cobaltstrike | 83c830efbeb6dd41df39ecf0d74bd926419794a6453ab460d08c5b0b5d7865fc

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
07/02/2023, 12:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

˰ֿָϣ밴ָֿۣ/�.lnk
Size

1KB
MD5

08ae386b3db37884c581fd43899d5ddc
SHA1

afce4c056d86137600d46ef1a776911740d67e80
SHA256

350fa869635ac7ff181650aff76f0f50248a6c38b90f5bc80ac34c1dca8d4b4e
SHA512

32461d4e29b18df7abb3cb9e1348e872d104df1fb26fe5a3a3d851b225cf87965ab26c64342d902e71e841a0eccab0e74e4db012949cbbe67bcb8c74af6c288d

Score

10^/10

cobaltstrike 0 100000 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

100000

http://103.229.124.219:443/jquery-3.3.1.min.js

Attributes

access_type
512
beacon_type
2048
host
103.229.124.219,/jquery-3.3.1.min.js
http_header1
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAABAAAAAVSG9zdDogMTAzLjIyOS4xMjQuMjE5AAAACgAAACBSZWZlcmVyOiBodHRwOi8vY29kZS5qcXVlcnkuY29tLwAAAAoAAAAeQWNjZXB0LUVuY29kaW5nOiBnemlwLCBkZWZsYXRlAAAABwAAAAAAAAANAAAAAgAAAAlfX2NmZHVpZD0AAAAGAAAABkNvb2tpZQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAABAAAAAVSG9zdDogMTAzLjIyOS4xMjQuMjE5AAAACgAAACBSZWZlcmVyOiBodHRwOi8vY29kZS5qcXVlcnkuY29tLwAAAAoAAAAeQWNjZXB0LUVuY29kaW5nOiBnemlwLCBkZWZsYXRlAAAABwAAAAAAAAAPAAAADQAAAAUAAAAIX19jZmR1aWQAAAAHAAAAAQAAAA8AAAANAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
9472
polling_time
1000
port_number
443
sc_process32
%windir%\syswow64\Werfault.exe
sc_process64
%windir%\sysnative\Werfault.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCju39uea7UP3NS+1fynoWQWZdiRYj8IBWzEXgrWt2Es/KPzNwmqRc1abTxN5F2uKX57pK/zB/VOb2voDec3uNMXKX/guHmC/MsbM0yzLFwc7vL3qML78QVRqadpATTw8UgVE7SZN3bz9dIB8T1wsKqm4A0X8eMrILCJmOBHT5kAwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4.234810624e+09
unknown2
AAAABAAAAAEAAAXyAAAAAgAAAFQAAAACAAAPWwAAAA0AAAAPAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/jquery-3.3.2.min.js
user_agent
Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
watermark
100000

Extracted

Family

cobaltstrike

Botnet

Attributes

watermark
0

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1008 wrote to memory of 1468	1008	cmd.exe	29
PID 1008 wrote to memory of 1468	1008	cmd.exe	29
PID 1008 wrote to memory of 1468	1008	cmd.exe	29
PID 1468 wrote to memory of 868	1468	rundll32.exe	30
PID 1468 wrote to memory of 868	1468	rundll32.exe	30
PID 1468 wrote to memory of 868	1468	rundll32.exe	30
PID 1468 wrote to memory of 768	1468	rundll32.exe	31
PID 1468 wrote to memory of 768	1468	rundll32.exe	31
PID 1468 wrote to memory of 768	1468	rundll32.exe	31
PID 868 wrote to memory of 1644	868	cmd.exe	34
PID 868 wrote to memory of 1644	868	cmd.exe	34
PID 868 wrote to memory of 1644	868	cmd.exe	34

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\˰ֿָϣ밴ָֿۣ\�.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:1008
- C:\Windows\System32\rundll32.exe
  "C:\Windows\System32\rundll32.exe" 0.000000fdsfffdddddffddaffffffvvvvaergqh5bqbqv34,HNSJox
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1468
- - C:\Windows\System32\cmd.exe
    cmd.exe /c start ./tijian/hezuo.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:868
  - - C:\Users\Admin\AppData\Local\Temp\˰ֿָϣ밴ָֿۣ\tijian\hezuo.exe
      ./tijian/hezuo.exe
      4⤵
      PID:1644
- - C:\Windows\System32\cmd.exe
    cmd.exe /c start ./tijian/¸öÈËËùµÃËæµÖ¿ÛÉê±¨Ö¸ÄÏ£¨Çë°´ÕÕÖ¸ÄÏÉêÇë¸öË°µÖ¿Û£©.docx
    3⤵
    PID:768

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1008-54-0x000007FEFB901000-0x000007FEFB903000-memory.dmp

Filesize
8KB

Download
memory/1644-101-0x000007FEBCF60000-0x000007FEBCF70000-memory.dmp

Filesize
64KB

Download
memory/1644-111-0x00000000000D0000-0x0000000000111000-memory.dmp

Filesize
260KB

Download
memory/1644-112-0x0000000000740000-0x0000000000BB2000-memory.dmp

Filesize
4.4MB

Download
memory/1644-113-0x00000000000D0000-0x0000000000111000-memory.dmp

Filesize
260KB

Download
memory/1644-115-0x0000000000740000-0x0000000000BB2000-memory.dmp

Filesize
4.4MB

Download
memory/1644-116-0x0000000000740000-0x0000000000BB2000-memory.dmp

Filesize
4.4MB

Download
memory/1644-117-0x0000000000740000-0x0000000000BB2000-memory.dmp

Filesize
4.4MB

Download
memory/1644-118-0x0000000000740000-0x0000000000BB2000-memory.dmp

Filesize
4.4MB

Download
memory/1644-119-0x0000000000740000-0x0000000000BB2000-memory.dmp

Filesize
4.4MB

Download
memory/1644-120-0x0000000000740000-0x0000000000BB2000-memory.dmp

Filesize
4.4MB

Download
memory/1644-121-0x0000000000740000-0x0000000000BB2000-memory.dmp

Filesize
4.4MB

Download
memory/1644-122-0x0000000000740000-0x0000000000BB2000-memory.dmp

Filesize
4.4MB

Download
memory/1644-123-0x0000000000740000-0x0000000000BB2000-memory.dmp

Filesize
4.4MB

Download
memory/1644-125-0x00000000000D0000-0x0000000000111000-memory.dmp

Filesize
260KB

Download
memory/1644-126-0x0000000000740000-0x0000000000BB2000-memory.dmp

Filesize
4.4MB

Download
memory/1644-128-0x0000000000740000-0x0000000000BB2000-memory.dmp

Filesize
4.4MB

Download
memory/1644-129-0x0000000000740000-0x0000000000BB2000-memory.dmp

Filesize
4.4MB

Download
memory/1644-130-0x0000000000740000-0x0000000000BB2000-memory.dmp

Filesize
4.4MB

Download
memory/1644-131-0x0000000000740000-0x0000000000BB2000-memory.dmp

Filesize
4.4MB

Download
memory/1644-132-0x0000000000740000-0x0000000000BB2000-memory.dmp

Filesize
4.4MB

Download
memory/1644-133-0x0000000000740000-0x0000000000BB2000-memory.dmp

Filesize
4.4MB

Download
memory/1644-134-0x0000000000740000-0x0000000000BB2000-memory.dmp

Filesize
4.4MB

Download
memory/1644-136-0x0000000000740000-0x0000000000BB2000-memory.dmp

Filesize
4.4MB

Download
memory/1644-137-0x0000000000740000-0x0000000000BB2000-memory.dmp

Filesize
4.4MB

Download
memory/1644-138-0x0000000000740000-0x0000000000BB2000-memory.dmp

Filesize
4.4MB

Download
memory/1644-139-0x0000000000740000-0x0000000000BB2000-memory.dmp

Filesize
4.4MB

Download
memory/1644-140-0x0000000000740000-0x0000000000BB2000-memory.dmp

Filesize
4.4MB

Download
memory/1644-141-0x0000000000740000-0x0000000000BB2000-memory.dmp

Filesize
4.4MB

Download
memory/1644-142-0x0000000000740000-0x0000000000BB2000-memory.dmp

Filesize
4.4MB

Download
memory/1644-143-0x0000000000740000-0x0000000000BB2000-memory.dmp

Filesize
4.4MB

Download
memory/1644-144-0x0000000000740000-0x0000000000BB2000-memory.dmp

Filesize
4.4MB

Download
memory/1644-145-0x0000000000740000-0x0000000000BB2000-memory.dmp

Filesize
4.4MB

Download
memory/1644-146-0x0000000000740000-0x0000000000BB2000-memory.dmp

Filesize
4.4MB

Download
memory/1644-147-0x0000000000740000-0x0000000000BB2000-memory.dmp

Filesize
4.4MB

Download
memory/1644-148-0x0000000000740000-0x0000000000BB2000-memory.dmp

Filesize
4.4MB

Download
memory/1644-150-0x0000000000740000-0x0000000000BB2000-memory.dmp

Filesize
4.4MB

Download
memory/1644-151-0x0000000000740000-0x0000000000BB2000-memory.dmp

Filesize
4.4MB

Download
memory/1644-152-0x0000000000740000-0x0000000000BB2000-memory.dmp

Filesize
4.4MB

Download
memory/1644-153-0x0000000000740000-0x0000000000BB2000-memory.dmp

Filesize
4.4MB

Download
memory/1644-154-0x0000000000740000-0x0000000000BB2000-memory.dmp

Filesize
4.4MB

Download
memory/1644-155-0x0000000000740000-0x0000000000BB2000-memory.dmp

Filesize
4.4MB

Download
memory/1644-156-0x0000000000740000-0x0000000000BB2000-memory.dmp

Filesize
4.4MB

Download
memory/1644-157-0x0000000000740000-0x0000000000BB2000-memory.dmp

Filesize
4.4MB

Download
memory/1644-158-0x0000000000740000-0x0000000000BB2000-memory.dmp

Filesize
4.4MB

Download
memory/1644-160-0x0000000000740000-0x0000000000BB2000-memory.dmp

Filesize
4.4MB

Download
memory/1644-161-0x0000000000740000-0x0000000000BB2000-memory.dmp

Filesize
4.4MB

Download
memory/1644-162-0x0000000000740000-0x0000000000BB2000-memory.dmp

Filesize
4.4MB

Download
memory/1644-164-0x0000000000740000-0x0000000000BB2000-memory.dmp

Filesize
4.4MB

Download
memory/1644-165-0x0000000000740000-0x0000000000BB2000-memory.dmp

Filesize
4.4MB

Download
memory/1644-166-0x0000000000740000-0x0000000000BB2000-memory.dmp

Filesize
4.4MB

Download
memory/1644-168-0x0000000000740000-0x0000000000BB2000-memory.dmp

Filesize
4.4MB

Download
memory/1644-169-0x0000000000740000-0x0000000000BB2000-memory.dmp

Filesize
4.4MB

Download
memory/1644-170-0x0000000000740000-0x0000000000BB2000-memory.dmp

Filesize
4.4MB

Download
memory/1644-172-0x0000000000740000-0x0000000000BB2000-memory.dmp

Filesize
4.4MB

Download
memory/1644-173-0x0000000000740000-0x0000000000BB2000-memory.dmp

Filesize
4.4MB

Download
memory/1644-174-0x0000000000740000-0x0000000000BB2000-memory.dmp

Filesize
4.4MB

Download
memory/1644-176-0x0000000000740000-0x0000000000BB2000-memory.dmp

Filesize
4.4MB

Download
memory/1644-177-0x0000000000740000-0x0000000000BB2000-memory.dmp

Filesize
4.4MB

Download
memory/1644-178-0x0000000000740000-0x0000000000BB2000-memory.dmp

Filesize
4.4MB

Download
memory/1644-180-0x0000000000740000-0x0000000000BB2000-memory.dmp

Filesize
4.4MB

Download
memory/1644-181-0x0000000000740000-0x0000000000BB2000-memory.dmp

Filesize
4.4MB

Download
memory/1644-182-0x0000000000740000-0x0000000000BB2000-memory.dmp

Filesize
4.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads