cobaltstrike | 209a4143f0cea579e6d3acffc2b4d873102932d91abb7514cfa5b7afcdb355ff

General

Target

26570ab9f442065765270e47672f1c486173fced5d1a4b32d4e4997fec9e58ad.ps1
Size

293KB
MD5

049cfba6fd3c0b5b4552916969d1dbec
SHA1

ab3fbce5743b8ce24be1639a8cb802ffc217e8e9
SHA256

26570ab9f442065765270e47672f1c486173fced5d1a4b32d4e4997fec9e58ad
SHA512

55684784efa5eb21eca358f7603c223927d938da4bcc14270108ec9b1d0e71bdfb99c570097e2a27ba79fb843d164c3d2b3b6f2f9b0bd3832cf8e2e4a42d774e
SSDEEP

6144:2ER6mHX+TmLD4eyg16i3RJ3rFI8kHMSTpbJN4aXsxGQZ0:2sr4ey7ihFFI3HTr/Xw0

Score

10^/10

cobaltstrike 391144938 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

391144938

C2

http://b7r.duckdns.org:443/g.pixel

Attributes

access_type
512
beacon_type
2048
host
b7r.duckdns.org,/g.pixel
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
polling_time
60000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCVW56XGpbj8qtiqp+9VElpMZo7uTvjGtVF8u4N//Lu2iiPRjAGAh/TRtYH8DN5YTHi04jD+vdqhPt5OiT+T4cqtbpydJD3GU6qXAZfHQ1GkXCTIpaqbQ1TYj4J7Rgmc8kHJq1aiFMuYpT/ewweAnBob2/lyeMEGoG1Ymo671/pqQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/submit.php
user_agent
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0; MASAJS)
watermark
391144938

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Blocklisted process makes network request 3 IoCs

Processes:

powershell.exe

flow pid process

4 696 powershell.exe
6 696 powershell.exe
7 696 powershell.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

2004 powershell.exe
696 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2004 powershell.exe
Token: SeDebugPrivilege 696 powershell.exe

flow	pid	process
4	696	powershell.exe
6	696	powershell.exe
7	696	powershell.exe

pid	process
2004	powershell.exe
696	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2004	powershell.exe
Token: SeDebugPrivilege	696	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

powershell.exe

description	pid	process	target process
PID 2004 wrote to memory of 696	2004	powershell.exe	powershell.exe
PID 2004 wrote to memory of 696	2004	powershell.exe	powershell.exe
PID 2004 wrote to memory of 696	2004	powershell.exe	powershell.exe
PID 2004 wrote to memory of 696	2004	powershell.exe	powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\26570ab9f442065765270e47672f1c486173fced5d1a4b32d4e4997fec9e58ad.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2004

\??\c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
"c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -s -NoLogo -NoProfile
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:696

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7YHCV59T8BKX4UHHLL2U.temp
Filesize
7KB

MD5
b3a119c5e3ddd85b03312a9ad266a0bc

SHA1
bc3b671e7d0762e7523e16fd2d8a329dffe3172f

SHA256
fa786311df4d018d1a654bde74aaf1b77470142e5d75bf07fea3f7c8fbb08242

SHA512
6452fdc1a41f03a087eda6073d6263e6a451a53d3c289da000284000ae77e9a5fd101504a5627894ba29adce09c5a5db13f04d4bde88e47c07e0bfe446263d65

Download Submit
memory/696-71-0x0000000005230000-0x0000000005271000-memory.dmp

Filesize
260KB

Download
memory/696-77-0x0000000005230000-0x0000000005271000-memory.dmp

Filesize
260KB

Download
memory/696-69-0x00000000023A0000-0x00000000023E0000-memory.dmp

Filesize
256KB

Download
memory/696-70-0x0000000004D50000-0x0000000004D87000-memory.dmp

Filesize
220KB

Download
memory/696-68-0x00000000023A0000-0x00000000023E0000-memory.dmp

Filesize
256KB

Download
memory/696-76-0x00000000055D0000-0x00000000055D2000-memory.dmp

Filesize
8KB

Download
memory/2004-61-0x000000001B0C0000-0x000000001B0F2000-memory.dmp

Filesize
200KB

Download
memory/2004-59-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/2004-65-0x0000000002850000-0x00000000028D0000-memory.dmp

Filesize
512KB

Download
memory/2004-60-0x000000001B0C0000-0x000000001B0F2000-memory.dmp

Filesize
200KB

Download
memory/2004-62-0x0000000002850000-0x00000000028D0000-memory.dmp

Filesize
512KB

Download
memory/2004-58-0x000000001B1D0000-0x000000001B4B2000-memory.dmp

Filesize
2.9MB

Download
memory/2004-72-0x0000000002850000-0x00000000028D0000-memory.dmp

Filesize
512KB

Download
memory/2004-73-0x0000000002850000-0x00000000028D0000-memory.dmp

Filesize
512KB

Download
memory/2004-74-0x0000000002850000-0x00000000028D0000-memory.dmp

Filesize
512KB

Download
memory/2004-75-0x0000000002850000-0x00000000028D0000-memory.dmp

Filesize
512KB

Download
memory/2004-64-0x0000000002850000-0x00000000028D0000-memory.dmp

Filesize
512KB

Download
memory/2004-63-0x0000000002850000-0x00000000028D0000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads