cobaltstrike | 53e261a0864645574be944e7530dee005c6a38dd22d8595aab52959e783385fe

General

Target

绩效考核整改意见/绩效考核整改意见.docx.lnk
Size

809B
MD5

2cec819246244026af2dd3fdcee0b02d
SHA1

0ae1cce41ecd481a97450de5628c1bba0785b94e
SHA256

550c62c18cc9ec6dbd12d1d81e0c5b15b9b3c46d93da23ed518af1e237389364
SHA512

4614d0a99680f414f87ad0a9625b4f901ab961f203d5782b8753389a82f4886a2de73ca45007ee7ad970dd203c1c1ccdf09219963f58ae8558a6f31bee2ca7c0

Score

10^/10

cobaltstrike 100000 backdoor bootkit evasion persistence trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

100000

C2

http://home.firefoxchina.cn:80/audiencemanager.js

Attributes

access_type
512
host
home.firefoxchina.cn,/audiencemanager.js
http_header1
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAABAAAAAaSG9zdDogc3RhdGljLm1pY3Jvc29mdC5jb20AAAAKAAAAJlJlZmVyZXI6IGh0dHBzOi8vc3RhdGljLm1pY3Jvc29mdC5jb20vAAAACgAAAB5BY2NlcHQtRW5jb2Rpbmc6IGd6aXAsIGRlZmxhdGUAAAAHAAAAAAAAAA0AAAACAAAACF9fbXMtY3Y9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAABAAAAAVSG9zdDogY2RuLmJvb3Rjc3MuY29tAAAACgAAACBSZWZlcmVyOiBodHRwOi8vY2RuLmJvb3Rjc3MuY29tLwAAAAoAAAAeQWNjZXB0LUVuY29kaW5nOiBnemlwLCBkZWZsYXRlAAAABwAAAAAAAAANAAAABQAAAAdfX21zLWN2AAAABwAAAAEAAAANAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
9472
polling_time
30000
port_number
80
sc_process32
%windir%\syswow64\runonce.exe
sc_process64
%windir%\sysnative\runonce.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCTgtebe0cm7Pcf5k+pJW3oVOtEFdoncgt1GOki7jIZvJzh8gS6c2+z7OnS8tKIifIFd5/wXKn6x8l+/8edmBrk9bAeXpGOAJROS9Vcndwj6au5cO1RsbDAXpv39Pd4XPNRxFGinglpSmd8/s+FiTomD2du2byaq7Ngsd/a+taTcwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
1.435374848e+09
unknown2
AAAABAAAAAEAAAf+AAAAAgAAIUwAAAACAAAPtQAAAA0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/audiencemanager-v2.js
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4044.62 Safari/537.36
watermark
100000

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

ds.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ ds.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ds.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ds.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ds.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ds.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

cmd.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation cmd.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

ds.exe

description ioc process

File opened for modification \??\PhysicalDrive0 ds.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

ds.exe

pid process

4296 ds.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	cmd.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	ds.exe

pid	process
4296	ds.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

cmd.exeexplorer.exe

description	pid	process	target process
PID 4496 wrote to memory of 2924	4496	cmd.exe	explorer.exe
PID 4496 wrote to memory of 2924	4496	cmd.exe	explorer.exe
PID 2968 wrote to memory of 4296	2968	explorer.exe	ds.exe
PID 2968 wrote to memory of 4296	2968	explorer.exe	ds.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\绩效考核整改意见\绩效考核整改意见.docx.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4496
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe" ".\其他信息\.__MACOS__\.__MACOS__\._MACOS_\ds.exe"
  2⤵
  PID:2924

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:2968
- C:\Users\Admin\AppData\Local\Temp\绩效考核整改意见\其他信息\.__MACOS__\.__MACOS__\._MACOS_\ds.exe
  "C:\Users\Admin\AppData\Local\Temp\绩效考核整改意见\其他信息\.__MACOS__\.__MACOS__\._MACOS_\ds.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:4296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

3

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4296-0-0x00007FFA40540000-0x00007FFA410AA000-memory.dmp

Filesize
11.4MB

Download
memory/4296-1-0x00007FFA5E810000-0x00007FFA5EA05000-memory.dmp

Filesize
2.0MB

Download
memory/4296-3-0x00007FFA40540000-0x00007FFA410AA000-memory.dmp

Filesize
11.4MB

Download
memory/4296-4-0x00007FFA40540000-0x00007FFA410AA000-memory.dmp

Filesize
11.4MB

Download
memory/4296-5-0x00007FFA40540000-0x00007FFA410AA000-memory.dmp

Filesize
11.4MB

Download
memory/4296-6-0x00007FFA40540000-0x00007FFA410AA000-memory.dmp

Filesize
11.4MB

Download
memory/4296-7-0x00007FFA40540000-0x00007FFA410AA000-memory.dmp

Filesize
11.4MB

Download
memory/4296-8-0x0000027F6AF60000-0x0000027F6AFA1000-memory.dmp

Filesize
260KB

Download
memory/4296-9-0x00007FF742EC0000-0x00007FF74356E000-memory.dmp

Filesize
6.7MB

Download
memory/4296-10-0x00007FFA40540000-0x00007FFA410AA000-memory.dmp

Filesize
11.4MB

Download
memory/4296-11-0x00007FFA5E810000-0x00007FFA5EA05000-memory.dmp

Filesize
2.0MB

Download
memory/4296-23-0x00007FFA40540000-0x00007FFA410AA000-memory.dmp

Filesize
11.4MB

Download
memory/4296-24-0x00007FFA40540000-0x00007FFA410AA000-memory.dmp

Filesize
11.4MB

Download

Analysis

Sharing