cobaltstrike | 6277ca11e8fa7d6cd07ae3dac8c76afadfc16ea4ad23546018dcdf3904ce4953

General

Target

6277ca11e8fa7d6cd07ae3dac8c76afadfc16ea4ad23546018dcdf3904ce4953.exe
Size

1.5MB
MD5

951ab6e8be35c4812bd1374b9e45933c
SHA1

9d4b39a0404c959e07accda8c8c3c5fb9dd1b0ae
SHA256

6277ca11e8fa7d6cd07ae3dac8c76afadfc16ea4ad23546018dcdf3904ce4953
SHA512

b0fe39f690a4433bc4b6ed37096ff133a421441e721b81b59d9966455654ba503301320b7f9a34edaf191de408082aa3d54ab5e2d79f7708f14065e0c0fa51df

Score

10^/10

cobaltstrike 0 backdoor suricata trojan upx

Malware Config

Extracted

Family

cobaltstrike

C2

http://service-k6z1uk8b-1307545782.sh.apigw.tencentcs.com:443/bootstrap-2.min.js

Attributes

user_agent
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36

Extracted

Family

cobaltstrike

Botnet

0

Attributes

watermark
0

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
suricata: ET MALWARE Successful Cobalt Strike Shellcode Download (x64) M1
suricata: ET MALWARE Successful Cobalt Strike Shellcode Download (x64) M1
suricata
Executes dropped EXE 1 IoCs

Processes:

edr.exe

pid process

4984 edr.exe

pid	process
4984	edr.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Public\edr.exe	upx
C:\Users\Public\edr.exe	upx
behavioral2/memory/4256-136-0x0000000000940000-0x0000000000C42000-memory.dmp	upx
behavioral2/memory/4984-135-0x00007FF7D7C50000-0x00007FF7D7C6E000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

cmd.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation	cmd.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings cmd.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

1512 WINWORD.EXE
1512 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

edr.exe

pid process

4984 edr.exe
4984 edr.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

6277ca11e8fa7d6cd07ae3dac8c76afadfc16ea4ad23546018dcdf3904ce4953.exe

pid process

4256 6277ca11e8fa7d6cd07ae3dac8c76afadfc16ea4ad23546018dcdf3904ce4953.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings	cmd.exe

pid	process
4984	edr.exe
4984	edr.exe

pid	process
4256	6277ca11e8fa7d6cd07ae3dac8c76afadfc16ea4ad23546018dcdf3904ce4953.exe

Suspicious use of SetWindowsHookEx 11 IoCs

Processes:

WINWORD.EXE

pid	process
1512	WINWORD.EXE
1512	WINWORD.EXE
1512	WINWORD.EXE
1512	WINWORD.EXE
1512	WINWORD.EXE
1512	WINWORD.EXE
1512	WINWORD.EXE
1512	WINWORD.EXE
1512	WINWORD.EXE
1512	WINWORD.EXE
1512	WINWORD.EXE

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

6277ca11e8fa7d6cd07ae3dac8c76afadfc16ea4ad23546018dcdf3904ce4953.exeedr.execmd.exe

description	pid	process	target process
PID 4256 wrote to memory of 4356	4256	6277ca11e8fa7d6cd07ae3dac8c76afadfc16ea4ad23546018dcdf3904ce4953.exe	cmd.exe
PID 4256 wrote to memory of 4356	4256	6277ca11e8fa7d6cd07ae3dac8c76afadfc16ea4ad23546018dcdf3904ce4953.exe	cmd.exe
PID 4256 wrote to memory of 4984	4256	6277ca11e8fa7d6cd07ae3dac8c76afadfc16ea4ad23546018dcdf3904ce4953.exe	edr.exe
PID 4256 wrote to memory of 4984	4256	6277ca11e8fa7d6cd07ae3dac8c76afadfc16ea4ad23546018dcdf3904ce4953.exe	edr.exe
PID 4984 wrote to memory of 1252	4984	edr.exe	svchost.exe
PID 4984 wrote to memory of 1252	4984	edr.exe	svchost.exe
PID 4984 wrote to memory of 1252	4984	edr.exe	svchost.exe
PID 4356 wrote to memory of 1512	4356	cmd.exe	WINWORD.EXE
PID 4356 wrote to memory of 1512	4356	cmd.exe	WINWORD.EXE

C:\Users\Admin\AppData\Local\Temp\6277ca11e8fa7d6cd07ae3dac8c76afadfc16ea4ad23546018dcdf3904ce4953.exe
"C:\Users\Admin\AppData\Local\Temp\6277ca11e8fa7d6cd07ae3dac8c76afadfc16ea4ad23546018dcdf3904ce4953.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4256

C:\Users\Public\edr.exe
C:\Users\Public\edr.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4984

C:\Windows\system32\cmd.exe
cmd " /c " C:\Users\Admin\AppData\Local\Temp\薪资结构变更通知.docx
2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4356

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\薪资结构变更通知.docx" /o ""
3⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1512

C:\Windows\System32\svchost.exe
"C:\Windows\System32\svchost.exe"
1⤵
PID:1252

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\薪资结构变更通知.docx
Filesize
20KB

MD5
2ec92a9fd99ed4113590d6a0684a4995

SHA1
d2ca99729fd54c05c6a8855a131d98d5a2aa0b35

SHA256
e178b652fe502be048df8e137a12d2dcc2a295d75909e5565f3dea812c7c784d

SHA512
75efc112ebfde8ea78416a7c1059427be2fb5dd43be4523df6b129cd1ae4116e07d117eefe5de4dc85246be06b1af0f91f585655b6acd852085610fe7c75479e

Download Submit
C:\Users\Public\edr.exe
Filesize
56KB

MD5
ac8493048afc0f9ff1530bbf18f56c81

SHA1
2c975f9da06b964a49b4c4ab98ecac6e6b0c44ff

SHA256
e0aff24581e1fd42c6833ff0c30b3b902f2c9bbdcd7e816bdbe38fa79536a3cf

SHA512
f8b160e95e40a5c2dac04d18b93d86501bc73e3fc0d626a808f0646f03d3879dff1d14c784064f1fc267bd450551a61619d3c650bbf506795dd6dcf0a29a532d

Download Submit
C:\Users\Public\edr.exe
Filesize
56KB

MD5
ac8493048afc0f9ff1530bbf18f56c81

SHA1
2c975f9da06b964a49b4c4ab98ecac6e6b0c44ff

SHA256
e0aff24581e1fd42c6833ff0c30b3b902f2c9bbdcd7e816bdbe38fa79536a3cf

SHA512
f8b160e95e40a5c2dac04d18b93d86501bc73e3fc0d626a808f0646f03d3879dff1d14c784064f1fc267bd450551a61619d3c650bbf506795dd6dcf0a29a532d

Download Submit
memory/1252-154-0x0000011B60590000-0x0000011B605DE000-memory.dmp

Filesize
312KB

Download
memory/1252-148-0x0000011B60590000-0x0000011B605DE000-memory.dmp

Filesize
312KB

Download
memory/1252-134-0x0000000000000000-mapping.dmp

Download
memory/1252-146-0x0000011B60590000-0x0000011B605DE000-memory.dmp

Filesize
312KB

Download
memory/1252-145-0x0000011B60190000-0x0000011B60590000-memory.dmp

Filesize
4.0MB

Download
memory/1512-142-0x00007FFEF3A70000-0x00007FFEF3A80000-memory.dmp

Filesize
64KB

Download
memory/1512-151-0x00007FFEF3A70000-0x00007FFEF3A80000-memory.dmp

Filesize
64KB

Download
memory/1512-140-0x00007FFEF3A70000-0x00007FFEF3A80000-memory.dmp

Filesize
64KB

Download
memory/1512-141-0x00007FFEF3A70000-0x00007FFEF3A80000-memory.dmp

Filesize
64KB

Download
memory/1512-138-0x0000000000000000-mapping.dmp

Download
memory/1512-143-0x00007FFEF3A70000-0x00007FFEF3A80000-memory.dmp

Filesize
64KB

Download
memory/1512-144-0x00007FFEF1430000-0x00007FFEF1440000-memory.dmp

Filesize
64KB

Download
memory/1512-153-0x00007FFEF3A70000-0x00007FFEF3A80000-memory.dmp

Filesize
64KB

Download
memory/1512-147-0x00007FFEF1430000-0x00007FFEF1440000-memory.dmp

Filesize
64KB

Download
memory/1512-139-0x00007FFEF3A70000-0x00007FFEF3A80000-memory.dmp

Filesize
64KB

Download
memory/1512-150-0x00007FFEF3A70000-0x00007FFEF3A80000-memory.dmp

Filesize
64KB

Download
memory/1512-152-0x00007FFEF3A70000-0x00007FFEF3A80000-memory.dmp

Filesize
64KB

Download
memory/4256-136-0x0000000000940000-0x0000000000C42000-memory.dmp

Filesize
3.0MB

Download
memory/4356-130-0x0000000000000000-mapping.dmp

Download
memory/4984-135-0x00007FF7D7C50000-0x00007FF7D7C6E000-memory.dmp

Filesize
120KB

Download
memory/4984-131-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads