cobaltstrike | 344de6a865e4cfb9937cd8b42deeb560aac1dfeae07a9746871b42a50afabf2b

General

Target

344de6a865e4cfb9937cd8b42deeb560aac1dfeae07a9746871b42a50afabf2b.exe
Size

1.9MB
MD5

198c5c9a3adf296031a79fbb7f541482
SHA1

12bdf8053f0d5f992eb4707246bf57b137c58118
SHA256

344de6a865e4cfb9937cd8b42deeb560aac1dfeae07a9746871b42a50afabf2b
SHA512

4bedd0c34d841d02741b9700754892cebbf90b5126f290696067f515b4546028f1310f1fc8360d33c1bfd132e0cad69fa1d058c9b928c00d818bb3c3456b5cf5
SSDEEP

49152:3yiyM4/Q34urb/TdvO90dL3BmAFd4A64nsfJ9PaCN3gqpVK7ljID1O:Ci73Q9Y7b

Score

10^/10

cobaltstrike backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

C2

http://yuiko.xyz:2096/GAof

Attributes

user_agent
User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2) Java/1.5.0_08 Host: yuiko.xyz

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3688	3140	WerFault.exe	84

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-642304425-1816607141-2958861556-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1224	WINWORD.EXE
1224	WINWORD.EXE

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
1224	WINWORD.EXE
1224	WINWORD.EXE
1224	WINWORD.EXE
1224	WINWORD.EXE
1224	WINWORD.EXE
1224	WINWORD.EXE
1224	WINWORD.EXE
1224	WINWORD.EXE
1224	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3140 wrote to memory of 3636	3140	344de6a865e4cfb9937cd8b42deeb560aac1dfeae07a9746871b42a50afabf2b.exe	86
PID 3140 wrote to memory of 3636	3140	344de6a865e4cfb9937cd8b42deeb560aac1dfeae07a9746871b42a50afabf2b.exe	86
PID 3636 wrote to memory of 1224	3636	cmd.exe	87
PID 3636 wrote to memory of 1224	3636	cmd.exe	87

C:\Users\Admin\AppData\Local\Temp\344de6a865e4cfb9937cd8b42deeb560aac1dfeae07a9746871b42a50afabf2b.exe
"C:\Users\Admin\AppData\Local\Temp\344de6a865e4cfb9937cd8b42deeb560aac1dfeae07a9746871b42a50afabf2b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3140
- C:\Windows\system32\cmd.exe
  cmd /c .\关于windows邮件客户端升级的通知.docx
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3636
- - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\关于windows邮件客户端升级的通知.docx" /o ""
    3⤵
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID:1224
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3140 -s 1748
  2⤵
  - Program crash
  PID:3688

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 476 -p 3140 -ip 3140
1⤵
PID:3644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\关于windows邮件客户端升级的通知.docx

Filesize
11KB

MD5
e8a5d99d14ab493fdb8d3cf6709e6c09

SHA1
94c5d2a9fe81b98a3516063999a79b48d38dcb0f

SHA256
9597aad4fe103931c6bfc2ff03bd9eea4a8aa590b72be55f05e0459b0fb1dfab

SHA512
68e399f94d8c3f6264f5b5c6b78c28bd7acec5146ee7ed355dff72b26837e3ff3a8da68702f07ee2d651c56b2631b2d0d503f829122e435d10833a0ef4e71cec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/1224-26-0x00007FFEE5C30000-0x00007FFEE5E25000-memory.dmp

Filesize
2.0MB

Download
memory/1224-28-0x00007FFEE5C30000-0x00007FFEE5E25000-memory.dmp

Filesize
2.0MB

Download
memory/1224-8-0x00007FFEE5C30000-0x00007FFEE5E25000-memory.dmp

Filesize
2.0MB

Download
memory/1224-9-0x00007FFEA5CB0000-0x00007FFEA5CC0000-memory.dmp

Filesize
64KB

Download
memory/1224-10-0x00007FFEE5C30000-0x00007FFEE5E25000-memory.dmp

Filesize
2.0MB

Download
memory/1224-11-0x00007FFEA5CB0000-0x00007FFEA5CC0000-memory.dmp

Filesize
64KB

Download
memory/1224-13-0x00007FFEA5CB0000-0x00007FFEA5CC0000-memory.dmp

Filesize
64KB

Download
memory/1224-15-0x00007FFEA5CB0000-0x00007FFEA5CC0000-memory.dmp

Filesize
64KB

Download
memory/1224-14-0x00007FFEE5C30000-0x00007FFEE5E25000-memory.dmp

Filesize
2.0MB

Download
memory/1224-12-0x00007FFEE5C30000-0x00007FFEE5E25000-memory.dmp

Filesize
2.0MB

Download
memory/1224-16-0x00007FFEE5C30000-0x00007FFEE5E25000-memory.dmp

Filesize
2.0MB

Download
memory/1224-17-0x00007FFEA3400000-0x00007FFEA3410000-memory.dmp

Filesize
64KB

Download
memory/1224-18-0x00007FFEA3400000-0x00007FFEA3410000-memory.dmp

Filesize
64KB

Download
memory/1224-25-0x00007FFEE5C30000-0x00007FFEE5E25000-memory.dmp

Filesize
2.0MB

Download
memory/1224-7-0x00007FFEE5C30000-0x00007FFEE5E25000-memory.dmp

Filesize
2.0MB

Download
memory/1224-72-0x00007FFEE5C30000-0x00007FFEE5E25000-memory.dmp

Filesize
2.0MB

Download
memory/1224-29-0x00007FFEE5C30000-0x00007FFEE5E25000-memory.dmp

Filesize
2.0MB

Download
memory/1224-30-0x00007FFEE5C30000-0x00007FFEE5E25000-memory.dmp

Filesize
2.0MB

Download
memory/1224-27-0x00007FFEE5C30000-0x00007FFEE5E25000-memory.dmp

Filesize
2.0MB

Download
memory/1224-31-0x00007FFEE5C30000-0x00007FFEE5E25000-memory.dmp

Filesize
2.0MB

Download
memory/1224-6-0x00007FFEA5CB0000-0x00007FFEA5CC0000-memory.dmp

Filesize
64KB

Download
memory/1224-71-0x00007FFEE5C30000-0x00007FFEE5E25000-memory.dmp

Filesize
2.0MB

Download
memory/1224-64-0x00007FFEA5CB0000-0x00007FFEA5CC0000-memory.dmp

Filesize
64KB

Download
memory/1224-65-0x00007FFEA5CB0000-0x00007FFEA5CC0000-memory.dmp

Filesize
64KB

Download
memory/1224-66-0x00007FFEA5CB0000-0x00007FFEA5CC0000-memory.dmp

Filesize
64KB

Download
memory/1224-68-0x00007FFEA5CB0000-0x00007FFEA5CC0000-memory.dmp

Filesize
64KB

Download
memory/1224-67-0x00007FFEE5C30000-0x00007FFEE5E25000-memory.dmp

Filesize
2.0MB

Download
memory/1224-69-0x00007FFEE5C30000-0x00007FFEE5E25000-memory.dmp

Filesize
2.0MB

Download
memory/1224-70-0x00007FFEE5C30000-0x00007FFEE5E25000-memory.dmp

Filesize
2.0MB

Download
memory/3140-41-0x000001C461B90000-0x000001C461F90000-memory.dmp

Filesize
4.0MB

Download
memory/3140-2-0x000001C461760000-0x000001C461761000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing