cobaltstrike | 3542078fd524e3cb141d5bebf96aea73467505a07ae72fc58395afa14f22e8a3

General

Target

RFP_AllianxMexico_2022.doc
Size

3.2MB
MD5

b371e1c2ca2e5718e151760bc4664366
SHA1

73457d23e5235df0fcfbf6547aaf26cccc765011
SHA256

3542078fd524e3cb141d5bebf96aea73467505a07ae72fc58395afa14f22e8a3
SHA512

b6d4ae4f09c8bb660d46dba8cce9a28a811af28f9364e38dc58da85bff011bf6ac21130a790a96ed9f015f27a916f6d8090a1712bb3f6192412f38381a7f4486

Score

10^/10

cobaltstrike backdoor trojan

Malware Config

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Process spawned suspicious child process 1 IoCs

This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.

Processes:

DW20.EXE

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	1936	812	DW20.EXE	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

812 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

WINWORD.EXE

pid process

812 WINWORD.EXE
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

dwwin.exe

pid process

108 dwwin.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

WINWORD.EXE

pid process

812 WINWORD.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

812 WINWORD.EXE
812 WINWORD.EXE

pid	process
812	WINWORD.EXE

pid	process
812	WINWORD.EXE

pid	process
108	dwwin.exe

pid	process
812	WINWORD.EXE

pid	process
812	WINWORD.EXE
812	WINWORD.EXE

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

WINWORD.EXEDW20.EXE

description	pid	process	target process
PID 812 wrote to memory of 1936	812	WINWORD.EXE	DW20.EXE
PID 812 wrote to memory of 1936	812	WINWORD.EXE	DW20.EXE
PID 812 wrote to memory of 1936	812	WINWORD.EXE	DW20.EXE
PID 812 wrote to memory of 1936	812	WINWORD.EXE	DW20.EXE
PID 812 wrote to memory of 1936	812	WINWORD.EXE	DW20.EXE
PID 812 wrote to memory of 1936	812	WINWORD.EXE	DW20.EXE
PID 812 wrote to memory of 1936	812	WINWORD.EXE	DW20.EXE
PID 1936 wrote to memory of 108	1936	DW20.EXE	dwwin.exe
PID 1936 wrote to memory of 108	1936	DW20.EXE	dwwin.exe
PID 1936 wrote to memory of 108	1936	DW20.EXE	dwwin.exe
PID 1936 wrote to memory of 108	1936	DW20.EXE	dwwin.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\RFP_AllianxMexico_2022.doc"
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:812

C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE
"C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE" -x -s 1256
2⤵
- Process spawned suspicious child process
- Suspicious use of WriteProcessMemory
PID:1936

C:\Windows\SysWOW64\dwwin.exe
C:\Windows\system32\dwwin.exe -x -s 1256
3⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:108

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\259400802.cvr
MD5
924bb5b2288a37dd1f27baaa3268fc13

SHA1
1434c500fe20dfd0f5558dc671fe6e69953fc24f

SHA256
78b57801a219fbaacec23d54314f9d24b2b896dbe48a62ccf8f128652f578a05

SHA512
d49d421a2407fcac118dcbe7be52af576b8d26130fdf2502bc083345cd01dc3825aff1ff38bb9e80541e68ffdc7621dfd658e0aaaa54b455ac61423e064c6065

Download Submit
memory/108-392-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/812-54-0x0000000072421000-0x0000000072424000-memory.dmp

Filesize
12KB

Download
memory/812-55-0x000000006FEA1000-0x000000006FEA3000-memory.dmp

Filesize
8KB

Download
memory/812-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/812-57-0x0000000075F21000-0x0000000075F23000-memory.dmp

Filesize
8KB

Download
memory/812-390-0x0000000007480000-0x0000000008481000-memory.dmp

Filesize
16.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads