cobaltstrike | 09233ec1998287e1addfde586c10fe3493ac90fa51d2bb0ed95a5bf685f258fe

General

Target

Note.iso
Size

2.6MB
MD5

0e5ed33778ee9c020aa067546384abcb
SHA1

fbb482415f5312ed64b3a0ebee7fed5e6610c21a
SHA256

d1455c42553fab54e78c874525c812aaefb1f3cc69f9c314649bd6e4e57b9fa9
SHA512

bc834be05fcd8095e283169397d4deacba3b5cc8dcd41c1ec173fbbe32c52ab1308fb536c0679712c1586b462a628b736b2ea1797bff2133718fd70d55920dfa
SSDEEP

12288:3syCEokhlQEyYVxErQPpQWkxsluNPqrEdrEB:cyCLkByL8pQWTluNCodoB

Score

10^/10

cobaltstrike 1359593325 backdoor persistence trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

1359593325

C2

http://communitypowersports.com:443/owa/L7k2NQpwPNLq4C2dHD6TRv00GCH1axhaWv

Attributes

access_type
512
beacon_type
2048
host
communitypowersports.com,/owa/L7k2NQpwPNLq4C2dHD6TRv00GCH1axhaWv
http_header1
AAAAEAAAAB5Ib3N0OiBjb21tdW5pdHlwb3dlcnNwb3J0cy5jb20AAAAKAAAAC0FjY2VwdDogKi8qAAAACgAAAIFDb29raWU6IE1pY3Jvc29mdEFwcGxpY2F0aW9uc1RlbGVtZXRyeURldmljZUlkPTk1YzE4ZDgtNGRjZTk4NTQ7Q2xpZW50SWQ9MUMwRjZDNUQ5MTBGOTtNU1BBdXRoPTNFa0FqREtqSTt4aWQ9NzMwYmY3O3dsYTQyPVRjbjRneEYAAAAHAAAAAAAAAA0AAAAFAAAAAndhAAAACQAAAA5wYXRoPS9jYWxlbmRhcgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAAEAAAAB5Ib3N0OiBjb21tdW5pdHlwb3dlcnNwb3J0cy5jb20AAAAKAAAAC0FjY2VwdDogKi8qAAAABwAAAAAAAAANAAAAAgAAAAZ3bGE0Mj0AAAACAAAAC3hpZD03MzBiZjc7AAAAAgAAABJNU1BBdXRoPTNFa0FqREtqSTsAAAACAAAAF0NsaWVudElkPTFDMEY2QzVEOTEwRjk7AAAAAgAAADhNaWNyb3NvZnRBcHBsaWNhdGlvbnNUZWxlbWV0cnlEZXZpY2VJZD05NWMxOGQ4LTRkY2U5ODU0OwAAAAYAAAAGQ29va2llAAAABwAAAAEAAAAPAAAADQAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
4608
polling_time
60000
port_number
443
sc_process32
%windir%\syswow64\powercfg.exe
sc_process64
%windir%\sysnative\powercfg.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQChORoRab4XO67pj8I4W5dFIKj5UO6AYl1yopRsh5SeYN9Lp9iGQj0lmOSGykZioM7hXD6GM6XjpjhvS0sUa5/3ApIhS8XosTs2Tk7iHNQJJuFsIIwpWSCHO3GM6HEJxqgeFIRN5UY+oOcg/JJJJZaG8kJoo4dDeMtF7kD12wViTQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
1.448416512e+09
unknown2
AAAABAAAAA0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/owa/o9besAWTTVJKNeyrfOOy2tn-epXE7f
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.0 Safari/537.36 Edg/80.0.361.0
watermark
1359593325

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

taskhostw.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-528036852-1341495193-1175965888-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MsWordHostService = "C:\\Users\\Admin\\AppData\\Local\\MsWordHostService\\Note .exe"	taskhostw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-528036852-1341495193-1175965888-1000_Classes\Local Settings cmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-528036852-1341495193-1175965888-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

Note .exe

pid	process
5116	Note .exe
5116	Note .exe
5116	Note .exe
5116	Note .exe
5116	Note .exe
5116	Note .exe
5116	Note .exe
5116	Note .exe
5116	Note .exe
5116	Note .exe
5116	Note .exe
5116	Note .exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

cmd.exe

description pid process

Token: SeManageVolumePrivilege 3636 cmd.exe
Token: SeManageVolumePrivilege 3636 cmd.exe
Suspicious use of UnmapMainImage 3 IoCs

Processes:

taskhostw.exesvchost.exeRuntimeBroker.exe

pid process

2664 taskhostw.exe
3276 svchost.exe
4804 RuntimeBroker.exe

description	pid	process
Token: SeManageVolumePrivilege	3636	cmd.exe
Token: SeManageVolumePrivilege	3636	cmd.exe

pid	process
2664	taskhostw.exe
3276	svchost.exe
4804	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

Note .exe

description	pid	process	target process
PID 5116 wrote to memory of 2664	5116	Note .exe	taskhostw.exe
PID 5116 wrote to memory of 3276	5116	Note .exe	svchost.exe
PID 5116 wrote to memory of 3772	5116	Note .exe	RuntimeBroker.exe
PID 5116 wrote to memory of 4804	5116	Note .exe	RuntimeBroker.exe
PID 5116 wrote to memory of 2476	5116	Note .exe	svchost.exe

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3772

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of UnmapMainImage
PID:4804

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
- Suspicious use of UnmapMainImage
PID:3276

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
- Adds Run key to start application
- Suspicious use of UnmapMainImage
PID:2664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2476

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Note.iso
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3636

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4856

\??\E:\Note .exe
"E:\Note .exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5116

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2476-464-0x00007FFEEAAC0000-0x00007FFEEAADB000-memory.dmp

Filesize
108KB

Download
memory/2476-457-0x00007FFEFCFE0000-0x00007FFEFD71F000-memory.dmp

Filesize
7.2MB

Download
memory/2476-456-0x000001D735540000-0x000001D735A10000-memory.dmp

Filesize
4.8MB

Download
memory/2476-451-0x000001D735540000-0x000001D735735000-memory.dmp

Filesize
2.0MB

Download
memory/2476-450-0x00007FFEEF9B0000-0x00007FFEEFE80000-memory.dmp

Filesize
4.8MB

Download
memory/2664-34-0x00007FFEEF9B0000-0x00007FFEEFE80000-memory.dmp

Filesize
4.8MB

Download
memory/2664-35-0x00007FFEFCFE0000-0x00007FFEFD71F000-memory.dmp

Filesize
7.2MB

Download
memory/2664-39-0x00007FFEEAAC0000-0x00007FFEEAADB000-memory.dmp

Filesize
108KB

Download
memory/3276-207-0x00000294EADC0000-0x00000294EAE00000-memory.dmp

Filesize
256KB

Download
memory/3276-232-0x00000294EB990000-0x00000294EB9DB000-memory.dmp

Filesize
300KB

Download
memory/3276-105-0x00007FFEEAAC0000-0x00007FFEEAADB000-memory.dmp

Filesize
108KB

Download
memory/3276-102-0x00007FFEFCFE0000-0x00007FFEFD71F000-memory.dmp

Filesize
7.2MB

Download
memory/3276-90-0x00007FFEEF9B0000-0x00007FFEEFE80000-memory.dmp

Filesize
4.8MB

Download
memory/3276-251-0x00000294EADC0000-0x00000294EADC1000-memory.dmp

Filesize
4KB

Download
memory/4804-278-0x00007FFEEAAC0000-0x00007FFEEAADB000-memory.dmp

Filesize
108KB

Download
memory/5116-8-0x00007FFEFCAA0000-0x00007FFEFCACB000-memory.dmp

Filesize
172KB

Download
memory/5116-11-0x00007FFEFCD10000-0x00007FFEFCDBC000-memory.dmp

Filesize
688KB

Download
memory/5116-17-0x00007FFEFD7F0000-0x00007FFEFD9E5000-memory.dmp

Filesize
2.0MB

Download
memory/5116-21-0x00007FFEFB150000-0x00007FFEFB250000-memory.dmp

Filesize
1024KB

Download
memory/5116-30-0x00007FFEFC050000-0x00007FFEFC0EE000-memory.dmp

Filesize
632KB

Download
memory/5116-15-0x00007FFEEAAC0000-0x00007FFEEAADB000-memory.dmp

Filesize
108KB

Download
memory/5116-14-0x00007FFEFB5B0000-0x00007FFEFB64D000-memory.dmp

Filesize
628KB

Download
memory/5116-13-0x00007FFEFC050000-0x00007FFEFC0EE000-memory.dmp

Filesize
632KB

Download
memory/5116-12-0x00007FFEFCFE0000-0x00007FFEFD71F000-memory.dmp

Filesize
7.2MB

Download
memory/5116-16-0x00007FFEFBD40000-0x00007FFEFBDDB000-memory.dmp

Filesize
620KB

Download
memory/5116-10-0x00007FFEFD720000-0x00007FFEFD750000-memory.dmp

Filesize
192KB

Download
memory/5116-9-0x00007FFEFB010000-0x00007FFEFB11B000-memory.dmp

Filesize
1.0MB

Download
memory/5116-0-0x00007FFEFD7F0000-0x00007FFEFD9E5000-memory.dmp

Filesize
2.0MB

Download
memory/5116-7-0x00007FFEFB120000-0x00007FFEFB142000-memory.dmp

Filesize
136KB

Download
memory/5116-6-0x00007FFEFC800000-0x00007FFEFC9A1000-memory.dmp

Filesize
1.6MB

Download
memory/5116-5-0x00007FFEFBF20000-0x00007FFEFC04A000-memory.dmp

Filesize
1.2MB

Download
memory/5116-4-0x00007FFEFB150000-0x00007FFEFB250000-memory.dmp

Filesize
1024KB

Download
memory/5116-3-0x00007FFEFB2E0000-0x00007FFEFB5A9000-memory.dmp

Filesize
2.8MB

Download
memory/5116-2-0x00007FFEEF9B0000-0x00007FFEEFE80000-memory.dmp

Filesize
4.8MB

Download
memory/5116-1-0x00007FFEFCE50000-0x00007FFEFCF0E000-memory.dmp

Filesize
760KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads