cobaltstrike | 87ab17e508a10e428e8866ae491876252f7f5c6a060ee99bfa34b8c321abeedd

General

Target

????-???/????-???.docx.lnk
Size

1KB
MD5

595b692c96eab950790501f4099c032d
SHA1

b9324edd0706b8297dd6c23c91a19d4ed1acc8c6
SHA256

cf61bbe7cd523f4a7b619c5f3c8edf8632fd38d3aacf7534236da38a9f57c0f0
SHA512

a85b6bca5ae843be75c372e0a29e6cd6e1f14f56c176d9a5bbfe38c170901e88f9294f5de1b42bf6d03b971361d74ad2c9611ba05598c5ad1be278c474357cf6

Score

10^/10

cobaltstrike 1234567890 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

1234567890

C2

http://iqiyiv101.gslb.c.cdnhwc2.com:80/audiencemanager.js

Attributes

access_type
512
host
iqiyiv101.gslb.c.cdnhwc2.com,/audiencemanager.js
http_header1
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAABAAAAAaSG9zdDogc3RhdGljLm1pY3Jvc29mdC5jb20AAAAKAAAAJlJlZmVyZXI6IGh0dHBzOi8vc3RhdGljLm1pY3Jvc29mdC5jb20vAAAACgAAAB5BY2NlcHQtRW5jb2Rpbmc6IGd6aXAsIGRlZmxhdGUAAAAHAAAAAAAAAA0AAAACAAAACF9fbXMtY3Y9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAABAAAAAVSG9zdDogY2RuLmJvb3Rjc3MuY29tAAAACgAAACBSZWZlcmVyOiBodHRwOi8vY2RuLmJvb3Rjc3MuY29tLwAAAAoAAAAeQWNjZXB0LUVuY29kaW5nOiBnemlwLCBkZWZsYXRlAAAABwAAAAAAAAANAAAABQAAAAdfX21zLWN2AAAABwAAAAEAAAANAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
9472
polling_time
30000
port_number
80
sc_process32
%windir%\syswow64\runonce.exe
sc_process64
%windir%\sysnative\runonce.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpqQ7Mn7l+ao5tHedYx56Hknzc/ning7Hw8Hyyx5LFalgrfQ7/aTC2oBLeXtXXjtFXB/TSxg2r/eQH7NgRv3Uzt6Uyw/DA9kdZgeQAWi3AxWYi45PpNCX0BavPZmCa9kO9F9Iev5bkRvtj2QcOGGhTZy3JkHToQA2EUQIHMO4QFwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
1.435374848e+09
unknown2
AAAABAAAAAEAAAf+AAAAAgAAIUwAAAACAAAPtQAAAA0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/audiencemanager-v2.js
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4044.62 Safari/537.36
watermark
1234567890

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

cmd.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	cmd.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

cmd.exeexplorer.exe

description	pid	process	target process
PID 3872 wrote to memory of 312	3872	cmd.exe	explorer.exe
PID 3872 wrote to memory of 312	3872	cmd.exe	explorer.exe
PID 3264 wrote to memory of 1892	3264	explorer.exe	log.com
PID 3264 wrote to memory of 1892	3264	explorer.exe	log.com

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\____-___\____-___.docx.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3872

C:\Windows\explorer.exe
"C:\Windows\explorer.exe" ".\.__MACOS__\.__MACOS__\.__MACOS__\.__MACOS1__\log.com"
2⤵
PID:312

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:3264

C:\Users\Admin\AppData\Local\Temp\____-___\.__MACOS__\.__MACOS__\.__MACOS__\.__MACOS1__\log.com
"C:\Users\Admin\AppData\Local\Temp\____-___\.__MACOS__\.__MACOS__\.__MACOS__\.__MACOS1__\log.com"
2⤵
PID:1892

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/312-130-0x0000000000000000-mapping.dmp

Download
memory/1892-131-0x0000000000000000-mapping.dmp

Download
memory/1892-132-0x000001A688160000-0x000001A6881A1000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing