cobaltstrike | 09233ec1998287e1addfde586c10fe3493ac90fa51d2bb0ed95a5bf685f258fe

General

Target

Note .exe
Size

1.6MB
MD5

83863beee3502e42ced7e4b6dacb9eac
SHA1

d9d40cb3e2fe05cf223dc0b592a592c132340042
SHA256

cb470d77087518ed7bc53ca624806c265ae2485d40ec212acc2559720940fb27
SHA512

7412dd1d752d73018bbd3eb1df637674a8be0b82ab608155b35ab3b728f7dae8c8d5420eac69fda8e7054a99628bed8adce7ab9236af0ce138758a51b50d4561
SSDEEP

6144:lkxsldgbztkAzkAZqrEdrEAZUCwFjNNJKa:lkxsluNPqrEdrEBd

Score

10^/10

cobaltstrike 1359593325 backdoor persistence trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

1359593325

C2

http://communitypowersports.com:443/owa/L7k2NQpwPNLq4C2dHD6TRv00GCH1axhaWv

Attributes

access_type
512
beacon_type
2048
host
communitypowersports.com,/owa/L7k2NQpwPNLq4C2dHD6TRv00GCH1axhaWv
http_header1
AAAAEAAAAB5Ib3N0OiBjb21tdW5pdHlwb3dlcnNwb3J0cy5jb20AAAAKAAAAC0FjY2VwdDogKi8qAAAACgAAAIFDb29raWU6IE1pY3Jvc29mdEFwcGxpY2F0aW9uc1RlbGVtZXRyeURldmljZUlkPTk1YzE4ZDgtNGRjZTk4NTQ7Q2xpZW50SWQ9MUMwRjZDNUQ5MTBGOTtNU1BBdXRoPTNFa0FqREtqSTt4aWQ9NzMwYmY3O3dsYTQyPVRjbjRneEYAAAAHAAAAAAAAAA0AAAAFAAAAAndhAAAACQAAAA5wYXRoPS9jYWxlbmRhcgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAAEAAAAB5Ib3N0OiBjb21tdW5pdHlwb3dlcnNwb3J0cy5jb20AAAAKAAAAC0FjY2VwdDogKi8qAAAABwAAAAAAAAANAAAAAgAAAAZ3bGE0Mj0AAAACAAAAC3hpZD03MzBiZjc7AAAAAgAAABJNU1BBdXRoPTNFa0FqREtqSTsAAAACAAAAF0NsaWVudElkPTFDMEY2QzVEOTEwRjk7AAAAAgAAADhNaWNyb3NvZnRBcHBsaWNhdGlvbnNUZWxlbWV0cnlEZXZpY2VJZD05NWMxOGQ4LTRkY2U5ODU0OwAAAAYAAAAGQ29va2llAAAABwAAAAEAAAAPAAAADQAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
4608
polling_time
60000
port_number
443
sc_process32
%windir%\syswow64\powercfg.exe
sc_process64
%windir%\sysnative\powercfg.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQChORoRab4XO67pj8I4W5dFIKj5UO6AYl1yopRsh5SeYN9Lp9iGQj0lmOSGykZioM7hXD6GM6XjpjhvS0sUa5/3ApIhS8XosTs2Tk7iHNQJJuFsIIwpWSCHO3GM6HEJxqgeFIRN5UY+oOcg/JJJJZaG8kJoo4dDeMtF7kD12wViTQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
1.448416512e+09
unknown2
AAAABAAAAA0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/owa/o9besAWTTVJKNeyrfOOy2tn-epXE7f
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.0 Safari/537.36 Edg/80.0.361.0
watermark
1359593325

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3618012334-189558363-1282585034-1000\Software\Microsoft\Windows\CurrentVersion\Run\MsWordHostService = "C:\\Users\\Admin\\AppData\\Local\\MsWordHostService\\Note .exe"	svchost.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

Note .exe

pid	process
4864	Note .exe
4864	Note .exe
4864	Note .exe
4864	Note .exe
4864	Note .exe
4864	Note .exe
4864	Note .exe
4864	Note .exe
4864	Note .exe
4864	Note .exe
4864	Note .exe
4864	Note .exe
4864	Note .exe
4864	Note .exe
4864	Note .exe
4864	Note .exe

Suspicious use of UnmapMainImage 3 IoCs

Processes:

svchost.exetaskhostw.exeApplicationFrameHost.exe

pid process

2684 svchost.exe
2888 taskhostw.exe
4592 ApplicationFrameHost.exe

pid	process
2684	svchost.exe
2888	taskhostw.exe
4592	ApplicationFrameHost.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

Note .exe

description	pid	process	target process
PID 4864 wrote to memory of 2684	4864	Note .exe	svchost.exe
PID 4864 wrote to memory of 2888	4864	Note .exe	taskhostw.exe
PID 4864 wrote to memory of 4592	4864	Note .exe	ApplicationFrameHost.exe
PID 4864 wrote to memory of 3768	4864	Note .exe	RuntimeBroker.exe

C:\Windows\system32\ApplicationFrameHost.exe
C:\Windows\system32\ApplicationFrameHost.exe -Embedding
1⤵
- Suspicious use of UnmapMainImage
PID:4592

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3768

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
- Suspicious use of UnmapMainImage
PID:2888

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
- Adds Run key to start application
- Suspicious use of UnmapMainImage
PID:2684

C:\Users\Admin\AppData\Local\Temp\Note .exe
"C:\Users\Admin\AppData\Local\Temp\Note .exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4864

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2684-70-0x00000217C3A70000-0x00000217C3B1A000-memory.dmp

Filesize
680KB

Download
memory/2684-60-0x00007FF90A500000-0x00007FF90A51B000-memory.dmp

Filesize
108KB

Download
memory/2684-81-0x00000217C3A70000-0x00000217C3B47000-memory.dmp

Filesize
860KB

Download
memory/2684-79-0x00000217C3A70000-0x00000217C3B11000-memory.dmp

Filesize
644KB

Download
memory/2684-77-0x00000217C3A70000-0x00000217C3B2F000-memory.dmp

Filesize
764KB

Download
memory/2684-72-0x00000217C3A70000-0x00000217C3BBA000-memory.dmp

Filesize
1.3MB

Download
memory/2684-54-0x00007FF913171000-0x00007FF91327F000-memory.dmp

Filesize
1.1MB

Download
memory/2684-61-0x00007FF90F9C0000-0x00007FF9100B2000-memory.dmp

Filesize
6.9MB

Download
memory/2684-53-0x00007FF8F8B70000-0x00007FF8F8E9E000-memory.dmp

Filesize
3.2MB

Download
memory/2684-59-0x00007FF90F600000-0x00007FF90F615000-memory.dmp

Filesize
84KB

Download
memory/2684-58-0x00007FF9106D0000-0x00007FF910721000-memory.dmp

Filesize
324KB

Download
memory/2684-57-0x00007FF910D90000-0x00007FF9121C7000-memory.dmp

Filesize
20.2MB

Download
memory/2684-56-0x00007FF910381000-0x00007FF910464000-memory.dmp

Filesize
908KB

Download
memory/2684-55-0x00007FF9121D1000-0x00007FF912244000-memory.dmp

Filesize
460KB

Download
memory/2888-130-0x000002B8D5C20000-0x000002B8D5C60000-memory.dmp

Filesize
256KB

Download
memory/4864-13-0x00007FF90F690000-0x00007FF90F819000-memory.dmp

Filesize
1.5MB

Download
memory/4864-15-0x00007FF910CE0000-0x00007FF910D81000-memory.dmp

Filesize
644KB

Download
memory/4864-19-0x00007FF912770000-0x00007FF91280D000-memory.dmp

Filesize
628KB

Download
memory/4864-20-0x00007FF910310000-0x00007FF91037A000-memory.dmp

Filesize
424KB

Download
memory/4864-21-0x00007FF90F820000-0x00007FF90F8BA000-memory.dmp

Filesize
616KB

Download
memory/4864-22-0x00007FF90F600000-0x00007FF90F615000-memory.dmp

Filesize
84KB

Download
memory/4864-23-0x00007FF90F640000-0x00007FF90F68C000-memory.dmp

Filesize
304KB

Download
memory/4864-25-0x00007FF912FE0000-0x00007FF913039000-memory.dmp

Filesize
356KB

Download
memory/4864-24-0x00007FF90A500000-0x00007FF90A51B000-memory.dmp

Filesize
108KB

Download
memory/4864-26-0x00007FF90F9C0000-0x00007FF9100B2000-memory.dmp

Filesize
6.9MB

Download
memory/4864-28-0x00007FF913170000-0x00007FF91334B000-memory.dmp

Filesize
1.9MB

Download
memory/4864-33-0x00007FF90F8C0000-0x00007FF90F9B6000-memory.dmp

Filesize
984KB

Download
memory/4864-45-0x00007FF912770000-0x00007FF91280D000-memory.dmp

Filesize
628KB

Download
memory/4864-17-0x00007FF90F4B0000-0x00007FF90F4D5000-memory.dmp

Filesize
148KB

Download
memory/4864-16-0x00007FF910D90000-0x00007FF9121C7000-memory.dmp

Filesize
20.2MB

Download
memory/4864-18-0x00007FF9106D0000-0x00007FF910721000-memory.dmp

Filesize
324KB

Download
memory/4864-14-0x00007FF912C70000-0x00007FF912C9D000-memory.dmp

Filesize
180KB

Download
memory/4864-1-0x00007FF913170000-0x00007FF91334B000-memory.dmp

Filesize
1.9MB

Download
memory/4864-12-0x00007FF912E10000-0x00007FF912E37000-memory.dmp

Filesize
156KB

Download
memory/4864-11-0x00007FF9102F0000-0x00007FF91030E000-memory.dmp

Filesize
120KB

Download
memory/4864-10-0x00007FF912B20000-0x00007FF912C6A000-memory.dmp

Filesize
1.3MB

Download
memory/4864-8-0x00007FF913040000-0x00007FF913165000-memory.dmp

Filesize
1.1MB

Download
memory/4864-9-0x00007FF912810000-0x00007FF9128BA000-memory.dmp

Filesize
680KB

Download
memory/4864-7-0x00007FF90F8C0000-0x00007FF90F9B6000-memory.dmp

Filesize
984KB

Download
memory/4864-6-0x00007FF912280000-0x00007FF912579000-memory.dmp

Filesize
3.0MB

Download
memory/4864-5-0x00007FF910380000-0x00007FF9105C9000-memory.dmp

Filesize
2.3MB

Download
memory/4864-4-0x00007FF8F8B70000-0x00007FF8F8E9E000-memory.dmp

Filesize
3.2MB

Download
memory/4864-108-0x00007FF913170000-0x00007FF91334B000-memory.dmp

Filesize
1.9MB

Download
memory/4864-3-0x00007FF9121D0000-0x00007FF91227E000-memory.dmp

Filesize
696KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads