cobaltstrike | 00a2ad580b475b5d302483074884a3b02e931fcea5dd54ae94976ae43e475b16

General

Target

price.bat
Size

2KB
MD5

2a677a2e87d30723a7f85db0e68246a0
SHA1

8d6e8fd707166f6989d025b6e47eb32251ddf007
SHA256

b9f0301c363e3e874f0020090db489b4621a7df827aa5202971d789f9762e145
SHA512

fd976416ff65521c01c7c3cb5ccc4a7ce1fe786032868ed58314b5c412fc7dd5f7bd00aaae169adf0a0be0bd6caf6b40aaa91aba6c2945670d4d4e718f0dfe56

Score

10^/10

cobaltstrike 1580103814 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

1580103814

C2

http://23.108.57.161:443/Forums.css

http://157.254.194.123:443/Forums.css

http://182.23.109.22:443/bn.css

http://157.72.142.1:443/Forums.css

Attributes

access_type
512
beacon_type
2048
host
23.108.57.161,/Forums.css,157.254.194.123,/Forums.css,182.23.109.22,/bn.css,157.72.142.1,/Forums.css
http_header1
AAAAEAAAAA1Ib3N0OiBtc24uY29tAAAACgAAABFDb25uZWN0aW9uOiBjbG9zZQAAAAcAAAAAAAAAAwAAAAMAAAACAAAAEG1hZGVfd3JpdGVfY29ubj0AAAAGAAAABkNvb2tpZQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAAEAAAAA1Ib3N0OiBtc24uY29tAAAACgAAABFDb25uZWN0aW9uOiBjbG9zZQAAAAoAAAAWQWNjZXB0LUxhbmd1YWdlOiBlbi1VUwAAAAoAAAAYQ29udGVudC1UeXBlOiB0ZXh0L3BsYWluAAAABwAAAAEAAAADAAAAAwAAAAQAAAAHAAAAAAAAAAMAAAACAAAADl9fc2Vzc2lvbl9faWQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
10496
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDGR0Qh3y+EUBYe3BK7qolMM8JPwPWG3qSISL7jSnjkuexL5sMHLtzoO5zoQBy+e4TrkofBD2/CsND498lUEN11cFR9Kw1NFw6DnLSlodbOZoq4yAd4rqFrAU7pQXMn+TDas8ZyiZ1Gk0sb29Z3S9pi2fsZj2g4ZLC8cpJipJJRmQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
2.708806656e+09
unknown2
AAAABAAAAAIAAAPVAAAAAwAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/dz
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246
watermark
1580103814

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Executes dropped EXE 1 IoCs

Processes:

cmVhpKJSis23S.exe

pid process

1804 cmVhpKJSis23S.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

cmd.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation cmd.exe
Loads dropped DLL 1 IoCs

Processes:

cmVhpKJSis23S.exe

pid process

1804 cmVhpKJSis23S.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

3012 taskkill.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description pid process

Token: SeDebugPrivilege 3012 taskkill.exe

pid	process
1804	cmVhpKJSis23S.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	cmd.exe

pid	process
1804	cmVhpKJSis23S.exe

pid	process
3012	taskkill.exe

description	pid	process
Token: SeDebugPrivilege	3012	taskkill.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 1980 wrote to memory of 4244	1980	cmd.exe	cmd.exe
PID 1980 wrote to memory of 4244	1980	cmd.exe	cmd.exe
PID 1980 wrote to memory of 4900	1980	cmd.exe	xcopy.exe
PID 1980 wrote to memory of 4900	1980	cmd.exe	xcopy.exe
PID 1980 wrote to memory of 1804	1980	cmd.exe	cmVhpKJSis23S.exe
PID 1980 wrote to memory of 1804	1980	cmd.exe	cmVhpKJSis23S.exe
PID 1980 wrote to memory of 3012	1980	cmd.exe	taskkill.exe
PID 1980 wrote to memory of 3012	1980	cmd.exe	taskkill.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\price.bat"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K copy /y C:\Windows\System32\rundll32.exe C:\ProgramData\cmVhpKJSis23S.exe
2⤵
PID:4244

C:\Windows\system32\xcopy.exe
xcopy /h /y ipchains.dll C:\ProgramData\
2⤵
PID:4900

C:\ProgramData\cmVhpKJSis23S.exe
"C:\ProgramData\cmVhpKJSis23S.exe" ipchains.dll,Sdrpst
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1804

C:\Windows\system32\taskkill.exe
taskkill /F /IM cmd.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3012

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\cmVhpKJSis23S.exe
Filesize
70KB

MD5
ef3179d498793bf4234f708d3be28633

SHA1
dd399ae46303343f9f0da189aee11c67bd868222

SHA256
b53f3c0cd32d7f20849850768da6431e5f876b7bfa61db0aa0700b02873393fa

SHA512
02aff154762d7e53e37754f878ce6aa3f4df5a1eb167e27f13d9762dced32bec892bfa3f3314e3c6dce5998f7d3c400d7d0314b9326eedcab72207c60b3d332e

Download Submit
C:\ProgramData\cmVhpKJSis23S.exe
Filesize
70KB

MD5
ef3179d498793bf4234f708d3be28633

SHA1
dd399ae46303343f9f0da189aee11c67bd868222

SHA256
b53f3c0cd32d7f20849850768da6431e5f876b7bfa61db0aa0700b02873393fa

SHA512
02aff154762d7e53e37754f878ce6aa3f4df5a1eb167e27f13d9762dced32bec892bfa3f3314e3c6dce5998f7d3c400d7d0314b9326eedcab72207c60b3d332e

Download Submit
C:\ProgramData\ipchains.dll
Filesize
572KB

MD5
8fdd7858bf72589cafba3e8f98a6730b

SHA1
ee3d8b9e6c4fc004a167d8ad5cfd1b479d009769

SHA256
39cc8085e331d0fbf1122e561472f87611de3df5f70344ac7b160d96b3cf576f

SHA512
0666c91cdf842f5755cffbfb7da8d69a84de024d90d56772e3fe9b71b0c923791205e9215469c96cd3d66f8ba2956fc9d3fc99303481b72eb00ac7de7b97a7ad

Download Submit
C:\ProgramData\ipchains.dll
Filesize
572KB

MD5
8fdd7858bf72589cafba3e8f98a6730b

SHA1
ee3d8b9e6c4fc004a167d8ad5cfd1b479d009769

SHA256
39cc8085e331d0fbf1122e561472f87611de3df5f70344ac7b160d96b3cf576f

SHA512
0666c91cdf842f5755cffbfb7da8d69a84de024d90d56772e3fe9b71b0c923791205e9215469c96cd3d66f8ba2956fc9d3fc99303481b72eb00ac7de7b97a7ad

Download Submit
memory/1804-135-0x0000000000000000-mapping.dmp

Download
memory/1804-140-0x000001FDFFE10000-0x000001FDFFE9B000-memory.dmp

Filesize
556KB

Download
memory/1804-141-0x000001FD81750000-0x000001FD81B50000-memory.dmp

Filesize
4.0MB

Download
memory/1804-142-0x000001FDFFE10000-0x000001FDFFE9B000-memory.dmp

Filesize
556KB

Download
memory/1804-143-0x000001FD81750000-0x000001FD81B50000-memory.dmp

Filesize
4.0MB

Download
memory/3012-137-0x0000000000000000-mapping.dmp

Download
memory/4244-132-0x0000000000000000-mapping.dmp

Download
memory/4900-133-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing