cobaltstrike | 83c830efbeb6dd41df39ecf0d74bd926419794a6453ab460d08c5b0b5d7865fc

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
07/02/2023, 12:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

˰ֿָϣ밴ָֿۣ/�.lnk
Size

1KB
MD5

08ae386b3db37884c581fd43899d5ddc
SHA1

afce4c056d86137600d46ef1a776911740d67e80
SHA256

350fa869635ac7ff181650aff76f0f50248a6c38b90f5bc80ac34c1dca8d4b4e
SHA512

32461d4e29b18df7abb3cb9e1348e872d104df1fb26fe5a3a3d851b225cf87965ab26c64342d902e71e841a0eccab0e74e4db012949cbbe67bcb8c74af6c288d

Score

10^/10

cobaltstrike 0 100000 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

100000

http://103.229.124.219:443/jquery-3.3.1.min.js

Attributes

access_type
512
beacon_type
2048
host
103.229.124.219,/jquery-3.3.1.min.js
http_header1
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAABAAAAAVSG9zdDogMTAzLjIyOS4xMjQuMjE5AAAACgAAACBSZWZlcmVyOiBodHRwOi8vY29kZS5qcXVlcnkuY29tLwAAAAoAAAAeQWNjZXB0LUVuY29kaW5nOiBnemlwLCBkZWZsYXRlAAAABwAAAAAAAAANAAAAAgAAAAlfX2NmZHVpZD0AAAAGAAAABkNvb2tpZQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAABAAAAAVSG9zdDogMTAzLjIyOS4xMjQuMjE5AAAACgAAACBSZWZlcmVyOiBodHRwOi8vY29kZS5qcXVlcnkuY29tLwAAAAoAAAAeQWNjZXB0LUVuY29kaW5nOiBnemlwLCBkZWZsYXRlAAAABwAAAAAAAAAPAAAADQAAAAUAAAAIX19jZmR1aWQAAAAHAAAAAQAAAA8AAAANAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
9472
polling_time
1000
port_number
443
sc_process32
%windir%\syswow64\Werfault.exe
sc_process64
%windir%\sysnative\Werfault.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCju39uea7UP3NS+1fynoWQWZdiRYj8IBWzEXgrWt2Es/KPzNwmqRc1abTxN5F2uKX57pK/zB/VOb2voDec3uNMXKX/guHmC/MsbM0yzLFwc7vL3qML78QVRqadpATTw8UgVE7SZN3bz9dIB8T1wsKqm4A0X8eMrILCJmOBHT5kAwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4.234810624e+09
unknown2
AAAABAAAAAEAAAXyAAAAAgAAAFQAAAACAAAPWwAAAA0AAAAPAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/jquery-3.3.2.min.js
user_agent
Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
watermark
100000

Extracted

Family

cobaltstrike

Botnet

Attributes

watermark
0

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1616 wrote to memory of 2064	1616	cmd.exe	77
PID 1616 wrote to memory of 2064	1616	cmd.exe	77
PID 2064 wrote to memory of 3472	2064	rundll32.exe	78
PID 2064 wrote to memory of 3472	2064	rundll32.exe	78
PID 2064 wrote to memory of 4368	2064	rundll32.exe	81
PID 2064 wrote to memory of 4368	2064	rundll32.exe	81
PID 3472 wrote to memory of 2928	3472	cmd.exe	82
PID 3472 wrote to memory of 2928	3472	cmd.exe	82

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\˰ֿָϣ밴ָֿۣ\�.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1616
- C:\Windows\System32\rundll32.exe
  "C:\Windows\System32\rundll32.exe" 0.000000fdsfffdddddffddaffffffvvvvaergqh5bqbqv34,HNSJox
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2064
- - C:\Windows\System32\cmd.exe
    cmd.exe /c start ./tijian/hezuo.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3472
  - - C:\Users\Admin\AppData\Local\Temp\˰ֿָϣ밴ָֿۣ\tijian\hezuo.exe
      ./tijian/hezuo.exe
      4⤵
      PID:2928
- - C:\Windows\System32\cmd.exe
    cmd.exe /c start ./tijian/¸öÈËËùµÃËæµÖ¿ÛÉê±¨Ö¸ÄÏ£¨Çë°´ÕÕÖ¸ÄÏÉêÇë¸öË°µÖ¿Û£©.docx
    3⤵
    PID:4368

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2928-136-0x00007FF87D060000-0x00007FF87D070000-memory.dmp

Filesize
64KB

Download
memory/2928-137-0x0000027FC9210000-0x0000027FC9251000-memory.dmp

Filesize
260KB

Download
memory/2928-138-0x0000027FC9260000-0x0000027FC96D2000-memory.dmp

Filesize
4.4MB

Download
memory/2928-139-0x0000027FC9210000-0x0000027FC9251000-memory.dmp

Filesize
260KB

Download
memory/2928-140-0x0000027FC9260000-0x0000027FC96D2000-memory.dmp

Filesize
4.4MB

Download
memory/2928-141-0x0000027FC9260000-0x0000027FC96D2000-memory.dmp

Filesize
4.4MB

Download
memory/2928-142-0x0000027FC9260000-0x0000027FC96D2000-memory.dmp

Filesize
4.4MB

Download
memory/2928-143-0x0000027FC9260000-0x0000027FC96D2000-memory.dmp

Filesize
4.4MB

Download
memory/2928-144-0x0000027FC9260000-0x0000027FC96D2000-memory.dmp

Filesize
4.4MB

Download
memory/2928-145-0x0000027FC9260000-0x0000027FC96D2000-memory.dmp

Filesize
4.4MB

Download
memory/2928-146-0x0000027FC9260000-0x0000027FC96D2000-memory.dmp

Filesize
4.4MB

Download
memory/2928-147-0x0000027FC9260000-0x0000027FC96D2000-memory.dmp

Filesize
4.4MB

Download
memory/2928-148-0x0000027FC9260000-0x0000027FC96D2000-memory.dmp

Filesize
4.4MB

Download
memory/2928-149-0x0000027FC9260000-0x0000027FC96D2000-memory.dmp

Filesize
4.4MB

Download
memory/2928-150-0x0000027FC9260000-0x0000027FC96D2000-memory.dmp

Filesize
4.4MB

Download
memory/2928-151-0x0000027FC9210000-0x0000027FC9251000-memory.dmp

Filesize
260KB

Download
memory/2928-152-0x0000027FC9260000-0x0000027FC96D2000-memory.dmp

Filesize
4.4MB

Download
memory/2928-153-0x0000027FC9260000-0x0000027FC96D2000-memory.dmp

Filesize
4.4MB

Download
memory/2928-154-0x0000027FC9260000-0x0000027FC96D2000-memory.dmp

Filesize
4.4MB

Download
memory/2928-155-0x0000027FC9260000-0x0000027FC96D2000-memory.dmp

Filesize
4.4MB

Download
memory/2928-156-0x0000027FC9260000-0x0000027FC96D2000-memory.dmp

Filesize
4.4MB

Download
memory/2928-157-0x0000027FC9260000-0x0000027FC96D2000-memory.dmp

Filesize
4.4MB

Download
memory/2928-158-0x0000027FC9260000-0x0000027FC96D2000-memory.dmp

Filesize
4.4MB

Download
memory/2928-159-0x0000027FC9260000-0x0000027FC96D2000-memory.dmp

Filesize
4.4MB

Download
memory/2928-160-0x0000027FC9260000-0x0000027FC96D2000-memory.dmp

Filesize
4.4MB

Download
memory/2928-162-0x0000027FC9260000-0x0000027FC96D2000-memory.dmp

Filesize
4.4MB

Download
memory/2928-163-0x0000027FC9260000-0x0000027FC96D2000-memory.dmp

Filesize
4.4MB

Download
memory/2928-164-0x0000027FC9260000-0x0000027FC96D2000-memory.dmp

Filesize
4.4MB

Download
memory/2928-166-0x0000027FC9260000-0x0000027FC96D2000-memory.dmp

Filesize
4.4MB

Download
memory/2928-167-0x0000027FC9260000-0x0000027FC96D2000-memory.dmp

Filesize
4.4MB

Download
memory/2928-168-0x0000027FC9260000-0x0000027FC96D2000-memory.dmp

Filesize
4.4MB

Download
memory/2928-169-0x0000027FC9260000-0x0000027FC96D2000-memory.dmp

Filesize
4.4MB

Download
memory/2928-170-0x0000027FC9260000-0x0000027FC96D2000-memory.dmp

Filesize
4.4MB

Download
memory/2928-171-0x0000027FC9260000-0x0000027FC96D2000-memory.dmp

Filesize
4.4MB

Download
memory/2928-172-0x0000027FC9260000-0x0000027FC96D2000-memory.dmp

Filesize
4.4MB

Download
memory/2928-173-0x0000027FC9260000-0x0000027FC96D2000-memory.dmp

Filesize
4.4MB

Download
memory/2928-174-0x0000027FC9260000-0x0000027FC96D2000-memory.dmp

Filesize
4.4MB

Download
memory/2928-175-0x0000027FC9260000-0x0000027FC96D2000-memory.dmp

Filesize
4.4MB

Download
memory/2928-176-0x0000027FC9260000-0x0000027FC96D2000-memory.dmp

Filesize
4.4MB

Download
memory/2928-177-0x0000027FC9260000-0x0000027FC96D2000-memory.dmp

Filesize
4.4MB

Download
memory/2928-178-0x0000027FC9260000-0x0000027FC96D2000-memory.dmp

Filesize
4.4MB

Download
memory/2928-179-0x0000027FC9260000-0x0000027FC96D2000-memory.dmp

Filesize
4.4MB

Download
memory/2928-180-0x0000027FC9260000-0x0000027FC96D2000-memory.dmp

Filesize
4.4MB

Download
memory/2928-181-0x0000027FC9260000-0x0000027FC96D2000-memory.dmp

Filesize
4.4MB

Download
memory/2928-182-0x0000027FC9260000-0x0000027FC96D2000-memory.dmp

Filesize
4.4MB

Download
memory/2928-183-0x0000027FC9260000-0x0000027FC96D2000-memory.dmp

Filesize
4.4MB

Download
memory/2928-184-0x0000027FC9260000-0x0000027FC96D2000-memory.dmp

Filesize
4.4MB

Download
memory/2928-185-0x0000027FC9260000-0x0000027FC96D2000-memory.dmp

Filesize
4.4MB

Download
memory/2928-186-0x0000027FC9260000-0x0000027FC96D2000-memory.dmp

Filesize
4.4MB

Download
memory/2928-187-0x0000027FC9260000-0x0000027FC96D2000-memory.dmp

Filesize
4.4MB

Download
memory/2928-188-0x0000027FC9260000-0x0000027FC96D2000-memory.dmp

Filesize
4.4MB

Download
memory/2928-189-0x0000027FC9260000-0x0000027FC96D2000-memory.dmp

Filesize
4.4MB

Download
memory/2928-190-0x0000027FC9260000-0x0000027FC96D2000-memory.dmp

Filesize
4.4MB

Download
memory/2928-191-0x0000027FC9260000-0x0000027FC96D2000-memory.dmp

Filesize
4.4MB

Download
memory/2928-192-0x0000027FC9260000-0x0000027FC96D2000-memory.dmp

Filesize
4.4MB

Download
memory/2928-194-0x0000027FC9260000-0x0000027FC96D2000-memory.dmp

Filesize
4.4MB

Download
memory/2928-195-0x0000027FC9260000-0x0000027FC96D2000-memory.dmp

Filesize
4.4MB

Download
memory/2928-196-0x0000027FC9260000-0x0000027FC96D2000-memory.dmp

Filesize
4.4MB

Download
memory/2928-198-0x0000027FC9260000-0x0000027FC96D2000-memory.dmp

Filesize
4.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads