cobaltstrike | 7e3a6c1639668f468cbc03704bba47d70851775b3666bc58ab98cded79154e03

Analysis

max time kernel
148s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06-03-2023 03:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7e3a6c1639668f468cbc03704bba47d70851775b3666bc58ab98cded79154e03.exe
Size

494KB
MD5

94b4eb33f72c5df6e7823407e12fa2b5
SHA1

e59fbee36c7604f2fbbb05a13aa2ef6fe2e0f56f
SHA256

7e3a6c1639668f468cbc03704bba47d70851775b3666bc58ab98cded79154e03
SHA512

19539f69b0cbcc7c6be91f347d9289b19331f1def5606dc80600edf6b7d2923eefde62fd996614a22bbd56c8bb49293345d8f824f960220bdb91d56d539eb491
SSDEEP

12288:fzxzTDWikLSb4NS7/dc+tkUXY1AfOY7llq7KKIoYy:dDWHSb4NpnVYPq5Yy

Score

10^/10

cobaltstrike 0 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://85.175.101.203:80/access/

Attributes

access_type
512
host
85.175.101.203,/access/
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAeR2V0Q29udGVudEZlYXR1cmVzLkRMTkEuT1JHOiAxAAAAEAAAACBIb3N0OiBhdWRpby1zdjUtdDEtMy5wYW5kb3JhLmNvbQAAAAoAAABIQ29va2llOiAgX191dG1hPTIxMDA3NzYyMi4xNzMyNDM5OTk1LjE0MzMyMDE0NjIuMTQwMzIwNDM3Mi4xMzg1MjAyNDkzLjI7AAAACQAAAAl2ZXJzaW9uPTQAAAAJAAAADmxpZD0xNTgyNTAyNzI0AAAABwAAAAAAAAAIAAAABQAAAAV0b2tlbgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAQAAAAFUhvc3Q6IHd3dy5wYW5kb3JhLmNvbQAAAAcAAAAAAAAABQAAAANyaWQAAAAJAAAADmxpZD0xNTgyNTAyNzI0AAAACQAAAB9tZXRob2Q9Z2V0U2VhcmNoUmVjb21tZW5kYXRpb25zAAAABwAAAAEAAAADAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
polling_time
1000
port_number
80
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCnOM3nXx+7HBhkbDd+AwFrFisSunK999w2tM0uTpuuEiBalcJhcL+QgQWtf6S7zPp5hjImG+2YcPl18geU4f5JlSPXHwilbK4DFb/ePWyKFjhrA7emVRqhM21QMlo1ANsn14rY/RO2pzuft8P7TXoIjjI/B2GGVuzYNZX6X4I2EwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
7.382016e+08
unknown2
AAAABAAAAAIAAAAQAAAAAgAAABAAAAACAAAADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/radio/xmlrpc/v35
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Blocklisted process makes network request 6 IoCs

Processes:

rundll32.exe

flow pid process

11 4680 rundll32.exe
12 4680 rundll32.exe
13 4680 rundll32.exe
46 4680 rundll32.exe
47 4680 rundll32.exe
56 4680 rundll32.exe

flow	pid	process
11	4680	rundll32.exe
12	4680	rundll32.exe
13	4680	rundll32.exe
46	4680	rundll32.exe
47	4680	rundll32.exe
56	4680	rundll32.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

7e3a6c1639668f468cbc03704bba47d70851775b3666bc58ab98cded79154e03.exeServis.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	7e3a6c1639668f468cbc03704bba47d70851775b3666bc58ab98cded79154e03.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	Servis.exe

Executes dropped EXE 2 IoCs

Processes:

Servis.exeUAC.exe

pid process

4944 Servis.exe
4868 UAC.exe

pid	process
4944	Servis.exe
4868	UAC.exe

Drops file in System32 directory 4 IoCs

Processes:

rundll32.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	rundll32.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

UAC.exe

description pid process target process

PID 4868 set thread context of 4680 4868 UAC.exe rundll32.exe

description	pid	process	target process
PID 4868 set thread context of 4680	4868	UAC.exe	rundll32.exe

Drops file in Windows directory 5 IoCs

Processes:

7e3a6c1639668f468cbc03704bba47d70851775b3666bc58ab98cded79154e03.exe

description	ioc	process
File created	C:\Windows\__tmp_rar_sfx_access_check_240544140	7e3a6c1639668f468cbc03704bba47d70851775b3666bc58ab98cded79154e03.exe
File created	C:\Windows\Servis.exe	7e3a6c1639668f468cbc03704bba47d70851775b3666bc58ab98cded79154e03.exe
File opened for modification	C:\Windows\Servis.exe	7e3a6c1639668f468cbc03704bba47d70851775b3666bc58ab98cded79154e03.exe
File created	C:\Windows\UAC.exe	7e3a6c1639668f468cbc03704bba47d70851775b3666bc58ab98cded79154e03.exe
File opened for modification	C:\Windows\UAC.exe	7e3a6c1639668f468cbc03704bba47d70851775b3666bc58ab98cded79154e03.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 3 IoCs

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	rundll32.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

powershell.exepowershell.exerundll32.exe

pid	process
1568	powershell.exe
1568	powershell.exe
1592	powershell.exe
1592	powershell.exe
4680	rundll32.exe
4680	rundll32.exe
4680	rundll32.exe
4680	rundll32.exe
4680	rundll32.exe
4680	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3116 Explorer.EXE

pid	process
3116	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

7e3a6c1639668f468cbc03704bba47d70851775b3666bc58ab98cded79154e03.exepowershell.exepowershell.exeExplorer.EXE

description	pid	process
Token: SeSecurityPrivilege	2368	7e3a6c1639668f468cbc03704bba47d70851775b3666bc58ab98cded79154e03.exe
Token: SeRestorePrivilege	2368	7e3a6c1639668f468cbc03704bba47d70851775b3666bc58ab98cded79154e03.exe
Token: SeDebugPrivilege	1568	powershell.exe
Token: SeDebugPrivilege	1592	powershell.exe
Token: SeShutdownPrivilege	3116	Explorer.EXE
Token: SeCreatePagefilePrivilege	3116	Explorer.EXE
Token: SeShutdownPrivilege	3116	Explorer.EXE
Token: SeCreatePagefilePrivilege	3116	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

3116 Explorer.EXE
3116 Explorer.EXE

pid	process
3116	Explorer.EXE
3116	Explorer.EXE

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

7e3a6c1639668f468cbc03704bba47d70851775b3666bc58ab98cded79154e03.exeServis.execmd.exeUAC.exerundll32.exe

description	pid	process	target process
PID 2368 wrote to memory of 4944	2368	7e3a6c1639668f468cbc03704bba47d70851775b3666bc58ab98cded79154e03.exe	Servis.exe
PID 2368 wrote to memory of 4944	2368	7e3a6c1639668f468cbc03704bba47d70851775b3666bc58ab98cded79154e03.exe	Servis.exe
PID 2368 wrote to memory of 4944	2368	7e3a6c1639668f468cbc03704bba47d70851775b3666bc58ab98cded79154e03.exe	Servis.exe
PID 4944 wrote to memory of 2016	4944	Servis.exe	cmd.exe
PID 4944 wrote to memory of 2016	4944	Servis.exe	cmd.exe
PID 2016 wrote to memory of 1568	2016	cmd.exe	powershell.exe
PID 2016 wrote to memory of 1568	2016	cmd.exe	powershell.exe
PID 2016 wrote to memory of 1592	2016	cmd.exe	powershell.exe
PID 2016 wrote to memory of 1592	2016	cmd.exe	powershell.exe
PID 4868 wrote to memory of 4680	4868	UAC.exe	rundll32.exe
PID 4868 wrote to memory of 4680	4868	UAC.exe	rundll32.exe
PID 4868 wrote to memory of 4680	4868	UAC.exe	rundll32.exe
PID 4868 wrote to memory of 4680	4868	UAC.exe	rundll32.exe
PID 4680 wrote to memory of 3116	4680	rundll32.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3116

C:\Users\Admin\AppData\Local\Temp\7e3a6c1639668f468cbc03704bba47d70851775b3666bc58ab98cded79154e03.exe
"C:\Users\Admin\AppData\Local\Temp\7e3a6c1639668f468cbc03704bba47d70851775b3666bc58ab98cded79154e03.exe"
2⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2368

C:\Windows\Servis.exe
"C:\Windows\Servis.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4944

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\6D45.tmp\6D46.tmp\6D47.bat C:\Windows\Servis.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -executionpolicy bypass -command "New-Service -Name UAC -BinaryPathName C:\Windows\UAC.exe"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1568

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -executionpolicy bypass -command "Start-Service -Name UAC -PassThru"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1592

C:\Windows\UAC.exe
C:\Windows\UAC.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4868

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\System32\rundll32.exe
2⤵
- Blocklisted process makes network request
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4680

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
92f89789864052cac0862ed6b4f1e706

SHA1
aa6594951427e103fa025c8ebef3ec5a5f85866c

SHA256
73123d6e562b26b1fd2cf4fece67930d95fc4738bad8d1f386345a5311274739

SHA512
71a0261ee6ffcd2e9bb336dde7110f80ac6fa01df5433e77cc170649b7936653d89229255fbeac15692e8736c9f3e5d15d62b2372865fe3d7ab933c511c2894e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
0ff7e1af4cc86e108eef582452b35523

SHA1
c2ccf2811d56c3a3a58dced2b07f95076c6b5b96

SHA256
62ed8ef2250f9f744852cb67df0286c80f94e26aed646989b76e5b78f2f1f0d0

SHA512
374675fd36cd8bc38acaec44d4cc855b85feece548d99616496d498e61e943fd695fec7c57550a58a32455e8b21b41bafa18cd1dadac69676fff1de1a56da937

Download Submit
C:\Users\Admin\AppData\Local\Temp\6D45.tmp\6D46.tmp\6D47.bat
Filesize
211B

MD5
ceb3c06960136b0e3ebadca62fdf415e

SHA1
8b67ec15381aad2453ad9f78f9ebd469de1a2925

SHA256
d821ecc0208b6fcb11311f7c0abc45f640da48c09a37051da3320676495d5b16

SHA512
9cf6ea5b486b33add21944225e6cc62fd2402628caf43d76ac3dfdb58ea4a3c965489de627c0c11d7a26065ae4d158ff687860ac0d3fe2dd5a502912100fb9d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_u2ttnzew.qtk.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\Servis.exe
Filesize
87KB

MD5
461938519e0d15b209cf0da74d686e05

SHA1
f7a21d413eba8ee1b8c82546cb1d0396aea6dc73

SHA256
013f4ea44e1685269f940dced55d46485393c9a58160c79de69eed2f470ac82b

SHA512
33640f9d37838b9ecbe842623980eafe24c9fc58e0ab26ee87d97de2edaa709879f593bc383638ba0af1c0f9917bb1c0c1b09762e72f174dbbb39c51c7a51f1e

Download Submit
C:\Windows\Servis.exe
Filesize
87KB

MD5
461938519e0d15b209cf0da74d686e05

SHA1
f7a21d413eba8ee1b8c82546cb1d0396aea6dc73

SHA256
013f4ea44e1685269f940dced55d46485393c9a58160c79de69eed2f470ac82b

SHA512
33640f9d37838b9ecbe842623980eafe24c9fc58e0ab26ee87d97de2edaa709879f593bc383638ba0af1c0f9917bb1c0c1b09762e72f174dbbb39c51c7a51f1e

Download Submit
C:\Windows\Servis.exe
Filesize
87KB

MD5
461938519e0d15b209cf0da74d686e05

SHA1
f7a21d413eba8ee1b8c82546cb1d0396aea6dc73

SHA256
013f4ea44e1685269f940dced55d46485393c9a58160c79de69eed2f470ac82b

SHA512
33640f9d37838b9ecbe842623980eafe24c9fc58e0ab26ee87d97de2edaa709879f593bc383638ba0af1c0f9917bb1c0c1b09762e72f174dbbb39c51c7a51f1e

Download Submit
C:\Windows\UAC.exe
Filesize
282KB

MD5
d8c81b67c27140970e704edb6e0faf63

SHA1
43d91226c004d2b5538c4e057cd05eb9b52166be

SHA256
da68308adf531b3dc93d7443669bfe84650c6fea041e3fdb63b4703b1be1cc5b

SHA512
5ec9cb623987ae9ac524a5de02ae1ace0e3cc549cb134fa056d2c257dffafb51fb55c47fbdea29a6c9d215ea6b1b63baf6f3ebba81bc2118dac508d7c68d2268

Download Submit
C:\Windows\UAC.exe
Filesize
282KB

MD5
d8c81b67c27140970e704edb6e0faf63

SHA1
43d91226c004d2b5538c4e057cd05eb9b52166be

SHA256
da68308adf531b3dc93d7443669bfe84650c6fea041e3fdb63b4703b1be1cc5b

SHA512
5ec9cb623987ae9ac524a5de02ae1ace0e3cc549cb134fa056d2c257dffafb51fb55c47fbdea29a6c9d215ea6b1b63baf6f3ebba81bc2118dac508d7c68d2268

Download Submit
memory/1568-158-0x00000227F4CA0000-0x00000227F4CB0000-memory.dmp

Filesize
64KB

Download
memory/1568-159-0x00000227F4CA0000-0x00000227F4CB0000-memory.dmp

Filesize
64KB

Download
memory/1568-153-0x00000227F5600000-0x00000227F5622000-memory.dmp

Filesize
136KB

Download
memory/1592-180-0x0000028D33DD0000-0x0000028D33DE0000-memory.dmp

Filesize
64KB

Download
memory/1592-163-0x0000028D33DD0000-0x0000028D33DE0000-memory.dmp

Filesize
64KB

Download
memory/1592-172-0x0000028D33DD0000-0x0000028D33DE0000-memory.dmp

Filesize
64KB

Download
memory/3116-184-0x00000000006E0000-0x00000000006F5000-memory.dmp

Filesize
84KB

Download
memory/3116-185-0x0000000000750000-0x0000000000769000-memory.dmp

Filesize
100KB

Download
memory/4680-177-0x0000000000110000-0x0000000000144000-memory.dmp

Filesize
208KB

Download
memory/4680-181-0x00000000005F0000-0x000000000062E000-memory.dmp

Filesize
248KB

Download
memory/4680-183-0x00000000005F0000-0x000000000062E000-memory.dmp

Filesize
248KB

Download
memory/4680-187-0x00000000016E0000-0x00000000016E1000-memory.dmp

Filesize
4KB

Download
memory/4680-186-0x00000000013C0000-0x00000000013C1000-memory.dmp

Filesize
4KB

Download
memory/4680-188-0x00000000013C0000-0x00000000013C1000-memory.dmp

Filesize
4KB

Download
memory/4868-179-0x0000000000D30000-0x0000000000D7D000-memory.dmp

Filesize
308KB

Download