cobaltstrike | f026659380293aebc45bc97cd4aeee19c96e8ae5b88673283f2ed113bed4110f

General

Target

SecuriteInfo.com.VB.Heur2.EmoDldr.5.18D41831.Gen.23202.26536.xlsm
Size

25KB
MD5

d68eb2a0c4ef9306e93e7f993544bbfe
SHA1

a503bfdf64589003faeee0857cb9808fdc659dea
SHA256

f026659380293aebc45bc97cd4aeee19c96e8ae5b88673283f2ed113bed4110f
SHA512

460306fa32c29a3c3e0ff74c33e2399e454668589d7786e28770804d1a11dd787f994829ad7c772ee259219133a362aabcacac67e5936dbc5357864b9cc9c949

Score

10^/10

cobaltstrike metasploit backdoor trojan

Malware Config

Extracted

Family

metasploit

Version

windows/download_exec

C2

http://resources.healthmade.org:80/thumb/preview.gif

Attributes

headers User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko

Extracted

Family

cobaltstrike

C2

http://resources.healthmade.org:80/__utm.gif

Attributes

access_type
512
beacon_type
0
create_remote_thread
0
day
0
dns_idle
0
dns_sleep
0
host
resources.healthmade.org,/__utm.gif
http_header1
AAAACQAAABJ1dG1hYz1VQS0yMjAyNjA0LTIAAAAJAAAAB3V0bWNuPTEAAAAJAAAAEHV0bWNzPUlTTy04ODU5LTEAAAAJAAAAD3V0bXNyPTEyODB4MTAyNAAAAAkAAAAMdXRtc2M9MzItYml0AAAACQAAAAt1dG11bD1lbi1VUwAAAAcAAAAAAAAACAAAAAIAAAAGX191dG1hAAAABQAAAAV1dG1jYwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAAAgAAAAZVQS0yMjAAAAABAAAAAi0yAAAABQAAAAV1dG1hYwAAAAkAAAAHdXRtY249MQAAAAkAAAAQdXRtY3M9SVNPLTg4NTktMQAAAAkAAAAPdXRtc3I9MTI4MHgxMDI0AAAACQAAAAx1dG1zYz0zMi1iaXQAAAAJAAAAC3V0bXVsPWVuLVVTAAAABwAAAAEAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
injection_process
jitter
7680
maxdns
0
month
0
pipe_name
polling_time
30000
port_number
80
proxy_password
proxy_server
proxy_username
sc_process32
%windir%\syswow64\WerFault.exe
sc_process64
%windir%\sysnative\WerFault.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpRrJXGxXzjCf2S2A1wbdkekxgKbnifIIayLRat08R6vjjTxcWEeZrDjY0U7bl4LJSGOAZRwV9m/P5VqFGU6N8Zufhz2wCiag/oTNSDQNVJn+ijTEtdfkS0nMXEry5AkH6k7AG8BYszdU4CofCRJdRnh6dixXclrdyCMFL9p04gwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
6.71092736e+08
unknown2
AAAABAAAAAIAAAAPAAAAAgAAAA8AAAACAAAACgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown3
0
unknown4
0
unknown5
2.9665394e+07
uri
/___utm.gif
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
year
0

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

MSBuild.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2672	3996	MSBuild.exe	EXCEL.EXE

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

3996 EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXE

pid	process
3996	EXCEL.EXE
3996	EXCEL.EXE
3996	EXCEL.EXE
3996	EXCEL.EXE
3996	EXCEL.EXE
3996	EXCEL.EXE
3996	EXCEL.EXE
3996	EXCEL.EXE
3996	EXCEL.EXE
3996	EXCEL.EXE
3996	EXCEL.EXE
3996	EXCEL.EXE

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

EXCEL.EXEMSBuild.execsc.exe

description	pid	process	target process
PID 3996 wrote to memory of 2672	3996	EXCEL.EXE	MSBuild.exe
PID 3996 wrote to memory of 2672	3996	EXCEL.EXE	MSBuild.exe
PID 3996 wrote to memory of 2672	3996	EXCEL.EXE	MSBuild.exe
PID 2672 wrote to memory of 1784	2672	MSBuild.exe	csc.exe
PID 2672 wrote to memory of 1784	2672	MSBuild.exe	csc.exe
PID 2672 wrote to memory of 1784	2672	MSBuild.exe	csc.exe
PID 1784 wrote to memory of 2604	1784	csc.exe	cvtres.exe
PID 1784 wrote to memory of 2604	1784	csc.exe	cvtres.exe
PID 1784 wrote to memory of 2604	1784	csc.exe	cvtres.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.VB.Heur2.EmoDldr.5.18D41831.Gen.23202.26536.xlsm"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3996

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" C:\Users\Admin\Documents\template.xml
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2672

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\d4yulwqk\d4yulwqk.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:1784

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7DF0.tmp" "c:\Users\Admin\AppData\Local\Temp\d4yulwqk\CSCE949B34C95B04726B1A18783527FFC3.TMP"
4⤵
PID:2604

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES7DF0.tmp
MD5
8a625e8fe5d77fed9f37ece65c7a176b

SHA1
7a9c622b8b946f9f69be9f301bd2f415faf97296

SHA256
522044e80cf7f0559912a34cb7fa1ba3ae618938ca2e59d068c490b49646c1c5

SHA512
47ee4035423efa253ca9ab5a26320f64c9ec7c127d47ef47eccd37b77d2f48caa72ed388892a7434014a22763a13d18ebe5e0c66df4e7139be06f042ae19bc28

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4yulwqk\d4yulwqk.dll
MD5
4ebc488120e8cd113a2d214a1dc5ab9b

SHA1
f2ce65613003b9ad4dd9dba8cd22804b2bf7485f

SHA256
d68596a5559887faac550f5d37d62ddc5de432cd7cc43fab348bcece3b22a705

SHA512
10fbe2bc8fd45920682ec09239f8c1536e8342584882f61503a0d6abd494e42bcdb61c8357ad53ddf995db0a1f35a8e52bb547c4a3cebb529b1e0e472bb908b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4yulwqk\d4yulwqk.pdb
MD5
cf14291afbc1f5cb432426ca399c8fba

SHA1
742dfdf9b9f23a6f923a79db6f03d9d110ee0bf7

SHA256
707acfc8485a51b9a8928a902e4d5e2cdb32b015a1bb3f4763abf75baa453ea5

SHA512
f168f4ded1e50c07c01bb89a17907641c1c05535031c1c4fa7d49a459a54d3c3f4d568f2af255421e516c3e0dc73c79ad7db5cb1137589c0b93c92f67de93f0c

Download Submit
C:\Users\Admin\Documents\template.xml
MD5
798ab3936c2e1043fdb1e22559e20632

SHA1
142b7c353881800cb4a415bb0edf33e0bac0e2b5

SHA256
ddb8cebd9406dcfc78dfa6471f603c3f6518d055983477c955934f38de088242

SHA512
aac2382181be42edc0397302a2d85c41cb9bddbf6b6a031e3470254f90cfc4173e629a569f696c29f802acb80250b45fa368ee66c567a64c8160b3f85b1d09bc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\d4yulwqk\CSCE949B34C95B04726B1A18783527FFC3.TMP
MD5
ad137a4a2f2d1ef73f8f29642f5cacbb

SHA1
6d358159f52238ff09647a7024ee3ff43c1677af

SHA256
5e511fe8df9e444cee3930f6396eb72981a8a905f1910da244b8071c042c36a5

SHA512
335ba06599d0be66562fe58838b0d9f0e4e3a1269f95125340a0348a9db4d84f54ce70639f0bebb41f799407d2afa1d6ce34b43495d5c3343bae669156aaa44a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\d4yulwqk\d4yulwqk.0.cs
MD5
b8b482aab01645e96a2d4b90b184a117

SHA1
17e0651c870e73b2f637efd8a9b5b77f9a8ac657

SHA256
588fcb3c48884352073316b139665924bff0f72eb9e0a8b26b664efc78d36a51

SHA512
24cc4e0c2b7810e15d9e7e2fb3625b0fe0138b85df4fb276424ca5f184fb1805e9d609815d60a2bb4ca52dbba648cb2635207cfc1be71eb3a6ffd704c9e95d69

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\d4yulwqk\d4yulwqk.cmdline
MD5
3ec2d12b0f08e316138d4cda89fcb88b

SHA1
8ff6e4803c8aaa9d42440f64c3edc648ac1429dd

SHA256
34936d63734ed38e723c6a60319334fbcdbb2c1f7733c154c39a74ec2d809fac

SHA512
0ef50c3b1a408294482ac41abea8f4831fd26f1d3c4501896882381c9f95ca5a9abdd6a04b70649fe2c5d3a50356af452807d6bcdb5bdf1598670a14c4c776a0

Download Submit
memory/1784-22-0x0000000000000000-mapping.dmp

Download
memory/2604-25-0x0000000000000000-mapping.dmp

Download
memory/2672-9-0x0000000000EF0000-0x0000000000EF1000-memory.dmp

Filesize
4KB

Download
memory/2672-21-0x00000000069D0000-0x00000000069D1000-memory.dmp

Filesize
4KB

Download
memory/2672-13-0x00000000057D0000-0x00000000057D1000-memory.dmp

Filesize
4KB

Download
memory/2672-11-0x0000000005940000-0x0000000005941000-memory.dmp

Filesize
4KB

Download
memory/2672-15-0x0000000006400000-0x0000000006401000-memory.dmp

Filesize
4KB

Download
memory/2672-17-0x0000000006330000-0x0000000006331000-memory.dmp

Filesize
4KB

Download
memory/2672-20-0x0000000006660000-0x0000000006661000-memory.dmp

Filesize
4KB

Download
memory/2672-30-0x0000000005EA0000-0x0000000005EA2000-memory.dmp

Filesize
8KB

Download
memory/2672-10-0x0000000005680000-0x0000000005681000-memory.dmp

Filesize
4KB

Download
memory/2672-12-0x00000000057A0000-0x00000000057A1000-memory.dmp

Filesize
4KB

Download
memory/2672-8-0x00000000739C0000-0x00000000740AE000-memory.dmp

Filesize
6.9MB

Download
memory/2672-7-0x0000000000000000-mapping.dmp

Download
memory/2672-32-0x0000000006960000-0x0000000006D60000-memory.dmp

Filesize
4.0MB

Download
memory/2672-31-0x0000000005EB0000-0x0000000005EB1000-memory.dmp

Filesize
4KB

Download
memory/3996-2-0x00007FFC108D0000-0x00007FFC108E0000-memory.dmp

Filesize
64KB

Download
memory/3996-3-0x00007FFC108D0000-0x00007FFC108E0000-memory.dmp

Filesize
64KB

Download
memory/3996-4-0x00007FFC108D0000-0x00007FFC108E0000-memory.dmp

Filesize
64KB

Download
memory/3996-5-0x00007FFC33A00000-0x00007FFC34037000-memory.dmp

Filesize
6.2MB

Download
memory/3996-6-0x00007FFC108D0000-0x00007FFC108E0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads