File name:	2024-10-28_c9c4d2c659985660eb9d8afc35bb51b8_cobalt-strike_cobaltstrike_ryuk
Full analysis:	https://app.any.run/tasks/caf0afab-eb04-4124-b521-f70c594114c9
Verdict:	Malicious activity
Threats:	A backdoor is a type of cybersecurity threat that allows attackers to secretly compromise a system and conduct malicious activities, such as stealing data and modifying files. Backdoors can be difficult to detect, as they often use legitimate system applications to evade defense mechanisms. Threat actors often utilize special malware, such as PlugX, to establish backdoors on target devices. Cobalt Strike is a legitimate penetration software toolkit developed by Forta. But its cracked versions are widely adopted by bad actors, who use it as a C2 system of choice for targeted attacks. Malware Trends Tracker >>>
Analysis date:	October 28, 2024, 14:39:48
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	cobaltstrike backdoor xor-url generic
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (GUI) x86-64, for MS Windows, 12 sections
MD5:	C9C4D2C659985660EB9D8AFC35BB51B8
SHA1:	622E529898CB530AD93937FC50E7C1225C179021
SHA256:	14030B5868E045EB1508F44697520CCADCB3247D9165E3E02F45B1CF94CB93EF
SSDEEP:	49152:fjj5hOpu3JwIvrpsKdqY3BDhS418t8rlWZFPjBrDkrzglW7rluncEV:bj3OqJfrpjdqY3Z3WZFPjxkrzic

.exe	\|	Generic Win/DOS Executable (50)
.exe	\|	DOS Executable Generic (49.9)

MachineType:	AMD AMD64
TimeStamp:	2024:10:24 02:38:34+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14
CodeSize:	704000
InitializedDataSize:	835584
UninitializedDataSize:	-
EntryPoint:	0x7d0c8
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI

PID	Process	Filename		Type
6464	2024-10-28_c9c4d2c659985660eb9d8afc35bb51b8_cobalt-strike_cobaltstrike_ryuk.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsSecurityHealthSystray.lnk		binary
		MD5:1D961B76DB408C755D6059C28D606D23	SHA256:69734E7A9FD2E7565697BDCF4C31CD2AF9BFE82A7923F80E7FBA513F9B303A35

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1252	RUXIMICS.exe	GET	200	2.16.164.9:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
6944	svchost.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
1252	RUXIMICS.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	200	45.14.226.64:443	https://bbs.lvsehacker.com/jquery-3.3.1.min.js	unknown	binary	5.50 Kb	malicious
6944	svchost.exe	GET	200	2.16.164.9:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5488	MoUsoCoreWorker.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5488	MoUsoCoreWorker.exe	GET	200	2.16.164.9:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	—	45.14.226.64:443	https://bbs.lvsehacker.com/jquery-3.3.1.min.js	unknown	—	—	—
—	—	GET	200	45.14.226.64:443	https://bbs.lvsehacker.com/jquery-3.3.1.min.js	unknown	binary	5.50 Kb	malicious
—	—	GET	200	45.14.226.64:443	https://bbs.lvsehacker.com/jquery-3.3.1.min.js	unknown	binary	5.56 Kb	malicious

PID	Process	IP	Domain	ASN	CN	Reputation
6944	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
1252	RUXIMICS.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
5488	MoUsoCoreWorker.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	2.23.209.189:443	www.bing.com	Akamai International B.V.	GB	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
6464	2024-10-28_c9c4d2c659985660eb9d8afc35bb51b8_cobalt-strike_cobaltstrike_ryuk.exe	142.250.185.228:443	www.google.com	GOOGLE	US	whitelisted
6464	2024-10-28_c9c4d2c659985660eb9d8afc35bb51b8_cobalt-strike_cobaltstrike_ryuk.exe	103.235.47.188:443	www.baidu.com	Beijing Baidu Netcom Science and Technology Co., Ltd.	HK	whitelisted
6464	2024-10-28_c9c4d2c659985660eb9d8afc35bb51b8_cobalt-strike_cobaltstrike_ryuk.exe	45.14.226.64:443	bbs.lvsehacker.com	SpectraIP B.V.	NL	unknown
6464	2024-10-28_c9c4d2c659985660eb9d8afc35bb51b8_cobalt-strike_cobaltstrike_ryuk.exe	162.159.46.1:443	cloudflare-ip-v4.html.zone	CLOUDFLARENET	—	unknown

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208 51.104.136.2	whitelisted
www.bing.com	2.23.209.189 2.23.209.143 2.23.209.142 2.23.209.137 2.23.209.133 2.23.209.135 2.23.209.144 2.23.209.140 2.23.209.186	whitelisted
google.com	142.250.185.78	whitelisted
cloudflare-ip-v4.html.zone	162.159.46.1 162.159.36.1	unknown
www.google.com	142.250.185.228	whitelisted
www.baidu.com	103.235.47.188 103.235.46.96	whitelisted
bbs.lvsehacker.com	45.14.226.64	malicious
f3hrq9vj.bjguigang.com	45.14.224.176	unknown
crl.microsoft.com	2.16.164.9 2.16.164.43	whitelisted
www.microsoft.com	88.221.169.152	whitelisted

PID	Process	Class	Message
—	—	Malware Command and Control Activity Detected	ET MALWARE Cobalt Strike Malleable C2 JQuery Custom Profile M2
—	—	A Network Trojan was detected	ET MALWARE Cobalt Strike Beacon Activity (GET)
—	—	Malware Command and Control Activity Detected	ET MALWARE Cobalt Strike Malleable C2 JQuery Custom Profile Response
—	—	Malware Command and Control Activity Detected	ET MALWARE Cobalt Strike Malleable C2 JQuery Custom Profile M2
—	—	A Network Trojan was detected	ET MALWARE Cobalt Strike Beacon Activity (GET)
—	—	Malware Command and Control Activity Detected	ET MALWARE Cobalt Strike Malleable C2 JQuery Custom Profile M2
—	—	A Network Trojan was detected	ET MALWARE Cobalt Strike Beacon Activity (GET)
—	—	Malware Command and Control Activity Detected	ET MALWARE Cobalt Strike Malleable C2 JQuery Custom Profile Response
—	—	Malware Command and Control Activity Detected	ET MALWARE Cobalt Strike Malleable C2 JQuery Custom Profile M2
—	—	A Network Trojan was detected	ET MALWARE Cobalt Strike Beacon Activity (GET)

General Info

2024-10-28_c9c4d2c659985660eb9d8afc35bb51b8_cobalt-strike_cobaltstrike_ryuk

C9C4D2C659985660EB9D8AFC35BB51B8

622E529898CB530AD93937FC50E7C1225C179021

14030B5868E045EB1508F44697520CCADCB3247D9165E3E02F45B1CF94CB93EF

49152:fjj5hOpu3JwIvrpsKdqY3BDhS418t8rlWZFPjBrDkrzglW7rluncEV:bj3OqJfrpjdqY3Z3WZFPjxkrzic

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

XORed URL has been found (YARA)

COBALTSTRIKE has been detected (YARA)

SUSPICIOUS

Reads security settings of Internet Explorer

Checks Windows Trust Settings

Connects to unusual port

INFO

Checks supported languages

Reads the computer name

Reads the machine GUID from the registry

Checks proxy server information

Reads the software policy settings

Malware configuration

xor-url

CobalStrike

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Malware configuration

xor-url

CobalStrike

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings