cobaltstrike | f026659380293aebc45bc97cd4aeee19c96e8ae5b88673283f2ed113bed4110f

General

Target

SecuriteInfo.com.VB.Heur2.EmoDldr.5.18D41831.Gen.23202.26536.xlsm
Size

25KB
MD5

d68eb2a0c4ef9306e93e7f993544bbfe
SHA1

a503bfdf64589003faeee0857cb9808fdc659dea
SHA256

f026659380293aebc45bc97cd4aeee19c96e8ae5b88673283f2ed113bed4110f
SHA512

460306fa32c29a3c3e0ff74c33e2399e454668589d7786e28770804d1a11dd787f994829ad7c772ee259219133a362aabcacac67e5936dbc5357864b9cc9c949

Score

10^/10

cobaltstrike metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

windows/download_exec

C2

http://resources.healthmade.org:80/thumb/preview.gif

Attributes

headers User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko

Extracted

Family

cobaltstrike

C2

http://resources.healthmade.org:80/__utm.gif

Attributes

access_type
512
beacon_type
0
create_remote_thread
0
day
0
dns_idle
0
dns_sleep
0
host
resources.healthmade.org,/__utm.gif
http_header1
AAAACQAAABJ1dG1hYz1VQS0yMjAyNjA0LTIAAAAJAAAAB3V0bWNuPTEAAAAJAAAAEHV0bWNzPUlTTy04ODU5LTEAAAAJAAAAD3V0bXNyPTEyODB4MTAyNAAAAAkAAAAMdXRtc2M9MzItYml0AAAACQAAAAt1dG11bD1lbi1VUwAAAAcAAAAAAAAACAAAAAIAAAAGX191dG1hAAAABQAAAAV1dG1jYwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAAAgAAAAZVQS0yMjAAAAABAAAAAi0yAAAABQAAAAV1dG1hYwAAAAkAAAAHdXRtY249MQAAAAkAAAAQdXRtY3M9SVNPLTg4NTktMQAAAAkAAAAPdXRtc3I9MTI4MHgxMDI0AAAACQAAAAx1dG1zYz0zMi1iaXQAAAAJAAAAC3V0bXVsPWVuLVVTAAAABwAAAAEAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
injection_process
jitter
7680
maxdns
0
month
0
pipe_name
polling_time
30000
port_number
80
proxy_password
proxy_server
proxy_username
sc_process32
%windir%\syswow64\WerFault.exe
sc_process64
%windir%\sysnative\WerFault.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpRrJXGxXzjCf2S2A1wbdkekxgKbnifIIayLRat08R6vjjTxcWEeZrDjY0U7bl4LJSGOAZRwV9m/P5VqFGU6N8Zufhz2wCiag/oTNSDQNVJn+ijTEtdfkS0nMXEry5AkH6k7AG8BYszdU4CofCRJdRnh6dixXclrdyCMFL9p04gwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
6.71092736e+08
unknown2
AAAABAAAAAIAAAAPAAAAAgAAAA8AAAACAAAACgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown3
0
unknown4
0
unknown5
2.9665394e+07
uri
/___utm.gif
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
year
0

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

MSBuild.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1716	296	MSBuild.exe	EXCEL.EXE

Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

296 EXCEL.EXE
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

EXCEL.EXE

pid process

296 EXCEL.EXE
296 EXCEL.EXE
296 EXCEL.EXE

pid	process
296	EXCEL.EXE

pid	process
296	EXCEL.EXE
296	EXCEL.EXE
296	EXCEL.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

EXCEL.EXEMSBuild.execsc.exe

description	pid	process	target process
PID 296 wrote to memory of 1716	296	EXCEL.EXE	MSBuild.exe
PID 296 wrote to memory of 1716	296	EXCEL.EXE	MSBuild.exe
PID 296 wrote to memory of 1716	296	EXCEL.EXE	MSBuild.exe
PID 296 wrote to memory of 1716	296	EXCEL.EXE	MSBuild.exe
PID 1716 wrote to memory of 1348	1716	MSBuild.exe	csc.exe
PID 1716 wrote to memory of 1348	1716	MSBuild.exe	csc.exe
PID 1716 wrote to memory of 1348	1716	MSBuild.exe	csc.exe
PID 1716 wrote to memory of 1348	1716	MSBuild.exe	csc.exe
PID 1348 wrote to memory of 1512	1348	csc.exe	cvtres.exe
PID 1348 wrote to memory of 1512	1348	csc.exe	cvtres.exe
PID 1348 wrote to memory of 1512	1348	csc.exe	cvtres.exe
PID 1348 wrote to memory of 1512	1348	csc.exe	cvtres.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.VB.Heur2.EmoDldr.5.18D41831.Gen.23202.26536.xlsm
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:296

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" C:\Users\Admin\Documents\template.xml
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1716

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\52qdswze\52qdswze.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:1348

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2166.tmp" "c:\Users\Admin\AppData\Local\Temp\52qdswze\CSCCB79ED0A12E84724AF5BFCE83F4E10F3.TMP"
4⤵
PID:1512

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\52qdswze\52qdswze.dll
MD5
6599e5e62269b8f8a7f94900d583f135

SHA1
a110b554f57bc07f6bf680b7011ea7a78ddea628

SHA256
ecc385f6f9a3954b36b1d57d6c56061d0fb208b472d403e31c246d540c9e7e8b

SHA512
6b4834d247b5a54b49b239d55fc26a031bea72e5b0a342d5e6955d4caa8037796fa267c5f8e537dee9d5f2791764bc48a46e4cd63a4d735a1812ffd6ec5dc8de

Download Submit
C:\Users\Admin\AppData\Local\Temp\52qdswze\52qdswze.pdb
MD5
f9467e01875ab2b69589f4cbd59062fb

SHA1
7e78060718968594d7a415d22b7f1ae04acceea7

SHA256
0b00a20b87fc07efb3e073778ddf8da16aac181b1f254ca1c9f84e9593277db9

SHA512
15718633bc2d5b13adc9f33148a535e19ee5a941c941fc8a52448342134bd4606c06f186f48e751be1dc3df8bed107da22b1ff52c818a419eb42e58d6f0bd326

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2166.tmp
MD5
922927a95ed11ae2d8a996c9fa868c5a

SHA1
92d186e0edd6afe110fad40c8eb0b3f519c91add

SHA256
524606e55ad27e25852cbd780957b9348c1ed66b9102c5057116c258082fe233

SHA512
3bde2f67728940f5ec318a65f8afbfb457b081beb0460ca5d266f8cda975cf6e1a92845b61db34593e826088d13db20c48ae4ea55639bfd9025de3f44dd73721

Download Submit
C:\Users\Admin\Documents\template.xml
MD5
798ab3936c2e1043fdb1e22559e20632

SHA1
142b7c353881800cb4a415bb0edf33e0bac0e2b5

SHA256
ddb8cebd9406dcfc78dfa6471f603c3f6518d055983477c955934f38de088242

SHA512
aac2382181be42edc0397302a2d85c41cb9bddbf6b6a031e3470254f90cfc4173e629a569f696c29f802acb80250b45fa368ee66c567a64c8160b3f85b1d09bc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\52qdswze\52qdswze.0.cs
MD5
b8b482aab01645e96a2d4b90b184a117

SHA1
17e0651c870e73b2f637efd8a9b5b77f9a8ac657

SHA256
588fcb3c48884352073316b139665924bff0f72eb9e0a8b26b664efc78d36a51

SHA512
24cc4e0c2b7810e15d9e7e2fb3625b0fe0138b85df4fb276424ca5f184fb1805e9d609815d60a2bb4ca52dbba648cb2635207cfc1be71eb3a6ffd704c9e95d69

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\52qdswze\52qdswze.cmdline
MD5
f20891ff1bc3bb8c8ecf65ec9aa373ec

SHA1
0e72a3d58bcc0cf2a1564fe81f9834f4793321e1

SHA256
bd0a1831f0b3bf03d7e9cac2e77be8019f14980331010c0d6a4168194d1c4d2c

SHA512
3a44ac81185237f45e386526f247f8a8d299459b6a098605162e206f6dedb6cc41f26fc521965ce7105a45ed64e31f1d78922e8128cebe015003f6725ac9ef7b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\52qdswze\CSCCB79ED0A12E84724AF5BFCE83F4E10F3.TMP
MD5
5473e1485182f59e1ec30fea5e8ad2da

SHA1
79a606bf2b4f92686a72e4806add6668596e9896

SHA256
ba71a1950abc79fbf05283b92d8ba9140a449043b5bb8e12f0757e41d3913cb2

SHA512
863f0c34b02b4bf6c5c78d86339df74917db2685586242119ab9820dd4ab54ea76c35fa68f254b1b5f6eca9508e44493f8d8f13fa31b18ba2526e172e267e066

Download Submit
memory/284-26-0x000007FEF7850000-0x000007FEF7ACA000-memory.dmp

Filesize
2.5MB

Download
memory/296-2-0x000000002F911000-0x000000002F914000-memory.dmp

Filesize
12KB

Download
memory/296-3-0x0000000071771000-0x0000000071773000-memory.dmp

Filesize
8KB

Download
memory/296-4-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1348-15-0x0000000000000000-mapping.dmp

Download
memory/1512-19-0x0000000000000000-mapping.dmp

Download
memory/1716-11-0x0000000001F90000-0x0000000001F91000-memory.dmp

Filesize
4KB

Download
memory/1716-14-0x0000000005290000-0x0000000005291000-memory.dmp

Filesize
4KB

Download
memory/1716-13-0x0000000005290000-0x0000000005291000-memory.dmp

Filesize
4KB

Download
memory/1716-18-0x0000000004250000-0x0000000004251000-memory.dmp

Filesize
4KB

Download
memory/1716-12-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/1716-5-0x0000000000000000-mapping.dmp

Download
memory/1716-24-0x0000000000590000-0x0000000000592000-memory.dmp

Filesize
8KB

Download
memory/1716-6-0x000000006C4B0000-0x000000006CB9E000-memory.dmp

Filesize
6.9MB

Download
memory/1716-10-0x0000000005290000-0x0000000005291000-memory.dmp

Filesize
4KB

Download
memory/1716-9-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/1716-25-0x00000000005B0000-0x00000000005B1000-memory.dmp

Filesize
4KB

Download
memory/1716-7-0x0000000000980000-0x0000000000981000-memory.dmp

Filesize
4KB

Download
memory/1716-27-0x00000000063F0000-0x00000000067F0000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads