Overview

overview

10

Static

static

7

CobaltStri...on.exe

windows10-1703-x64

10

Analysis

  • max time kernel
    60s
  • max time network
    50s
  • platform
    windows10-1703_x64
  • resource
    win10-20231023-en
  • resource tags

    arch:x64arch:x86image:win10-20231023-enlocale:en-usos:windows10-1703-x64system
  • submitted
    04-11-2023 12:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    CobaltStrikeBeacon.exe

  • Size

    283KB

  • MD5

    a62d5c8ef4d626febfcd2c00898c6c27

  • SHA1

    854e020efefbf393e04d897b6b0b83ef92fd2db8

  • SHA256

    5f37b85687780c089607670040dbb3da2749b91b8adc0aa411fd6280b5fa7103

  • SHA512

    3a35487449b985f338473866da4308de760bdd3f52934e786dd28fb0030898a98000c0538159c8e2cb0ac54cda04fd9a73d7dfd1bcfc60be1c397c42730cd6da

  • SSDEEP

    6144:guH8asY3G/Mzhc/Ly9iB036PQ3ouBIkBZ8dRaBvvQD:gz1aG/L/O53jBZcGvvQD

Score
10/10
cobaltstrike1580103824backdoortrojanupx

Malware Config

Extracted

Family

cobaltstrike

Botnet

1580103824

C2

http://109.206.243.59:443/Enable/1998/BPYMMENCN

Attributes
  • access_type

    512

  • beacon_type

    2048

  • host

    109.206.243.59,/Enable/1998/BPYMMENCN

  • http_header1

    AAAACgAAACxBY2NlcHQ6IGltYWdlLyosIHRleHQvaHRtbCwgYXBwbGljYXRpb24vanNvbgAAAAoAAAATQWNjZXB0LUxhbmd1YWdlOiB1awAAAAoAAAAjQWNjZXB0LUVuY29kaW5nOiBpZGVudGl0eSwgY29tcHJlc3MAAAAHAAAAAAAAAA8AAAANAAAAAgAAAAZfQU9pZD0AAAAGAAAABkNvb2tpZQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_header2

    AAAACgAAACtBY2NlcHQ6IGFwcGxpY2F0aW9uL3htbCwgaW1hZ2UvKiwgdGV4dC9odG1sAAAACgAAABZBY2NlcHQtTGFuZ3VhZ2U6IGVuLXphAAAACgAAAB1BY2NlcHQtRW5jb2Rpbmc6IGlkZW50aXR5LCBicgAAAAcAAAAAAAAADwAAAA0AAAAFAAAACV9WR0tDR0FHRAAAAAcAAAABAAAADwAAAAgAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_method1

    GET

  • http_method2

    POST

  • jitter

    8448

  • polling_time

    92081

  • port_number

    443

  • sc_process32

    %windir%\syswow64\w32tm.exe

  • sc_process64

    %windir%\sysnative\systray.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCDjafSAG/t5AV7MoJ0+yfqNVP8VKHTcWG23Xwqeq+bC34ftgavpOGxc90RaJYkBZQfMrMG2vVGWBcJjYS9OpN0RgqnTKV7X386f0joSLS9E/wKAP7GwQKUwjE7xZVlzelWDQBRq7/OaBXAF405hSi4eRWAuEIZeAWk8/irwifE5wIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    2.589791488e+09

  • unknown2

    AAAABAAAAAEAAASeAAAAAgAAA6EAAAANAAAADwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /Link/configs/Y8JEK5UPLWVZ

  • user_agent

    Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.154 Safari/537.36

  • watermark

    1580103824

Signatures

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

    trojanbackdoorcobaltstrike
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
    adwarespyware
  • Modifies registry class 12 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 61 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\CobaltStrikeBeacon.exe
    "C:\Users\Admin\AppData\Local\Temp\CobaltStrikeBeacon.exe"
    1⤵
      PID:4432
    • C:\Windows\system32\mspaint.exe
      "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\DebugFormat.jpeg" /ForceBootstrapPaint3D
      1⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:5020
    • C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe
      "C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe" -ServerName:Microsoft.MSPaint.AppX437q68k2qc2asvaagas2prv9tjej6ja9.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:5072

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\Projects.json
      Filesize

      2B

      MD5

      d751713988987e9331980363e24189ce

      SHA1

      97d170e1550eee4afc0af065b78cda302a97674c

      SHA256

      4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

      SHA512

      b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

      Download Submit
    • C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\Projects.json
      Filesize

      233B

      MD5

      d30a84cada61d8009ef38c7489fe1917

      SHA1

      68c86234b772bc2abe2e1b184ad43fc64e08ea36

      SHA256

      e7ffc31cce036c81e32156df3001736174be98d133fd705d86b57cc640639d7a

      SHA512

      3d1796e469e884be1fdc148a08ef76e77ea3f4ca6f44822e998eae983cceb93e90c38e5378af956c1086bfad91a51d1555ce920fb202ccacdacf0b3c4187eba8

      Download Submit
    • C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\cloudCommunitySettings.json
      Filesize

      2KB

      MD5

      404a3ec24e3ebf45be65e77f75990825

      SHA1

      1e05647cf0a74cedfdeabfa3e8ee33b919780a61

      SHA256

      cc45905af3aaa62601a69c748a06a2fa48eca3b28d44d8ec18764a7e8e4c3da2

      SHA512

      a55382b72267375821b0a229d3529ed54cef0f295f550d1e95661bafccec606aa1cd72e059d37d78e7d2927ae72e2919941251d233152f5eeb32ffdfc96023e5

      Download Submit
    • memory/4432-0-0x00007FF66BB40000-0x00007FF66BE19000-memory.dmp
      Filesize

      2.8MB

      Download
    • memory/4432-1-0x0000023CB8470000-0x0000023CB8570000-memory.dmp
      Filesize

      1024KB

      Download
    • memory/4432-3-0x0000023CB6B40000-0x0000023CB6BC8000-memory.dmp
      Filesize

      544KB

      Download
    • memory/4432-4-0x0000023CB6B40000-0x0000023CB6BC8000-memory.dmp
      Filesize

      544KB

      Download
    • memory/4432-5-0x00007FF66BB40000-0x00007FF66BE19000-memory.dmp
      Filesize

      2.8MB

      Download