cobaltstrike | b6fbd300520e46f761b778cfc7595b43db385c79a1d7e4c4ce40e782f78a1c01

Analysis

max time kernel
149s
max time network
155s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
16-11-2023 07:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

李志-账号密码记录-解压密码-20231116.exe
Size

13.4MB
MD5

2c8fb8705dbce5899bf596163a9b077a
SHA1

7233623d12b409760193c0be6fbb4b330fc74788
SHA256

ec799e2ed133c709d9eb321b3876c8c3167314ff14ea407f2bffea51322e1ad3
SHA512

22a63989d76dfc48c59f91196759b724ec7ff50bd41f61f5a590381e1563cc1059003e4087a6d65bcd95d50cc3991364d255343658b074193fcc8a949df21f40
SSDEEP

98304:83Xn/gtuU2ICoM6f465FjjnrZ/cfMKpSw6Z5Vc1EboPkywplb:MX/gtuU2IY6PBcfMbN5VcGbo8Z

Score

10^/10

cobaltstrike 100000 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

100000

http://service-ho26i50l-1306669097.bj.apigw.tencentcs.com:443/assets/code-3d7b701fc6eb.css

Attributes

access_type
512
beacon_type
2048
host
service-ho26i50l-1306669097.bj.apigw.tencentcs.com,/assets/code-3d7b701fc6eb.css
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAeQ29udGVudC1MYW5ndWFnZTogZGUtREUsIGVuLUNBAAAABwAAAAAAAAADAAAAAgAAAApTRVNTSU9OSUQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAeQ29udGVudC1MYW5ndWFnZTogZGUtREUsIGVuLUNBAAAABwAAAAAAAAADAAAAAgAAAAlKU0VTU0lPTj0AAAAGAAAABkNvb2tpZQAAAAcAAAABAAAAAwAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
2560
polling_time
5
port_number
443
sc_process32
%windir%\syswow64\esentutl.exe
sc_process64
%windir%\sysnative\esentutl.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCAjLA3M+TgpQGM45UvhVjbFFxsA/w5baPizJxsN/CASGrNAwDXLRXCu1MHpgNtbbHqHlkqnavFZUT71H1FIeyPxKQz+0CqnrBJuFWXSGn0QTBxjYUUhx2aAcf7BqeLzQ1OgbOg/SahLDHGR6G5XRXQLVj8zXEUj/+3/46p0MqHXwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
2.702512128e+09
unknown2
AAAABAAAAAEAAAXyAAAAAgAAAFQAAAACAAAPWwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/qiyi
user_agent
Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/5.0)
watermark
100000

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Executes dropped EXE 2 IoCs

Processes:

win.exe

pid process

1944 win.exe
1224
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

2356 cmd.exe
1224

pid	process
1944	win.exe
1224

pid	process
2356	cmd.exe
1224

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

win.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	win.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	win.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

李志-账号密码记录-解压密码-20231116.exe

pid process

2984 李志-账号密码记录-解压密码-20231116.exe

pid	process
2984	李志-账号密码记录-解压密码-20231116.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

李志-账号密码记录-解压密码-20231116.execmd.exe

description	pid	process	target process
PID 2984 wrote to memory of 2356	2984	李志-账号密码记录-解压密码-20231116.exe	cmd.exe
PID 2984 wrote to memory of 2356	2984	李志-账号密码记录-解压密码-20231116.exe	cmd.exe
PID 2984 wrote to memory of 2356	2984	李志-账号密码记录-解压密码-20231116.exe	cmd.exe
PID 2356 wrote to memory of 1944	2356	cmd.exe	win.exe
PID 2356 wrote to memory of 1944	2356	cmd.exe	win.exe
PID 2356 wrote to memory of 1944	2356	cmd.exe	win.exe

C:\Users\Admin\AppData\Local\Temp\李志-账号密码记录-解压密码-20231116.exe
"C:\Users\Admin\AppData\Local\Temp\李志-账号密码记录-解压密码-20231116.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2984

C:\Windows\system32\cmd.exe
cmd /c start C:\ProgramData\win.exe
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2356

C:\ProgramData\win.exe
C:\ProgramData\win.exe
3⤵
- Executes dropped EXE
- Modifies system certificate store
PID:1944

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\win.exe
Filesize
405KB

MD5
ac7d9cbf94a9e1ed5cbe640639a488f4

SHA1
1d0baedcb76ae27d62138d5dda11a6f69cb12511

SHA256
6e35326ea33f4f17ce8a1be50d8b107044b0256b7e773d90746ce6b56552898c

SHA512
dfd97b318ce7ba452d70d69d72a8093a7a5ce685757c490e806c571493a55a923b0d60039dab98193958d6aca0acc02d15502abc43becb32460daca29434c41e

Download Submit
\ProgramData\win.exe
Filesize
405KB

MD5
ac7d9cbf94a9e1ed5cbe640639a488f4

SHA1
1d0baedcb76ae27d62138d5dda11a6f69cb12511

SHA256
6e35326ea33f4f17ce8a1be50d8b107044b0256b7e773d90746ce6b56552898c

SHA512
dfd97b318ce7ba452d70d69d72a8093a7a5ce685757c490e806c571493a55a923b0d60039dab98193958d6aca0acc02d15502abc43becb32460daca29434c41e

Download Submit
\ProgramData\win.exe
Filesize
405KB

MD5
ac7d9cbf94a9e1ed5cbe640639a488f4

SHA1
1d0baedcb76ae27d62138d5dda11a6f69cb12511

SHA256
6e35326ea33f4f17ce8a1be50d8b107044b0256b7e773d90746ce6b56552898c

SHA512
dfd97b318ce7ba452d70d69d72a8093a7a5ce685757c490e806c571493a55a923b0d60039dab98193958d6aca0acc02d15502abc43becb32460daca29434c41e

Download Submit
\ProgramData\win.exe
Filesize
405KB

MD5
ac7d9cbf94a9e1ed5cbe640639a488f4

SHA1
1d0baedcb76ae27d62138d5dda11a6f69cb12511

SHA256
6e35326ea33f4f17ce8a1be50d8b107044b0256b7e773d90746ce6b56552898c

SHA512
dfd97b318ce7ba452d70d69d72a8093a7a5ce685757c490e806c571493a55a923b0d60039dab98193958d6aca0acc02d15502abc43becb32460daca29434c41e

Download Submit
memory/1944-8-0x0000000000060000-0x0000000000160000-memory.dmp

Filesize
1024KB

Download
memory/1944-9-0x0000000002C00000-0x0000000002C4F000-memory.dmp

Filesize
316KB

Download
memory/1944-10-0x0000000000060000-0x0000000000160000-memory.dmp

Filesize
1024KB

Download
memory/1944-11-0x0000000000060000-0x0000000000160000-memory.dmp

Filesize
1024KB

Download
memory/2984-6-0x000000013F550000-0x000000014031A000-memory.dmp

Filesize
13.8MB

Download