cobaltstrike | bc153eda0f9d1bd526dd32439248d67070d030631ff4e0b8a7aaec654c8e44ee

General

Target

bc153eda0f9d1bd526dd32439248d67070d030631ff4e0b8a7aaec654c8e44ee.exe
Size

832KB
MD5

8f978a1a3775eee75434257415c5018d
SHA1

d632e4dd9212f8b021e52980f8e4d8d8ab2e255a
SHA256

bc153eda0f9d1bd526dd32439248d67070d030631ff4e0b8a7aaec654c8e44ee
SHA512

0bb2a735dbe379f285ecfcc9d3e415e06db805bf529920654ee94a84a15e73f47b76392dfe3eeebba9b2f743e81296f905d528fc5a9f445dc7ef30797ddb259a

Score

10^/10

cobaltstrike backdoor suricata trojan

Malware Config

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
suricata: ET MALWARE Cobalt Strike Beacon Observed
suricata: ET MALWARE Cobalt Strike Beacon Observed
suricata
suricata: ET MALWARE Generic .bin download from Dotted Quad
suricata: ET MALWARE Generic .bin download from Dotted Quad
suricata
suricata: ET MALWARE Meterpreter or Other Reverse Shell SSL Cert
suricata: ET MALWARE Meterpreter or Other Reverse Shell SSL Cert
suricata
suricata: ET MALWARE Possible Metasploit Payload Common Construct Bind_API (from server)
suricata: ET MALWARE Possible Metasploit Payload Common Construct Bind_API (from server)
suricata
suricata: ET MALWARE Successful Cobalt Strike Shellcode Download (x32)
suricata: ET MALWARE Successful Cobalt Strike Shellcode Download (x32)
suricata
Blocklisted process makes network request 4 IoCs

Processes:

rundll32.exe

flow pid process

10 2356 rundll32.exe
20 2356 rundll32.exe
50 2356 rundll32.exe
58 2356 rundll32.exe
Executes dropped EXE 1 IoCs

Processes:

Recyclc.exe

pid process

904 Recyclc.exe

flow	pid	process
10	2356	rundll32.exe
20	2356	rundll32.exe
50	2356	rundll32.exe
58	2356	rundll32.exe

pid	process
904	Recyclc.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

bc153eda0f9d1bd526dd32439248d67070d030631ff4e0b8a7aaec654c8e44ee.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	bc153eda0f9d1bd526dd32439248d67070d030631ff4e0b8a7aaec654c8e44ee.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Recyclc.exe

description pid process target process

PID 904 set thread context of 2356 904 Recyclc.exe rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 904 set thread context of 2356	904	Recyclc.exe	rundll32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 1 IoCs

Processes:

bc153eda0f9d1bd526dd32439248d67070d030631ff4e0b8a7aaec654c8e44ee.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	bc153eda0f9d1bd526dd32439248d67070d030631ff4e0b8a7aaec654c8e44ee.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

2588 WINWORD.EXE
2588 WINWORD.EXE

Suspicious use of SetWindowsHookEx 15 IoCs

Processes:

WINWORD.EXE

pid	process
2588	WINWORD.EXE
2588	WINWORD.EXE
2588	WINWORD.EXE
2588	WINWORD.EXE
2588	WINWORD.EXE
2588	WINWORD.EXE
2588	WINWORD.EXE
2588	WINWORD.EXE
2588	WINWORD.EXE
2588	WINWORD.EXE
2588	WINWORD.EXE
2588	WINWORD.EXE
2588	WINWORD.EXE
2588	WINWORD.EXE
2588	WINWORD.EXE

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

bc153eda0f9d1bd526dd32439248d67070d030631ff4e0b8a7aaec654c8e44ee.exeRecyclc.exe

description	pid	process	target process
PID 4044 wrote to memory of 904	4044	bc153eda0f9d1bd526dd32439248d67070d030631ff4e0b8a7aaec654c8e44ee.exe	Recyclc.exe
PID 4044 wrote to memory of 904	4044	bc153eda0f9d1bd526dd32439248d67070d030631ff4e0b8a7aaec654c8e44ee.exe	Recyclc.exe
PID 4044 wrote to memory of 904	4044	bc153eda0f9d1bd526dd32439248d67070d030631ff4e0b8a7aaec654c8e44ee.exe	Recyclc.exe
PID 4044 wrote to memory of 2588	4044	bc153eda0f9d1bd526dd32439248d67070d030631ff4e0b8a7aaec654c8e44ee.exe	WINWORD.EXE
PID 4044 wrote to memory of 2588	4044	bc153eda0f9d1bd526dd32439248d67070d030631ff4e0b8a7aaec654c8e44ee.exe	WINWORD.EXE
PID 904 wrote to memory of 2356	904	Recyclc.exe	rundll32.exe
PID 904 wrote to memory of 2356	904	Recyclc.exe	rundll32.exe
PID 904 wrote to memory of 2356	904	Recyclc.exe	rundll32.exe
PID 904 wrote to memory of 2356	904	Recyclc.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\bc153eda0f9d1bd526dd32439248d67070d030631ff4e0b8a7aaec654c8e44ee.exe
"C:\Users\Admin\AppData\Local\Temp\bc153eda0f9d1bd526dd32439248d67070d030631ff4e0b8a7aaec654c8e44ee.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4044

C:\Users\Admin\AppData\Local\Temp\Recyclc.exe
"C:\Users\Admin\AppData\Local\Temp\Recyclc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:904

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\System32\rundll32.exe
3⤵
- Blocklisted process makes network request
PID:2356

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\个人简历.doc" /o ""
2⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2588

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Recyclc.exe
Filesize
86KB

MD5
af3d2135fafa04df6017dbdb53bee5df

SHA1
b0a774d69536ddd1ed844e9ed63a970df3a92127

SHA256
a53c500f89a269f0c3b962de22a1960c6067c9e929bb21337563d9de44b84692

SHA512
2f79597d4af0911bd94e0354c2dc8986098a9d054d0300ea1480b428b50a3903736c357f25f090585354fecdb3644bfa6bf5acf14ddd379e4b253c9db1ddddbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Recyclc.exe
Filesize
86KB

MD5
af3d2135fafa04df6017dbdb53bee5df

SHA1
b0a774d69536ddd1ed844e9ed63a970df3a92127

SHA256
a53c500f89a269f0c3b962de22a1960c6067c9e929bb21337563d9de44b84692

SHA512
2f79597d4af0911bd94e0354c2dc8986098a9d054d0300ea1480b428b50a3903736c357f25f090585354fecdb3644bfa6bf5acf14ddd379e4b253c9db1ddddbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\个人简历.doc
Filesize
449KB

MD5
34c8c172c0991aca090b557c3e254955

SHA1
fd4e7302caf556d260e538dc529550ca87ab4017

SHA256
32d9dbea47e89865435394ec1ea688bb0e1e527a521d18f7f193a8346a710ab9

SHA512
dfb9301408ebd5e80e6e8bba5547859cd82a74c4e797017e0e8d9548454d2c1786825c64527c96635411f6a2cf58ddca22205af5088ae7107a77c76b4af618e2

Download Submit
memory/904-130-0x0000000000000000-mapping.dmp

Download
memory/2356-145-0x00000000031D0000-0x000000000320E000-memory.dmp

Filesize
248KB

Download
memory/2356-134-0x0000000000000000-mapping.dmp

Download
memory/2356-144-0x00000000031D0000-0x000000000320E000-memory.dmp

Filesize
248KB

Download
memory/2356-143-0x0000000002DD0000-0x00000000031D0000-memory.dmp

Filesize
4.0MB

Download
memory/2588-135-0x00007FF9D6B50000-0x00007FF9D6B60000-memory.dmp

Filesize
64KB

Download
memory/2588-139-0x00007FF9D6B50000-0x00007FF9D6B60000-memory.dmp

Filesize
64KB

Download
memory/2588-140-0x00007FF9D41F0000-0x00007FF9D4200000-memory.dmp

Filesize
64KB

Download
memory/2588-141-0x00007FF9D41F0000-0x00007FF9D4200000-memory.dmp

Filesize
64KB

Download
memory/2588-138-0x00007FF9D6B50000-0x00007FF9D6B60000-memory.dmp

Filesize
64KB

Download
memory/2588-137-0x00007FF9D6B50000-0x00007FF9D6B60000-memory.dmp

Filesize
64KB

Download
memory/2588-136-0x00007FF9D6B50000-0x00007FF9D6B60000-memory.dmp

Filesize
64KB

Download
memory/2588-133-0x0000000000000000-mapping.dmp

Download
memory/2588-147-0x00007FF9D6B50000-0x00007FF9D6B60000-memory.dmp

Filesize
64KB

Download
memory/2588-148-0x00007FF9D6B50000-0x00007FF9D6B60000-memory.dmp

Filesize
64KB

Download
memory/2588-149-0x00007FF9D6B50000-0x00007FF9D6B60000-memory.dmp

Filesize
64KB

Download
memory/2588-150-0x00007FF9D6B50000-0x00007FF9D6B60000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads