Overview

overview

10

Static

static

3

4363463463...63.exe

windows7-x64

10

4363463463...63.exe

windows10-2004-x64

8

4363463463...63.exe

windows10-ltsc 2021-x64

10

4363463463...63.exe

windows11-21h2-x64

10

Resubmissions

14-01-2025 12:40

250114-pwhacaykaz 10

14-01-2025 11:59

250114-n5y4saxngy 10

13-01-2025 14:41

250113-r2dv8avrgs 10

Analysis

  • max time kernel
    57s
  • max time network
    60s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20250113-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    14-01-2025 12:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4363463463464363463463463.exe

  • Size

    10KB

  • MD5

    2a94f3960c58c6e70826495f76d00b85

  • SHA1

    e2a1a5641295f5ebf01a37ac1c170ac0814bb71a

  • SHA256

    2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

  • SHA512

    fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f

  • SSDEEP

    192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Score
10/10
cobaltstrikebackdoordiscoverytrojan

Malware Config

Extracted

Family

cobaltstrike

C2

http://152.67.212.187:443/accelerate/irc/Z0LCY5JYZL5

Attributes
  • user_agent

    Accept: application/xml, image/*, application/json Accept-Language: nl-be Accept-Encoding: gzip, * User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0

Signatures

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

    trojanbackdoorcobaltstrike
  • Cobaltstrike family
    cobaltstrike
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
    "C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2268
    • C:\Users\Admin\AppData\Local\Temp\Files\c1.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\c1.exe"
      2⤵
      • Executes dropped EXE
      PID:4232

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Files\c1.exe
    Filesize

    547KB

    MD5

    2609215bb4372a753e8c5938cf6001fb

    SHA1

    ef1d238564be30f6080e84170fd2115f93ee9560

    SHA256

    1490105c73976217f35fe31d65939d1d9711d370c61f3d7d892afbb07eaaec63

    SHA512

    3892f3e4188250ab0d3508dd9c1825fa6dfab4fc50b4bc858703123e5512071d710fd8431f94912e74eaa4ca29b40c0b1b97805a5432a07fc09c35a87e6b23d2

    Download Submit

  • memory/2268-3-0x0000000074F70000-0x0000000075721000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2268-2-0x0000000004B00000-0x0000000004B9C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/2268-0-0x0000000074F7E000-0x0000000074F7F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2268-4-0x0000000074F7E000-0x0000000074F7F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2268-5-0x0000000074F70000-0x0000000075721000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2268-1-0x0000000000160000-0x0000000000168000-memory.dmp

    Filesize

    32KB

    Download

  • memory/4232-18-0x0000000000710000-0x0000000000711000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4232-17-0x00007FFFC5130000-0x00007FFFC5328000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4232-19-0x0000000003EC0000-0x0000000003F3F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/4232-20-0x0000000003AC0000-0x0000000003EC0000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/4232-21-0x0000000003D30000-0x0000000003D32000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4232-22-0x0000000000400000-0x000000000047E000-memory.dmp

    Filesize

    504KB

    Download

  • memory/4232-23-0x0000000003AC0000-0x0000000003EC0000-memory.dmp

    Filesize

    4.0MB

    Download