cobaltstrike | e64165bd9e0c0a723e5a35dcca942c0b83a3c44941279bbf8c93c34a4a924401

General

Target

中国电机工程学会-2022年度新型电力系统创新奖申报表.exe
Size

515KB
MD5

0299feffabdd3815d2249a5643203e3f
SHA1

bdba33cf063fada308e401ab34980c62bc7dacbc
SHA256

ed220a4ab4a9de44a5d1cd380be9dab98e90f820003e38bff4163ff4c881ea30
SHA512

8ff00b998c386bfe96da6c7dce2c1e5cae6b671c0ebcef0d7da7a8f3fd9150af76587c11a3771f4c8e8b3f7301a642691a2d7cf99cc4bac1f052b8486826125d

Score

10^/10

cobaltstrike backdoor suricata trojan

Malware Config

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
suricata: ET MALWARE Cobalt Strike Beacon Observed
suricata: ET MALWARE Cobalt Strike Beacon Observed
suricata
suricata: ET MALWARE Generic .bin download from Dotted Quad
suricata: ET MALWARE Generic .bin download from Dotted Quad
suricata
suricata: ET MALWARE Meterpreter or Other Reverse Shell SSL Cert
suricata: ET MALWARE Meterpreter or Other Reverse Shell SSL Cert
suricata
suricata: ET MALWARE Possible Metasploit Payload Common Construct Bind_API (from server)
suricata: ET MALWARE Possible Metasploit Payload Common Construct Bind_API (from server)
suricata
suricata: ET MALWARE Successful Cobalt Strike Shellcode Download (x32)
suricata: ET MALWARE Successful Cobalt Strike Shellcode Download (x32)
suricata
Blocklisted process makes network request 5 IoCs

Processes:

rundll32.exe

flow pid process

10 620 rundll32.exe
18 620 rundll32.exe
34 620 rundll32.exe
58 620 rundll32.exe
60 620 rundll32.exe
Executes dropped EXE 1 IoCs

Processes:

f42.exe

pid process

2776 f42.exe

flow	pid	process
10	620	rundll32.exe
18	620	rundll32.exe
34	620	rundll32.exe
58	620	rundll32.exe
60	620	rundll32.exe

pid	process
2776	f42.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

中国电机工程学会-2022年度新型电力系统创新奖申报表.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	中国电机工程学会-2022年度新型电力系统创新奖申报表.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

f42.exe

description pid process target process

PID 2776 set thread context of 620 2776 f42.exe rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 2776 set thread context of 620	2776	f42.exe	rundll32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 1 IoCs

Processes:

中国电机工程学会-2022年度新型电力系统创新奖申报表.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings	中国电机工程学会-2022年度新型电力系统创新奖申报表.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

712 WINWORD.EXE
712 WINWORD.EXE

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

WINWORD.EXE

pid	process
712	WINWORD.EXE
712	WINWORD.EXE
712	WINWORD.EXE
712	WINWORD.EXE
712	WINWORD.EXE
712	WINWORD.EXE
712	WINWORD.EXE
712	WINWORD.EXE
712	WINWORD.EXE
712	WINWORD.EXE
712	WINWORD.EXE
712	WINWORD.EXE
712	WINWORD.EXE
712	WINWORD.EXE

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

中国电机工程学会-2022年度新型电力系统创新奖申报表.exef42.exe

description	pid	process	target process
PID 3936 wrote to memory of 2776	3936	中国电机工程学会-2022年度新型电力系统创新奖申报表.exe	f42.exe
PID 3936 wrote to memory of 2776	3936	中国电机工程学会-2022年度新型电力系统创新奖申报表.exe	f42.exe
PID 3936 wrote to memory of 2776	3936	中国电机工程学会-2022年度新型电力系统创新奖申报表.exe	f42.exe
PID 3936 wrote to memory of 712	3936	中国电机工程学会-2022年度新型电力系统创新奖申报表.exe	WINWORD.EXE
PID 3936 wrote to memory of 712	3936	中国电机工程学会-2022年度新型电力系统创新奖申报表.exe	WINWORD.EXE
PID 2776 wrote to memory of 620	2776	f42.exe	rundll32.exe
PID 2776 wrote to memory of 620	2776	f42.exe	rundll32.exe
PID 2776 wrote to memory of 620	2776	f42.exe	rundll32.exe
PID 2776 wrote to memory of 620	2776	f42.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\中国电机工程学会-2022年度新型电力系统创新奖申报表.exe
"C:\Users\Admin\AppData\Local\Temp\中国电机工程学会-2022年度新型电力系统创新奖申报表.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3936

C:\Users\Admin\AppData\Local\Temp\f42.exe
"C:\Users\Admin\AppData\Local\Temp\f42.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2776

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\System32\rundll32.exe
3⤵
- Blocklisted process makes network request
PID:620

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2022年度新型电力系统创新项目申报表.doc" /o ""
2⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:712

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2022年度新型电力系统创新项目申报表.doc
Filesize
37KB

MD5
528a70e3f75240ae5ef6bfa8f10d6191

SHA1
17c312f99a0e365168c80ac6395bf1e163951ba3

SHA256
f0025b863f02d5507f2f83fe9412ee1436320024a5b6ec48bc2700e61accfc7a

SHA512
7cec39187027ab42562c47d1a71da83350792bdcdf7b3b4899a82d742f47ccf4a30cc32086110cfeea03d3f2dccd093fcb2b319b5585a34da6633b614d52f468

Download Submit
C:\Users\Admin\AppData\Local\Temp\f42.exe
Filesize
102KB

MD5
f498abb83b98e85ed154fb22b349589c

SHA1
e30870eda26c1005a6cfc6d76b450bbfaca9dc84

SHA256
f8bd2204390abecacd5bc59a8c56437b1487e39a54fc1aa2254490d139cb64b0

SHA512
1c7bf0ce08174381b068adfe99a0b060b6a9881ef87a6a1894feedfe7f7b5b2c247d69fd480ef767888c1d447ef1944c2280a68def27085d66da5ee5ed89468b

Download Submit
C:\Users\Admin\AppData\Local\Temp\f42.exe
Filesize
102KB

MD5
f498abb83b98e85ed154fb22b349589c

SHA1
e30870eda26c1005a6cfc6d76b450bbfaca9dc84

SHA256
f8bd2204390abecacd5bc59a8c56437b1487e39a54fc1aa2254490d139cb64b0

SHA512
1c7bf0ce08174381b068adfe99a0b060b6a9881ef87a6a1894feedfe7f7b5b2c247d69fd480ef767888c1d447ef1944c2280a68def27085d66da5ee5ed89468b

Download Submit
memory/620-145-0x00000000037B0000-0x00000000037EE000-memory.dmp

Filesize
248KB

Download
memory/620-134-0x0000000000000000-mapping.dmp

Download
memory/620-144-0x00000000037B0000-0x00000000037EE000-memory.dmp

Filesize
248KB

Download
memory/620-143-0x00000000033B0000-0x00000000037B0000-memory.dmp

Filesize
4.0MB

Download
memory/712-135-0x00007FFAEED50000-0x00007FFAEED60000-memory.dmp

Filesize
64KB

Download
memory/712-138-0x00007FFAEED50000-0x00007FFAEED60000-memory.dmp

Filesize
64KB

Download
memory/712-139-0x00007FFAEED50000-0x00007FFAEED60000-memory.dmp

Filesize
64KB

Download
memory/712-140-0x00007FFAECBE0000-0x00007FFAECBF0000-memory.dmp

Filesize
64KB

Download
memory/712-141-0x00007FFAECBE0000-0x00007FFAECBF0000-memory.dmp

Filesize
64KB

Download
memory/712-137-0x00007FFAEED50000-0x00007FFAEED60000-memory.dmp

Filesize
64KB

Download
memory/712-136-0x00007FFAEED50000-0x00007FFAEED60000-memory.dmp

Filesize
64KB

Download
memory/712-133-0x0000000000000000-mapping.dmp

Download
memory/712-147-0x00007FFAEED50000-0x00007FFAEED60000-memory.dmp

Filesize
64KB

Download
memory/712-148-0x00007FFAEED50000-0x00007FFAEED60000-memory.dmp

Filesize
64KB

Download
memory/712-149-0x00007FFAEED50000-0x00007FFAEED60000-memory.dmp

Filesize
64KB

Download
memory/712-150-0x00007FFAEED50000-0x00007FFAEED60000-memory.dmp

Filesize
64KB

Download
memory/2776-130-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads