cobaltstrike | ee17c806a1c41f64ab9b68bbdab802c06a9da8890afb5cea2f66b544b88eaed9

Analysis

max time kernel
143s
max time network
149s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
24-03-2023 08:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Downloads/cde34053c215372ba47c1c8fbd6b25a7.exe
Size

586KB
MD5

cde34053c215372ba47c1c8fbd6b25a7
SHA1

6958eea76c1097ef9c205e734c4baf93b0f47e04
SHA256

c243a13a3604d8c29d04b46eebbbd590f1d5b1d39ae5be93f800763a5a592a6e
SHA512

f6e018d9454c206a6b3449d4a6162c59c21cef8a832270b66b6a125e5bd1dca2f1048e0e85b4da594403b9c2218908d42f61d7593aa79f009486b7f927a77f14
SSDEEP

12288:/k5L2FqPvuuuuuuuuuz95QRuLtH/J2IW+xItN7dmqJCt4I3U:/2yQPK3COHEvhVaK/

Score

10^/10

cobaltstrike 666666 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

666666

http://43.143.225.146:8443/level/v5.7/AZF0ZH83YKV

Attributes

access_type
512
beacon_type
2048
host
43.143.225.146,/level/v5.7/AZF0ZH83YKV
http_header1
AAAACgAAACxBY2NlcHQ6IGltYWdlLyosIGFwcGxpY2F0aW9uL2pzb24sIHRleHQvaHRtbAAAAAoAAAAWQWNjZXB0LUxhbmd1YWdlOiByby1tZAAAAAoAAAAfQWNjZXB0LUVuY29kaW5nOiBpZGVudGl0eSwgZ3ppcAAAAAcAAAAAAAAADwAAAAsAAAACAAAAJDlZX0dZQlBXNVNTU1FZNVFZSUNXTDdTMVpKOU1VTFdBVjE0PQAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAADFBY2NlcHQ6IHRleHQvaHRtbCwgYXBwbGljYXRpb24veGh0bWwreG1sLCBpbWFnZS8qAAAACgAAABNBY2NlcHQtTGFuZ3VhZ2U6IGJlAAAACgAAABxBY2NlcHQtRW5jb2Rpbmc6ICosIGNvbXByZXNzAAAABwAAAAAAAAAPAAAADQAAAAUAAAAJX05QSFZUVkVaAAAABwAAAAEAAAAPAAAADQAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
8704
polling_time
63580
port_number
8443
sc_process32
%windir%\syswow64\getmac.exe /V
sc_process64
%windir%\sysnative\systray.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC53EG450Ux+rh7A05/O3iLUyU7CVL1EdIDVu98Sx0RIOam+KhO+TQPZ27BfnYKRCivOu0kxd6A+2eI4PMO4M17etouh/qiRyb2csLTbLWMO5p2AmGCFMaEsm7ZkuCtw1SIb72SbhCAWZCwug9MHsoddP+uDk/GzLZuB1BUJ8MLWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
1.241980928e+09
unknown2
AAAABAAAAAEAAAOhAAAAAgAAA6EAAAALAAAADwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/sub/developement/ZPC8QJVNZBY
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36
watermark
666666

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Executes dropped EXE 1 IoCs

Processes:

poso.exe

pid process

272 poso.exe
Loads dropped DLL 2 IoCs

Processes:

cde34053c215372ba47c1c8fbd6b25a7.exeposo.exe

pid process

1724 cde34053c215372ba47c1c8fbd6b25a7.exe
272 poso.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
272	poso.exe

pid	process
1724	cde34053c215372ba47c1c8fbd6b25a7.exe
272	poso.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

cde34053c215372ba47c1c8fbd6b25a7.exe

description	pid	process	target process
PID 1724 wrote to memory of 272	1724	cde34053c215372ba47c1c8fbd6b25a7.exe	poso.exe
PID 1724 wrote to memory of 272	1724	cde34053c215372ba47c1c8fbd6b25a7.exe	poso.exe
PID 1724 wrote to memory of 272	1724	cde34053c215372ba47c1c8fbd6b25a7.exe	poso.exe
PID 1724 wrote to memory of 272	1724	cde34053c215372ba47c1c8fbd6b25a7.exe	poso.exe

C:\Users\Admin\AppData\Local\Temp\Downloads\cde34053c215372ba47c1c8fbd6b25a7.exe
"C:\Users\Admin\AppData\Local\Temp\Downloads\cde34053c215372ba47c1c8fbd6b25a7.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1724

C:\Users\Public\Libraries\poso.exe
"C:\Users\Public\Libraries\poso.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:272

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
61KB

MD5
e71c8443ae0bc2e282c73faead0a6dd3

SHA1
0c110c1b01e68edfacaeae64781a37b1995fa94b

SHA256
95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

SHA512
b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar45B0.tmp
Filesize
161KB

MD5
be2bec6e8c5653136d3e72fe53c98aa3

SHA1
a8182d6db17c14671c3d5766c72e58d87c0810de

SHA256
1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd

SHA512
0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

Download Submit
C:\Users\Public\Libraries\Public.avi
Filesize
259KB

MD5
42717fabe6bd5bc3ad0525b4e2f798cb

SHA1
a375801df689de89ccf76d3809d4c0312ae9b6b4

SHA256
208f27df0b90098d7034c5b1525db5955abf56add5a7392f77bc1d1b63fc6044

SHA512
bcd8f51e054d1b5723ceb34e76d6f2c43c470c99eeac6e4be7a2064cf970f1f7d01b639880a4463a1e53d6391d5d6fa3e93f0bb88052eb1cba1867726c256bb5

Download Submit
C:\Users\Public\Libraries\calibre-launcher.dll
Filesize
263KB

MD5
c7ce5c2433a4611b178b9a96fd9fee51

SHA1
2d4a3820be3a714e054249cc08de9262f6015f27

SHA256
7bad55073d046baba4e9a9e1ac4167c096e9577d6e7b2edd3ae79e1ce13e4681

SHA512
7b732c013a9f58547a75f58a8f49de2f454a926b05518e57971e3d8e799994fdc2d481d85deb072fb347f3d318a913fb4a45176e514370c9e2b9ad3b37991d06

Download Submit
C:\Users\Public\Libraries\poso.exe
Filesize
85KB

MD5
0cefb63147949f535c5a13714609fa81

SHA1
1f3bd5fdb7a4694e9842a59a2ce014bd00268c3b

SHA256
eb0677c279e0ba23d3cdef33a4f8abc2e1018884647908fa8e1a97ed63752803

SHA512
456e4d9e6c56a14ad6cbe1a059b43ac13c26a487bb78492dc33d24d86e388f24b0c8d5f5ffa9aec3f643bbf4efb7da15ed2acd5fb51ea7ea03f25f0a1a9c9138

Download Submit
\Users\Public\Libraries\calibre-launcher.dll
Filesize
263KB

MD5
c7ce5c2433a4611b178b9a96fd9fee51

SHA1
2d4a3820be3a714e054249cc08de9262f6015f27

SHA256
7bad55073d046baba4e9a9e1ac4167c096e9577d6e7b2edd3ae79e1ce13e4681

SHA512
7b732c013a9f58547a75f58a8f49de2f454a926b05518e57971e3d8e799994fdc2d481d85deb072fb347f3d318a913fb4a45176e514370c9e2b9ad3b37991d06

Download Submit
\Users\Public\Libraries\poso.exe
Filesize
85KB

MD5
0cefb63147949f535c5a13714609fa81

SHA1
1f3bd5fdb7a4694e9842a59a2ce014bd00268c3b

SHA256
eb0677c279e0ba23d3cdef33a4f8abc2e1018884647908fa8e1a97ed63752803

SHA512
456e4d9e6c56a14ad6cbe1a059b43ac13c26a487bb78492dc33d24d86e388f24b0c8d5f5ffa9aec3f643bbf4efb7da15ed2acd5fb51ea7ea03f25f0a1a9c9138

Download Submit
memory/272-70-0x0000000000110000-0x0000000000151000-memory.dmp

Filesize
260KB

Download
memory/272-69-0x0000000077830000-0x000000007792A000-memory.dmp

Filesize
1000KB

Download
memory/272-68-0x0000000077930000-0x0000000077A4F000-memory.dmp

Filesize
1.1MB

Download
memory/272-73-0x000007FEBD8F0000-0x000007FEBD900000-memory.dmp

Filesize
64KB

Download
memory/272-72-0x0000000037A90000-0x0000000037AA0000-memory.dmp

Filesize
64KB

Download
memory/272-74-0x0000000001C50000-0x0000000001CD2000-memory.dmp

Filesize
520KB

Download
memory/272-76-0x000007FEBD8F0000-0x000007FEBD900000-memory.dmp

Filesize
64KB

Download
memory/272-67-0x000007FEFD900000-0x000007FEFD96C000-memory.dmp

Filesize
432KB

Download
memory/272-66-0x0000000077A50000-0x0000000077BF9000-memory.dmp

Filesize
1.7MB

Download