cobaltstrike | 470fa92d98853148ff13c260aa181b648744c5995b4e2c9314e342b6523ed104

Analysis

max time kernel
142s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
10-09-2023 14:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

火绒网络连接查询.exe
Size

2.6MB
MD5

6778f3dced1c151403900b0476611639
SHA1

9b60b0601e269628115ea851cd09e1f79c7b0bdb
SHA256

8debfe89f386834fc0553e65c3b827fc15bb96fc0c329058f818fe0db48dc624
SHA512

15187f442a7814af816d5d8aee6f663cf2fa006705dd4ebdb3a960d83065ebc1870370074f8168a9c65f5ca970c57b525ea5aa0462627d8e1d0454f457b3e72d
SSDEEP

49152:SFXWYr6RKkRu97UW+OSmdjlTCTYaBDV2VO:MXV+DOS5P2VO

Score

10^/10

cobaltstrike 391144938 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

391144938

http://38.147.172.99:443/load

http://103.214.168.86:443/ga.js

http://45.136.14.166:443/match

http://38.147.172.99:443/activity

http://134.122.167.72:443/visit.js

Attributes

access_type
512
beacon_type
2048
host
38.147.172.99,/load,103.214.168.86,/ga.js,45.136.14.166,/match,38.147.172.99,/activity,134.122.167.72,/visit.js
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQWNjZXB0LUxhbmd1YWdlOiBlbi11cwAAAAoAAAAbQWNjZXB0LUVuY29kaW5nOiB0ZXh0L3BsYWluAAAACgAAAC9Db250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL3gtd3d3LWZvcm0tdXJsdHJ5dHJ5ZAAAAAcAAAAAAAAAAwAAAAIAAAAiU0VTU0lPTklEPXdxZTQ1NHdxZTJkczE1ZHM0ZHNhNWRzNAAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQWNjZXB0LUxhbmd1YWdlOiBlbi11cwAAAAoAAAAbQWNjZXB0LUVuY29kaW5nOiB0ZXh0L3BsYWluAAAACgAAAC9Db250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL3gtd3d3LWZvcm0tdXJsdHJ5dHJ5ZAAAAAcAAAAAAAAAAwAAAAIAAAAjSlNFU1NJT049ZHNmNXNkNGY1ZTQ1ZmU0czY1ZDRmODU2ZTQAAAAGAAAABkNvb2tpZQAAAAcAAAABAAAAAwAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
5120
polling_time
3000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrLkw0kvfeugTUz0AmoVb/lE4jBMEVXSscLbqsILbLQbt0gXKVpDLWmw8u+ySk1wMPysDZiC7DSLdNEhH1tUiRNZfcKoe+OYofwP8EB7AJYsu1JZzVq3wlAzazE2wGXQqZNPPrdYvJUpVw7TijKATT9RT+Pk1mxbYYZqIhx+8TpwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
1.481970944e+09
unknown2
AAAABAAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/index.php
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
watermark
391144938

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

cmd.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\Control Panel\International\Geo\Nation cmd.exe
Executes dropped EXE 1 IoCs

Processes:

360se.exe

pid process

4784 360se.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\Control Panel\International\Geo\Nation	cmd.exe

pid	process
4784	360se.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\Local Settings cmd.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

3724 WINWORD.EXE
3724 WINWORD.EXE
Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

WINWORD.EXE

pid process

3724 WINWORD.EXE
3724 WINWORD.EXE
3724 WINWORD.EXE
3724 WINWORD.EXE
3724 WINWORD.EXE
3724 WINWORD.EXE
3724 WINWORD.EXE
3724 WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\Local Settings	cmd.exe

pid	process
3724	WINWORD.EXE
3724	WINWORD.EXE

pid	process
3724	WINWORD.EXE
3724	WINWORD.EXE
3724	WINWORD.EXE
3724	WINWORD.EXE
3724	WINWORD.EXE
3724	WINWORD.EXE
3724	WINWORD.EXE
3724	WINWORD.EXE

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

火绒网络连接查询.execmd.execmd.exe

description	pid	process	target process
PID 4628 wrote to memory of 1776	4628	火绒网络连接查询.exe	cmd.exe
PID 4628 wrote to memory of 1776	4628	火绒网络连接查询.exe	cmd.exe
PID 4628 wrote to memory of 3976	4628	火绒网络连接查询.exe	cmd.exe
PID 4628 wrote to memory of 3976	4628	火绒网络连接查询.exe	cmd.exe
PID 4628 wrote to memory of 2360	4628	火绒网络连接查询.exe	cmd.exe
PID 4628 wrote to memory of 2360	4628	火绒网络连接查询.exe	cmd.exe
PID 2360 wrote to memory of 4784	2360	cmd.exe	360se.exe
PID 2360 wrote to memory of 4784	2360	cmd.exe	360se.exe
PID 1776 wrote to memory of 3724	1776	cmd.exe	WINWORD.EXE
PID 1776 wrote to memory of 3724	1776	cmd.exe	WINWORD.EXE

C:\Users\Admin\AppData\Local\Temp\火绒网络连接查询.exe
"C:\Users\Admin\AppData\Local\Temp\火绒网络连接查询.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4628

C:\Windows\system32\cmd.exe
"cmd" /c netstat.docx
2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1776

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\netstat.docx" /o ""
3⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3724

C:\Windows\system32\cmd.exe
"cmd" /c "start C:\Users\Admin\360se.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2360

C:\Users\Admin\360se.exe
C:\Users\Admin\360se.exe
3⤵
- Executes dropped EXE
PID:4784

C:\Windows\system32\cmd.exe
"cmd" /c "del netstat.exe"
2⤵
PID:3976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\360se.exe
Filesize
2.2MB

MD5
d23ce0c784f1ca562a627d24c972d807

SHA1
b2b6fb09a97151192c21476c34fb793db4082200

SHA256
32a48bda3e80e47f46631c4be830b61fc0a28ca2534e0a526891506244367420

SHA512
90a1908b0c7aa7c838f0f813ae01532f24abdd612ea31c0dc54da3406379341d0878831c1f1b8456378065858b9771d85752a3d2ff07f954dfdf99617925547b

Download Submit
C:\Users\Admin\360se.exe
Filesize
2.2MB

MD5
d23ce0c784f1ca562a627d24c972d807

SHA1
b2b6fb09a97151192c21476c34fb793db4082200

SHA256
32a48bda3e80e47f46631c4be830b61fc0a28ca2534e0a526891506244367420

SHA512
90a1908b0c7aa7c838f0f813ae01532f24abdd612ea31c0dc54da3406379341d0878831c1f1b8456378065858b9771d85752a3d2ff07f954dfdf99617925547b

Download Submit
C:\Users\Admin\AppData\Local\Temp\netstat.docx
Filesize
11KB

MD5
591b8a7f1ecf457fae222c62d4a885fe

SHA1
cf5492e70dedc3e04c04d9726f1e9d297f8bd1c4

SHA256
f2258c40af6cddbe7a388157c9938e09d0ef3ae5cd89aa33c153c83cdc999eb2

SHA512
24ebfa7fadff368be89eb00af64d308675032c4f701a4ba38398aa2db139fb5d969f6bd056daa8335b79f54874a7b60a74ba38815c2b53229e28361a0cb1e02c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/3724-24-0x00007FFC91AF0000-0x00007FFC91CE5000-memory.dmp

Filesize
2.0MB

Download
memory/3724-12-0x00007FFC91AF0000-0x00007FFC91CE5000-memory.dmp

Filesize
2.0MB

Download
memory/3724-9-0x00007FFC91AF0000-0x00007FFC91CE5000-memory.dmp

Filesize
2.0MB

Download
memory/3724-25-0x00007FFC91AF0000-0x00007FFC91CE5000-memory.dmp

Filesize
2.0MB

Download
memory/3724-11-0x00007FFC51B70000-0x00007FFC51B80000-memory.dmp

Filesize
64KB

Download
memory/3724-14-0x00007FFC91AF0000-0x00007FFC91CE5000-memory.dmp

Filesize
2.0MB

Download
memory/3724-13-0x00007FFC51B70000-0x00007FFC51B80000-memory.dmp

Filesize
64KB

Download
memory/3724-15-0x00007FFC91AF0000-0x00007FFC91CE5000-memory.dmp

Filesize
2.0MB

Download
memory/3724-16-0x00007FFC91AF0000-0x00007FFC91CE5000-memory.dmp

Filesize
2.0MB

Download
memory/3724-17-0x00007FFC91AF0000-0x00007FFC91CE5000-memory.dmp

Filesize
2.0MB

Download
memory/3724-18-0x00007FFC91AF0000-0x00007FFC91CE5000-memory.dmp

Filesize
2.0MB

Download
memory/3724-19-0x00007FFC91AF0000-0x00007FFC91CE5000-memory.dmp

Filesize
2.0MB

Download
memory/3724-20-0x00007FFC91AF0000-0x00007FFC91CE5000-memory.dmp

Filesize
2.0MB

Download
memory/3724-21-0x00007FFC91AF0000-0x00007FFC91CE5000-memory.dmp

Filesize
2.0MB

Download
memory/3724-22-0x00007FFC4FAE0000-0x00007FFC4FAF0000-memory.dmp

Filesize
64KB

Download
memory/3724-23-0x00007FFC91AF0000-0x00007FFC91CE5000-memory.dmp

Filesize
2.0MB

Download
memory/3724-10-0x00007FFC51B70000-0x00007FFC51B80000-memory.dmp

Filesize
64KB

Download
memory/3724-26-0x00007FFC4FAE0000-0x00007FFC4FAF0000-memory.dmp

Filesize
64KB

Download
memory/3724-8-0x00007FFC51B70000-0x00007FFC51B80000-memory.dmp

Filesize
64KB

Download
memory/3724-91-0x00007FFC91AF0000-0x00007FFC91CE5000-memory.dmp

Filesize
2.0MB

Download
memory/3724-90-0x00007FFC91AF0000-0x00007FFC91CE5000-memory.dmp

Filesize
2.0MB

Download
memory/3724-88-0x00007FFC51B70000-0x00007FFC51B80000-memory.dmp

Filesize
64KB

Download
memory/3724-7-0x00007FFC51B70000-0x00007FFC51B80000-memory.dmp

Filesize
64KB

Download
memory/3724-42-0x00007FFC91AF0000-0x00007FFC91CE5000-memory.dmp

Filesize
2.0MB

Download
memory/3724-43-0x00007FFC91AF0000-0x00007FFC91CE5000-memory.dmp

Filesize
2.0MB

Download
memory/3724-53-0x00007FFC91AF0000-0x00007FFC91CE5000-memory.dmp

Filesize
2.0MB

Download
memory/3724-89-0x00007FFC91AF0000-0x00007FFC91CE5000-memory.dmp

Filesize
2.0MB

Download
memory/3724-87-0x00007FFC51B70000-0x00007FFC51B80000-memory.dmp

Filesize
64KB

Download
memory/3724-86-0x00007FFC51B70000-0x00007FFC51B80000-memory.dmp

Filesize
64KB

Download
memory/3724-85-0x00007FFC51B70000-0x00007FFC51B80000-memory.dmp

Filesize
64KB

Download
memory/4784-61-0x0000021C3A2C0000-0x0000021C3A2C2000-memory.dmp

Filesize
8KB

Download
memory/4784-60-0x0000021C3C1E0000-0x0000021C3C5E0000-memory.dmp

Filesize
4.0MB

Download
memory/4784-57-0x0000021C3BFA0000-0x0000021C3BFB0000-memory.dmp

Filesize
64KB

Download
memory/4784-34-0x0000021C3C1E0000-0x0000021C3C5E0000-memory.dmp

Filesize
4.0MB

Download
memory/4784-33-0x0000021C3A250000-0x0000021C3A2A2000-memory.dmp

Filesize
328KB

Download
memory/4784-30-0x0000021C3BFA0000-0x0000021C3BFB0000-memory.dmp

Filesize
64KB

Download