cobaltstrike | 9ef8bf8e31a49ab9e3d65bee56f6d51b7045636e8807a8f50bf1217c9b956ea8

Analysis

max time kernel
151s
max time network
169s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
16-11-2023 09:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023年11月份工资单/2023年11月份工资单.docx.lnk
Size

1KB
MD5

b269bc566dd1be6e488ebfa6460a5a00
SHA1

fd6022f6f4ff0486c05e45c4b7bdb1cbed6bfff3
SHA256

168e93ce546815a5210234961d028945d6f8092764885810391ecbcb1337fde2
SHA512

3efcdf84ff60085eaab641687a31059483f8c4410f565e05f164615b5217507ef19a7218840f90b5c4c34d8b98d970d8d4b7228efd277659830dc4dad6de49a2

Score

10^/10

cobaltstrike 100000000 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

100000000

http://119.84.129.224:443/jquery-3.3.1.min.js

Attributes

access_type
512
beacon_type
2048
host
119.84.129.224,/jquery-3.3.1.min.js
http_header1
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAgUmVmZXJlcjogaHR0cDovL2NvZGUuanF1ZXJ5LmNvbS8AAAAKAAAAHkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZQAAAAcAAAAAAAAADQAAAAIAAAAJX19jZmR1aWQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAgUmVmZXJlcjogaHR0cDovL2NvZGUuanF1ZXJ5LmNvbS8AAAAKAAAAHkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZQAAAAcAAAAAAAAADwAAAA0AAAAFAAAACF9fY2ZkdWlkAAAABwAAAAEAAAAPAAAADQAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
9472
polling_time
12000
port_number
443
sc_process32
%windir%\syswow64\dllhost.exe
sc_process64
%windir%\sysnative\dllhost.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrTYWiJ/5CMst9xKN4Qp1M/umCsyBwdCK1jZz+GjtvwrwHGXYIO7orYhmjKeuV3RHc06dqlylaJgqr9pelZ123yWcyV4nDO1DUCfJsmGCZeVGhHZ5nopo4URuQd9z6Qq1YraNH86vrdl37BrYYhRGDkZTQXpCUSclajI8qIfBwLQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4.234810624e+09
unknown2
AAAABAAAAAEAAAXyAAAAAgAAAFQAAAACAAAPWwAAAA0AAAAPAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/jquery-3.3.2.min.js
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/186.911.0.53 Safari/537.36
watermark
100000000

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2136	WINWORD.EXE
2136	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: 35	3864	pythonw.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
2136	WINWORD.EXE
2136	WINWORD.EXE
2136	WINWORD.EXE
2136	WINWORD.EXE
2136	WINWORD.EXE
2136	WINWORD.EXE
2136	WINWORD.EXE
2136	WINWORD.EXE
2136	WINWORD.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4592 wrote to memory of 4984	4592	cmd.exe	88
PID 4592 wrote to memory of 4984	4592	cmd.exe	88
PID 4984 wrote to memory of 2204	4984	ftp.exe	89
PID 4984 wrote to memory of 2204	4984	ftp.exe	89
PID 2204 wrote to memory of 3864	2204	cmd.exe	90
PID 2204 wrote to memory of 3864	2204	cmd.exe	90
PID 2204 wrote to memory of 3864	2204	cmd.exe	90
PID 4984 wrote to memory of 2288	4984	ftp.exe	91
PID 4984 wrote to memory of 2288	4984	ftp.exe	91
PID 2288 wrote to memory of 2136	2288	cmd.exe	92
PID 2288 wrote to memory of 2136	2288	cmd.exe	92

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\2023年11月份工资单\2023年11月份工资单.docx.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4592
- C:\Windows\System32\ftp.exe
  "C:\Windows\System32\ftp.exe" -""s:__init__\a.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4984
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /C start /b __init__\pythonw.exe __init__\main.pyw
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2204
  - - C:\Users\Admin\AppData\Local\Temp\2023年11月份工资单\__init__\pythonw.exe
      __init__\pythonw.exe __init__\main.pyw
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3864
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /C start /b __init__\11.docx
    3⤵
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2288
  - - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2023年11月份工资单\__init__\11.docx" /o ""
      4⤵
      Checks processor information in registry
      Enumerates system info in registry
      Suspicious behavior: AddClipboardFormatListener
      Suspicious use of SetWindowsHookEx
      PID:2136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2136-2-0x00007FFE131B0000-0x00007FFE131C0000-memory.dmp

Filesize
64KB

Download
memory/2136-3-0x00007FFE131B0000-0x00007FFE131C0000-memory.dmp

Filesize
64KB

Download
memory/2136-4-0x00007FFE53130000-0x00007FFE53325000-memory.dmp

Filesize
2.0MB

Download
memory/2136-6-0x00007FFE53130000-0x00007FFE53325000-memory.dmp

Filesize
2.0MB

Download
memory/2136-7-0x00007FFE131B0000-0x00007FFE131C0000-memory.dmp

Filesize
64KB

Download
memory/2136-8-0x00007FFE53130000-0x00007FFE53325000-memory.dmp

Filesize
2.0MB

Download
memory/2136-5-0x00007FFE131B0000-0x00007FFE131C0000-memory.dmp

Filesize
64KB

Download
memory/2136-9-0x00007FFE131B0000-0x00007FFE131C0000-memory.dmp

Filesize
64KB

Download
memory/2136-10-0x00007FFE53130000-0x00007FFE53325000-memory.dmp

Filesize
2.0MB

Download
memory/2136-11-0x00007FFE53130000-0x00007FFE53325000-memory.dmp

Filesize
2.0MB

Download
memory/2136-12-0x00007FFE53130000-0x00007FFE53325000-memory.dmp

Filesize
2.0MB

Download
memory/2136-13-0x00007FFE108A0000-0x00007FFE108B0000-memory.dmp

Filesize
64KB

Download
memory/2136-14-0x00007FFE108A0000-0x00007FFE108B0000-memory.dmp

Filesize
64KB

Download
memory/2136-23-0x00007FFE53130000-0x00007FFE53325000-memory.dmp

Filesize
2.0MB

Download
memory/2136-24-0x00007FFE53130000-0x00007FFE53325000-memory.dmp

Filesize
2.0MB

Download
memory/3864-25-0x0000000004460000-0x0000000004495000-memory.dmp

Filesize
212KB

Download
memory/3864-26-0x00000000048D0000-0x0000000004D42000-memory.dmp

Filesize
4.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads