cobaltstrike | f01f5fb0137d71bbaa7e2762e6e92d9b8fdb56d16b60c332b7e0a897c6205f31

General

Target

20220124svchost/host.exe
Size

7KB
MD5

4b7b09158efe990aeae84bffd3495a06
SHA1

4d5a9a49b22815f344c90e04d8f3536bea29d501
SHA256

ef9fe61878d9d6ef602dedf8bad61927b8a754886c4923119572117141a87227
SHA512

90c9bd74c843bcfa0749509ffe0a647ed93318734bed8e68379037ffe84c4200854fd42bd726c8e214f15e1094abcb6cb818c14562bc717a15bcba08a0714d84

Score

10^/10

cobaltstrike 999999 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

C2

http://dash.139pro.com:8880/w/static/js/app.clf44eeb.js

Attributes

user_agent
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Host: dash.139pro.com Referer: http://www.bing.com/ Accept-Encoding: deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0

Extracted

Family

cobaltstrike

Botnet

999999

C2

http://dash.139pro.com:8880/w/static/js/chunk-vendors.811798f9.js

Attributes

access_type
512
host
dash.139pro.com,/w/static/js/chunk-vendors.811798f9.js
http_header1
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAABAAAAAVSG9zdDogZGFzaC4xMzlwcm8uY29tAAAACgAAAB1SZWZlcmVyOiBodHRwOi8vd3d3LmJpbmcuY29tLwAAAAoAAAAYQWNjZXB0LUVuY29kaW5nOiBkZWZsYXRlAAAABwAAAAAAAAANAAAAAgAAABJzZW5zb3JzX3N0YXlfdGltZT0AAAAGAAAABkNvb2tpZQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAABAAAAAVSG9zdDogZGFzaC4xMzlwcm8uY29tAAAACgAAAB1SZWZlcmVyOiBodHRwOi8vd3d3LmJpbmcuY29tLwAAAAoAAAAYQWNjZXB0LUVuY29kaW5nOiBkZWZsYXRlAAAABwAAAAAAAAAPAAAADQAAAAUAAAARc2Vuc29yc19zdGF5X3RpbWUAAAAHAAAAAQAAAA8AAAANAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
9472
polling_time
1000
port_number
8880
sc_process32
%windir%\syswow64\dllhost.exe
sc_process64
%windir%\sysnative\dllhost.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCsaux/wtu42BOnD2ggcEwMY95Evz5CW0fQx0ahyfR8HW/DflLHIQ4ewNdq3O0uHj71HDIrT6ChacHhvuDqvs1UD5IxDN8Auubbj3cWEkYrA6iS2wBL6O5uSwelCcOa0+ckWFDTP9ISLCyE5U+hBAj32r4+41KjlyyKZTCfYcog5QIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
1.633293568e+09
unknown2
AAAABAAAAAEAAAIlAAAAAgAAAFQAAAACAAACjQAAAA0AAAAPAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/w/static/js/chunk-vendors.8l1798f9.js
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
watermark
999999

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

host.exe

description pid process

Token: SeDebugPrivilege 1540 host.exe

description	pid	process
Token: SeDebugPrivilege	1540	host.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

host.exe

description	pid	process	target process
PID 1540 wrote to memory of 764	1540	host.exe	NOTEPAD.EXE
PID 1540 wrote to memory of 764	1540	host.exe	NOTEPAD.EXE
PID 1540 wrote to memory of 764	1540	host.exe	NOTEPAD.EXE
PID 1540 wrote to memory of 764	1540	host.exe	NOTEPAD.EXE

C:\Users\Admin\AppData\Local\Temp\20220124svchost\host.exe
"C:\Users\Admin\AppData\Local\Temp\20220124svchost\host.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1540

C:\WINDOWS\SYSTEM32\NOTEPAD.EXE
"C:\WINDOWS\SYSTEM32\NOTEPAD.EXE"
2⤵
PID:764

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/764-59-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/764-60-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/764-61-0x00000000036D0000-0x0000000003F42000-memory.dmp

Filesize
8.4MB

Download
memory/764-62-0x00000000036D0000-0x0000000003AD0000-memory.dmp

Filesize
4.0MB

Download
memory/1540-55-0x00000000000A0000-0x00000000000A8000-memory.dmp

Filesize
32KB

Download
memory/1540-56-0x000007FEFB5D1000-0x000007FEFB5D3000-memory.dmp

Filesize
8KB

Download
memory/1540-58-0x000000001B6D0000-0x000000001B6D2000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads