cobaltstrike | 344de6a865e4cfb9937cd8b42deeb560aac1dfeae07a9746871b42a50afabf2b

General

Target

344de6a865e4cfb9937cd8b42deeb560aac1dfeae07a9746871b42a50afabf2b.exe
Size

1.9MB
MD5

198c5c9a3adf296031a79fbb7f541482
SHA1

12bdf8053f0d5f992eb4707246bf57b137c58118
SHA256

344de6a865e4cfb9937cd8b42deeb560aac1dfeae07a9746871b42a50afabf2b
SHA512

4bedd0c34d841d02741b9700754892cebbf90b5126f290696067f515b4546028f1310f1fc8360d33c1bfd132e0cad69fa1d058c9b928c00d818bb3c3456b5cf5
SSDEEP

49152:3yiyM4/Q34urb/TdvO90dL3BmAFd4A64nsfJ9PaCN3gqpVK7ljID1O:Ci73Q9Y7b

Score

10^/10

cobaltstrike backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

C2

http://yuiko.xyz:2096/GAof

Attributes

user_agent
User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2) Java/1.5.0_08 Host: yuiko.xyz

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2688	WINWORD.EXE

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2688	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2688	WINWORD.EXE
2688	WINWORD.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 2652	2208	344de6a865e4cfb9937cd8b42deeb560aac1dfeae07a9746871b42a50afabf2b.exe	29
PID 2208 wrote to memory of 2652	2208	344de6a865e4cfb9937cd8b42deeb560aac1dfeae07a9746871b42a50afabf2b.exe	29
PID 2208 wrote to memory of 2652	2208	344de6a865e4cfb9937cd8b42deeb560aac1dfeae07a9746871b42a50afabf2b.exe	29
PID 2652 wrote to memory of 2688	2652	cmd.exe	30
PID 2652 wrote to memory of 2688	2652	cmd.exe	30
PID 2652 wrote to memory of 2688	2652	cmd.exe	30
PID 2652 wrote to memory of 2688	2652	cmd.exe	30
PID 2688 wrote to memory of 2832	2688	WINWORD.EXE	33
PID 2688 wrote to memory of 2832	2688	WINWORD.EXE	33
PID 2688 wrote to memory of 2832	2688	WINWORD.EXE	33
PID 2688 wrote to memory of 2832	2688	WINWORD.EXE	33

C:\Users\Admin\AppData\Local\Temp\344de6a865e4cfb9937cd8b42deeb560aac1dfeae07a9746871b42a50afabf2b.exe
"C:\Users\Admin\AppData\Local\Temp\344de6a865e4cfb9937cd8b42deeb560aac1dfeae07a9746871b42a50afabf2b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Windows\system32\cmd.exe
  cmd /c .\关于windows邮件客户端升级的通知.docx
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\关于windows邮件客户端升级的通知.docx"
    3⤵
    - Drops file in Windows directory
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2688
  - - C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      4⤵
      PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\关于windows邮件客户端升级的通知.docx

Filesize
11KB

MD5
e8a5d99d14ab493fdb8d3cf6709e6c09

SHA1
94c5d2a9fe81b98a3516063999a79b48d38dcb0f

SHA256
9597aad4fe103931c6bfc2ff03bd9eea4a8aa590b72be55f05e0459b0fb1dfab

SHA512
68e399f94d8c3f6264f5b5c6b78c28bd7acec5146ee7ed355dff72b26837e3ff3a8da68702f07ee2d651c56b2631b2d0d503f829122e435d10833a0ef4e71cec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
e11a1f3811217da52867c4054afb9260

SHA1
cbf5766e79f16b1fb014739ee75f2c3aaae9380e

SHA256
83427f1f5e997aeaf7478bdfc8e7a622b7d93f8cf7c3fe89b771fd3baec99eaa

SHA512
9ef76b19ab58b1892a36228ec402b319e2ec6152ce181b9c0370b4a13dea0ba643657c3db6650fc2b4d4eb8daa557e34d935bbac26e09d8e80077e823afba3dc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/2208-10-0x0000000027DC0000-0x0000000027DC1000-memory.dmp

Filesize
4KB

Download
memory/2208-57-0x0000000029B40000-0x0000000029F40000-memory.dmp

Filesize
4.0MB

Download
memory/2688-29-0x000000002F3D0000-0x000000002F52D000-memory.dmp

Filesize
1.4MB

Download
memory/2688-30-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2688-31-0x00000000719ED000-0x00000000719F8000-memory.dmp

Filesize
44KB

Download
memory/2688-53-0x000000002F3D0000-0x000000002F52D000-memory.dmp

Filesize
1.4MB

Download
memory/2688-54-0x00000000719ED000-0x00000000719F8000-memory.dmp

Filesize
44KB

Download
memory/2688-78-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2688-79-0x00000000719ED000-0x00000000719F8000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing