cobaltstrike | 751b8ab3828a9f3a67d511c8b376cffa895807a7ea39e4e98cc9bec04f06949a

Analysis

max time kernel
296s
max time network
309s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
16-08-2023 06:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4.exe
Size

2.6MB
MD5

a14a70c9382dafae8082b96692fb6126
SHA1

703b869b3d102c18bc1ea7f8ebe9732049cbd710
SHA256

7a54e2ff0dd51979498b05c96e134b5e08bfa3a6c470c31590b6dfb7467e9ea4
SHA512

e72a8731ab0a9ea180a8b9c00d3d015a18a28434daec01a365fb47ef906ce3c8f7e03dda133769204f4b387f1eae882d3ff541d6d4566e66e26f3c6dd3b5d532
SSDEEP

49152:sylqBU83Orb/TKvO90d7HjmAFd4A64nsfJ2U4OOiTXg4tpqbCAb1qQz7eVJiyvpE:Y3MJQuVJws

Score

10^/10

cobaltstrike 391144938 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

391144938

http://ngcdn010.cnr.cn:443/dist/css/bootstrap.min.css

Attributes

access_type
512
beacon_type
2048
host
ngcdn010.cnr.cn,/dist/css/bootstrap.min.css
http_header1
AAAACgAAADhBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sOwAAABAAAAAWSG9zdDogZ2V0Ym9vdHN0cmFwLmNvbQAAAAoAAAAeQWNjZXB0LUVuY29kaW5nOiBnemlwLCBkZWZsYXRlAAAACgAAAB9BY2NlcHQtTGFuZ3VhZ2U6IHpoLUNOLHpoO3E9MC45AAAABwAAAAAAAAANAAAAAgAAAAlfX2NmZHVpZD0AAAAGAAAABkNvb2tpZQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAADhBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sOwAAABAAAAAWSG9zdDogZ2V0Ym9vdHN0cmFwLmNvbQAAAAoAAAAeQWNjZXB0LUVuY29kaW5nOiBnemlwLCBkZWZsYXRlAAAACgAAAB9BY2NlcHQtTGFuZ3VhZ2U6IHpoLUNOLHpoO3E9MC45AAAABwAAAAAAAAANAAAABQAAAAVzZXJ2ZQAAAAcAAAABAAAAAwAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
POST
http_method2
POST
jitter
9472
polling_time
10000
port_number
443
sc_process32
%windir%\syswow64\svchost.exe -k netsvcs
sc_process64
%windir%\sysnative\svchost.exe -k netsvcs
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCKcWx/iIALKK+Wqxrt0P8S4XJtcRnSAf5fAQwMxEIGOYvVt8Tq78HkENt9asoKfJRmt5JW1EB3rAiP1oJ/ZNapQHEP1bgG8lxwp1UPeqqySUJfA03aR4Tx2e/S3fou3yageDPjW3MjI2h0mHAbvYbB2dXXsX10eC8EWXhsAHaqdQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
3.462927616e+09
unknown2
AAAABAAAAAEAAAAtAAAAAQAABsMAAAACAAAAFAAAAAIAAAA1AAAAAgAAACwAAAACAAAAJAAAAAIAAABLAAAAAgAAC6IAAAADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/dist/js/bootstrap.bundle.min.js
user_agent
Mozilla/5.0 (X11; U; Linux x86_64; en-us) AppleWebKit/531.2+ (KHTML, like Gecko) Version/5.0 Safari/531.2+
watermark
391144938

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4332 PING.EXE

pid	process
4332	PING.EXE

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

4.execmd.exe

description	pid	process	target process
PID 4160 wrote to memory of 2848	4160	4.exe	explorer.exe
PID 4160 wrote to memory of 2848	4160	4.exe	explorer.exe
PID 4160 wrote to memory of 2848	4160	4.exe	explorer.exe
PID 4160 wrote to memory of 2364	4160	4.exe	cmd.exe
PID 4160 wrote to memory of 2364	4160	4.exe	cmd.exe
PID 2364 wrote to memory of 4332	2364	cmd.exe	PING.EXE
PID 2364 wrote to memory of 4332	2364	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\4.exe
"C:\Users\Admin\AppData\Local\Temp\4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4160

\??\c:\windows\explorer.exe
"c:\windows\explorer.exe"
2⤵
PID:2848

C:\Windows\system32\cmd.exe
cmd /c "ping 127.0.0.1 -n 4 > nul & del" C:\Users\Admin\AppData\Local\Temp\4.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:2364

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 4
3⤵
- Runs ping.exe
PID:4332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2848-122-0x00000000001A0000-0x00000000001E4000-memory.dmp

Filesize
272KB

Download
memory/2848-124-0x0000000001FA0000-0x0000000001FF2000-memory.dmp

Filesize
328KB

Download
memory/2848-125-0x0000000002860000-0x0000000002862000-memory.dmp

Filesize
8KB

Download