cobaltstrike | 03ccd9ab1ff49b374c233aa89e45b683cbf3b7ee87b3a257421c4e541330ae3e

General

Target

03ccd9ab1ff49b374c233aa89e45b683cbf3b7ee87b3a257421c4e541330ae3e.exe
Size

5.6MB
MD5

2e73b0ade618cdc967165d1310eec29c
SHA1

b56638a0e6d46f29bb32bcd5274bb9c8d58b56d8
SHA256

03ccd9ab1ff49b374c233aa89e45b683cbf3b7ee87b3a257421c4e541330ae3e
SHA512

264aea5bff72ca246f1b0b5219220a215aa5bbcc0efd716bc65c7c642702050ef87d50c39cf8479a28dfdc4e04624e5c365a7c01791dcfd18f3c8e8d6e5debbb
SSDEEP

98304:XMWfDc9W4i3yiI7HuSjOCf6xD/RRI+iZ7q1zPPXNAjtVa/u:UruyiYHs1xlRI+7NAjtVa/u

Score

10^/10

cobaltstrike 0 666666 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

666666

C2

http://css.bustring.com:443/safebrowsing/QVXHQf/QVXHQfXdpinARC06MctcJ4hprcWoBIZaDp2-M

Attributes

access_type
512
beacon_type
2048
host
css.bustring.com,/safebrowsing/QVXHQf/QVXHQfXdpinARC06MctcJ4hprcWoBIZaDp2-M
http_header1
AAAAEAAAAB5Ib3N0OiBhcGkuYWN0aXZlLW1pY3Jvc29mdC5jb20AAAAKAAAAR0FjY2VwdDogdGV4dC9odG1sLGFwcGxpY2F0aW9uL3hodG1sK3htbCxhcHBsaWNhdGlvbi94bWw7cT0wLjksKi8qO3E9MC44AAAACgAAAB9BY2NlcHQtTGFuZ3VhZ2U6IGVuLVVTLGVuO3E9MC41AAAABwAAAAAAAAALAAAAAgAAAA9SRUY9SUQ9UVZYSFFmeWYAAAAGAAAABkNvb2tpZQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAAEAAAAB5Ib3N0OiBhcGkuYWN0aXZlLW1pY3Jvc29mdC5jb20AAAAKAAAAR0FjY2VwdDogdGV4dC9odG1sLGFwcGxpY2F0aW9uL3hodG1sK3htbCxhcHBsaWNhdGlvbi94bWw7cT0wLjksKi8qO3E9MC44AAAACgAAAB9BY2NlcHQtTGFuZ3VhZ2U6IGVuLVVTLGVuO3E9MC41AAAABwAAAAAAAAALAAAAAgAAAA9SRUY9SUQ9UVZYSFFmeWYAAAAGAAAABkNvb2tpZQAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
5120
polling_time
30000
port_number
443
sc_process32
%windir%\syswow64\gpupdate.exe
sc_process64
%windir%\sysnative\gpupdate.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCZFVu69HEHoxtabkylaXLTONOa7sbbaTxinK8LCf7IOw6k9xtHahhn/phltzTgYu9ZYS1ugMrlB8Ik2/F8CTX+o5xgIQJU6is7Dj7ggXGamS89VZdp9f5U58EGa97acrc6Ga9zXeW/q1HBFfSnEuEt7SlJlVZOTgNldOiN5zpXTQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/safebrowsing/QVXHQf/QVXHQfyfH5BrChprcWoBIZaDp2-M
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3943.0 Safari/537.36 Edg/79.0.308.1
watermark
666666

Extracted

Family

cobaltstrike

Botnet

0

Attributes

watermark
0

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Executes dropped EXE 1 IoCs

pid	Process
2188	dmws.exe

Loads dropped DLL 1 IoCs

pid	Process
1696	03ccd9ab1ff49b374c233aa89e45b683cbf3b7ee87b3a257421c4e541330ae3e.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1696	03ccd9ab1ff49b374c233aa89e45b683cbf3b7ee87b3a257421c4e541330ae3e.exe
1696	03ccd9ab1ff49b374c233aa89e45b683cbf3b7ee87b3a257421c4e541330ae3e.exe
2188	dmws.exe
2188	dmws.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1696 wrote to memory of 2188	1696	03ccd9ab1ff49b374c233aa89e45b683cbf3b7ee87b3a257421c4e541330ae3e.exe	28
PID 1696 wrote to memory of 2188	1696	03ccd9ab1ff49b374c233aa89e45b683cbf3b7ee87b3a257421c4e541330ae3e.exe	28
PID 1696 wrote to memory of 2188	1696	03ccd9ab1ff49b374c233aa89e45b683cbf3b7ee87b3a257421c4e541330ae3e.exe	28

C:\Users\Admin\AppData\Local\Temp\03ccd9ab1ff49b374c233aa89e45b683cbf3b7ee87b3a257421c4e541330ae3e.exe
"C:\Users\Admin\AppData\Local\Temp\03ccd9ab1ff49b374c233aa89e45b683cbf3b7ee87b3a257421c4e541330ae3e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1696
- C:\Users\Public\dmws.exe
  C:\Users\Public
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2188

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\dmws.exe

Filesize
5.6MB

MD5
2e73b0ade618cdc967165d1310eec29c

SHA1
b56638a0e6d46f29bb32bcd5274bb9c8d58b56d8

SHA256
03ccd9ab1ff49b374c233aa89e45b683cbf3b7ee87b3a257421c4e541330ae3e

SHA512
264aea5bff72ca246f1b0b5219220a215aa5bbcc0efd716bc65c7c642702050ef87d50c39cf8479a28dfdc4e04624e5c365a7c01791dcfd18f3c8e8d6e5debbb

Download Submit
\Users\Public\dmws.exe

Filesize
5.6MB

MD5
2e73b0ade618cdc967165d1310eec29c

SHA1
b56638a0e6d46f29bb32bcd5274bb9c8d58b56d8

SHA256
03ccd9ab1ff49b374c233aa89e45b683cbf3b7ee87b3a257421c4e541330ae3e

SHA512
264aea5bff72ca246f1b0b5219220a215aa5bbcc0efd716bc65c7c642702050ef87d50c39cf8479a28dfdc4e04624e5c365a7c01791dcfd18f3c8e8d6e5debbb

Download Submit
memory/2188-5-0x000007FEFDB60000-0x000007FEFDBCC000-memory.dmp

Filesize
432KB

Download
memory/2188-4-0x000007FEBDB50000-0x000007FEBDB60000-memory.dmp

Filesize
64KB

Download
memory/2188-6-0x000007FEFDB60000-0x000007FEFDBCC000-memory.dmp

Filesize
432KB

Download
memory/2188-7-0x00000000030C0000-0x000000000322C000-memory.dmp

Filesize
1.4MB

Download
memory/2188-8-0x000007FEFDB60000-0x000007FEFDBCC000-memory.dmp

Filesize
432KB

Download
memory/2188-9-0x00000000030C0000-0x000000000322C000-memory.dmp

Filesize
1.4MB

Download
memory/2188-11-0x00000000030C0000-0x000000000322C000-memory.dmp

Filesize
1.4MB

Download
memory/2188-12-0x00000000030C0000-0x000000000322C000-memory.dmp

Filesize
1.4MB

Download
memory/2188-14-0x00000000030C0000-0x000000000322C000-memory.dmp

Filesize
1.4MB

Download
memory/2188-16-0x00000000030C0000-0x000000000322C000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads