cobaltstrike | eb94cd39cde6a5270181d6e6788c69a2a90ab2b27f9236c8382e810e4dfead1d

General

Target

关于集团及子公司开展网络安全攻防演习的通知.exe
Size

4.5MB
MD5

3f2202e24ad0a66c08f88a18dd7b5fb4
SHA1

62df51eb1351279afa4dbe5920758d6974427ac9
SHA256

eb94cd39cde6a5270181d6e6788c69a2a90ab2b27f9236c8382e810e4dfead1d
SHA512

cd87c99ce09a29a5317343e04bb55fd63cd0b98cebcb08793a9b1dd275a9c6ce09c53fb7f901fc6083d8992360d3fbe02438d4143a907be64e7bdca15567bc27

Score

10^/10

cobaltstrike 0 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

0

C2

http://124.221.206.154:1443/submit.php

Attributes

access_type
512
beacon_type
2048
host
124.221.206.154,/submit.php
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAANzaWQAAAAHAAAAAQAAAAMAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
polling_time
60000
port_number
1443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCnOM3nXx+7HBhkbDd+AwFrFisSunK999w2tM0uTpuuEiBalcJhcL+QgQWtf6S7zPp5hjImG+2YcPl18geU4f5JlSPXHwilbK4DFb/ePWyKFjhrA7emVRqhM21QMlo1ANsn14rY/RO2pzuft8P7TXoIjjI/B2GGVuzYNZX6X4I2EwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/submit.jsp
user_agent
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; NP09; NP09; MAAU)
watermark
0

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Executes dropped EXE 1 IoCs

Processes:

华陆工程科技有限责任公司.exe

pid process

516 华陆工程科技有限责任公司.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

cmd.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\International\Geo\Nation cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
516	华陆工程科技有限责任公司.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\International\Geo\Nation	cmd.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings cmd.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

1468 WINWORD.EXE
1468 WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings	cmd.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

WINWORD.EXE

pid	process
1468	WINWORD.EXE
1468	WINWORD.EXE
1468	WINWORD.EXE
1468	WINWORD.EXE
1468	WINWORD.EXE
1468	WINWORD.EXE
1468	WINWORD.EXE
1468	WINWORD.EXE
1468	WINWORD.EXE
1468	WINWORD.EXE

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

关于集团及子公司开展网络安全攻防演习的通知.execmd.exe

description	pid	process	target process
PID 4504 wrote to memory of 516	4504	关于集团及子公司开展网络安全攻防演习的通知.exe	华陆工程科技有限责任公司.exe
PID 4504 wrote to memory of 516	4504	关于集团及子公司开展网络安全攻防演习的通知.exe	华陆工程科技有限责任公司.exe
PID 4504 wrote to memory of 448	4504	关于集团及子公司开展网络安全攻防演习的通知.exe	cmd.exe
PID 4504 wrote to memory of 448	4504	关于集团及子公司开展网络安全攻防演习的通知.exe	cmd.exe
PID 448 wrote to memory of 1468	448	cmd.exe	WINWORD.EXE
PID 448 wrote to memory of 1468	448	cmd.exe	WINWORD.EXE

C:\Users\Admin\AppData\Local\Temp\关于集团及子公司开展网络安全攻防演习的通知.exe
"C:\Users\Admin\AppData\Local\Temp\关于集团及子公司开展网络安全攻防演习的通知.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4504

C:\Windows\Temp\华陆工程科技有限责任公司.exe
C:\Windows\Temp\华陆工程科技有限责任公司.exe s96cx2rtm8
2⤵
- Executes dropped EXE
PID:516

C:\Windows\system32\cmd.exe
cmd.exe /c start 关于集团及子公司开展网络安全攻防演习的通知.docx
2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:448

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\关于集团及子公司开展网络安全攻防演习的通知.docx" /o ""
3⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1468

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\关于集团及子公司开展网络安全攻防演习的通知.docx
Filesize
16KB

MD5
5f48bbb1aac3b8d63aaae3ec114ba340

SHA1
31fc3508af156d67da4bc6fe8d41206bda5276ee

SHA256
80596668abc2c8c42481ad06713039198f08eb11c543061c3f9657a51248d04f

SHA512
f5c3af4e2269094c5381c512ae2a13c8204a34477dd47db5d7ed4fc7bc986ecb36b2ef17b0a7470d1cb64404b8035cb7d27563c45e7f8e94fa92cfb9e3f6b9e8

Download Submit
C:\Windows\Temp\华陆工程科技有限责任公司.exe
Filesize
2.0MB

MD5
84e3d79da5e503374e61a17351781c14

SHA1
6c4710e5e6bc0f991c6954e64e76ec8bf796a2e1

SHA256
6254e9f7f9e61a1a80e8a3c01757b8d29c9ac0eb0d596236fc0a2944fd44dfd6

SHA512
b287d405b01aaa7b7c35ae1787395cce626a4565b28bb74d2aa715d251d580aab4eee513d29885728b56f0175cb13238b6dcf0ec228db83c6ac90ca7eeecc4d8

Download Submit
C:\Windows\Temp\华陆工程科技有限责任公司.exe
Filesize
2.0MB

MD5
84e3d79da5e503374e61a17351781c14

SHA1
6c4710e5e6bc0f991c6954e64e76ec8bf796a2e1

SHA256
6254e9f7f9e61a1a80e8a3c01757b8d29c9ac0eb0d596236fc0a2944fd44dfd6

SHA512
b287d405b01aaa7b7c35ae1787395cce626a4565b28bb74d2aa715d251d580aab4eee513d29885728b56f0175cb13238b6dcf0ec228db83c6ac90ca7eeecc4d8

Download Submit
memory/448-134-0x0000000000000000-mapping.dmp

Download
memory/516-132-0x0000000000000000-mapping.dmp

Download
memory/516-137-0x0000021D06850000-0x0000021D06891000-memory.dmp

Filesize
260KB

Download
memory/516-138-0x0000021D068A0000-0x0000021D068EE000-memory.dmp

Filesize
312KB

Download
memory/1468-140-0x00007FFAE8A10000-0x00007FFAE8A20000-memory.dmp

Filesize
64KB

Download
memory/1468-139-0x0000000000000000-mapping.dmp

Download
memory/1468-141-0x00007FFAE8A10000-0x00007FFAE8A20000-memory.dmp

Filesize
64KB

Download
memory/1468-142-0x00007FFAE8A10000-0x00007FFAE8A20000-memory.dmp

Filesize
64KB

Download
memory/1468-143-0x00007FFAE8A10000-0x00007FFAE8A20000-memory.dmp

Filesize
64KB

Download
memory/1468-144-0x00007FFAE8A10000-0x00007FFAE8A20000-memory.dmp

Filesize
64KB

Download
memory/1468-145-0x00007FFAE60B0000-0x00007FFAE60C0000-memory.dmp

Filesize
64KB

Download
memory/1468-146-0x00007FFAE60B0000-0x00007FFAE60C0000-memory.dmp

Filesize
64KB

Download
memory/1468-148-0x00007FFAE8A10000-0x00007FFAE8A20000-memory.dmp

Filesize
64KB

Download
memory/1468-149-0x00007FFAE8A10000-0x00007FFAE8A20000-memory.dmp

Filesize
64KB

Download
memory/1468-150-0x00007FFAE8A10000-0x00007FFAE8A20000-memory.dmp

Filesize
64KB

Download
memory/1468-151-0x00007FFAE8A10000-0x00007FFAE8A20000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads