cobaltstrike | 3eae63f6ccc836090a020988f5aa654cb7b99a8ad5d7feec918852d050750482

General

Target

3eae63f6ccc836090a020988f5aa654cb7b99a8ad5d7feec918852d050750482.exe
Size

1.9MB
MD5

c812ef291c2b9711c3566c44e6a3f143
SHA1

09a6ab08244ae284c7a9b93ae457be1d46bfe40b
SHA256

3eae63f6ccc836090a020988f5aa654cb7b99a8ad5d7feec918852d050750482
SHA512

5e96aa4579e52393478e4b1859be4236eb722882935b6548a288314839bf02a74d3ab9f87b623d6f61eeed6fa28cfe2c45e4f05a0a89f61866acd6af12f5f21b
SSDEEP

24576:UAK38HHY72CcJJF/5bAfUo1veNSFnwohhOcDVK65DjHxYSb1v9WugiXDcqxvg/8n:UUX5oS9UDN5jpvC8b1J

Score

10^/10

cobaltstrike 305419896 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

305419896

C2

http://43.142.80.49:443/search

Attributes

access_type
512
beacon_type
2048
host
43.142.80.49,/search
http_header1
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAA4Q29va2llOiBEVVA9UT1HcE8xbkpwTW5hbTRVbGxFZm1lTWRnMiZUPTI4Mzc2NzA4OCZBPTEmSUcAAAAKAAAAJlJlZmVyZXI6IGh0dHBzOi8vd3d3LmNsb3VkLnRlbmNlbnQuY29tAAAABwAAAAAAAAADAAAAAgAAAApTRVNTSU9OSUQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAA4Q29va2llOiBEVVA9UT1HcE8xbkpwTW5hbTRVbGxFZm1lTWRnMiZUPTI4Mzc2NzA4OCZBPTEmSUcAAAAHAAAAAAAAAAMAAAACAAAACUpTRVNTSU9OPQAAAAYAAAAGQ29va2llAAAABwAAAAEAAAADAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_method1
GET
http_method2
POST
jitter
2560
maxdns
255
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCTUlJ7J79z/MkkV8+MsYlOvREE2hhdGNzrKPFZ10lY0K5legA+um5JxESEaC0woDgSmOGrkh1giz/aQwd6tG4mihFgpi0oIbfwu6XZbE6ghYGyu2F7+A5TifRUzvU0YLXjK78EW12XhjHx4KopMF/AtOAueGwfiI2DmXwNzrBDvwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
3.82554112e+09
unknown2
AAAABAAAAAEAAANBAAAAAgAAAqMAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/switch
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
watermark
305419896

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

cmd.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	cmd.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings cmd.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

5036 EXCEL.EXE
Suspicious behavior: RenamesItself 1 IoCs

Processes:

3eae63f6ccc836090a020988f5aa654cb7b99a8ad5d7feec918852d050750482.exe

pid process

1692 3eae63f6ccc836090a020988f5aa654cb7b99a8ad5d7feec918852d050750482.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	cmd.exe

pid	process
1692	3eae63f6ccc836090a020988f5aa654cb7b99a8ad5d7feec918852d050750482.exe

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

EXCEL.EXE

pid	process
5036	EXCEL.EXE
5036	EXCEL.EXE
5036	EXCEL.EXE
5036	EXCEL.EXE
5036	EXCEL.EXE
5036	EXCEL.EXE
5036	EXCEL.EXE
5036	EXCEL.EXE
5036	EXCEL.EXE
5036	EXCEL.EXE
5036	EXCEL.EXE
5036	EXCEL.EXE
5036	EXCEL.EXE

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

3eae63f6ccc836090a020988f5aa654cb7b99a8ad5d7feec918852d050750482.execmd.exe

description	pid	process	target process
PID 1692 wrote to memory of 228	1692	3eae63f6ccc836090a020988f5aa654cb7b99a8ad5d7feec918852d050750482.exe	cmd.exe
PID 1692 wrote to memory of 228	1692	3eae63f6ccc836090a020988f5aa654cb7b99a8ad5d7feec918852d050750482.exe	cmd.exe
PID 1692 wrote to memory of 228	1692	3eae63f6ccc836090a020988f5aa654cb7b99a8ad5d7feec918852d050750482.exe	cmd.exe
PID 228 wrote to memory of 5036	228	cmd.exe	EXCEL.EXE
PID 228 wrote to memory of 5036	228	cmd.exe	EXCEL.EXE
PID 228 wrote to memory of 5036	228	cmd.exe	EXCEL.EXE

C:\Users\Admin\AppData\Local\Temp\3eae63f6ccc836090a020988f5aa654cb7b99a8ad5d7feec918852d050750482.exe
"C:\Users\Admin\AppData\Local\Temp\3eae63f6ccc836090a020988f5aa654cb7b99a8ad5d7feec918852d050750482.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1692

C:\Windows\SysWOW64\cmd.exe
cmd " /c " C:\Users\Admin\AppData\Local\Temp\账单.xlsx
2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:228

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\账单.xlsx"
3⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:5036

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\账单.xlsx
Filesize
30KB

MD5
719a9d96c596acc3187dbcdf5c3f7e36

SHA1
490bde5317dea08e1aa490cf197419d89fdba992

SHA256
5b71b2d754dd0ddcab59411eabb7941ea46a47bc21b9fdac688524a4d3b14964

SHA512
375292a65c087626b7aa1deebffb1985912a771929777f090fda295ae6ea26cc8930d1565fc30902ea2d6d41d7e5745909af282d93157d525cf1068558bd5724

Download Submit
memory/228-132-0x0000000000000000-mapping.dmp

Download
memory/1692-137-0x00000000339F0000-0x0000000033DF0000-memory.dmp

Filesize
4.0MB

Download
memory/1692-136-0x0000000033DF0000-0x0000000033E6D000-memory.dmp

Filesize
500KB

Download
memory/5036-141-0x00007FF80E8D0000-0x00007FF80E8E0000-memory.dmp

Filesize
64KB

Download
memory/5036-138-0x00007FF80E8D0000-0x00007FF80E8E0000-memory.dmp

Filesize
64KB

Download
memory/5036-139-0x00007FF80E8D0000-0x00007FF80E8E0000-memory.dmp

Filesize
64KB

Download
memory/5036-140-0x00007FF80E8D0000-0x00007FF80E8E0000-memory.dmp

Filesize
64KB

Download
memory/5036-135-0x0000000000000000-mapping.dmp

Download
memory/5036-142-0x00007FF80E8D0000-0x00007FF80E8E0000-memory.dmp

Filesize
64KB

Download
memory/5036-143-0x00007FF80C140000-0x00007FF80C150000-memory.dmp

Filesize
64KB

Download
memory/5036-144-0x00007FF80C140000-0x00007FF80C150000-memory.dmp

Filesize
64KB

Download
memory/5036-146-0x00007FF80E8D0000-0x00007FF80E8E0000-memory.dmp

Filesize
64KB

Download
memory/5036-147-0x00007FF80E8D0000-0x00007FF80E8E0000-memory.dmp

Filesize
64KB

Download
memory/5036-148-0x00007FF80E8D0000-0x00007FF80E8E0000-memory.dmp

Filesize
64KB

Download
memory/5036-149-0x00007FF80E8D0000-0x00007FF80E8E0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads