cobaltstrike | 7a51bf0527aa3f38ee5a9ae52c1a4f63d67d68af2da7b488f8ba7b66d665e618

General

Target

8e96a9977d96e47db7c33cf350338b87.exe
Size

2.5MB
MD5

8e96a9977d96e47db7c33cf350338b87
SHA1

84842f681f7640332f51e283aa8988cb37f4ff77
SHA256

7a51bf0527aa3f38ee5a9ae52c1a4f63d67d68af2da7b488f8ba7b66d665e618
SHA512

627627d69c9d5e065803a938839d6aa8cfbb8518c2cb40dc7959639eed406c255d343a773e30dc2c3f169576991a44148f97679677f5a5c041d1a4397c3f1eca

Score

10^/10

cobaltstrike 426352781 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

426352781

C2

http://42.81.120.12:443/c/msdownload/update/others/2021/10/29136388_

http://111.12.28.24:443/c/msdownload/update/others/2021/10/29136388_

http://120.221.245.161:443/c/msdownload/update/others/2021/10/29136388_

http://221.180.219.232:443/c/msdownload/update/others/2021/10/29136388_

Attributes

access_type
512
beacon_type
2048
host
42.81.120.12,/c/msdownload/update/others/2021/10/29136388_,111.12.28.24,/c/msdownload/update/others/2021/10/29136388_,120.221.245.161,/c/msdownload/update/others/2021/10/29136388_,221.180.219.232,/c/msdownload/update/others/2021/10/29136388_
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAcAAAAAAAAADQAAAAEAAAAELmNhYgAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAcAAAAAAAAADQAAAAEAAAAELmNhYgAAAAwAAAAHAAAAAQAAAA0AAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
2560
polling_time
3000
port_number
443
sc_process32
%windir%\syswow64\wusa.exe
sc_process64
%windir%\sysnative\wusa.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCeKX2ZC6z352UquYL608HlqSqWZnpPWO6XVwMv0J1dRN2RoKK8RqAOQRojHYe5D+ZtsIqIQ8g9CvgtGiloDvyEfOUjer8u/3SDM6ERYWtyxZH2iFm6OL2EGAAb0ysNFQImRN9ynhJ4iqll29xS6McHClteDRdJqRu/cZiOzMyjywIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
1.448416512e+09
unknown2
AAAABAAAAA0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/c/msdownload/update/others/2021/10/3215234_
user_agent
Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.31
watermark
426352781

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	8e96a9977d96e47db7c33cf350338b87.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	8e96a9977d96e47db7c33cf350338b87.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1648	8e96a9977d96e47db7c33cf350338b87.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1648 wrote to memory of 1572	1648	8e96a9977d96e47db7c33cf350338b87.exe	30
PID 1648 wrote to memory of 1572	1648	8e96a9977d96e47db7c33cf350338b87.exe	30
PID 1648 wrote to memory of 1572	1648	8e96a9977d96e47db7c33cf350338b87.exe	30

C:\Users\Admin\AppData\Local\Temp\8e96a9977d96e47db7c33cf350338b87.exe
"C:\Users\Admin\AppData\Local\Temp\8e96a9977d96e47db7c33cf350338b87.exe"
1⤵
- Modifies system certificate store
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1648
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /C set
  2⤵
  PID:1572

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1648-55-0x00000000004D2000-0x00000000004D6000-memory.dmp

Filesize
16KB

Download
memory/1648-56-0x0000000000550000-0x00000000007AA000-memory.dmp

Filesize
2.4MB

Download
memory/1648-54-0x00000000004D0000-0x00000000004D2000-memory.dmp

Filesize
8KB

Download
memory/1648-57-0x0000000000DB0000-0x0000000000F58000-memory.dmp

Filesize
1.7MB

Download
memory/1648-58-0x0000000180000000-0x00000001801AC000-memory.dmp

Filesize
1.7MB

Download
memory/1648-63-0x0000000180000000-0x00000001801AC000-memory.dmp

Filesize
1.7MB

Download
memory/1648-64-0x0000000002D70000-0x0000000002DBE000-memory.dmp

Filesize
312KB

Download
memory/1648-65-0x000007FEFBA71000-0x000007FEFBA73000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing