cobaltstrike | 88aa597508cf45522711b678bb0596da0f1d16773aa7ca4504b6f2784e2a82a4

General

Target

88aa597508cf45522711b678bb0596da0f1d16773aa7ca4504b6f2784e2a82a4.exe
Size

571KB
MD5

0dd4eddc02f1144a3a829b18b303ec1a
SHA1

f8a26ebf852dfd63920cdc98f44eb4e53e29f13b
SHA256

88aa597508cf45522711b678bb0596da0f1d16773aa7ca4504b6f2784e2a82a4
SHA512

0dda2bda39a322c6f26347b4e3e017954319d0f22bc7ea517db526da464cd7d8d024feb5d0e0ef34f6d971f6a41e73a9c7b98b0fd3d16b3cada71165e8134416
SSDEEP

6144:xrmNILc6DM/D3COXFMk2UwNNVJZc6aoFZe6+jrYGHL8742qI:ZmNI5DMD3CaFZ8NVJZc6fE6ssGHL

Score

10^/10

cobaltstrike 0 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

C2

http://service-758414h5-1311271430.sh.apigw.tencentcs.com:80/bootstrap-2.min.js

Attributes

user_agent
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36

Extracted

Family

cobaltstrike

Botnet

0

Attributes

watermark
0

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

3412 svchost.exe

pid	process
3412	svchost.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cmd.exe88aa597508cf45522711b678bb0596da0f1d16773aa7ca4504b6f2784e2a82a4.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	88aa597508cf45522711b678bb0596da0f1d16773aa7ca4504b6f2784e2a82a4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings cmd.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

760 WINWORD.EXE
760 WINWORD.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

88aa597508cf45522711b678bb0596da0f1d16773aa7ca4504b6f2784e2a82a4.exe

description pid process

Token: SeIncBasePriorityPrivilege 4860 88aa597508cf45522711b678bb0596da0f1d16773aa7ca4504b6f2784e2a82a4.exe
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

WINWORD.EXE

pid process

760 WINWORD.EXE
760 WINWORD.EXE
760 WINWORD.EXE
760 WINWORD.EXE
760 WINWORD.EXE
760 WINWORD.EXE
760 WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	cmd.exe

pid	process
760	WINWORD.EXE
760	WINWORD.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	4860	88aa597508cf45522711b678bb0596da0f1d16773aa7ca4504b6f2784e2a82a4.exe

pid	process
760	WINWORD.EXE
760	WINWORD.EXE
760	WINWORD.EXE
760	WINWORD.EXE
760	WINWORD.EXE
760	WINWORD.EXE
760	WINWORD.EXE

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

88aa597508cf45522711b678bb0596da0f1d16773aa7ca4504b6f2784e2a82a4.execmd.execmd.exe

description	pid	process	target process
PID 4860 wrote to memory of 4212	4860	88aa597508cf45522711b678bb0596da0f1d16773aa7ca4504b6f2784e2a82a4.exe	cmd.exe
PID 4860 wrote to memory of 4212	4860	88aa597508cf45522711b678bb0596da0f1d16773aa7ca4504b6f2784e2a82a4.exe	cmd.exe
PID 4860 wrote to memory of 4216	4860	88aa597508cf45522711b678bb0596da0f1d16773aa7ca4504b6f2784e2a82a4.exe	cmd.exe
PID 4860 wrote to memory of 4216	4860	88aa597508cf45522711b678bb0596da0f1d16773aa7ca4504b6f2784e2a82a4.exe	cmd.exe
PID 4216 wrote to memory of 3412	4216	cmd.exe	svchost.exe
PID 4216 wrote to memory of 3412	4216	cmd.exe	svchost.exe
PID 4860 wrote to memory of 2908	4860	88aa597508cf45522711b678bb0596da0f1d16773aa7ca4504b6f2784e2a82a4.exe	cmd.exe
PID 4860 wrote to memory of 2908	4860	88aa597508cf45522711b678bb0596da0f1d16773aa7ca4504b6f2784e2a82a4.exe	cmd.exe
PID 4212 wrote to memory of 760	4212	cmd.exe	WINWORD.EXE
PID 4212 wrote to memory of 760	4212	cmd.exe	WINWORD.EXE

C:\Users\Admin\AppData\Local\Temp\88aa597508cf45522711b678bb0596da0f1d16773aa7ca4504b6f2784e2a82a4.exe
"C:\Users\Admin\AppData\Local\Temp\88aa597508cf45522711b678bb0596da0f1d16773aa7ca4504b6f2784e2a82a4.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4860

C:\Windows\SYSTEM32\cmd.exe
cmd /C "ÄÚ²¿×Ô²âÇëÎðÁ÷´«.docx"
2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4212

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ÄÚ²¿×Ô²âÇëÎðÁ÷´«.docx" /o ""
3⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:760

C:\Windows\SYSTEM32\cmd.exe
cmd /C "C:\Users\Public\Downloads\svchost.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4216

C:\Users\Public\Downloads\svchost.exe
C:\Users\Public\Downloads\svchost.exe
3⤵
- Executes dropped EXE
PID:3412

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c del /q C:\Users\Admin\AppData\Local\Temp\88aa597508cf45522711b678bb0596da0f1d16773aa7ca4504b6f2784e2a82a4.exe
2⤵
PID:2908

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ÄÚ²¿×Ô²âÇëÎðÁ÷´«.docx
Filesize
351KB

MD5
cf0367cede49e99b8ca7c1a3d12e3f3b

SHA1
137f9660787fc106cd16b9e99040299335492009

SHA256
71d40e329eca20223e3e3119d2f08e10f1be2f4c8ed3d72e586b595e31f50d37

SHA512
67818c6dc922736123696e36fe09d2c7b40f476062cad30b2f73349167a0b601d59d063454630955c2c19390a9894b6cdba982024e9075025f184dd94f171e5f

Download Submit
C:\Users\Public\Downloads\svchost.exe
Filesize
19KB

MD5
5cb39016c85da40eabc8a950341281d7

SHA1
d6b7a92de878f212dd241a85891a97237995a93f

SHA256
d2f3cfb42504051a27b3412af312996f47991ffc91be33c1346fe0aec9dc927f

SHA512
9f15a92ee63a6fcfb25e805919bbd324497e082ad59a761f61bd4697dfaf14033537a1c7d57e2ba5243548c4b314e546579714fbf328058d1e63cc45dcfd46be

Download Submit
C:\Users\Public\Downloads\svchost.exe
Filesize
19KB

MD5
5cb39016c85da40eabc8a950341281d7

SHA1
d6b7a92de878f212dd241a85891a97237995a93f

SHA256
d2f3cfb42504051a27b3412af312996f47991ffc91be33c1346fe0aec9dc927f

SHA512
9f15a92ee63a6fcfb25e805919bbd324497e082ad59a761f61bd4697dfaf14033537a1c7d57e2ba5243548c4b314e546579714fbf328058d1e63cc45dcfd46be

Download Submit
memory/760-140-0x0000000000000000-mapping.dmp

Download
memory/760-145-0x00007FFB3C790000-0x00007FFB3C7A0000-memory.dmp

Filesize
64KB

Download
memory/760-147-0x00007FFB3A6D0000-0x00007FFB3A6E0000-memory.dmp

Filesize
64KB

Download
memory/760-146-0x00007FFB3A6D0000-0x00007FFB3A6E0000-memory.dmp

Filesize
64KB

Download
memory/760-144-0x00007FFB3C790000-0x00007FFB3C7A0000-memory.dmp

Filesize
64KB

Download
memory/760-143-0x00007FFB3C790000-0x00007FFB3C7A0000-memory.dmp

Filesize
64KB

Download
memory/760-141-0x00007FFB3C790000-0x00007FFB3C7A0000-memory.dmp

Filesize
64KB

Download
memory/760-142-0x00007FFB3C790000-0x00007FFB3C7A0000-memory.dmp

Filesize
64KB

Download
memory/2908-137-0x0000000000000000-mapping.dmp

Download
memory/3412-139-0x000000CBAD30D000-0x000000CBAD310000-memory.dmp

Filesize
12KB

Download
memory/3412-134-0x0000000000000000-mapping.dmp

Download
memory/3412-148-0x000001ECB5FD0000-0x000001ECB63D0000-memory.dmp

Filesize
4.0MB

Download
memory/3412-149-0x000001ECB63D0000-0x000001ECB641E000-memory.dmp

Filesize
312KB

Download
memory/3412-150-0x000001ECB63D0000-0x000001ECB641E000-memory.dmp

Filesize
312KB

Download
memory/4212-132-0x0000000000000000-mapping.dmp

Download
memory/4216-133-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads