cobaltstrike | 3c0c29e603bddaa2a2909be38e18a21846b96d816475ab471d1b7ddce374d8c7

General

Target

3c0c29e603bddaa2a2909be38e18a21846b96d816475ab471d1b7ddce374d8c7.exe
Size

2.7MB
MD5

3f949ff5e9ff136c8e676bbd280c7be7
SHA1

16ce8d31bd5366ef32ea4a2bf81030acf5fa7e15
SHA256

3c0c29e603bddaa2a2909be38e18a21846b96d816475ab471d1b7ddce374d8c7
SHA512

863a299326bc0d9d6efd874448712ea340effaf8cff33f0474f6669153ad9787dd0cc002d0d44849482df676e583060792d8045d484f18a3d3f9376262580145
SSDEEP

49152:Z56FaD30nrb/TKvO90d7HjmAFd4A64nsfJksChygALNGLo6D1:x30j

Score

10^/10

cobaltstrike backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

C2

http://service-hh51s5hm-1253795072.gz.apigw.tencentcs.com:443/api/auth/poral/log1

Attributes

user_agent
Connection: close Accept: */* Referer: http://www.baidu.com/ Accept-Language: en-US,en;q=0.5 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Executes dropped EXE 1 IoCs

pid	Process
824	scl.exe

Loads dropped DLL 2 IoCs

pid	Process
2248	forfiles.exe
2248	forfiles.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
956	AcroRd32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
956	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	824	scl.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
956	AcroRd32.exe
956	AcroRd32.exe
956	AcroRd32.exe
956	AcroRd32.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 904 wrote to memory of 1348	904	3c0c29e603bddaa2a2909be38e18a21846b96d816475ab471d1b7ddce374d8c7.exe	28
PID 904 wrote to memory of 1348	904	3c0c29e603bddaa2a2909be38e18a21846b96d816475ab471d1b7ddce374d8c7.exe	28
PID 904 wrote to memory of 1348	904	3c0c29e603bddaa2a2909be38e18a21846b96d816475ab471d1b7ddce374d8c7.exe	28
PID 904 wrote to memory of 2264	904	3c0c29e603bddaa2a2909be38e18a21846b96d816475ab471d1b7ddce374d8c7.exe	29
PID 904 wrote to memory of 2264	904	3c0c29e603bddaa2a2909be38e18a21846b96d816475ab471d1b7ddce374d8c7.exe	29
PID 904 wrote to memory of 2264	904	3c0c29e603bddaa2a2909be38e18a21846b96d816475ab471d1b7ddce374d8c7.exe	29
PID 904 wrote to memory of 2248	904	3c0c29e603bddaa2a2909be38e18a21846b96d816475ab471d1b7ddce374d8c7.exe	34
PID 904 wrote to memory of 2248	904	3c0c29e603bddaa2a2909be38e18a21846b96d816475ab471d1b7ddce374d8c7.exe	34
PID 904 wrote to memory of 2248	904	3c0c29e603bddaa2a2909be38e18a21846b96d816475ab471d1b7ddce374d8c7.exe	34
PID 904 wrote to memory of 3052	904	3c0c29e603bddaa2a2909be38e18a21846b96d816475ab471d1b7ddce374d8c7.exe	32
PID 904 wrote to memory of 3052	904	3c0c29e603bddaa2a2909be38e18a21846b96d816475ab471d1b7ddce374d8c7.exe	32
PID 904 wrote to memory of 3052	904	3c0c29e603bddaa2a2909be38e18a21846b96d816475ab471d1b7ddce374d8c7.exe	32
PID 2248 wrote to memory of 824	2248	forfiles.exe	36
PID 2248 wrote to memory of 824	2248	forfiles.exe	36
PID 2248 wrote to memory of 824	2248	forfiles.exe	36
PID 1348 wrote to memory of 956	1348	cmd.exe	37
PID 1348 wrote to memory of 956	1348	cmd.exe	37
PID 1348 wrote to memory of 956	1348	cmd.exe	37
PID 1348 wrote to memory of 956	1348	cmd.exe	37

C:\Users\Admin\AppData\Local\Temp\3c0c29e603bddaa2a2909be38e18a21846b96d816475ab471d1b7ddce374d8c7.exe
"C:\Users\Admin\AppData\Local\Temp\3c0c29e603bddaa2a2909be38e18a21846b96d816475ab471d1b7ddce374d8c7.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:904
- C:\Windows\system32\cmd.exe
  cmd.exe /c start 张戚颖-药学-硕士-哈尔滨医科大学-药剂师.pdf
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1348
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\张戚颖-药学-硕士-哈尔滨医科大学-药剂师.pdf"
    3⤵
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:956
- C:\Windows\system32\expand.exe
  expand C:\Users\Public\Music\scl.spl C:\Users\Public\Music\scl.exe
  2⤵
  PID:2264
- C:\Windows\system32\cmd.exe
  cmd.exe /c del 张戚颖-药学-硕士-哈尔滨医科大学-药剂师.exe
  2⤵
  PID:3052
- C:\Windows\system32\forfiles.exe
  forfiles /p c:\windows\system32 /m notepad.exe /c C:\Users\Public\Music\scl.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2248
- - C:\Users\Public\Music\scl.exe
    "C:\Users\Public\Music\scl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\张戚颖-药学-硕士-哈尔滨医科大学-药剂师.pdf

Filesize
384KB

MD5
8e3b720fdb36716ef28664a938a98f13

SHA1
4be11727570026dc6f55cf4b16de1a234c40c135

SHA256
c76ccf6dd159abfda000366575015f52f8e5e7efd8a39bfb7000b70129c3527f

SHA512
9bda431a2079f9d09b2ed8d8a9bbdf0826f07627241fc5c4bbf83ade61f4be0dce3ecc6fc7bf925f973c8815ba778aa08dd4490bc756ecd9db1509906c65d961

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
43fb4bce81823c277abe99d18c09f487

SHA1
ec3a151d75e6179c18bbdbd11818567e477d85fe

SHA256
d654e27e2a4d5cd891db4e40b5e5861ebd20544f3285849ba80c079084d1f795

SHA512
13360bc0c96a7516729b015eda92d436b358227eeb722ab055f6566c9c360cf034679fc06d9589a28357d98bf3529a13a4a5611cc69df12f5038a6a1c148ecbc

Download Submit
C:\Users\Public\Music\scl.exe

Filesize
194KB

MD5
aab912e42641f0d36cd3040879a256ca

SHA1
ea34bda045bf2248d42716436cd1dcfc9f44cabf

SHA256
a739bfc352eb1733c5c19a50a8f2f2a49f61491e11ef6114f2dd104a0afe9497

SHA512
80536e4dfee3cf12a452107d9e8e235f3774278e97ca2ea7469b8ef1a39f5cb77b75a6a2e881426d8acc1e8df9f5c45972f934eeeea244625bb771c16324cb75

Download Submit
C:\Users\Public\Music\scl.exe

Filesize
194KB

MD5
aab912e42641f0d36cd3040879a256ca

SHA1
ea34bda045bf2248d42716436cd1dcfc9f44cabf

SHA256
a739bfc352eb1733c5c19a50a8f2f2a49f61491e11ef6114f2dd104a0afe9497

SHA512
80536e4dfee3cf12a452107d9e8e235f3774278e97ca2ea7469b8ef1a39f5cb77b75a6a2e881426d8acc1e8df9f5c45972f934eeeea244625bb771c16324cb75

Download Submit
\??\c:\users\public\music\scl.spl

Filesize
194KB

MD5
aab912e42641f0d36cd3040879a256ca

SHA1
ea34bda045bf2248d42716436cd1dcfc9f44cabf

SHA256
a739bfc352eb1733c5c19a50a8f2f2a49f61491e11ef6114f2dd104a0afe9497

SHA512
80536e4dfee3cf12a452107d9e8e235f3774278e97ca2ea7469b8ef1a39f5cb77b75a6a2e881426d8acc1e8df9f5c45972f934eeeea244625bb771c16324cb75

Download Submit
\Users\Public\Music\scl.exe

Filesize
194KB

MD5
aab912e42641f0d36cd3040879a256ca

SHA1
ea34bda045bf2248d42716436cd1dcfc9f44cabf

SHA256
a739bfc352eb1733c5c19a50a8f2f2a49f61491e11ef6114f2dd104a0afe9497

SHA512
80536e4dfee3cf12a452107d9e8e235f3774278e97ca2ea7469b8ef1a39f5cb77b75a6a2e881426d8acc1e8df9f5c45972f934eeeea244625bb771c16324cb75

Download Submit
\Users\Public\Music\scl.exe

Filesize
194KB

MD5
aab912e42641f0d36cd3040879a256ca

SHA1
ea34bda045bf2248d42716436cd1dcfc9f44cabf

SHA256
a739bfc352eb1733c5c19a50a8f2f2a49f61491e11ef6114f2dd104a0afe9497

SHA512
80536e4dfee3cf12a452107d9e8e235f3774278e97ca2ea7469b8ef1a39f5cb77b75a6a2e881426d8acc1e8df9f5c45972f934eeeea244625bb771c16324cb75

Download Submit
memory/824-30-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing