cobaltstrike | 7a51bf0527aa3f38ee5a9ae52c1a4f63d67d68af2da7b488f8ba7b66d665e618

General

Target

7a51bf0527aa3f38ee5a9ae52c1a4f63d67d68af2da7b488f8ba7b66d665e618.exe
Size

2.5MB
MD5

8e96a9977d96e47db7c33cf350338b87
SHA1

84842f681f7640332f51e283aa8988cb37f4ff77
SHA256

7a51bf0527aa3f38ee5a9ae52c1a4f63d67d68af2da7b488f8ba7b66d665e618
SHA512

627627d69c9d5e065803a938839d6aa8cfbb8518c2cb40dc7959639eed406c255d343a773e30dc2c3f169576991a44148f97679677f5a5c041d1a4397c3f1eca

Score

10^/10

cobaltstrike 426352781 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

426352781

C2

http://42.81.120.12:443/c/msdownload/update/others/2021/10/29136388_

http://111.12.28.24:443/c/msdownload/update/others/2021/10/29136388_

http://120.221.245.161:443/c/msdownload/update/others/2021/10/29136388_

http://221.180.219.232:443/c/msdownload/update/others/2021/10/29136388_

Attributes

access_type
512
beacon_type
2048
host
42.81.120.12,/c/msdownload/update/others/2021/10/29136388_,111.12.28.24,/c/msdownload/update/others/2021/10/29136388_,120.221.245.161,/c/msdownload/update/others/2021/10/29136388_,221.180.219.232,/c/msdownload/update/others/2021/10/29136388_
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAcAAAAAAAAADQAAAAEAAAAELmNhYgAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAcAAAAAAAAADQAAAAEAAAAELmNhYgAAAAwAAAAHAAAAAQAAAA0AAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
2560
polling_time
3000
port_number
443
sc_process32
%windir%\syswow64\wusa.exe
sc_process64
%windir%\sysnative\wusa.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCeKX2ZC6z352UquYL608HlqSqWZnpPWO6XVwMv0J1dRN2RoKK8RqAOQRojHYe5D+ZtsIqIQ8g9CvgtGiloDvyEfOUjer8u/3SDM6ERYWtyxZH2iFm6OL2EGAAb0ysNFQImRN9ynhJ4iqll29xS6McHClteDRdJqRu/cZiOzMyjywIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
1.448416512e+09
unknown2
AAAABAAAAA0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/c/msdownload/update/others/2021/10/3215234_
user_agent
Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.31
watermark
426352781

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2704	7a51bf0527aa3f38ee5a9ae52c1a4f63d67d68af2da7b488f8ba7b66d665e618.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2704 wrote to memory of 508	2704	7a51bf0527aa3f38ee5a9ae52c1a4f63d67d68af2da7b488f8ba7b66d665e618.exe	69
PID 2704 wrote to memory of 508	2704	7a51bf0527aa3f38ee5a9ae52c1a4f63d67d68af2da7b488f8ba7b66d665e618.exe	69

C:\Users\Admin\AppData\Local\Temp\7a51bf0527aa3f38ee5a9ae52c1a4f63d67d68af2da7b488f8ba7b66d665e618.exe
"C:\Users\Admin\AppData\Local\Temp\7a51bf0527aa3f38ee5a9ae52c1a4f63d67d68af2da7b488f8ba7b66d665e618.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /C set
  2⤵
  PID:508

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2704-115-0x000001CF34370000-0x000001CF34372000-memory.dmp

Filesize
8KB

Download
memory/2704-116-0x000001CF34372000-0x000001CF34376000-memory.dmp

Filesize
16KB

Download
memory/2704-117-0x000001CF34581000-0x000001CF347DB000-memory.dmp

Filesize
2.4MB

Download
memory/2704-118-0x000001CF352EA000-0x000001CF35492000-memory.dmp

Filesize
1.7MB

Download
memory/2704-119-0x000001CF34890000-0x000001CF348DE000-memory.dmp

Filesize
312KB

Download

Analysis

Sharing