cobaltstrike | 33c8ee21fb63ede72a217351f7faf1fa81f731dbe8fe46f3e9c9a6dbb6d7a365

General

Target

ea81027eff6d450cb0dbf54052b4408c.exe
Size

2.4MB
MD5

ea81027eff6d450cb0dbf54052b4408c
SHA1

d37c7c31a144f2f00ba1534e08d6dbe608c6d067
SHA256

33c8ee21fb63ede72a217351f7faf1fa81f731dbe8fe46f3e9c9a6dbb6d7a365
SHA512

a18a950e1d79828708fe6d95e37e65ac4b85fe9c3f82ae3228560f96e2964685c11e3a073082784c90f2f01a23a588c9ef4ee3fa020e02c561c7fbd459601b40
SSDEEP

49152:p7SSsBt/DJkmkLbZnXZT3I8DzhtMbbFvQeQl/mlp0SonvNPGhGv:agNnpDIezbObti/mPh8NPGhGv

Score

10^/10

cobaltstrike 100000000 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

100000000

C2

http://180.97.66.35:80/common/images

http://58.243.203.35:80/common/images

http://219.151.25.35:80/common/images

http://218.93.204.35:80/common/images

http://183.147.138.35:80/common/images

http://183.131.118.35:80/common/images

Attributes

access_type
512
host
180.97.66.35,/common/images,58.243.203.35,/common/images,219.151.25.35,/common/images,218.93.204.35,/common/images,183.147.138.35,/common/images,183.131.118.35,/common/images
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAcAAAAAAAAAAwAAAAIAAAAKU0VTU0lPTklEPQAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAcAAAAAAAAAAwAAAAIAAAAJSlNFU1NJT049AAAABgAAAAZDb29raWUAAAAHAAAAAQAAAAMAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
9472
polling_time
35000
port_number
80
sc_process32
%windir%\syswow64\dllhost.exe
sc_process64
%windir%\sysnative\dllhost.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCbunJ64SQYVl1XCGvqYJ5Ub+secJ6AZ7QA40zOAc5AZp+5PH4RCiViwGwAcdAJKr2GijLoM7k9KCVkHvxepdyn6PE3NclHvnJj44FYxTmNrYJsbLo/Acuge8CRyvLZc7cc2wmZ2owKtdXx1K0uOXTTjFuBnaegSp3kx5MJyk7ROwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
1.481970944e+09
unknown2
AAAABAAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/common/imgdata
user_agent
Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/5.0)
watermark
100000000

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Control Panel\International\Geo\Nation	ea81027eff6d450cb0dbf54052b4408c.exe

Executes dropped EXE 1 IoCs

pid	Process
432	ssf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings	ea81027eff6d450cb0dbf54052b4408c.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4568	WINWORD.EXE
4568	WINWORD.EXE

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
4568	WINWORD.EXE
4568	WINWORD.EXE
4568	WINWORD.EXE
4568	WINWORD.EXE
4568	WINWORD.EXE
4568	WINWORD.EXE
4568	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1476 wrote to memory of 432	1476	ea81027eff6d450cb0dbf54052b4408c.exe	85
PID 1476 wrote to memory of 432	1476	ea81027eff6d450cb0dbf54052b4408c.exe	85
PID 1476 wrote to memory of 4568	1476	ea81027eff6d450cb0dbf54052b4408c.exe	87
PID 1476 wrote to memory of 4568	1476	ea81027eff6d450cb0dbf54052b4408c.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ea81027eff6d450cb0dbf54052b4408c.exe
"C:\Users\Admin\AppData\Local\Temp\ea81027eff6d450cb0dbf54052b4408c.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1476
- \??\c:\programdata\ssf.exe
  "c:\programdata\ssf.exe"
  2⤵
  - Executes dropped EXE
  PID:432
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\programdata\ea81027eff6d450cb0dbf54052b4408c.docx" /o ""
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:4568

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

4

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ssf.exe

Filesize
1.9MB

MD5
8564d4b711688d4bc2f39863be02faf1

SHA1
42ee249810035432ea818f75f2e02195dd6e98d8

SHA256
0ddc72a9ee4831b93e2075a5d3a4ea81ac47bdf49fb350c3f60cc0ca59f9301b

SHA512
7c12fc112e0e340c52373a42b51136b84888dd5bd67ccdff7edebf7a4d10fb075591c5b723bf0a6ad95a5ca6bf45a832d865d2cf4ea88091647b38e660443776

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
273B

MD5
e629015d07f7ccf76df0d1642fc21ee1

SHA1
0d5d0fe1cb34cb66489a793d5f6d869af684d65f

SHA256
a55c124fabc57aced77f54c59111943ababe0339a14db71a8f0c48cb07b662a2

SHA512
84b25ab2357f18fd42c452672b4552f1903e45f614053407921fe3c3b011e41ba5d08fc928a10042fe913cf07785acda5f216dde607fec07fc94c725cefeec61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
2a1402972db771a177bc99758db3029d

SHA1
4b575a81eb1b4bf29ae0ddb136b977624c8d7433

SHA256
6cb6c0692e88183fc653d28e3a1b3d5734b2109872b17f745f68fd1feb3cb622

SHA512
f9d4e98e9651e468b5c671598d8653745b783971aa2a8a8dadbb901cbc5ad4ce48329d0976e4aae71d2367287c30e8182ff8737d7cae8d8796f4ddd8ec13f20c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
fc5c5c3c90f188485712d1d78eab972e

SHA1
50a53fa5a4bb326f3898f7eaa413a2bbbe51fad6

SHA256
c03fa79140160c761aee5fa5b2b523454a4b40b8946f6a39715fee7bb960ce50

SHA512
d9b50069937b2feaca2ce2a0d2706a775e4799f9b17afee485b75cb7ee1fb9119b5391d8da058522e9535c207946aa0c528e173e492d5888705c8562a11f94fd

Download Submit
C:\programdata\ea81027eff6d450cb0dbf54052b4408c.docx

Filesize
1KB

MD5
9c7240d7f71dcef3d58134ffd65a4c3d

SHA1
4dd5912973eafb760d7f565715ec88bbb974fce6

SHA256
dd2de014838c93601916fbb7ab459574482ce102ba143a6c95998720e8e89b64

SHA512
b5bd082bd8c9a1a5447714f70884f61906ad10717e0dd7bc228f48c36d86136d56da378348e074155280d6afea70fe24e12d7366067d75537a5e55cbd9ba5489

Download Submit
\??\c:\programdata\ssf.exe

Filesize
1.9MB

MD5
8564d4b711688d4bc2f39863be02faf1

SHA1
42ee249810035432ea818f75f2e02195dd6e98d8

SHA256
0ddc72a9ee4831b93e2075a5d3a4ea81ac47bdf49fb350c3f60cc0ca59f9301b

SHA512
7c12fc112e0e340c52373a42b51136b84888dd5bd67ccdff7edebf7a4d10fb075591c5b723bf0a6ad95a5ca6bf45a832d865d2cf4ea88091647b38e660443776

Download Submit
memory/432-164-0x0000021B65CA0000-0x0000021B65CE1000-memory.dmp

Filesize
260KB

Download
memory/432-165-0x0000021B65CF0000-0x0000021B66162000-memory.dmp

Filesize
4.4MB

Download
memory/1476-141-0x0000000000400000-0x0000000000653000-memory.dmp

Filesize
2.3MB

Download
memory/4568-147-0x00007FFC599A0000-0x00007FFC599B0000-memory.dmp

Filesize
64KB

Download
memory/4568-143-0x00007FFC5C2B0000-0x00007FFC5C2C0000-memory.dmp

Filesize
64KB

Download
memory/4568-142-0x00007FFC5C2B0000-0x00007FFC5C2C0000-memory.dmp

Filesize
64KB

Download
memory/4568-148-0x00007FFC599A0000-0x00007FFC599B0000-memory.dmp

Filesize
64KB

Download
memory/4568-144-0x00007FFC5C2B0000-0x00007FFC5C2C0000-memory.dmp

Filesize
64KB

Download
memory/4568-146-0x00007FFC5C2B0000-0x00007FFC5C2C0000-memory.dmp

Filesize
64KB

Download
memory/4568-145-0x00007FFC5C2B0000-0x00007FFC5C2C0000-memory.dmp

Filesize
64KB

Download
memory/4568-201-0x00007FFC5C2B0000-0x00007FFC5C2C0000-memory.dmp

Filesize
64KB

Download
memory/4568-202-0x00007FFC5C2B0000-0x00007FFC5C2C0000-memory.dmp

Filesize
64KB

Download
memory/4568-203-0x00007FFC5C2B0000-0x00007FFC5C2C0000-memory.dmp

Filesize
64KB

Download
memory/4568-204-0x00007FFC5C2B0000-0x00007FFC5C2C0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads