Office\root\Office16\VISSHE.DLL

          Filesize

          5.5MB

          MD5

          743fa443fcc65bfed39cdf92fa298a29

          SHA1

          0ddfcd8dae8884460c89dca38ca27f7a1c66f58e

          SHA256

          4fe64de34e806b3d54139d1c630cc116b57b464d7622ea750b60830a973a1eb9

          SHA512

          4df1d60776e7495ae351b22b73ba0df503c0d1a6caf05b01cf958a8f2a493e6c7e931be4a3642dfd867439bb73569797f38ebb5c8130ffbaf6f9b0dd6086ccfa

        • C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll

          Filesize

          5.5MB

          MD5

          3cf18c66ed9d0f59b658ffbd6eed0068

          SHA1

          b62e6e8b255ccffd92139033007cae8ca6cd158d

          SHA256

          c07ab468f1ad2080fafd85c66574902b7a3920098a8479d79df63c7ce0118ab6

          SHA512

          d9728733de6cf0bb40b43d3b25907ec38105395201d40ae18ec182bdfdd7f5f967400bf56243c5fdeeb59db4f4963a159006a93ca8a2f8283515523b7fae99fc

        • memory/2448-4510-0x0000000000400000-0x00000000010B6000-memory.dmp

          Filesize

          12.7MB

        • memory/2448-818-0x0000000000400000-0x00000000010B6000-memory.dmp

          Filesize

          12.7MB

        • memory/2448-1986-0x0000000000400000-0x00000000010B6000-memory.dmp

          Filesize

          12.7MB

        • memory/2448-3098-0x0000000000400000-0x00000000010B6000-memory.dmp

          Filesize

          12.7MB

        • memory/2448-4185-0x0000000000400000-0x00000000010B6000-memory.dmp

          Filesize

          12.7MB

        • memory/2448-0-0x0000000000400000-0x00000000010B6000-memory.dmp

          Filesize

          12.7MB

        • memory/2448-4513-0x0000000000060000-0x0000000000062000-memory.dmp

          Filesize

          8KB

        • memory/2448-4516-0x0000000000400000-0x00000000010B6000-memory.dmp

          Filesize

          12.7MB

        • memory/2448-4517-0x0000000000401000-0x00000000010B5000-memory.dmp

          Filesize

          12.7MB

        • memory/2448-4518-0x0000000000400000-0x00000000010B6000-memory.dmp

          Filesize

          12.7MB

        • memory/2448-4519-0x0000000000401000-0x00000000010B5000-memory.dmp

          Filesize

          12.7MB

        • memory/2448-820-0x0000000000400000-0x00000000010B6000-memory.dmp

          Filesize

          12.7MB

        • memory/2448-1-0x00000000001F0000-0x0000000000200000-memory.dmp

          Filesize

          64KB