cobaltstrike | 46f18091cf10d22dfb79b372c9c0d44f3547ec2fb9f0f7c772ef08b33ed53a83

General

Target

ScanClientUpdate/ScanClientUpdate.lnk
Size

1KB
MD5

d98d2caa6e63ca70c245e1d6eda2100b
SHA1

44b1884801c72dc8b218298aa1c537c69f2dfbfa
SHA256

74202eed181e2b83dd0ab6f791a34a13bd94e63e86b82395f9443cb5aeddc891
SHA512

2f63de892d0d757a2310ed5d1c59a8059b9a5fac9dc8c8f45c56b140d82e1009c9d25ff6a9ca9b27e571ee27e8a3329148f53a86cc73ef4a5384387526eb2cfa

Score

10^/10

cobaltstrike 1359593325 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

1359593325

C2

http://doggroomingnews.com:443/storage/main.woff2

Attributes

access_type
512
beacon_type
2048
host
doggroomingnews.com,/storage/main.woff2
http_header1
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAgUmVmZXJlcjogaHR0cDovL2NvZGUuanF1ZXJ5LmNvbS8AAAAKAAAAHkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZQAAAAcAAAAAAAAADQAAAAIAAAAFX19pZD0AAAAGAAAABkNvb2tpZQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAgUmVmZXJlcjogaHR0cDovL2NvZGUuanF1ZXJ5LmNvbS8AAAAKAAAAHkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZQAAAAcAAAAAAAAADwAAAA0AAAAFAAAABV9fdWlkAAAABwAAAAEAAAAPAAAADQAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
9472
polling_time
15000
port_number
443
sc_process32
%windir%\syswow64\dllhost.exe
sc_process64
%windir%\sysnative\dllhost.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCme/zaiZGT7pLjqDAy16p3eFtu90inaA2f41oeA4p/oHZuEumSy882EEc1UdIdb1t55cOwN7OQrfDBkRhcI9ZJuFVHFjb+O01lf9ppl+xBjW0Z7rjpo8RLJCmwNWyymCD1iQJuG0DSkU+RTjZPelztOIFqJS9twRnuhA7wGUGgkwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
5.76066816e+08
unknown2
AAAABAAAAAEAAABjAAAAAgAAAGQAAAANAAAADwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/storage/page.woff2
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4183.83 Safari/537.36
watermark
1359593325

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Blocklisted process makes network request 10 IoCs

Processes:

rundll32.exe

flow	pid	process
5	472	rundll32.exe
6	472	rundll32.exe
7	472	rundll32.exe
9	472	rundll32.exe
10	472	rundll32.exe
11	472	rundll32.exe
13	472	rundll32.exe
14	472	rundll32.exe
15	472	rundll32.exe
17	472	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

cmd.exerundll32.exe

description	pid	process	target process
PID 1572 wrote to memory of 1352	1572	cmd.exe	rundll32.exe
PID 1572 wrote to memory of 1352	1572	cmd.exe	rundll32.exe
PID 1572 wrote to memory of 1352	1572	cmd.exe	rundll32.exe
PID 1352 wrote to memory of 472	1352	rundll32.exe	rundll32.exe
PID 1352 wrote to memory of 472	1352	rundll32.exe	rundll32.exe
PID 1352 wrote to memory of 472	1352	rundll32.exe	rundll32.exe
PID 1352 wrote to memory of 472	1352	rundll32.exe	rundll32.exe
PID 1352 wrote to memory of 472	1352	rundll32.exe	rundll32.exe
PID 1352 wrote to memory of 472	1352	rundll32.exe	rundll32.exe
PID 1352 wrote to memory of 472	1352	rundll32.exe	rundll32.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\ScanClientUpdate\ScanClientUpdate.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:1572

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" KM.FileSystem.dll KMGetInterface
2⤵
- Suspicious use of WriteProcessMemory
PID:1352

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" KM.FileSystem.dll KMGetInterface
3⤵
- Blocklisted process makes network request
PID:472

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/472-56-0x0000000000000000-mapping.dmp

Download
memory/472-57-0x0000000075D61000-0x0000000075D63000-memory.dmp

Filesize
8KB

Download
memory/472-58-0x00000000001D0000-0x0000000000203000-memory.dmp

Filesize
204KB

Download
memory/472-59-0x0000000002FC0000-0x0000000003432000-memory.dmp

Filesize
4.4MB

Download
memory/472-60-0x0000000002FC0000-0x0000000003432000-memory.dmp

Filesize
4.4MB

Download
memory/1352-55-0x0000000000000000-mapping.dmp

Download
memory/1572-54-0x000007FEFB711000-0x000007FEFB713000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing