cobaltstrike | 139cdb6becf2a2fa239d1f35acfc2db3f913afa6591b87d44b5e9d9b531dfa86

General

Target

ce8bface0c9e56ab96d4bc06b76083aa.exe
Size

2.7MB
MD5

ce8bface0c9e56ab96d4bc06b76083aa
SHA1

67a648847de158f40ac710dfb90a17d2ff49b9a6
SHA256

635eec28f0b72fb0b6a1542766ec4773559579e37dd7949fa41f57e386c3adfd
SHA512

57a141fd8fff049dad91458d84755a909bb90ccd8c879ce1928897acada96cc06d5c6e63c6a936c8ac9314734acf4b6d28404f67beb0263c883215eb620dc1f9
SSDEEP

49152:hRkjGFXsl3Pza68rb/T3vO90d7HjmAFd4A64nsfJjAKhH4+stNms6zo0qYgNCUOG:Ol3PbstNms6zoSGppTOZ

Score

10^/10

cobaltstrike backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

C2

http://192.168.20.15:801/9Ekt

Attributes

user_agent
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

cmd.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation cmd.exe
Executes dropped EXE 1 IoCs

Processes:

artifact.exe

pid process

364 artifact.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	cmd.exe

pid	process
364	artifact.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings cmd.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

3600 EXCEL.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EXCEL.EXE

pid process

3600 EXCEL.EXE
3600 EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings	cmd.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXE

pid	process
3600	EXCEL.EXE
3600	EXCEL.EXE
3600	EXCEL.EXE
3600	EXCEL.EXE
3600	EXCEL.EXE
3600	EXCEL.EXE
3600	EXCEL.EXE
3600	EXCEL.EXE
3600	EXCEL.EXE
3600	EXCEL.EXE
3600	EXCEL.EXE
3600	EXCEL.EXE

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

ce8bface0c9e56ab96d4bc06b76083aa.execmd.exe

description	pid	process	target process
PID 2020 wrote to memory of 2012	2020	ce8bface0c9e56ab96d4bc06b76083aa.exe	cmd.exe
PID 2020 wrote to memory of 2012	2020	ce8bface0c9e56ab96d4bc06b76083aa.exe	cmd.exe
PID 2020 wrote to memory of 364	2020	ce8bface0c9e56ab96d4bc06b76083aa.exe	artifact.exe
PID 2020 wrote to memory of 364	2020	ce8bface0c9e56ab96d4bc06b76083aa.exe	artifact.exe
PID 2012 wrote to memory of 3600	2012	cmd.exe	EXCEL.EXE
PID 2012 wrote to memory of 3600	2012	cmd.exe	EXCEL.EXE
PID 2012 wrote to memory of 3600	2012	cmd.exe	EXCEL.EXE

C:\Users\Admin\AppData\Local\Temp\ce8bface0c9e56ab96d4bc06b76083aa.exe
"C:\Users\Admin\AppData\Local\Temp\ce8bface0c9e56ab96d4bc06b76083aa.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\system32\cmd.exe
cmd " /c " C:\Users\Public\202303141145服务器报备.xls
2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2012

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Public\202303141145服务器报备.xls"
3⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3600

C:\Users\Public\artifact.exe
C:\Users\Public\artifact.exe
2⤵
- Executes dropped EXE
PID:364

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
Filesize
267B

MD5
c1d6ae145462dc687b3b45a0036a68b6

SHA1
ebd661672df2aa6d71c89a8b18053d9a2637e9a0

SHA256
9ae9f1a85a410c0e6380c996deaa6dc21bde1cee26b027460b6193a7ed6f11dc

SHA512
c02076ef5616c2fdef1e80c3fb62aeac15f5d58b85e129f2cf2cddb6440e1c1be113f52623e8236297c0bf67059d0b82ab2255d0a8aa0688724a021ded76f9fa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
Filesize
24B

MD5
4fcb2a3ee025e4a10d21e1b154873fe2

SHA1
57658e2fa594b7d0b99d02e041d0f3418e58856b

SHA256
90bf6baa6f968a285f88620fbf91e1f5aa3e66e2bad50fd16f37913280ad8228

SHA512
4e85d48db8c0ee5c4dd4149ab01d33e4224456c3f3e3b0101544a5ca87a0d74b3ccd8c0509650008e2abed65efd1e140b1e65ae5215ab32de6f6a49c9d3ec3ff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
Filesize
975B

MD5
07fbebf7379c4874e32bfad6e6820613

SHA1
7516c77a3c6765098a17d6f3a01fba9f6921b44b

SHA256
33840ee60749dc75f1fce1c520dc49f3e46950989e5fe5f5571102ec0879c65b

SHA512
e2be53d08849b4c2c12e47af005d1d9ad19b48d487c7fc0a7dc33d65b91ad6b800d12e40bc4953c29d9eb81303cca2f2635b926e765979eddeda9401430ed0bb

Download Submit
C:\Users\Public\202303141145服务器报备.xls
Filesize
22KB

MD5
42c5a8424fba34b4156ffb3d46b2842e

SHA1
b9fe363d1c4ef205d1600094834c14f47cdb224b

SHA256
c68995eee773f8a9056e827ba8cc5105a500695568fee7076766dfd0d5ce6a43

SHA512
a533423272399892bce2c4c2e165bedcaab250a73c3dff7d9742e27039dc9492b6e5d1c77561a9f80a3bc491696a5bab7ba256701ddf540c289e58c2a7ba68ab

Download Submit
C:\Users\Public\artifact.exe
Filesize
17KB

MD5
73b99609558c5b59b5a8a1c1b395ac86

SHA1
ed7cf719433928bf68664644e57047f2ca817978

SHA256
ce10ad6ad10f8bab57fca84288487a0da754f63946bece5bea01cb36d83b7779

SHA512
d1d2830ff1521a4c14f7357dd41be44b6c4d8fd8bd56582108d0d4583cf73ed1e5a667446929e1e44889e45e592cb5f4128b1b68010aca74f71a7db422a53c01

Download Submit
C:\Users\Public\artifact.exe
Filesize
17KB

MD5
73b99609558c5b59b5a8a1c1b395ac86

SHA1
ed7cf719433928bf68664644e57047f2ca817978

SHA256
ce10ad6ad10f8bab57fca84288487a0da754f63946bece5bea01cb36d83b7779

SHA512
d1d2830ff1521a4c14f7357dd41be44b6c4d8fd8bd56582108d0d4583cf73ed1e5a667446929e1e44889e45e592cb5f4128b1b68010aca74f71a7db422a53c01

Download Submit
memory/364-140-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/364-165-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3600-142-0x00007FFE81F90000-0x00007FFE81FA0000-memory.dmp

Filesize
64KB

Download
memory/3600-146-0x00007FFE7F730000-0x00007FFE7F740000-memory.dmp

Filesize
64KB

Download
memory/3600-147-0x00007FFE7F730000-0x00007FFE7F740000-memory.dmp

Filesize
64KB

Download
memory/3600-145-0x00007FFE81F90000-0x00007FFE81FA0000-memory.dmp

Filesize
64KB

Download
memory/3600-144-0x00007FFE81F90000-0x00007FFE81FA0000-memory.dmp

Filesize
64KB

Download
memory/3600-143-0x00007FFE81F90000-0x00007FFE81FA0000-memory.dmp

Filesize
64KB

Download
memory/3600-141-0x00007FFE81F90000-0x00007FFE81FA0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads