cobaltstrike | 78279ac671bb144d058bc59eb5d89a6446ceee2cdcaf3d6bbe00a23e15abf0b2

Resubmissions

18-01-2023 14:25

230118-rrsavsag38 10

Analysis

max time kernel
151s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
18-01-2023 14:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TA579_20220117/required documents.lnk
Size

2KB
MD5

63406fd9ac6318999606bdf3dee56e59
SHA1

8af67f655ce1b5a1c98a2c3e2dc16b04f524d2ad
SHA256

de6f6037ca98820a57ed73b33a551f33b593ed860e37942c749a1bb1bc12de8d
SHA512

0c287b1a328392bde2560c0afa07119a851788a329bf1f6eceb04f3ea2f56387caac344ff5c8d6f7b3b34e768a16dc67ca637e100da273aa8e1bbf80d3151f61

Score

10^/10

cobaltstrike 1580103814 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

1580103814

http://23.108.57.26:443/gv

http://23.106.215.213:443/ch

http://23.189.202.11:443/gv

http://23.109.27.113:443/gv

Attributes

access_type
512
beacon_type
2048
host
23.108.57.26,/gv,23.106.215.213,/ch,23.189.202.11,/gv,23.109.27.113,/gv
http_header1
AAAAEAAAABRIb3N0OiBvbmNsaWNrYWRzLm5ldAAAAAoAAAARQ29ubmVjdGlvbjogY2xvc2UAAAAKAAAAE0FjY2VwdC1FbmNvZGluZzogYnIAAAAKAAAAJUFjY2VwdC1MYW5ndWFnZTogZW4tR0I7cT0wLjksICo7cT0wLjcAAAAHAAAAAAAAAA0AAAADAAAAAgAAAAVIU0lEPQAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAAEAAAABRIb3N0OiBvbmNsaWNrYWRzLm5ldAAAAAoAAAARQ29ubmVjdGlvbjogY2xvc2UAAAAKAAAAJUFjY2VwdC1MYW5ndWFnZTogZW4tR0I7cT0wLjksICo7cT0wLjcAAAAKAAAAL0NvbnRlbnQtVHlwZTogYXBwbGljYXRpb24veC13d3ctZm9ybS11cmxlbmNvZGVkAAAABwAAAAEAAAADAAAAAwAAAAIAAAAEamF4PQAAAAQAAAAHAAAAAAAAAAMAAAACAAAADl9fc2Vzc2lvbl9faWQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
5376
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCE9L8rIKSp4C9FQ/R/7a3ryY4uA9FlvsgnXmTz2sZ9UVfj1lI08Bviwhpc+EnZZqJdTO64CfcMBV4mkNpD0ytsAQM2Exm52NXS+H2o2sCUL/5CEDF69gocbXAWu8TBQBOJ/nigUOIP9axddVsB3u7b3VYu+LeoMTaxlVbzllXwSwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
7.8457344e+07
unknown2
AAAABAAAAAIAAAJYAAAAAwAAAAsAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/get
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36
watermark
1580103814

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3288 wrote to memory of 380	3288	cmd.exe	80
PID 3288 wrote to memory of 380	3288	cmd.exe	80
PID 380 wrote to memory of 3728	380	cmd.exe	81
PID 380 wrote to memory of 3728	380	cmd.exe	81

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\TA579_20220117\required documents.lnk"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3288
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c pythonw.exe cradle.py & taskkill /F /IM cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:380
- - C:\Users\Admin\AppData\Local\Temp\TA579_20220117\pythonw.exe
    pythonw.exe cradle.py
    3⤵
    PID:3728

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3728-134-0x000001C010B40000-0x000001C010BC1000-memory.dmp

Filesize
516KB

Download
memory/3728-135-0x000001C011040000-0x000001C011440000-memory.dmp

Filesize
4.0MB

Download
memory/3728-136-0x000001C010B40000-0x000001C010BC1000-memory.dmp

Filesize
516KB

Download
memory/3728-137-0x000001C011040000-0x000001C011440000-memory.dmp

Filesize
4.0MB

Download