cobaltstrike | 2d1d71f05b0ab72e85c649e04f4c78f3007741649b9910be4266fde74504456d

General

Target

2d1d71f05b0ab72e85c649e04f4c78f3007741649b9910be4266fde74504456d.exe
Size

511KB
MD5

7b3c8a33a8607c3b1cabd24ba83a9876
SHA1

70a9605990488445f8ae5836b5c92819f93d6355
SHA256

2d1d71f05b0ab72e85c649e04f4c78f3007741649b9910be4266fde74504456d
SHA512

3c71c27fa650c64a1b10220c5bdc42031a3426745f9a4bfbd128fd4dd7e31098c1049884e977a9b2f52f772229fc94ba44781525cade627ce562a6b663cc6c6c
SSDEEP

6144:IeiRWoGu79mhdLRYxJbFP23zKx8t52aXbJdXv+4wNaS:F/oOhdLEwjKx8t52aLJd/3wNaS

Score

10^/10

cobaltstrike 1359593325 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

1359593325

C2

http://124.71.184.251:6751/owa/

Attributes

access_type
512
host
124.71.184.251,/owa/
http_header1
AAAAEAAAABZIb3N0OiBvdXRsb29rLmxpdmUuY29tAAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAACGQ29va2llOiBNaWNyb3NvZnRBcHBsaWNhdGlvbnNUZWxlbWV0cnlEZXZpY2VJZD05NWMxOGQ4LTRkY2U5ODU0O0NsaWVudElkPTFDMEY2QzVEOTEwRjk7TVNQQXV0aD0zRWtBakRLakk7eGlkPTczMGJmNzt3bGE0Mj1aRzB5TXpBMktqRXMAAAAHAAAAAAAAAA0AAAAFAAAAAndhAAAACQAAAA5wYXRoPS9jYWxlbmRhcgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAAEAAAABZIb3N0OiBvdXRsb29rLmxpdmUuY29tAAAACgAAAAtBY2NlcHQ6ICovKgAAAAcAAAABAAAADQAAAAUAAAACd2EAAAAHAAAAAAAAAA0AAAACAAAABndsYTQyPQAAAAIAAAALeGlkPTczMGJmNzsAAAACAAAAEk1TUEF1dGg9M0VrQWpES2pJOwAAAAIAAAAXQ2xpZW50SWQ9MUMwRjZDNUQ5MTBGOTsAAAACAAAAOE1pY3Jvc29mdEFwcGxpY2F0aW9uc1RlbGVtZXRyeURldmljZUlkPTk1YzE4ZDgtNGRjZTk4NTQ7AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
GET
jitter
5120
polling_time
5000
port_number
6751
sc_process32
%windir%\syswow64\gpupdate.exe
sc_process64
%windir%\sysnative\gpupdate.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCgwZtr5WmRWGqXa6bxdqQDUmj+XU+vA4zK2b7Nfzq4qy143458ufxXidOMjoSLVP3BqyJgWamd0KYY7Yt3bDmFbWashi7f+OYdWpDNixd5AvcGOOzQhShEZ/0Uz8CG/gc99swyssnxs0YBg9Hka4Wh0ufxO89KSApuLegLE5i1/QIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
1.448416512e+09
unknown2
AAAABAAAAA0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown3
1.610612736e+09
uri
/OWA/
user_agent
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)
watermark
1359593325

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Executes dropped EXE 1 IoCs

Processes:

word.exe

pid process

268 word.exe

pid	process
268	word.exe

Loads dropped DLL 2 IoCs

Processes:

2d1d71f05b0ab72e85c649e04f4c78f3007741649b9910be4266fde74504456d.exe

pid	process
896	2d1d71f05b0ab72e85c649e04f4c78f3007741649b9910be4266fde74504456d.exe
896	2d1d71f05b0ab72e85c649e04f4c78f3007741649b9910be4266fde74504456d.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

word.exe

pid process

268 word.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

whoami.exe

description pid process

Token: SeDebugPrivilege 1492 whoami.exe

pid	process
268	word.exe

description	pid	process
Token: SeDebugPrivilege	1492	whoami.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

2d1d71f05b0ab72e85c649e04f4c78f3007741649b9910be4266fde74504456d.exeword.execmd.exe

description	pid	process	target process
PID 896 wrote to memory of 268	896	2d1d71f05b0ab72e85c649e04f4c78f3007741649b9910be4266fde74504456d.exe	word.exe
PID 896 wrote to memory of 268	896	2d1d71f05b0ab72e85c649e04f4c78f3007741649b9910be4266fde74504456d.exe	word.exe
PID 896 wrote to memory of 268	896	2d1d71f05b0ab72e85c649e04f4c78f3007741649b9910be4266fde74504456d.exe	word.exe
PID 268 wrote to memory of 1800	268	word.exe	cmd.exe
PID 268 wrote to memory of 1800	268	word.exe	cmd.exe
PID 268 wrote to memory of 1800	268	word.exe	cmd.exe
PID 1800 wrote to memory of 1492	1800	cmd.exe	whoami.exe
PID 1800 wrote to memory of 1492	1800	cmd.exe	whoami.exe
PID 1800 wrote to memory of 1492	1800	cmd.exe	whoami.exe

C:\Users\Admin\AppData\Local\Temp\2d1d71f05b0ab72e85c649e04f4c78f3007741649b9910be4266fde74504456d.exe
"C:\Users\Admin\AppData\Local\Temp\2d1d71f05b0ab72e85c649e04f4c78f3007741649b9910be4266fde74504456d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:896

C:\programdata\word.exe
"C:\programdata\word.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C whoami
3⤵
- Suspicious use of WriteProcessMemory
PID:1800

C:\Windows\system32\whoami.exe
whoami
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1492

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\word.exe
Filesize
273KB

MD5
773295382ac480e8db8fb2c1efad4cda

SHA1
ae7c78724b8e0c946dd12d2ebc61f0f11c911067

SHA256
3823a537e612fe6e0453394242999cabb6d5070d49da22950102490d59fc6681

SHA512
c0116b326fe1a4adf4b0abcccf1cf14aa0ad3f6762c61650002e524c57d0af296dfbb575eca317cbe8ac144e50fd8d198ef4a62bcb49e47cbd4da26813a3c288

Download Submit
\ProgramData\word.exe
Filesize
273KB

MD5
773295382ac480e8db8fb2c1efad4cda

SHA1
ae7c78724b8e0c946dd12d2ebc61f0f11c911067

SHA256
3823a537e612fe6e0453394242999cabb6d5070d49da22950102490d59fc6681

SHA512
c0116b326fe1a4adf4b0abcccf1cf14aa0ad3f6762c61650002e524c57d0af296dfbb575eca317cbe8ac144e50fd8d198ef4a62bcb49e47cbd4da26813a3c288

Download Submit
\ProgramData\word.exe
Filesize
273KB

MD5
773295382ac480e8db8fb2c1efad4cda

SHA1
ae7c78724b8e0c946dd12d2ebc61f0f11c911067

SHA256
3823a537e612fe6e0453394242999cabb6d5070d49da22950102490d59fc6681

SHA512
c0116b326fe1a4adf4b0abcccf1cf14aa0ad3f6762c61650002e524c57d0af296dfbb575eca317cbe8ac144e50fd8d198ef4a62bcb49e47cbd4da26813a3c288

Download Submit
memory/268-57-0x0000000000000000-mapping.dmp

Download
memory/268-60-0x000007FEF7680000-0x000007FEF772C000-memory.dmp

Filesize
688KB

Download
memory/268-61-0x0000000003930000-0x0000000003D30000-memory.dmp

Filesize
4.0MB

Download
memory/268-62-0x0000000003930000-0x0000000003D30000-memory.dmp

Filesize
4.0MB

Download
memory/896-54-0x000007FEFC101000-0x000007FEFC103000-memory.dmp

Filesize
8KB

Download
memory/1492-64-0x0000000000000000-mapping.dmp

Download
memory/1800-63-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing