cobaltstrike | d1637967a88f046ace84c96c1ba9fba01087dd3a47f567604b572dff6b73828f

Analysis

max time kernel
83s
max time network
86s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
04/05/2023, 11:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d1637967a88f046ace84c96c1ba9fba01087dd3a47f567604b572dff6b73828f.exe
Size

509KB
MD5

dbaca065859d7bf7bb697b0ccafc4648
SHA1

17ffec863ebbd16459c6374b9b44c32e9fceb933
SHA256

d1637967a88f046ace84c96c1ba9fba01087dd3a47f567604b572dff6b73828f
SHA512

0b7508c9e0bef1361304cad0715d66efed3b669a26e25500a15ccc1987b105b5ba56b41db740a2a656582803cd0944a35b6c3998fae7b099d77c63a5bad93763
SSDEEP

12288:ehqxSLo5C1Ps4Xh+NX+tW98W3qm6zq8AXuETktXT:eHLmCiIh4ITu8DCkF

Score

10^/10

cobaltstrike backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

http://47.99.182.25:7025/3vEo

Attributes

user_agent
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Executes dropped EXE 3 IoCs

pid	Process
1184	system.exe
1308	Process not Found
1420	FuckMe.exe

Loads dropped DLL 4 IoCs

pid	Process
1048	d1637967a88f046ace84c96c1ba9fba01087dd3a47f567604b572dff6b73828f.exe
1308	Process not Found
1716	cmd.exe
1716	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1048	d1637967a88f046ace84c96c1ba9fba01087dd3a47f567604b572dff6b73828f.exe
Token: SeRestorePrivilege	1048	d1637967a88f046ace84c96c1ba9fba01087dd3a47f567604b572dff6b73828f.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 1184	1048	d1637967a88f046ace84c96c1ba9fba01087dd3a47f567604b572dff6b73828f.exe	27
PID 1048 wrote to memory of 1184	1048	d1637967a88f046ace84c96c1ba9fba01087dd3a47f567604b572dff6b73828f.exe	27
PID 1048 wrote to memory of 1184	1048	d1637967a88f046ace84c96c1ba9fba01087dd3a47f567604b572dff6b73828f.exe	27
PID 1048 wrote to memory of 1184	1048	d1637967a88f046ace84c96c1ba9fba01087dd3a47f567604b572dff6b73828f.exe	27
PID 1184 wrote to memory of 1716	1184	system.exe	28
PID 1184 wrote to memory of 1716	1184	system.exe	28
PID 1184 wrote to memory of 1716	1184	system.exe	28
PID 1716 wrote to memory of 1420	1716	cmd.exe	30
PID 1716 wrote to memory of 1420	1716	cmd.exe	30
PID 1716 wrote to memory of 1420	1716	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\d1637967a88f046ace84c96c1ba9fba01087dd3a47f567604b572dff6b73828f.exe
"C:\Users\Admin\AppData\Local\Temp\d1637967a88f046ace84c96c1ba9fba01087dd3a47f567604b572dff6b73828f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Users\Admin\AppData\Local\Temp\system.exe
  "C:\Users\Admin\AppData\Local\Temp\system.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1184
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c FuckMe.exe 10086 10086.bin && exit
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1716
  - - C:\Users\Admin\AppData\Local\Temp\FuckMe.exe
      FuckMe.exe 10086 10086.bin
      4⤵
      Executes dropped EXE
      PID:1420

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\10086.bin

Filesize
926B

MD5
24145d39c941719c645bb7a97e525fcb

SHA1
fe5adc50f93eb11f5d593e6b3182f8a65501f912

SHA256
bd468838b65af3ba45b69c74c4ffbc7117eab57799c67687642f7b8e4d11f4e7

SHA512
212fd461edd72126c41dc8174d2bb6e8a01987d4125ded53292e6f3da7bc8404a1951ebc604fe1669cc8e132021e4cb7a99651524f1be346f4ed5d2d50783450

Download Submit
C:\Users\Admin\AppData\Local\Temp\FuckMe.exe

Filesize
434KB

MD5
dc2395399a2384ad594250d295d90838

SHA1
8abc3e28f556941a2cbbdc7cc39cf92e8086d4eb

SHA256
e20b5bc90f15af69c79164280ab77053ad7494475f7d0a2900a116b0b858aa15

SHA512
e6a3992bc7498cf4fda9a97946b64f941dd0601e76360265ac2c697a0c11bbe0e5cfe74fa11a1f070310e8323d98678c41ac17185829eed415e402b5764f1ab3

Download Submit
C:\Users\Admin\AppData\Local\Temp\FuckMe.exe

Filesize
434KB

MD5
dc2395399a2384ad594250d295d90838

SHA1
8abc3e28f556941a2cbbdc7cc39cf92e8086d4eb

SHA256
e20b5bc90f15af69c79164280ab77053ad7494475f7d0a2900a116b0b858aa15

SHA512
e6a3992bc7498cf4fda9a97946b64f941dd0601e76360265ac2c697a0c11bbe0e5cfe74fa11a1f070310e8323d98678c41ac17185829eed415e402b5764f1ab3

Download Submit
C:\Users\Admin\AppData\Local\Temp\system.exe

Filesize
11KB

MD5
000351c27a51169f24609a07df2dd0a3

SHA1
6a4c5459ee3e029edbecc6222e41d1d6b7e3b242

SHA256
5453f08327ecd778658b5154711d474f2133e4973820ae35541de9826eb10d20

SHA512
654d65d29e06d6e7654b23ea02d8773d2466e1e671955242ea34680010255e2075109be713d7e445fe1893400e78af767de844d8621991f6b15a59073e4f8826

Download Submit
C:\Users\Admin\AppData\Local\Temp\system.exe

Filesize
11KB

MD5
000351c27a51169f24609a07df2dd0a3

SHA1
6a4c5459ee3e029edbecc6222e41d1d6b7e3b242

SHA256
5453f08327ecd778658b5154711d474f2133e4973820ae35541de9826eb10d20

SHA512
654d65d29e06d6e7654b23ea02d8773d2466e1e671955242ea34680010255e2075109be713d7e445fe1893400e78af767de844d8621991f6b15a59073e4f8826

Download Submit
\Users\Admin\AppData\Local\Temp\FuckMe.exe

Filesize
434KB

MD5
dc2395399a2384ad594250d295d90838

SHA1
8abc3e28f556941a2cbbdc7cc39cf92e8086d4eb

SHA256
e20b5bc90f15af69c79164280ab77053ad7494475f7d0a2900a116b0b858aa15

SHA512
e6a3992bc7498cf4fda9a97946b64f941dd0601e76360265ac2c697a0c11bbe0e5cfe74fa11a1f070310e8323d98678c41ac17185829eed415e402b5764f1ab3

Download Submit
\Users\Admin\AppData\Local\Temp\FuckMe.exe

Filesize
434KB

MD5
dc2395399a2384ad594250d295d90838

SHA1
8abc3e28f556941a2cbbdc7cc39cf92e8086d4eb

SHA256
e20b5bc90f15af69c79164280ab77053ad7494475f7d0a2900a116b0b858aa15

SHA512
e6a3992bc7498cf4fda9a97946b64f941dd0601e76360265ac2c697a0c11bbe0e5cfe74fa11a1f070310e8323d98678c41ac17185829eed415e402b5764f1ab3

Download Submit
\Users\Admin\AppData\Local\Temp\system.exe

Filesize
11KB

MD5
000351c27a51169f24609a07df2dd0a3

SHA1
6a4c5459ee3e029edbecc6222e41d1d6b7e3b242

SHA256
5453f08327ecd778658b5154711d474f2133e4973820ae35541de9826eb10d20

SHA512
654d65d29e06d6e7654b23ea02d8773d2466e1e671955242ea34680010255e2075109be713d7e445fe1893400e78af767de844d8621991f6b15a59073e4f8826

Download Submit
\Users\Admin\AppData\Local\Temp\system.exe

Filesize
11KB

MD5
000351c27a51169f24609a07df2dd0a3

SHA1
6a4c5459ee3e029edbecc6222e41d1d6b7e3b242

SHA256
5453f08327ecd778658b5154711d474f2133e4973820ae35541de9826eb10d20

SHA512
654d65d29e06d6e7654b23ea02d8773d2466e1e671955242ea34680010255e2075109be713d7e445fe1893400e78af767de844d8621991f6b15a59073e4f8826

Download Submit
\Users\Admin\AppData\Local\Temp\system.exe

Filesize
11KB

MD5
000351c27a51169f24609a07df2dd0a3

SHA1
6a4c5459ee3e029edbecc6222e41d1d6b7e3b242

SHA256
5453f08327ecd778658b5154711d474f2133e4973820ae35541de9826eb10d20

SHA512
654d65d29e06d6e7654b23ea02d8773d2466e1e671955242ea34680010255e2075109be713d7e445fe1893400e78af767de844d8621991f6b15a59073e4f8826

Download Submit
memory/1420-100-0x00000000001C0000-0x00000000002C0000-memory.dmp

Filesize
1024KB

Download
memory/1420-105-0x00000000001C0000-0x00000000002C0000-memory.dmp

Filesize
1024KB

Download
memory/1420-91-0x00000000001C0000-0x00000000002C0000-memory.dmp

Filesize
1024KB

Download
memory/1420-93-0x00000000001C0000-0x00000000002C0000-memory.dmp

Filesize
1024KB

Download
memory/1420-94-0x00000000001C0000-0x00000000002C0000-memory.dmp

Filesize
1024KB

Download
memory/1420-95-0x00000000001C0000-0x00000000002C0000-memory.dmp

Filesize
1024KB

Download
memory/1420-96-0x00000000001C0000-0x00000000002C0000-memory.dmp

Filesize
1024KB

Download
memory/1420-97-0x00000000001C0000-0x00000000002C0000-memory.dmp

Filesize
1024KB

Download
memory/1420-98-0x00000000001C0000-0x00000000002C0000-memory.dmp

Filesize
1024KB

Download
memory/1420-99-0x00000000001C0000-0x00000000002C0000-memory.dmp

Filesize
1024KB

Download
memory/1420-90-0x00000000001C0000-0x00000000002C0000-memory.dmp

Filesize
1024KB

Download
memory/1420-101-0x00000000001C0000-0x00000000002C0000-memory.dmp

Filesize
1024KB

Download
memory/1420-102-0x00000000001C0000-0x00000000002C0000-memory.dmp

Filesize
1024KB

Download
memory/1420-103-0x00000000001C0000-0x00000000002C0000-memory.dmp

Filesize
1024KB

Download
memory/1420-104-0x00000000001C0000-0x00000000002C0000-memory.dmp

Filesize
1024KB

Download
memory/1420-92-0x00000000001C0000-0x00000000002C0000-memory.dmp

Filesize
1024KB

Download
memory/1420-106-0x00000000001C0000-0x00000000002C0000-memory.dmp

Filesize
1024KB

Download
memory/1420-107-0x00000000001C0000-0x00000000002C0000-memory.dmp

Filesize
1024KB

Download
memory/1420-108-0x00000000001C0000-0x00000000002C0000-memory.dmp

Filesize
1024KB

Download
memory/1420-109-0x00000000001C0000-0x00000000002C0000-memory.dmp

Filesize
1024KB

Download
memory/1420-110-0x00000000001C0000-0x00000000002C0000-memory.dmp

Filesize
1024KB

Download
memory/1420-111-0x00000000001C0000-0x00000000002C0000-memory.dmp

Filesize
1024KB

Download
memory/1420-112-0x00000000001C0000-0x00000000002C0000-memory.dmp

Filesize
1024KB

Download
memory/1420-113-0x00000000001C0000-0x00000000002C0000-memory.dmp

Filesize
1024KB

Download
memory/1420-114-0x00000000001C0000-0x00000000002C0000-memory.dmp

Filesize
1024KB

Download
memory/1420-115-0x00000000001C0000-0x00000000002C0000-memory.dmp

Filesize
1024KB

Download
memory/1420-116-0x00000000001C0000-0x00000000002C0000-memory.dmp

Filesize
1024KB

Download
memory/1420-117-0x00000000001C0000-0x00000000002C0000-memory.dmp

Filesize
1024KB

Download
memory/1420-118-0x00000000001C0000-0x00000000002C0000-memory.dmp

Filesize
1024KB

Download
memory/1420-119-0x00000000001C0000-0x00000000002C0000-memory.dmp

Filesize
1024KB

Download