cobaltstrike | 5b220aee49202eb35af52535921691f5eda758b442d7d023343f15bbbb1ef69c

General

Target

5b220aee49202eb35af52535921691f5eda758b442d7d023343f15bbbb1ef69c.exe
Size

1.4MB
MD5

8ec45a62cf34fc74d4bef6292b0840a7
SHA1

6578ab3b13864909b972a8916adc85a117970661
SHA256

5b220aee49202eb35af52535921691f5eda758b442d7d023343f15bbbb1ef69c
SHA512

2190f14e74b61af4e720ecb68bf61fba73dba24fb1650ca378d23d4d13692d5b81092752cb076683dc59ac011aa731d9be97d37c489337e1fe5af731c02122e5

Score

10^/10

cobaltstrike metasploit backdoor trojan

Malware Config

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Executes dropped EXE 1 IoCs

Processes:

svchost.bat

pid process

1344 svchost.bat

pid	process
1344	svchost.bat

Loads dropped DLL 5 IoCs

Processes:

5b220aee49202eb35af52535921691f5eda758b442d7d023343f15bbbb1ef69c.exe

pid	process
2016	5b220aee49202eb35af52535921691f5eda758b442d7d023343f15bbbb1ef69c.exe
2016	5b220aee49202eb35af52535921691f5eda758b442d7d023343f15bbbb1ef69c.exe
2016	5b220aee49202eb35af52535921691f5eda758b442d7d023343f15bbbb1ef69c.exe
2016	5b220aee49202eb35af52535921691f5eda758b442d7d023343f15bbbb1ef69c.exe
2016	5b220aee49202eb35af52535921691f5eda758b442d7d023343f15bbbb1ef69c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

5b220aee49202eb35af52535921691f5eda758b442d7d023343f15bbbb1ef69c.exesvchost.bat

description	pid	process	target process
PID 2016 wrote to memory of 1344	2016	5b220aee49202eb35af52535921691f5eda758b442d7d023343f15bbbb1ef69c.exe	svchost.bat
PID 2016 wrote to memory of 1344	2016	5b220aee49202eb35af52535921691f5eda758b442d7d023343f15bbbb1ef69c.exe	svchost.bat
PID 2016 wrote to memory of 1344	2016	5b220aee49202eb35af52535921691f5eda758b442d7d023343f15bbbb1ef69c.exe	svchost.bat
PID 2016 wrote to memory of 1344	2016	5b220aee49202eb35af52535921691f5eda758b442d7d023343f15bbbb1ef69c.exe	svchost.bat
PID 1344 wrote to memory of 2036	1344	svchost.bat	svchost.exe
PID 1344 wrote to memory of 2036	1344	svchost.bat	svchost.exe
PID 1344 wrote to memory of 2036	1344	svchost.bat	svchost.exe
PID 1344 wrote to memory of 2036	1344	svchost.bat	svchost.exe
PID 1344 wrote to memory of 2036	1344	svchost.bat	svchost.exe

C:\Users\Admin\AppData\Local\Temp\5b220aee49202eb35af52535921691f5eda758b442d7d023343f15bbbb1ef69c.exe
"C:\Users\Admin\AppData\Local\Temp\5b220aee49202eb35af52535921691f5eda758b442d7d023343f15bbbb1ef69c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2016

C:\Users\Admin\AppData\Local\Temp\7zS0E79B11C\svchost.bat
"C:\Users\Admin\AppData\Local\Temp\7zS0E79B11C\svchost.bat"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1344

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2036

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS0E79B11C\svchost.bat
Filesize
641KB

MD5
041b36a7b4616b747525d6bb166d2487

SHA1
75bac4fef064e10deccaf9e03d498bd2f5ba9810

SHA256
e59eb81d66ec38ae1e14fab35f370c52359a21d2d3af5b7b8bb2c614b2bd51ea

SHA512
7eeb807fe1461369e3879202a0fafa360506d8c6df73c9e6c9f4f9d50e7b6df6b085b6227ceda77e3ecc971956cb86794a5a9207f0b90c0fccd8546bfbb5e74b

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0E79B11C\svchost.bat
Filesize
641KB

MD5
041b36a7b4616b747525d6bb166d2487

SHA1
75bac4fef064e10deccaf9e03d498bd2f5ba9810

SHA256
e59eb81d66ec38ae1e14fab35f370c52359a21d2d3af5b7b8bb2c614b2bd51ea

SHA512
7eeb807fe1461369e3879202a0fafa360506d8c6df73c9e6c9f4f9d50e7b6df6b085b6227ceda77e3ecc971956cb86794a5a9207f0b90c0fccd8546bfbb5e74b

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0E79B11C\svchost.bat
Filesize
641KB

MD5
041b36a7b4616b747525d6bb166d2487

SHA1
75bac4fef064e10deccaf9e03d498bd2f5ba9810

SHA256
e59eb81d66ec38ae1e14fab35f370c52359a21d2d3af5b7b8bb2c614b2bd51ea

SHA512
7eeb807fe1461369e3879202a0fafa360506d8c6df73c9e6c9f4f9d50e7b6df6b085b6227ceda77e3ecc971956cb86794a5a9207f0b90c0fccd8546bfbb5e74b

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0E79B11C\svchost.bat
Filesize
641KB

MD5
041b36a7b4616b747525d6bb166d2487

SHA1
75bac4fef064e10deccaf9e03d498bd2f5ba9810

SHA256
e59eb81d66ec38ae1e14fab35f370c52359a21d2d3af5b7b8bb2c614b2bd51ea

SHA512
7eeb807fe1461369e3879202a0fafa360506d8c6df73c9e6c9f4f9d50e7b6df6b085b6227ceda77e3ecc971956cb86794a5a9207f0b90c0fccd8546bfbb5e74b

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0E79B11C\svchost.bat
Filesize
641KB

MD5
041b36a7b4616b747525d6bb166d2487

SHA1
75bac4fef064e10deccaf9e03d498bd2f5ba9810

SHA256
e59eb81d66ec38ae1e14fab35f370c52359a21d2d3af5b7b8bb2c614b2bd51ea

SHA512
7eeb807fe1461369e3879202a0fafa360506d8c6df73c9e6c9f4f9d50e7b6df6b085b6227ceda77e3ecc971956cb86794a5a9207f0b90c0fccd8546bfbb5e74b

Download Submit
\Users\Admin\AppData\Local\Temp\7zS0E79B11C\svchost.bat
Filesize
641KB

MD5
041b36a7b4616b747525d6bb166d2487

SHA1
75bac4fef064e10deccaf9e03d498bd2f5ba9810

SHA256
e59eb81d66ec38ae1e14fab35f370c52359a21d2d3af5b7b8bb2c614b2bd51ea

SHA512
7eeb807fe1461369e3879202a0fafa360506d8c6df73c9e6c9f4f9d50e7b6df6b085b6227ceda77e3ecc971956cb86794a5a9207f0b90c0fccd8546bfbb5e74b

Download Submit
memory/1344-60-0x0000000000000000-mapping.dmp

Download
memory/2016-54-0x0000000075F21000-0x0000000075F23000-memory.dmp

Filesize
8KB

Download
memory/2036-62-0x0000000000080000-0x000000000010E000-memory.dmp

Filesize
568KB

Download
memory/2036-64-0x0000000000000000-mapping.dmp

Download
memory/2036-65-0x0000000000080000-0x000000000010E000-memory.dmp

Filesize
568KB

Download
memory/2036-68-0x00000000000AB000-0x000000000010E000-memory.dmp

Filesize
396KB

Download
memory/2036-69-0x00000000002F0000-0x0000000000359000-memory.dmp

Filesize
420KB

Download
memory/2036-67-0x0000000000240000-0x0000000000271000-memory.dmp

Filesize
196KB

Download

Analysis

Sharing