File name:

sa.zip

Full analysis: https://app.any.run/tasks/55c89832-928e-4528-ba55-716404689e67
Verdict: Malicious activity
Threats:

Cobalt Strike is a legitimate penetration software toolkit developed by Forta. But its cracked versions are widely adopted by bad actors, who use it as a C2 system of choice for targeted attacks.

Malware Trends Tracker     >>>
Analysis date: August 01, 2024, 09:55:53
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
cobaltstrike
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:

69F2CE89B8D1C153C5BC14694727668F

SHA1:

455AA296A9D3FF898078316BE9D78472C19F9166

SHA256:

BA7188E3774979CC4347ECCF26E4D5137D3698CB509066E0075A4BA9A32DD930

SSDEEP:

98304:fpOH5xQFf09XYf8x7I7zL+xa/nVq+71TQu7aqd2NCNlHqGDtMQtI8l5e9JeoI5gK:BIVAFRrXVROL/J3Sq+nkobaQaiMBux

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • COBALTSTRIKE has been detected (YARA)

      • alibaba.com (PID: 2872)

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 6436)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • alibaba.com (PID: 2872)

    • Checks Windows Trust Settings

      • alibaba.com (PID: 2872)

  • INFO

    • Manual execution by a user

      • alibaba.com (PID: 2872)

    • Reads the software policy settings

      • alibaba.com (PID: 2872)

    • Checks proxy server information

      • alibaba.com (PID: 2872)

    • Checks supported languages

      • alibaba.com (PID: 2872)

    • Reads the machine GUID from the registry

      • alibaba.com (PID: 2872)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 6436)

    • Reads the computer name

      • alibaba.com (PID: 2872)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

CobalStrike

(PID) Process(2872) alibaba.com
C2 (4)vangogh.bytedance.com/v4/static/v1.7.9/gcaptcha4.js
passport.bytedance.com/v4/static/v1.7.9/gcaptcha4.js
learning.bytedance.com/v4/static/v1.7.9/gcaptcha4.js
news.163.com/v4/static/v1.7.9/gcaptcha4.js
BeaconTypeHTTPS
Port443
SleepTime5000
MaxGetSize1412336
Jitter37
PublicKey-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDhZrDpo62NHZnfVYr1IlwYsino KL1sKjhut0EBkybUBfs58IhqI916OZ2/9a6JSzjcYNEZ/mdiqa6dUm6aP5uJkDuj nBHrGrnDCWy5kwGJMZAwh0rkwoLzrLin4+LPnncnNF7syySVYBkEHkEgb77fOJ00 gcIIh1fcTdkYq7Ec8wIDAQAB -----END PUBLIC KEY-----
DNS_strategyround-robin
DNS_strategy_rotate_seconds-1
DNS_strategy_fail_x-1
DNS_strategy_fail_seconds-1
SpawnTo00000000000000000000000000000000
Spawnto_x86%windir%\syswow64\runonce.exe
Spawnto_x64%windir%\sysnative\runonce.exe
CryptoScheme0
HttpGet_VerbGET
HttpPost_VerbPOST
HttpPostChunk0
Watermark666666666
bStageCleanupTrue
bCFGCautionTrue
UserAgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.35 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.35
HttpPostUri/v4/static/v1.7.9/script.js
Malleable_C2_InstructionsRemove 14234 bytes from the beginning, Base64 URL-safe decode
HttpGet_Metadata
ConstHeaders (4)Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Host: static.microsoft.com
Referer: https://static.microsoft.com/
Accept-Encoding: gzip, deflate
SessionId (3)base64url
prepend: __ms-cv=
header: Cookie
HttpPost_Metadata
ConstHeaders (4)Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Host: cdn.bootcss.com
Referer: http://cdn.bootcss.com/
Accept-Encoding: gzip, deflate
SessionId (2)base64url
parameter: __ms-cv
Output (2)base64url
print
SSH_BannerHost: staos.microsoft.com
bUsesCookies0001
Proxy_BehaviorUse IE settings
tcpFrameHeader0004000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
smbFrameHeader0005800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
KillDate0-0-0
bProcInject_StartRWXFalse
bProcInject_UseRWXFalse
bProcInject_MinAllocSize18700
ProcInject_PrependAppend_x8690909090..90909090
ProcInject_PrependAppend_x6490909090..90909090
ProcInject_Stub40ed048138df0b3e23a0ef24dc5efa1a
ProcInject_AllocationMethodVirtualAllocEx
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2020:11:20 11:13:50
ZipCRC: 0xb07e7438
ZipCompressedSize: 123923
ZipUncompressedSize: 248416
ZipFileName: sa/alibaba.com
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
139
Monitored processes
4
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe rundll32.exe no specs #COBALTSTRIKE alibaba.com runonce.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2572C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -EmbeddingC:\Windows\System32\rundll32.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
2872"C:\Users\admin\Desktop\sa\alibaba.com" C:\Users\admin\Desktop\sa\alibaba.com
explorer.exe
User:
admin
Company:
Xiaomi Inc.
Integrity Level:
MEDIUM
Description:
Mi Notebook core components
Version:
1.0.0.152
Modules
Images
c:\users\admin\desktop\sa\alibaba.com
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
CobalStrike
(PID) Process(2872) alibaba.com
C2 (4)vangogh.bytedance.com/v4/static/v1.7.9/gcaptcha4.js
passport.bytedance.com/v4/static/v1.7.9/gcaptcha4.js
learning.bytedance.com/v4/static/v1.7.9/gcaptcha4.js
news.163.com/v4/static/v1.7.9/gcaptcha4.js
BeaconTypeHTTPS
Port443
SleepTime5000
MaxGetSize1412336
Jitter37
PublicKey-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDhZrDpo62NHZnfVYr1IlwYsino KL1sKjhut0EBkybUBfs58IhqI916OZ2/9a6JSzjcYNEZ/mdiqa6dUm6aP5uJkDuj nBHrGrnDCWy5kwGJMZAwh0rkwoLzrLin4+LPnncnNF7syySVYBkEHkEgb77fOJ00 gcIIh1fcTdkYq7Ec8wIDAQAB -----END PUBLIC KEY-----
DNS_strategyround-robin
DNS_strategy_rotate_seconds-1
DNS_strategy_fail_x-1
DNS_strategy_fail_seconds-1
SpawnTo00000000000000000000000000000000
Spawnto_x86%windir%\syswow64\runonce.exe
Spawnto_x64%windir%\sysnative\runonce.exe
CryptoScheme0
HttpGet_VerbGET
HttpPost_VerbPOST
HttpPostChunk0
Watermark666666666
bStageCleanupTrue
bCFGCautionTrue
UserAgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.35 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.35
HttpPostUri/v4/static/v1.7.9/script.js
Malleable_C2_InstructionsRemove 14234 bytes from the beginning, Base64 URL-safe decode
HttpGet_Metadata
ConstHeaders (4)Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Host: static.microsoft.com
Referer: https://static.microsoft.com/
Accept-Encoding: gzip, deflate
SessionId (3)base64url
prepend: __ms-cv=
header: Cookie
HttpPost_Metadata
ConstHeaders (4)Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Host: cdn.bootcss.com
Referer: http://cdn.bootcss.com/
Accept-Encoding: gzip, deflate
SessionId (2)base64url
parameter: __ms-cv
Output (2)base64url
print
SSH_BannerHost: staos.microsoft.com
bUsesCookies0001
Proxy_BehaviorUse IE settings
tcpFrameHeader0004000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
smbFrameHeader0005800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
KillDate0-0-0
bProcInject_StartRWXFalse
bProcInject_UseRWXFalse
bProcInject_MinAllocSize18700
ProcInject_PrependAppend_x8690909090..90909090
ProcInject_PrependAppend_x6490909090..90909090
ProcInject_Stub40ed048138df0b3e23a0ef24dc5efa1a
ProcInject_AllocationMethodVirtualAllocEx
6436"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\sa.zipC:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
6572C:\WINDOWS\system32\runonce.exeC:\Windows\System32\runonce.exealibaba.com
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Run Once Wrapper
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\runonce.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
Total events
7 155
Read events
7 124
Write events
31
Delete events
0

Modification events

(PID) Process:(6436) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(6436) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(6436) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip
(PID) Process:(6436) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\sa.zip
(PID) Process:(6436) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(6436) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(6436) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(6436) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(6436) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation:writeName:0
Value:
C:\Users\admin\Desktop
(PID) Process:(6436) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\MainWin
Operation:writeName:Placement
Value:
2C0000000200000003000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF3D0000002D000000FD03000016020000
Executable files
2
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
6436WinRAR.exeC:\Users\admin\Desktop\sa\alibaba.comexecutable
MD5:D239ED3700F590720B4639CD88478C00
SHA256:EC8E4A4A211D934595A9AD4AA8112D9DECF682F74B08BF45D5AA38AB8FD172F5
6436WinRAR.exeC:\Users\admin\Desktop\sa\PROPSYS.dllexecutable
MD5:41E885A1F1AA539562A782C4AB22824A
SHA256:804871F6424F865800C7B0984C4FB11CE5D1E44C93568F370A7405609177EA63
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
142
DNS requests
26
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4200
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
6752
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
4200
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
5336
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
5336
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
6828
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
5336
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
3888
svchost.exe
239.255.255.250:1900
whitelisted
5244
RUXIMICS.exe
51.124.78.146:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2120
MoUsoCoreWorker.exe
51.124.78.146:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1984
svchost.exe
51.124.78.146:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
1984
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5336
SearchApp.exe
2.23.209.173:443
www.bing.com
Akamai International B.V.
GB
unknown
5336
SearchApp.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
4200
svchost.exe
40.126.32.134:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.186.110
whitelisted
settings-win.data.microsoft.com
  • 20.73.194.208
  • 51.104.136.2
whitelisted
www.bing.com
  • 2.23.209.173
  • 2.23.209.174
  • 2.23.209.175
  • 2.23.209.167
  • 2.23.209.180
  • 2.23.209.178
  • 2.23.209.179
  • 2.23.209.177
  • 2.23.209.169
  • 95.100.146.33
  • 95.100.146.25
  • 95.100.146.17
  • 95.100.146.24
  • 95.100.146.35
  • 95.100.146.32
  • 95.100.146.10
  • 95.100.146.19
  • 95.100.146.34
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 40.126.32.134
  • 40.126.32.138
  • 20.190.160.22
  • 40.126.32.68
  • 40.126.32.74
  • 20.190.160.14
  • 40.126.32.76
  • 40.126.32.140
whitelisted
client.wns.windows.com
  • 40.115.3.253
  • 40.113.103.199
whitelisted
th.bing.com
  • 2.23.209.137
  • 2.23.209.143
  • 2.23.209.142
  • 2.23.209.133
  • 2.23.209.135
  • 2.23.209.141
  • 2.23.209.134
  • 2.23.209.136
  • 2.23.209.139
  • 95.100.146.34
  • 95.100.146.33
  • 95.100.146.25
  • 95.100.146.17
  • 95.100.146.24
  • 95.100.146.35
  • 95.100.146.32
  • 95.100.146.10
  • 95.100.146.19
whitelisted
fd.api.iris.microsoft.com
  • 20.223.35.26
whitelisted
arc.msn.com
  • 20.199.58.43
whitelisted
slscr.update.microsoft.com
  • 20.114.59.183
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
sa.zip