cobaltstrike | 67cbe3781f6f76624b4aa0190e5291be65126c254879bc301727d4407326a32a

General

Target

qwEP718oyT2qxRdKZoUy.js
Size

9.2MB
MD5

63ad6f493f5c59783bc47316ef3b92af
SHA1

c305e179439a10794fdf2f268fe1e3ab645d5983
SHA256

67cbe3781f6f76624b4aa0190e5291be65126c254879bc301727d4407326a32a
SHA512

bde7492e1a50f685158545557e978691055c83152fd6b72f32ac0bf393c727ceba24f6fe705fff632524ef9cd24a7e0f32e9f307387b43d214047b7e0a04f993
SSDEEP

24576:/fG3epi7v1ed2ffe8vB3FG8S0Su9G3LK0UxRxJxzMvPOFzZHpARL37wtb9etQQOP:xfocZQ+ze+iq7lhrr4Rpf

Score

10^/10

cobaltstrike backdoor trojan

Malware Config

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Blocklisted process makes network request 1 IoCs

flow	pid	Process
35	988	wscript.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
988	wscript.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 988 set thread context of 2864	988	wscript.exe	66

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
988	wscript.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2864	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeDebugPrivilege	988	wscript.exe
Token: SeDebugPrivilege	2864	Explorer.EXE
Token: SeShutdownPrivilege	2864	Explorer.EXE
Token: SeCreatePagefilePrivilege	2864	Explorer.EXE
Token: SeShutdownPrivilege	2864	Explorer.EXE
Token: SeCreatePagefilePrivilege	2864	Explorer.EXE
Token: SeShutdownPrivilege	2864	Explorer.EXE
Token: SeCreatePagefilePrivilege	2864	Explorer.EXE
Token: SeShutdownPrivilege	2864	Explorer.EXE
Token: SeCreatePagefilePrivilege	2864	Explorer.EXE
Token: SeShutdownPrivilege	2864	Explorer.EXE
Token: SeCreatePagefilePrivilege	2864	Explorer.EXE
Token: SeShutdownPrivilege	2864	Explorer.EXE
Token: SeCreatePagefilePrivilege	2864	Explorer.EXE
Token: SeShutdownPrivilege	2864	Explorer.EXE
Token: SeCreatePagefilePrivilege	2864	Explorer.EXE
Token: SeShutdownPrivilege	2864	Explorer.EXE
Token: SeCreatePagefilePrivilege	2864	Explorer.EXE
Token: SeShutdownPrivilege	2864	Explorer.EXE
Token: SeCreatePagefilePrivilege	2864	Explorer.EXE
Token: SeShutdownPrivilege	2864	Explorer.EXE
Token: SeCreatePagefilePrivilege	2864	Explorer.EXE
Token: SeShutdownPrivilege	2864	Explorer.EXE
Token: SeCreatePagefilePrivilege	2864	Explorer.EXE
Token: SeShutdownPrivilege	2864	Explorer.EXE
Token: SeCreatePagefilePrivilege	2864	Explorer.EXE
Token: SeShutdownPrivilege	2864	Explorer.EXE
Token: SeCreatePagefilePrivilege	2864	Explorer.EXE
Token: SeShutdownPrivilege	2864	Explorer.EXE
Token: SeCreatePagefilePrivilege	2864	Explorer.EXE

Suspicious use of WriteProcessMemory 1 IoCs

description	pid	Process	procid_target
PID 988 wrote to memory of 2864	988	wscript.exe	66

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2864
- C:\Windows\system32\wscript.exe
  wscript.exe C:\Users\Admin\AppData\Local\Temp\qwEP718oyT2qxRdKZoUy.js
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:988

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/988-144-0x00007FFDDFC70000-0x00007FFDE0731000-memory.dmp

Filesize
10.8MB

Download
memory/988-133-0x000002A6D22A0000-0x000002A6D241E000-memory.dmp

Filesize
1.5MB

Download
memory/988-132-0x00007FFDDFC70000-0x00007FFDE0731000-memory.dmp

Filesize
10.8MB

Download
memory/988-135-0x00007FFDFE5F0000-0x00007FFDFE7E5000-memory.dmp

Filesize
2.0MB

Download
memory/988-145-0x00007FFDFE5F0000-0x00007FFDFE7E5000-memory.dmp

Filesize
2.0MB

Download
memory/988-137-0x00007FFDFC270000-0x00007FFDFC539000-memory.dmp

Filesize
2.8MB

Download
memory/988-138-0x00007FFDFE150000-0x00007FFDFE1FC000-memory.dmp

Filesize
688KB

Download
memory/988-147-0x00007FFDFE490000-0x00007FFDFE54E000-memory.dmp

Filesize
760KB

Download
memory/988-140-0x00007FFDFC270000-0x00007FFDFC539000-memory.dmp

Filesize
2.8MB

Download
memory/988-141-0x00007FFDDFC70000-0x00007FFDE0731000-memory.dmp

Filesize
10.8MB

Download
memory/988-148-0x00007FFDFC270000-0x00007FFDFC539000-memory.dmp

Filesize
2.8MB

Download
memory/988-143-0x00007FFDFE5F0000-0x00007FFDFE7E5000-memory.dmp

Filesize
2.0MB

Download
memory/988-134-0x000002A6DA100000-0x000002A6DA628000-memory.dmp

Filesize
5.2MB

Download
memory/988-136-0x00007FFDFE490000-0x00007FFDFE54E000-memory.dmp

Filesize
760KB

Download
memory/988-139-0x00007FFDFE5F0000-0x00007FFDFE7E5000-memory.dmp

Filesize
2.0MB

Download
memory/2864-146-0x00007FFDFE491000-0x00007FFDFE510000-memory.dmp

Filesize
508KB

Download
memory/2864-142-0x0000000008110000-0x000000000831B000-memory.dmp

Filesize
2.0MB

Download
memory/2864-149-0x00007FFDDFC70000-0x00007FFDE0731000-memory.dmp

Filesize
10.8MB

Download
memory/2864-150-0x00007FFDFE5F1000-0x00007FFDFE70A000-memory.dmp

Filesize
1.1MB

Download
memory/2864-151-0x00007FFDFC271000-0x00007FFDFC383000-memory.dmp

Filesize
1.1MB

Download
memory/2864-152-0x0000000006F30000-0x0000000006F71000-memory.dmp

Filesize
260KB

Download
memory/2864-153-0x00000000079C0000-0x0000000007A48000-memory.dmp

Filesize
544KB

Download
memory/2864-154-0x00007FFDDFC70000-0x00007FFDE0731000-memory.dmp

Filesize
10.8MB

Download
memory/2864-155-0x00007FFDFE5F1000-0x00007FFDFE70A000-memory.dmp

Filesize
1.1MB

Download
memory/2864-156-0x0000000006F30000-0x0000000006F71000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing