cobaltstrike | 3f0b5c37d09d93f2b3f2226b34b71d8c32581d17ed761c56fa96146f9bcd9927

General

Target

3f0b5c37d09d93f2b3f2226b34b71d8c32581d17ed761c56fa96146f9bcd9927.exe
Size

2.7MB
MD5

10a6d0e4221cd751292a89659979f6b7
SHA1

55d9095ed66b636633125f7dc7253343109784d4
SHA256

3f0b5c37d09d93f2b3f2226b34b71d8c32581d17ed761c56fa96146f9bcd9927
SHA512

002f4865517aeb942b9373cc3d6831da8fec193a3ad09ed1b77962ff2d3b791b96efa1ff3c2840641e6d099454c3b502d208634fc0deb1d494f026f36f4a9f40

Score

10^/10

cobaltstrike 305419896 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

305419896

C2

http://43.142.80.49:443/search

Attributes

access_type
512
beacon_type
2048
host
43.142.80.49,/search
http_header1
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAA4Q29va2llOiBEVVA9UT1HcE8xbkpwTW5hbTRVbGxFZm1lTWRnMiZUPTI4Mzc2NzA4OCZBPTEmSUcAAAAKAAAAJlJlZmVyZXI6IGh0dHBzOi8vd3d3LmNsb3VkLnRlbmNlbnQuY29tAAAABwAAAAAAAAADAAAAAgAAAApTRVNTSU9OSUQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAA4Q29va2llOiBEVVA9UT1HcE8xbkpwTW5hbTRVbGxFZm1lTWRnMiZUPTI4Mzc2NzA4OCZBPTEmSUcAAAAHAAAAAAAAAAMAAAACAAAACUpTRVNTSU9OPQAAAAYAAAAGQ29va2llAAAABwAAAAEAAAADAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_method1
GET
http_method2
POST
jitter
2560
maxdns
255
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCTUlJ7J79z/MkkV8+MsYlOvREE2hhdGNzrKPFZ10lY0K5legA+um5JxESEaC0woDgSmOGrkh1giz/aQwd6tG4mihFgpi0oIbfwu6XZbE6ghYGyu2F7+A5TifRUzvU0YLXjK78EW12XhjHx4KopMF/AtOAueGwfiI2DmXwNzrBDvwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
3.82554112e+09
unknown2
AAAABAAAAAEAAANBAAAAAgAAAqMAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/switch
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
watermark
305419896

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

cmd.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	cmd.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings cmd.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

4936 EXCEL.EXE
Suspicious behavior: RenamesItself 1 IoCs

Processes:

3f0b5c37d09d93f2b3f2226b34b71d8c32581d17ed761c56fa96146f9bcd9927.exe

pid process

4284 3f0b5c37d09d93f2b3f2226b34b71d8c32581d17ed761c56fa96146f9bcd9927.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	cmd.exe

pid	process
4284	3f0b5c37d09d93f2b3f2226b34b71d8c32581d17ed761c56fa96146f9bcd9927.exe

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

EXCEL.EXE

pid	process
4936	EXCEL.EXE
4936	EXCEL.EXE
4936	EXCEL.EXE
4936	EXCEL.EXE
4936	EXCEL.EXE
4936	EXCEL.EXE
4936	EXCEL.EXE
4936	EXCEL.EXE
4936	EXCEL.EXE
4936	EXCEL.EXE
4936	EXCEL.EXE
4936	EXCEL.EXE
4936	EXCEL.EXE

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

3f0b5c37d09d93f2b3f2226b34b71d8c32581d17ed761c56fa96146f9bcd9927.execmd.exe

description	pid	process	target process
PID 4284 wrote to memory of 4868	4284	3f0b5c37d09d93f2b3f2226b34b71d8c32581d17ed761c56fa96146f9bcd9927.exe	cmd.exe
PID 4284 wrote to memory of 4868	4284	3f0b5c37d09d93f2b3f2226b34b71d8c32581d17ed761c56fa96146f9bcd9927.exe	cmd.exe
PID 4284 wrote to memory of 4868	4284	3f0b5c37d09d93f2b3f2226b34b71d8c32581d17ed761c56fa96146f9bcd9927.exe	cmd.exe
PID 4868 wrote to memory of 4936	4868	cmd.exe	EXCEL.EXE
PID 4868 wrote to memory of 4936	4868	cmd.exe	EXCEL.EXE
PID 4868 wrote to memory of 4936	4868	cmd.exe	EXCEL.EXE

C:\Users\Admin\AppData\Local\Temp\3f0b5c37d09d93f2b3f2226b34b71d8c32581d17ed761c56fa96146f9bcd9927.exe
"C:\Users\Admin\AppData\Local\Temp\3f0b5c37d09d93f2b3f2226b34b71d8c32581d17ed761c56fa96146f9bcd9927.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4284

C:\Windows\SysWOW64\cmd.exe
cmd " /c " C:\Users\Admin\AppData\Local\Temp\可囤.xlsx
2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4868

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\可囤.xlsx"
3⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4936

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\可囤.xlsx
Filesize
30KB

MD5
719a9d96c596acc3187dbcdf5c3f7e36

SHA1
490bde5317dea08e1aa490cf197419d89fdba992

SHA256
5b71b2d754dd0ddcab59411eabb7941ea46a47bc21b9fdac688524a4d3b14964

SHA512
375292a65c087626b7aa1deebffb1985912a771929777f090fda295ae6ea26cc8930d1565fc30902ea2d6d41d7e5745909af282d93157d525cf1068558bd5724

Download Submit
memory/4284-144-0x0000000033B90000-0x0000000033F90000-memory.dmp

Filesize
4.0MB

Download
memory/4284-143-0x0000000033F90000-0x000000003400D000-memory.dmp

Filesize
500KB

Download
memory/4868-132-0x0000000000000000-mapping.dmp

Download
memory/4936-141-0x00007FF9DE600000-0x00007FF9DE610000-memory.dmp

Filesize
64KB

Download
memory/4936-138-0x00007FF9E06B0000-0x00007FF9E06C0000-memory.dmp

Filesize
64KB

Download
memory/4936-139-0x00007FF9E06B0000-0x00007FF9E06C0000-memory.dmp

Filesize
64KB

Download
memory/4936-140-0x00007FF9E06B0000-0x00007FF9E06C0000-memory.dmp

Filesize
64KB

Download
memory/4936-137-0x00007FF9E06B0000-0x00007FF9E06C0000-memory.dmp

Filesize
64KB

Download
memory/4936-142-0x00007FF9DE600000-0x00007FF9DE610000-memory.dmp

Filesize
64KB

Download
memory/4936-136-0x00007FF9E06B0000-0x00007FF9E06C0000-memory.dmp

Filesize
64KB

Download
memory/4936-135-0x0000000000000000-mapping.dmp

Download
memory/4936-146-0x00007FF9E06B0000-0x00007FF9E06C0000-memory.dmp

Filesize
64KB

Download
memory/4936-147-0x00007FF9E06B0000-0x00007FF9E06C0000-memory.dmp

Filesize
64KB

Download
memory/4936-148-0x00007FF9E06B0000-0x00007FF9E06C0000-memory.dmp

Filesize
64KB

Download
memory/4936-149-0x00007FF9E06B0000-0x00007FF9E06C0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads