cobaltstrike | d032d57e8f366c59979f536722b5cfbded08b94fc032da27220df46dfcd43208

General

Target

Reciept 0198478.xlsb
Size

67KB
MD5

16b275e48c1d27c448b4ed772206315c
SHA1

317988ea2f7fa8fa288850adce94bf2543bbd8d0
SHA256

d032d57e8f366c59979f536722b5cfbded08b94fc032da27220df46dfcd43208
SHA512

518b238dee5d8f69ab2f09a92f7daf12613358b21bbc38247e6e9faa45470eb450815d7a094dddc0dfc8db7b4698da27e76480258c9b7feb61f0c73e1cf04c50

Score

10^/10

cobaltstrike 1359593325 backdoor cryptone packer trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

1359593325

C2

http://94.198.40.11:80/visit.js

Attributes

access_type
512
host
94.198.40.11,/visit.js
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
polling_time
60000
port_number
80
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCHFcV/jTWIWbMLGsg/xD3cCk0yHN+dWUBeSAZEdvXFEiawkFkWyJWyGyT0NbgSrwHmz+krYJY6l6YOoUNPWMNc6YpuQUYrBiilMX6rDkmmqUqem2tP6G4E6nBva8DOwNu671c8iFZeK4M8s6PPnUDuEuSHchHBLc5wV6Ew7BLO5QIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/submit.php
user_agent
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
watermark
1359593325

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

CryptOne packer 1 IoCs

Detects CryptOne packer defined in NCC blogpost.

cryptone packer

Processes:

resource	yara_rule
C:\Windows\Temp\e15k9.exe	cryptone

Blocklisted process makes network request 1 IoCs

Processes:

WMIC.exe

flow pid process

6 932 WMIC.exe
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

e15k9.exe

pid process

1052 e15k9.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE

flow	pid	process
6	932	WMIC.exe

pid	process
1052	e15k9.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXEmshta.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	mshta.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

304 EXCEL.EXE

pid	process
304	EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 40 IoCs

Processes:

WMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	932	WMIC.exe
Token: SeSecurityPrivilege	932	WMIC.exe
Token: SeTakeOwnershipPrivilege	932	WMIC.exe
Token: SeLoadDriverPrivilege	932	WMIC.exe
Token: SeSystemProfilePrivilege	932	WMIC.exe
Token: SeSystemtimePrivilege	932	WMIC.exe
Token: SeProfSingleProcessPrivilege	932	WMIC.exe
Token: SeIncBasePriorityPrivilege	932	WMIC.exe
Token: SeCreatePagefilePrivilege	932	WMIC.exe
Token: SeBackupPrivilege	932	WMIC.exe
Token: SeRestorePrivilege	932	WMIC.exe
Token: SeShutdownPrivilege	932	WMIC.exe
Token: SeDebugPrivilege	932	WMIC.exe
Token: SeSystemEnvironmentPrivilege	932	WMIC.exe
Token: SeRemoteShutdownPrivilege	932	WMIC.exe
Token: SeUndockPrivilege	932	WMIC.exe
Token: SeManageVolumePrivilege	932	WMIC.exe
Token: 33	932	WMIC.exe
Token: 34	932	WMIC.exe
Token: 35	932	WMIC.exe
Token: SeIncreaseQuotaPrivilege	932	WMIC.exe
Token: SeSecurityPrivilege	932	WMIC.exe
Token: SeTakeOwnershipPrivilege	932	WMIC.exe
Token: SeLoadDriverPrivilege	932	WMIC.exe
Token: SeSystemProfilePrivilege	932	WMIC.exe
Token: SeSystemtimePrivilege	932	WMIC.exe
Token: SeProfSingleProcessPrivilege	932	WMIC.exe
Token: SeIncBasePriorityPrivilege	932	WMIC.exe
Token: SeCreatePagefilePrivilege	932	WMIC.exe
Token: SeBackupPrivilege	932	WMIC.exe
Token: SeRestorePrivilege	932	WMIC.exe
Token: SeShutdownPrivilege	932	WMIC.exe
Token: SeDebugPrivilege	932	WMIC.exe
Token: SeSystemEnvironmentPrivilege	932	WMIC.exe
Token: SeRemoteShutdownPrivilege	932	WMIC.exe
Token: SeUndockPrivilege	932	WMIC.exe
Token: SeManageVolumePrivilege	932	WMIC.exe
Token: 33	932	WMIC.exe
Token: 34	932	WMIC.exe
Token: 35	932	WMIC.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

EXCEL.EXE

pid process

304 EXCEL.EXE
304 EXCEL.EXE
304 EXCEL.EXE
304 EXCEL.EXE
304 EXCEL.EXE

pid	process
304	EXCEL.EXE
304	EXCEL.EXE
304	EXCEL.EXE
304	EXCEL.EXE
304	EXCEL.EXE

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

taskeng.exemshta.EXEWMIC.exe

description	pid	process	target process
PID 1872 wrote to memory of 1652	1872	taskeng.exe	mshta.EXE
PID 1872 wrote to memory of 1652	1872	taskeng.exe	mshta.EXE
PID 1872 wrote to memory of 1652	1872	taskeng.exe	mshta.EXE
PID 1652 wrote to memory of 932	1652	mshta.EXE	WMIC.exe
PID 1652 wrote to memory of 932	1652	mshta.EXE	WMIC.exe
PID 1652 wrote to memory of 932	1652	mshta.EXE	WMIC.exe
PID 932 wrote to memory of 1052	932	WMIC.exe	e15k9.exe
PID 932 wrote to memory of 1052	932	WMIC.exe	e15k9.exe
PID 932 wrote to memory of 1052	932	WMIC.exe	e15k9.exe
PID 932 wrote to memory of 1052	932	WMIC.exe	e15k9.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Reciept 0198478.xlsb"
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:304

C:\Windows\system32\taskeng.exe
taskeng.exe {E9EE2BCF-C3B6-492F-9EFA-61190C2AE8AA} S-1-5-21-2513283230-931923277-594887482-1000:MRBKYMNO\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1872

C:\Windows\system32\mshta.EXE
C:\Windows\system32\mshta.EXE vbscript:Execute("set osh = CreateObject(""Wscript.Shell""):osh.Run(""wmic os get /format:"" & Chr(34) & osh.ExpandEnvironmentStrings(""C:\ProgramData"") & ""\\qDialogSeriesAxes.xsl"" & Chr(34)),0:close")
2⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1652

C:\Windows\System32\wbem\WMIC.exe
"C:\Windows\System32\wbem\WMIC.exe" os get /format:"C:\ProgramData\\qDialogSeriesAxes.xsl"
3⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:932

C:\Windows\Temp\e15k9.exe
"C:\Windows\Temp\e15k9.exe"
4⤵
- Executes dropped EXE
PID:1052

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\qDialogSeriesAxes.xsl
MD5
ed9a97566e5179a4793dad89b79f3c8b

SHA1
3aba6229322c12118a7999b35387045159429078

SHA256
c6ce5cf41a799c6c427a8facae15fa9ac40eb3562132189c72e1398178c74981

SHA512
08f827a3bea007feae33e69f43a09cfcb08f0f636d1eab3d937203bad63d94cd9f99312f162cefb1217e115d5ae3985b6202f2b773212134c540e01fe2d071f1

Download Submit
C:\Windows\Temp\e15k9.exe
MD5
9a2e1bb9ad6f1ccfeaa4c2c55637ae3b

SHA1
d42d55cab8637f847efdc1a01bcd5bb2d4668b7d

SHA256
b012145b80d5176d73ed67924be9b1290d7920f05bf436f37deca4799b6d88b6

SHA512
c8233171f957979936ea517dcabb3732e54b1cc19e89853d198b48c36f9609d2d8d0a0e75267a63162bd7d40371d22fbc62084441eaaec4d8670a5c2d985d1a6

Download Submit
memory/304-60-0x00000000716F1000-0x00000000716F3000-memory.dmp

Filesize
8KB

Download
memory/304-61-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/304-59-0x000000002F911000-0x000000002F914000-memory.dmp

Filesize
12KB

Download
memory/932-63-0x0000000000000000-mapping.dmp

Download
memory/1052-68-0x00000000002C0000-0x00000000002F3000-memory.dmp

Filesize
204KB

Download
memory/1052-65-0x0000000000000000-mapping.dmp

Download
memory/1052-67-0x0000000075971000-0x0000000075973000-memory.dmp

Filesize
8KB

Download
memory/1052-69-0x0000000000220000-0x0000000000267000-memory.dmp

Filesize
284KB

Download
memory/1052-70-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1052-71-0x0000000001D90000-0x0000000001DCD000-memory.dmp

Filesize
244KB

Download
memory/1652-62-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads