cobaltstrike | 5b220aee49202eb35af52535921691f5eda758b442d7d023343f15bbbb1ef69c

General

Target

5b220aee49202eb35af52535921691f5eda758b442d7d023343f15bbbb1ef69c.exe
Size

1.4MB
MD5

8ec45a62cf34fc74d4bef6292b0840a7
SHA1

6578ab3b13864909b972a8916adc85a117970661
SHA256

5b220aee49202eb35af52535921691f5eda758b442d7d023343f15bbbb1ef69c
SHA512

2190f14e74b61af4e720ecb68bf61fba73dba24fb1650ca378d23d4d13692d5b81092752cb076683dc59ac011aa731d9be97d37c489337e1fe5af731c02122e5

Score

10^/10

cobaltstrike metasploit backdoor trojan

Malware Config

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Executes dropped EXE 1 IoCs

Processes:

svchost.bat

pid process

1756 svchost.bat

pid	process
1756	svchost.bat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5b220aee49202eb35af52535921691f5eda758b442d7d023343f15bbbb1ef69c.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	5b220aee49202eb35af52535921691f5eda758b442d7d023343f15bbbb1ef69c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

5b220aee49202eb35af52535921691f5eda758b442d7d023343f15bbbb1ef69c.exesvchost.bat

description	pid	process	target process
PID 3356 wrote to memory of 1756	3356	5b220aee49202eb35af52535921691f5eda758b442d7d023343f15bbbb1ef69c.exe	svchost.bat
PID 3356 wrote to memory of 1756	3356	5b220aee49202eb35af52535921691f5eda758b442d7d023343f15bbbb1ef69c.exe	svchost.bat
PID 3356 wrote to memory of 1756	3356	5b220aee49202eb35af52535921691f5eda758b442d7d023343f15bbbb1ef69c.exe	svchost.bat
PID 1756 wrote to memory of 3916	1756	svchost.bat	svchost.exe
PID 1756 wrote to memory of 3916	1756	svchost.bat	svchost.exe
PID 1756 wrote to memory of 3916	1756	svchost.bat	svchost.exe
PID 1756 wrote to memory of 3916	1756	svchost.bat	svchost.exe

C:\Users\Admin\AppData\Local\Temp\5b220aee49202eb35af52535921691f5eda758b442d7d023343f15bbbb1ef69c.exe
"C:\Users\Admin\AppData\Local\Temp\5b220aee49202eb35af52535921691f5eda758b442d7d023343f15bbbb1ef69c.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3356

C:\Users\Admin\AppData\Local\Temp\7zSC1D82AA6\svchost.bat
"C:\Users\Admin\AppData\Local\Temp\7zSC1D82AA6\svchost.bat"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1756

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:3916

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zSC1D82AA6\svchost.bat
Filesize
641KB

MD5
041b36a7b4616b747525d6bb166d2487

SHA1
75bac4fef064e10deccaf9e03d498bd2f5ba9810

SHA256
e59eb81d66ec38ae1e14fab35f370c52359a21d2d3af5b7b8bb2c614b2bd51ea

SHA512
7eeb807fe1461369e3879202a0fafa360506d8c6df73c9e6c9f4f9d50e7b6df6b085b6227ceda77e3ecc971956cb86794a5a9207f0b90c0fccd8546bfbb5e74b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC1D82AA6\svchost.bat
Filesize
641KB

MD5
041b36a7b4616b747525d6bb166d2487

SHA1
75bac4fef064e10deccaf9e03d498bd2f5ba9810

SHA256
e59eb81d66ec38ae1e14fab35f370c52359a21d2d3af5b7b8bb2c614b2bd51ea

SHA512
7eeb807fe1461369e3879202a0fafa360506d8c6df73c9e6c9f4f9d50e7b6df6b085b6227ceda77e3ecc971956cb86794a5a9207f0b90c0fccd8546bfbb5e74b

Download Submit
memory/1756-130-0x0000000000000000-mapping.dmp

Download
memory/3916-133-0x0000000000000000-mapping.dmp

Download
memory/3916-134-0x0000000000630000-0x00000000006BE000-memory.dmp

Filesize
568KB

Download
memory/3916-138-0x0000000002560000-0x00000000025C9000-memory.dmp

Filesize
420KB

Download
memory/3916-137-0x000000000065B000-0x00000000006BE000-memory.dmp

Filesize
396KB

Download
memory/3916-136-0x0000000000D50000-0x0000000000D81000-memory.dmp

Filesize
196KB

Download

Analysis

Sharing