cobaltstrike | 4e7a06b20666a62613cca9f75ae58a35cfc5d721c05c8b435170a4e8024ba87e

Resubmissions

20-07-2023 06:12

230720-gyc5eadf7x 10

07-12-2022 01:02

221207-bdw4wsdf7t 10

Analysis

max time kernel
207s
max time network
211s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
07-12-2022 01:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

简历.zip
Size

168KB
MD5

f1c56cc405029826cf7a21a1394bf18e
SHA1

1b9080ac30d6fc8963457e90aa9d5e56bb7eace0
SHA256

4e7a06b20666a62613cca9f75ae58a35cfc5d721c05c8b435170a4e8024ba87e
SHA512

31597e85de1b58bfadc88f2b79bc0f7dcaa79d8d63cdb4517cb35f7d99df643ab34b096931af44029e3c16c5ed6a183437009a4dc144c65cbf15034c7c6caa53
SSDEEP

3072:v0qEgiHe4UvUmvUVCn/CudT8opk05O/q9hLLePw/95HMxlvFiqbM9PjX:nQewOv/DqoXQ/q9hvX15HMxl08OjX

Score

10^/10

cobaltstrike 0 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

http://service-5r35x0x0-1310046338.gz.apigw.tencentcs.com:443/result_78adc45.js

Attributes

user_agent
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36

Extracted

Family

cobaltstrike

Botnet

Attributes

watermark
0

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

4940 tasklist.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

NETSTAT.EXE

pid process

1820 NETSTAT.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

tasklist.exeNETSTAT.EXE

description pid process

Token: SeDebugPrivilege 4940 tasklist.exe
Token: SeDebugPrivilege 1820 NETSTAT.EXE

pid	process
4940	tasklist.exe

pid	process
1820	NETSTAT.EXE

description	pid	process
Token: SeDebugPrivilege	4940	tasklist.exe
Token: SeDebugPrivilege	1820	NETSTAT.EXE

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

═╞╣π╫¿╘▒-╒┼┴╓ -║■─╧┤≤╤º .execmd.exe

description	pid	process	target process
PID 2716 wrote to memory of 4320	2716	═╞╣π╫¿╘▒-╒┼┴╓ -║■─╧┤≤╤º .exe	taskhostw.exe
PID 2716 wrote to memory of 4320	2716	═╞╣π╫¿╘▒-╒┼┴╓ -║■─╧┤≤╤º .exe	taskhostw.exe
PID 2716 wrote to memory of 4320	2716	═╞╣π╫¿╘▒-╒┼┴╓ -║■─╧┤≤╤º .exe	taskhostw.exe
PID 2716 wrote to memory of 956	2716	═╞╣π╫¿╘▒-╒┼┴╓ -║■─╧┤≤╤º .exe	taskhostw.exe
PID 2716 wrote to memory of 956	2716	═╞╣π╫¿╘▒-╒┼┴╓ -║■─╧┤≤╤º .exe	taskhostw.exe
PID 2716 wrote to memory of 956	2716	═╞╣π╫¿╘▒-╒┼┴╓ -║■─╧┤≤╤º .exe	taskhostw.exe
PID 4932 wrote to memory of 4940	4932	cmd.exe	tasklist.exe
PID 4932 wrote to memory of 4940	4932	cmd.exe	tasklist.exe
PID 4932 wrote to memory of 1820	4932	cmd.exe	NETSTAT.EXE
PID 4932 wrote to memory of 1820	4932	cmd.exe	NETSTAT.EXE

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\简历.zip
1⤵
PID:4872

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2392

C:\Users\Admin\Desktop\简历\╝≥└·\═╞╣π╫¿╘▒-╒┼┴╓ -║■─╧┤≤╤º .exe
"C:\Users\Admin\Desktop\简历\╝≥└·\═╞╣π╫¿╘▒-╒┼┴╓ -║■─╧┤≤╤º .exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2716

C:\Windows\System32\taskhostw.exe
"C:\Windows\System32\taskhostw.exe"
2⤵
PID:4320

C:\Windows\System32\taskhostw.exe
"C:\Windows\System32\taskhostw.exe"
2⤵
PID:956

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4932

C:\Windows\system32\tasklist.exe
tasklist
2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4940

C:\Windows\system32\NETSTAT.EXE
netstat -ano
2⤵
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
PID:1820

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/956-133-0x0000000000000000-mapping.dmp

Download
memory/956-134-0x00000189A6DF0000-0x00000189A71F0000-memory.dmp

Filesize
4.0MB

Download
memory/956-135-0x00000189A52B0000-0x00000189A52FD000-memory.dmp

Filesize
308KB

Download
memory/956-137-0x00000189A52B0000-0x00000189A52FD000-memory.dmp

Filesize
308KB

Download
memory/1820-140-0x0000000000000000-mapping.dmp

Download
memory/4320-132-0x0000000000000000-mapping.dmp

Download
memory/4320-136-0x000001B5E0EE0000-0x000001B5E0F2D000-memory.dmp

Filesize
308KB

Download
memory/4320-138-0x000001B5E0EE0000-0x000001B5E0F2D000-memory.dmp

Filesize
308KB

Download
memory/4940-139-0x0000000000000000-mapping.dmp

Download