cobaltstrike | e9157e32da346917b0092b432ede9945fa6d86ceccc07e0afa1e33826a3fecab

General

Target

Reciept 9133447.xlsb
Size

67KB
MD5

c44c8e5c2b7ed4b597557bf12cc279c4
SHA1

bf99994ffb3cd21635e1ef7f09e773e48068d3c1
SHA256

e9157e32da346917b0092b432ede9945fa6d86ceccc07e0afa1e33826a3fecab
SHA512

694058e46ac7b324e4df54e11ceba4ed92a40878f934f9369059905acc264d48c3ec888f52e7fb20e8931d62b0a22121efdf13167da8fe82b512d90ecdc77233

Score

10^/10

cobaltstrike 1359593325 backdoor cryptone packer trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

1359593325

C2

http://94.198.40.11:80/visit.js

Attributes

access_type
512
host
94.198.40.11,/visit.js
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
polling_time
60000
port_number
80
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCHFcV/jTWIWbMLGsg/xD3cCk0yHN+dWUBeSAZEdvXFEiawkFkWyJWyGyT0NbgSrwHmz+krYJY6l6YOoUNPWMNc6YpuQUYrBiilMX6rDkmmqUqem2tP6G4E6nBva8DOwNu671c8iFZeK4M8s6PPnUDuEuSHchHBLc5wV6Ew7BLO5QIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/submit.php
user_agent
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
watermark
1359593325

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

CryptOne packer 1 IoCs

Detects CryptOne packer defined in NCC blogpost.

cryptone packer

Processes:

resource	yara_rule
C:\Windows\Temp\ea2mx.exe	cryptone

Blocklisted process makes network request 1 IoCs

Processes:

WMIC.exe

flow pid process

6 1156 WMIC.exe
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

ea2mx.exe

pid process

1332 ea2mx.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE

flow	pid	process
6	1156	WMIC.exe

pid	process
1332	ea2mx.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXEmshta.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	mshta.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

2036 EXCEL.EXE

pid	process
2036	EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 40 IoCs

Processes:

WMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1156	WMIC.exe
Token: SeSecurityPrivilege	1156	WMIC.exe
Token: SeTakeOwnershipPrivilege	1156	WMIC.exe
Token: SeLoadDriverPrivilege	1156	WMIC.exe
Token: SeSystemProfilePrivilege	1156	WMIC.exe
Token: SeSystemtimePrivilege	1156	WMIC.exe
Token: SeProfSingleProcessPrivilege	1156	WMIC.exe
Token: SeIncBasePriorityPrivilege	1156	WMIC.exe
Token: SeCreatePagefilePrivilege	1156	WMIC.exe
Token: SeBackupPrivilege	1156	WMIC.exe
Token: SeRestorePrivilege	1156	WMIC.exe
Token: SeShutdownPrivilege	1156	WMIC.exe
Token: SeDebugPrivilege	1156	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1156	WMIC.exe
Token: SeRemoteShutdownPrivilege	1156	WMIC.exe
Token: SeUndockPrivilege	1156	WMIC.exe
Token: SeManageVolumePrivilege	1156	WMIC.exe
Token: 33	1156	WMIC.exe
Token: 34	1156	WMIC.exe
Token: 35	1156	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1156	WMIC.exe
Token: SeSecurityPrivilege	1156	WMIC.exe
Token: SeTakeOwnershipPrivilege	1156	WMIC.exe
Token: SeLoadDriverPrivilege	1156	WMIC.exe
Token: SeSystemProfilePrivilege	1156	WMIC.exe
Token: SeSystemtimePrivilege	1156	WMIC.exe
Token: SeProfSingleProcessPrivilege	1156	WMIC.exe
Token: SeIncBasePriorityPrivilege	1156	WMIC.exe
Token: SeCreatePagefilePrivilege	1156	WMIC.exe
Token: SeBackupPrivilege	1156	WMIC.exe
Token: SeRestorePrivilege	1156	WMIC.exe
Token: SeShutdownPrivilege	1156	WMIC.exe
Token: SeDebugPrivilege	1156	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1156	WMIC.exe
Token: SeRemoteShutdownPrivilege	1156	WMIC.exe
Token: SeUndockPrivilege	1156	WMIC.exe
Token: SeManageVolumePrivilege	1156	WMIC.exe
Token: 33	1156	WMIC.exe
Token: 34	1156	WMIC.exe
Token: 35	1156	WMIC.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

EXCEL.EXE

pid process

2036 EXCEL.EXE
2036 EXCEL.EXE
2036 EXCEL.EXE
2036 EXCEL.EXE
2036 EXCEL.EXE

pid	process
2036	EXCEL.EXE
2036	EXCEL.EXE
2036	EXCEL.EXE
2036	EXCEL.EXE
2036	EXCEL.EXE

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

taskeng.exemshta.EXEWMIC.exe

description	pid	process	target process
PID 1964 wrote to memory of 1304	1964	taskeng.exe	mshta.EXE
PID 1964 wrote to memory of 1304	1964	taskeng.exe	mshta.EXE
PID 1964 wrote to memory of 1304	1964	taskeng.exe	mshta.EXE
PID 1304 wrote to memory of 1156	1304	mshta.EXE	WMIC.exe
PID 1304 wrote to memory of 1156	1304	mshta.EXE	WMIC.exe
PID 1304 wrote to memory of 1156	1304	mshta.EXE	WMIC.exe
PID 1156 wrote to memory of 1332	1156	WMIC.exe	ea2mx.exe
PID 1156 wrote to memory of 1332	1156	WMIC.exe	ea2mx.exe
PID 1156 wrote to memory of 1332	1156	WMIC.exe	ea2mx.exe
PID 1156 wrote to memory of 1332	1156	WMIC.exe	ea2mx.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Reciept 9133447.xlsb"
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2036

C:\Windows\system32\taskeng.exe
taskeng.exe {F537491F-4D26-452F-B995-93F1B42A9107} S-1-5-21-2513283230-931923277-594887482-1000:MRBKYMNO\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\system32\mshta.EXE
C:\Windows\system32\mshta.EXE vbscript:Execute("set osh = CreateObject(""Wscript.Shell""):osh.Run(""wmic os get /format:"" & Chr(34) & osh.ExpandEnvironmentStrings(""C:\ProgramData"") & ""\\qDialogOptionsCalculation.xsl"" & Chr(34)),0:close")
2⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1304

C:\Windows\System32\wbem\WMIC.exe
"C:\Windows\System32\wbem\WMIC.exe" os get /format:"C:\ProgramData\\qDialogOptionsCalculation.xsl"
3⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1156

C:\Windows\Temp\ea2mx.exe
"C:\Windows\Temp\ea2mx.exe"
4⤵
- Executes dropped EXE
PID:1332

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\qDialogOptionsCalculation.xsl
MD5
620bf55623214f88f930947072f5f85e

SHA1
e6d49a4bad59023d69653186a8193340d4b54adb

SHA256
144d5d7cc423e850a7ae9599fffeaed84e9ee5a882330f38a295381fe5263c7b

SHA512
87a8443c3477dcd3cc1a3ddfc1ce53031e1bcc82ee141946ef1da944c60207e22798efe625fef19cbd66a10f44972f3e2626166b9953f4b18608bbd3996e91e1

Download Submit
C:\Windows\Temp\ea2mx.exe
MD5
9a2e1bb9ad6f1ccfeaa4c2c55637ae3b

SHA1
d42d55cab8637f847efdc1a01bcd5bb2d4668b7d

SHA256
b012145b80d5176d73ed67924be9b1290d7920f05bf436f37deca4799b6d88b6

SHA512
c8233171f957979936ea517dcabb3732e54b1cc19e89853d198b48c36f9609d2d8d0a0e75267a63162bd7d40371d22fbc62084441eaaec4d8670a5c2d985d1a6

Download Submit
memory/1156-65-0x0000000000000000-mapping.dmp

Download
memory/1304-63-0x0000000000000000-mapping.dmp

Download
memory/1304-64-0x000007FEFC471000-0x000007FEFC473000-memory.dmp

Filesize
8KB

Download
memory/1332-67-0x0000000000000000-mapping.dmp

Download
memory/1332-69-0x0000000076A81000-0x0000000076A83000-memory.dmp

Filesize
8KB

Download
memory/1332-70-0x0000000000220000-0x0000000000267000-memory.dmp

Filesize
284KB

Download
memory/1332-71-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1332-72-0x0000000000360000-0x0000000000393000-memory.dmp

Filesize
204KB

Download
memory/1332-73-0x0000000000460000-0x000000000049D000-memory.dmp

Filesize
244KB

Download
memory/2036-60-0x000000002F0D1000-0x000000002F0D4000-memory.dmp

Filesize
12KB

Download
memory/2036-62-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2036-61-0x0000000071C71000-0x0000000071C73000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads