cobaltstrike | 1a4b7466bae2824e11582d7927638906e9b4bfcab29459fedcbb671e02d64fe7

General

Target

1a4b7466bae2824e11582d7927638906e9b4bfcab29459fedcbb671e02d64fe7.exe
Size

1.0MB
MD5

199b6a874e662eed3b4ca58f92209237
SHA1

3f0096a6c8c7e7c06e40cc8d044744571c5c21ce
SHA256

1a4b7466bae2824e11582d7927638906e9b4bfcab29459fedcbb671e02d64fe7
SHA512

0f591a57261cd15109ee5e376ce4e06f1daa9e4212043da564557607ef90b00e33341cbfc1042c74ce1d3ee19f01b4dbb12b952ea9158b76fb4ad1c753ee5fe5

Score

10^/10

cobaltstrike 0 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

0

Attributes

watermark
0

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

explorer.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1144 4228 explorer.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1144	4228	explorer.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 1 IoCs

Processes:

explorer.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings explorer.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

3476 EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings	explorer.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXE

pid	process
3476	EXCEL.EXE
3476	EXCEL.EXE
3476	EXCEL.EXE
3476	EXCEL.EXE
3476	EXCEL.EXE
3476	EXCEL.EXE
3476	EXCEL.EXE
3476	EXCEL.EXE
3476	EXCEL.EXE
3476	EXCEL.EXE
3476	EXCEL.EXE
3476	EXCEL.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

explorer.exe

description	pid	process	target process
PID 4196 wrote to memory of 3476	4196	explorer.exe	EXCEL.EXE
PID 4196 wrote to memory of 3476	4196	explorer.exe	EXCEL.EXE
PID 4196 wrote to memory of 3476	4196	explorer.exe	EXCEL.EXE

C:\Users\Admin\AppData\Local\Temp\1a4b7466bae2824e11582d7927638906e9b4bfcab29459fedcbb671e02d64fe7.exe
"C:\Users\Admin\AppData\Local\Temp\1a4b7466bae2824e11582d7927638906e9b4bfcab29459fedcbb671e02d64fe7.exe"
1⤵
PID:2116

C:\Windows\explorer.exe
explorer.exe C:\Users\Admin\AppData\Local\Temp\¼ÓÇ¿ÕëÒßÃç×¢ÉäÇé¿öÍ³¼Æ±í.xlsx
1⤵
- Process spawned unexpected child process
PID:1144

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4196

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\¼ÓÇ¿ÕëÒßÃç×¢ÉäÇé¿öÍ³¼Æ±í.xlsx"
2⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3476

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\¼ÓÇ¿ÕëÒßÃç×¢ÉäÇé¿öÍ³¼Æ±í.xlsx
Filesize
9KB

MD5
3cb2c531829a4fae263a5dc1945e79e8

SHA1
b6c9accd5f0859db86871aea5960fe62475ae0c0

SHA256
a5db6b07325350258d44678a8289d659695270c383851c3ef7903466ae232245

SHA512
d426c5d998d12543872a727e3c46373e7477258b88b1c6cf2a7115d82267d89247ec291f79d58e800467551ffb024ec5f194b29c62aecebbcfbacd32627f6a45

Download Submit
memory/2116-131-0x0000018F6D5B0000-0x0000018F6D6B0000-memory.dmp

Filesize
1024KB

Download
memory/2116-130-0x0000018F6D6F2000-0x0000018F6D6F6000-memory.dmp

Filesize
16KB

Download
memory/2116-133-0x0000000180000000-0x0000000180067000-memory.dmp

Filesize
412KB

Download
memory/2116-139-0x0000000180000000-0x0000000180067000-memory.dmp

Filesize
412KB

Download
memory/2116-141-0x0000018F6D700000-0x0000018F6D800000-memory.dmp

Filesize
1024KB

Download
memory/2116-142-0x0000000180020000-0x0000000180061000-memory.dmp

Filesize
260KB

Download
memory/2116-143-0x0000018F6F000000-0x0000018F6F04E000-memory.dmp

Filesize
312KB

Download
memory/2116-153-0x0000018F6D700000-0x0000018F6D800000-memory.dmp

Filesize
1024KB

Download
memory/2116-152-0x0000018F6D5B0000-0x0000018F6D6B0000-memory.dmp

Filesize
1024KB

Download
memory/3476-146-0x00007FF89C9D0000-0x00007FF89C9E0000-memory.dmp

Filesize
64KB

Download
memory/3476-147-0x00007FF89C9D0000-0x00007FF89C9E0000-memory.dmp

Filesize
64KB

Download
memory/3476-148-0x00007FF89C9D0000-0x00007FF89C9E0000-memory.dmp

Filesize
64KB

Download
memory/3476-149-0x00007FF89C9D0000-0x00007FF89C9E0000-memory.dmp

Filesize
64KB

Download
memory/3476-150-0x00007FF89A150000-0x00007FF89A160000-memory.dmp

Filesize
64KB

Download
memory/3476-151-0x00007FF89A150000-0x00007FF89A160000-memory.dmp

Filesize
64KB

Download
memory/3476-145-0x00007FF89C9D0000-0x00007FF89C9E0000-memory.dmp

Filesize
64KB

Download
memory/3476-144-0x0000000000000000-mapping.dmp

Download
memory/3476-155-0x00007FF89C9D0000-0x00007FF89C9E0000-memory.dmp

Filesize
64KB

Download
memory/3476-156-0x00007FF89C9D0000-0x00007FF89C9E0000-memory.dmp

Filesize
64KB

Download
memory/3476-157-0x00007FF89C9D0000-0x00007FF89C9E0000-memory.dmp

Filesize
64KB

Download
memory/3476-158-0x00007FF89C9D0000-0x00007FF89C9E0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads