Overview

overview

10

Static

static

3

55d484eed1...ee.exe

windows7-x64

10

55d484eed1...ee.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    286s
  • max time network
    295s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-11-2024 09:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    55d484eed1b9baf86dbf794d2f01725d17f39f792f181d183e8db8254d92b4ee.exe

  • Size

    628KB

  • MD5

    2e01e07dd7d228810126e8e449ffd97b

  • SHA1

    144639db8ba3e7ce5ba03fa9c9cee61758e34de9

  • SHA256

    55d484eed1b9baf86dbf794d2f01725d17f39f792f181d183e8db8254d92b4ee

  • SHA512

    9cebf8f26da3cdb15dd01b275b030151f11c48a19a6c16274a50fb5d5099f6db3c77b9d9d4f7ab899ba9630a99ccdfa5702490c113978250584a00ec9fc92ad2

  • SSDEEP

    12288:JAsWP4S+JJ91FEUPiNavGL+mRjTfFkbfp6OZr9JbFSBZ:yHYJJ97F6NSGLlRu4I4BZ

Score
10/10
cobaltstrike0backdoordiscoverytrojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

0

C2

http://178.132.4.150:80/owa/

Attributes
  • access_type

    512

  • host

    178.132.4.150,/owa/

  • http_header1

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAACGQ29va2llOiBNaWNyb3NvZnRBcHBsaWNhdGlvbnNUZWxlbWV0cnlEZXZpY2VJZD05NWMxOGQ4LTRkY2U5ODU0O0NsaWVudElkPTFDMEY2QzVEOTEwRjk7TVNQQXV0aD0zRWtBakRLakk7eGlkPTczMGJmNzt3bGE0Mj1aRzB5TXpBMktqRXMAAAAHAAAAAAAAAA0AAAAFAAAAAndhAAAACQAAAA5wYXRoPS9jYWxlbmRhcgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_header2

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAcAAAABAAAADQAAAAUAAAACd2EAAAAHAAAAAAAAAA0AAAACAAAABndsYTQyPQAAAAIAAAALeGlkPTczMGJmNzsAAAACAAAAEk1TUEF1dGg9M0VrQWpES2pJOwAAAAIAAAAXQ2xpZW50SWQ9MUMwRjZDNUQ5MTBGOTsAAAACAAAAOE1pY3Jvc29mdEFwcGxpY2F0aW9uc1RlbGVtZXRyeURldmljZUlkPTk1YzE4ZDgtNGRjZTk4NTQ7AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_method1

    GET

  • http_method2

    GET

  • jitter

    5120

  • polling_time

    30000

  • port_number

    80

  • sc_process32

    %windir%\syswow64\gpupdate.exe

  • sc_process64

    %windir%\sysnative\gpupdate.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCnOM3nXx+7HBhkbDd+AwFrFisSunK999w2tM0uTpuuEiBalcJhcL+QgQWtf6S7zPp5hjImG+2YcPl18geU4f5JlSPXHwilbK4DFb/ePWyKFjhrA7emVRqhM21QMlo1ANsn14rY/RO2pzuft8P7TXoIjjI/B2GGVuzYNZX6X4I2EwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    1.448416512e+09

  • unknown2

    AAAABAAAAA0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown3

    1.610612736e+09

  • uri

    /OWA/

  • user_agent

    Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)

  • watermark

    0

Signatures

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

    trojanbackdoorcobaltstrike
  • Cobaltstrike family
    cobaltstrike
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\55d484eed1b9baf86dbf794d2f01725d17f39f792f181d183e8db8254d92b4ee.exe
    "C:\Users\Admin\AppData\Local\Temp\55d484eed1b9baf86dbf794d2f01725d17f39f792f181d183e8db8254d92b4ee.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3204
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      2⤵
        PID:4612
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        2⤵
          PID:1396
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          2⤵
          • System Location Discovery: System Language Discovery
          PID:3636

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/3204-8-0x00000000748E0000-0x0000000075090000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/3204-2-0x0000000005EC0000-0x0000000006464000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/3204-9-0x0000000006710000-0x00000000067AC000-memory.dmp

        Filesize

        624KB

        Download

      • memory/3204-10-0x00000000069C0000-0x0000000006A54000-memory.dmp

        Filesize

        592KB

        Download

      • memory/3204-4-0x00000000058E0000-0x00000000058EA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/3204-5-0x00000000748E0000-0x0000000075090000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/3204-6-0x0000000005BD0000-0x0000000005BDA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/3204-7-0x00000000748EE000-0x00000000748EF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3204-0-0x00000000748EE000-0x00000000748EF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3204-1-0x0000000000E40000-0x0000000000EE2000-memory.dmp

        Filesize

        648KB

        Download

      • memory/3204-3-0x0000000005910000-0x00000000059A2000-memory.dmp

        Filesize

        584KB

        Download

      • memory/3204-16-0x00000000748E0000-0x0000000075090000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/3636-14-0x0000000000400000-0x000000000044B000-memory.dmp

        Filesize

        300KB

        Download

      • memory/3636-11-0x0000000000400000-0x000000000044B000-memory.dmp

        Filesize

        300KB

        Download

      • memory/3636-13-0x0000000000400000-0x000000000044B000-memory.dmp

        Filesize

        300KB

        Download

      • memory/3636-18-0x0000000001380000-0x00000000013B4000-memory.dmp

        Filesize

        208KB

        Download

      • memory/3636-20-0x00000000013C0000-0x00000000013FE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3636-21-0x00000000013C0000-0x00000000013FE000-memory.dmp

        Filesize

        248KB

        Download