cobaltstrike | 7064244922c5e1f8e345d25137c7e3f69fdf1b9987b1c4870e29f15d01096fa5

Analysis

max time kernel
151s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230824-en
resource tags

arch:x64arch:x86image:win10v2004-20230824-enlocale:en-usos:windows10-2004-x64system
submitted
30-08-2023 23:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7064244922c5e1f8e345d25137c7e3f69fdf1b9987b1c4870e29f15d01096fa5.exe
Size

7.6MB
MD5

43debafbb713c0e027d8e50090b89b59
SHA1

696c57d149d06d24447611bfe53bb16ab452d7a5
SHA256

7064244922c5e1f8e345d25137c7e3f69fdf1b9987b1c4870e29f15d01096fa5
SHA512

eb18586223b937acf5f46c9b4bcb9f38970d60325c4f856570b25a261ebc87fa7f4b7e74c48c3a316f73c205c4f9528586f18c72e1f9c0add6ba072dcc3cdf11
SSDEEP

196608:CeY0sQOz7iDfyGR21X5Sp6GemDMPw0NHW2+YPnkyR:XY0sl7iDfDspfaMPOA

Score

10^/10

cobaltstrike 0 100000 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

http://119.3.177.241:8888/Yhf6

Attributes

user_agent
User-Agent: Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/5.0)

Extracted

Family

cobaltstrike

Botnet

100000

http://119.3.177.241:8888/activity

Attributes

access_type
512
host
119.3.177.241,/activity
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
polling_time
60000
port_number
8888
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCYWGnCK3yIBrh+3iB1BRTsqIt+Lt6zA8e3Smr9rVXdLrowL/CDbqMAH8bc4oEo810pkFMl4CGIF3KtsM0GwrvtcaPMhYueGoSaxE+VatKRrNdhBmQQ02Av/RmRwKJgXbeOQlxJmw2CPDfOwVbThPai6bO70CaZO27GwhyubAqX7QIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/submit.php
user_agent
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; ; NCLIENT50_AAPCDA5841E333)
watermark
100000

Extracted

Family

cobaltstrike

Botnet

Attributes

watermark
0

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Loads dropped DLL 5 IoCs

Processes:

7064244922c5e1f8e345d25137c7e3f69fdf1b9987b1c4870e29f15d01096fa5.exe

pid	process
1068	7064244922c5e1f8e345d25137c7e3f69fdf1b9987b1c4870e29f15d01096fa5.exe
1068	7064244922c5e1f8e345d25137c7e3f69fdf1b9987b1c4870e29f15d01096fa5.exe
1068	7064244922c5e1f8e345d25137c7e3f69fdf1b9987b1c4870e29f15d01096fa5.exe
1068	7064244922c5e1f8e345d25137c7e3f69fdf1b9987b1c4870e29f15d01096fa5.exe
1068	7064244922c5e1f8e345d25137c7e3f69fdf1b9987b1c4870e29f15d01096fa5.exe

Drops file in System32 directory 1 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{47BB79F0-B694-4A8A-BB86-7F781212A891}.catalogItem	svchost.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	svchost.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

7064244922c5e1f8e345d25137c7e3f69fdf1b9987b1c4870e29f15d01096fa5.exe

description	pid	process	target process
PID 820 wrote to memory of 1068	820	7064244922c5e1f8e345d25137c7e3f69fdf1b9987b1c4870e29f15d01096fa5.exe	7064244922c5e1f8e345d25137c7e3f69fdf1b9987b1c4870e29f15d01096fa5.exe
PID 820 wrote to memory of 1068	820	7064244922c5e1f8e345d25137c7e3f69fdf1b9987b1c4870e29f15d01096fa5.exe	7064244922c5e1f8e345d25137c7e3f69fdf1b9987b1c4870e29f15d01096fa5.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7064244922c5e1f8e345d25137c7e3f69fdf1b9987b1c4870e29f15d01096fa5.exe
"C:\Users\Admin\AppData\Local\Temp\7064244922c5e1f8e345d25137c7e3f69fdf1b9987b1c4870e29f15d01096fa5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:820

C:\Users\Admin\AppData\Local\Temp\7064244922c5e1f8e345d25137c7e3f69fdf1b9987b1c4870e29f15d01096fa5.exe
"C:\Users\Admin\AppData\Local\Temp\7064244922c5e1f8e345d25137c7e3f69fdf1b9987b1c4870e29f15d01096fa5.exe"
2⤵
- Loads dropped DLL
PID:1068

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI8202\VCRUNTIME140.dll
Filesize
106KB

MD5
4585a96cc4eef6aafd5e27ea09147dc6

SHA1
489cfff1b19abbec98fda26ac8958005e88dd0cb

SHA256
a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736

SHA512
d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8202\VCRUNTIME140.dll
Filesize
106KB

MD5
4585a96cc4eef6aafd5e27ea09147dc6

SHA1
489cfff1b19abbec98fda26ac8958005e88dd0cb

SHA256
a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736

SHA512
d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8202\_ctypes.pyd
Filesize
120KB

MD5
9b344f8d7ce5b57e397a475847cc5f66

SHA1
aff1ccc2608da022ecc8d0aba65d304fe74cdf71

SHA256
b1214d7b7efd9d4b0f465ec3463512a1cbc5f59686267030f072e6ce4b2a95cf

SHA512
2b0d9e1b550bf108fa842324ab26555f2a224aefff517fdb16df85693e05adaf0d77ebe49382848f1ec68dc9b5ae75027a62c33721e42a1566274d1a2b1baa41

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8202\_ctypes.pyd
Filesize
120KB

MD5
9b344f8d7ce5b57e397a475847cc5f66

SHA1
aff1ccc2608da022ecc8d0aba65d304fe74cdf71

SHA256
b1214d7b7efd9d4b0f465ec3463512a1cbc5f59686267030f072e6ce4b2a95cf

SHA512
2b0d9e1b550bf108fa842324ab26555f2a224aefff517fdb16df85693e05adaf0d77ebe49382848f1ec68dc9b5ae75027a62c33721e42a1566274d1a2b1baa41

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8202\base_library.zip
Filesize
1.7MB

MD5
ca768a72c14315ee7dd60d660a368968

SHA1
50335eee728e9e3f369e9e06972b053776bc8d19

SHA256
2456678e7aff9354b5a5bfbb94ac4e345d434b93ecb035ccbd41cd94369befaa

SHA512
e10f2ffc4a88cfbb9d403464aacb339a438f96c0f4a8cc853e62141911181c7aa626e18af7721344a8ae1d5b50cd69eeac49ea0743d1a420342d8ec9352c9868

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8202\libffi-8.dll
Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8202\libffi-8.dll
Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8202\python311.dll
Filesize
5.5MB

MD5
e2bd5ae53427f193b42d64b8e9bf1943

SHA1
7c317aad8e2b24c08d3b8b3fba16dd537411727f

SHA256
c4844b05e3a936b130adedb854d3c04d49ee54edb43e9d36f8c4ae94ccb78400

SHA512
ae23a6707e539c619fd5c5b4fc6e4734edc91f89ebe024d25ff2a70168da6105ac0bd47cf6bf3715af6411963caf0acbb4632464e1619ca6361abf53adfe7036

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8202\python311.dll
Filesize
5.5MB

MD5
e2bd5ae53427f193b42d64b8e9bf1943

SHA1
7c317aad8e2b24c08d3b8b3fba16dd537411727f

SHA256
c4844b05e3a936b130adedb854d3c04d49ee54edb43e9d36f8c4ae94ccb78400

SHA512
ae23a6707e539c619fd5c5b4fc6e4734edc91f89ebe024d25ff2a70168da6105ac0bd47cf6bf3715af6411963caf0acbb4632464e1619ca6361abf53adfe7036

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8202\ucrtbase.dll
Filesize
978KB

MD5
cca4929ef8dd988d7221ef6ba398f1b5

SHA1
1d21e60e56a15038702dc18148be8cecee279890

SHA256
4292c29e74d90aef21bbad50e8fe25858c5990846adb629372ca6fd717cd0ca3

SHA512
d990d1370201541e7a1e1ec9b68e40a984d0195847010919148d0de80d2a2c51bcccfeeca59087fca95ab410c9e170c4585c8daa1383f1383b98500d797a41ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8202\ucrtbase.dll
Filesize
978KB

MD5
cca4929ef8dd988d7221ef6ba398f1b5

SHA1
1d21e60e56a15038702dc18148be8cecee279890

SHA256
4292c29e74d90aef21bbad50e8fe25858c5990846adb629372ca6fd717cd0ca3

SHA512
d990d1370201541e7a1e1ec9b68e40a984d0195847010919148d0de80d2a2c51bcccfeeca59087fca95ab410c9e170c4585c8daa1383f1383b98500d797a41ca

Download Submit
memory/1068-66-0x000002CA6DD20000-0x000002CA6DD21000-memory.dmp

Filesize
4KB

Download
memory/1068-71-0x000002CA6E970000-0x000002CA6ED70000-memory.dmp

Filesize
4.0MB

Download
memory/1068-72-0x000002CA6ED70000-0x000002CA6EDBF000-memory.dmp

Filesize
316KB

Download
memory/1068-75-0x000002CA6ED70000-0x000002CA6EDBF000-memory.dmp

Filesize
316KB

Download