cobaltstrike | ba41f895977f86c441013636d14fb1f501c05e41e936b8368cfbef07ae898972

General

Target

ba41f895977f86c441013636d14fb1f501c05e41e936b8368cfbef07ae898972.exe
Size

631KB
MD5

541e27b07599049d7cc41d475da51516
SHA1

f3f165f3a8c8d95c71b20f25d32aa034b54345ad
SHA256

ba41f895977f86c441013636d14fb1f501c05e41e936b8368cfbef07ae898972
SHA512

f26eaf65479e36b712f2ad7eeb80c785a0aed46758a890d84d6742f5083f930ff6178f656de998197582929c074025a25e7965c9b2bae49fad40441e9190dff6
SSDEEP

6144:WbdZngUq19UR+8+TbOv5LuyG1TjTYOPi706+qWQhteR5suavI5pkGo:4l+1CwPOvZOXt5VqDk5CITkGo

Score

10^/10

cobaltstrike 100000 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

C2

http://img.uioqwea.xyz:8443/messages/DALBNSFFT4Q

Attributes

user_agent
Accept: text/html,application/*,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Host: img.uioqwea.xyz Referer: http://code.jquery.com/ Accept-Encoding: gzip, deflate User-Agent: Mozilla/6.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/7.0)

Extracted

Family

cobaltstrike

Botnet

100000

C2

http://172.67.182.142:8443/messages/xV5GdE

http://104.21.35.254:8443/messages/xV5GdE

http://2606:4700:3032::6815:23fe:8443/messages/xV5GdE

http://2606:4700:3033::ac43:b68e:8443/messages/xV5GdE

Attributes

access_type
512
beacon_type
2048
host
172.67.182.142,/messages/xV5GdE,104.21.35.254,/messages/xV5GdE,2606:4700:3032::6815:23fe,/messages/xV5GdE,2606:4700:3033::ac43:b68e,/messages/xV5GdE
http_header1
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAcAAAAAAAAAAwAAAAIAAAAKU0VTU0lPTklEPQAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAcAAAAAAAAAAwAAAAIAAAAJSlNFU1NJT049AAAABgAAAAZDb29raWUAAAAHAAAAAQAAAAMAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
2560
polling_time
10000
port_number
8443
sc_process32
%windir%\syswow64\esentutl.exe
sc_process64
%windir%\sysnative\esentutl.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCaQGOQzaqqQLDxqfNAdfZu7isKEAhtTHok92MhWQ6haLF6I92+W3zIHm5+FBWaPVxJ+LV5YaSDuXAwGrTKzYDu/MHzXYcuENLyL4dRuFbJBfJwRImaLDke8V2+zhN0vu0ZSNtDIE4xEKf/UzAj6i/Jdh0+Ha72abUlVMBRn37jLwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
3.092976896e+09
unknown2
AAAABAAAAAEAAATAAAAAAQAAAAwAAAACAAABlAAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/messages/96OpFu
user_agent
Mozilla/6.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/7.0)
watermark
100000

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

cmd.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation	cmd.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000_Classes\Local Settings cmd.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

3540 WINWORD.EXE
3540 WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000_Classes\Local Settings	cmd.exe

Suspicious use of SetWindowsHookEx 17 IoCs

Processes:

WINWORD.EXE

pid	process
3540	WINWORD.EXE
3540	WINWORD.EXE
3540	WINWORD.EXE
3540	WINWORD.EXE
3540	WINWORD.EXE
3540	WINWORD.EXE
3540	WINWORD.EXE
3540	WINWORD.EXE
3540	WINWORD.EXE
3540	WINWORD.EXE
3540	WINWORD.EXE
3540	WINWORD.EXE
3540	WINWORD.EXE
3540	WINWORD.EXE
3540	WINWORD.EXE
3540	WINWORD.EXE
3540	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

ba41f895977f86c441013636d14fb1f501c05e41e936b8368cfbef07ae898972.execmd.exe

description	pid	process	target process
PID 3272 wrote to memory of 4596	3272	ba41f895977f86c441013636d14fb1f501c05e41e936b8368cfbef07ae898972.exe	cmd.exe
PID 3272 wrote to memory of 4596	3272	ba41f895977f86c441013636d14fb1f501c05e41e936b8368cfbef07ae898972.exe	cmd.exe
PID 4596 wrote to memory of 3540	4596	cmd.exe	WINWORD.EXE
PID 4596 wrote to memory of 3540	4596	cmd.exe	WINWORD.EXE

C:\Users\Admin\AppData\Local\Temp\ba41f895977f86c441013636d14fb1f501c05e41e936b8368cfbef07ae898972.exe
"C:\Users\Admin\AppData\Local\Temp\ba41f895977f86c441013636d14fb1f501c05e41e936b8368cfbef07ae898972.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3272

C:\Windows\system32\cmd.exe
"cmd" "/c start /b C:\Users\Admin\AppData\Local\Temp\ba41f895977f86c441013636d14fb1f501c05e41e936b8368cfbef07ae898972.doc"
2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4596

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ba41f895977f86c441013636d14fb1f501c05e41e936b8368cfbef07ae898972.doc" /o ""
3⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3540

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ba41f895977f86c441013636d14fb1f501c05e41e936b8368cfbef07ae898972.doc
Filesize
9KB

MD5
b9f7d2b5f0fbd9ebc1cd5aa73be0bac3

SHA1
14f463c3e784da7048891e8ef918616c961555ca

SHA256
ff0fd5dce9b1b94ad8718994739f5d7b5391eaaa6f44da61d74d25a4dacfd9ee

SHA512
07ef0af8e395d922e22dade0b2420f7b8f3011d3b73af01529a1bcd4d957f8423e434e77bd9fad00176b328822e2fd1771f5cc9bb00b69cb4cd861b82ca7d93c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/3272-1-0x000001CFD49F0000-0x000001CFD49F1000-memory.dmp

Filesize
4KB

Download
memory/3272-50-0x000001CFD65D0000-0x000001CFD6732000-memory.dmp

Filesize
1.4MB

Download
memory/3272-29-0x000001CFD65D0000-0x000001CFD6732000-memory.dmp

Filesize
1.4MB

Download
memory/3272-25-0x000001CFD69D0000-0x000001CFD6A31000-memory.dmp

Filesize
388KB

Download
memory/3540-21-0x00007FFA3F3B0000-0x00007FFA3F5A5000-memory.dmp

Filesize
2.0MB

Download
memory/3540-26-0x00007FFA3F3B0000-0x00007FFA3F5A5000-memory.dmp

Filesize
2.0MB

Download
memory/3540-10-0x00007FFA3F3B0000-0x00007FFA3F5A5000-memory.dmp

Filesize
2.0MB

Download
memory/3540-12-0x00007FF9FF430000-0x00007FF9FF440000-memory.dmp

Filesize
64KB

Download
memory/3540-11-0x00007FFA3F3B0000-0x00007FFA3F5A5000-memory.dmp

Filesize
2.0MB

Download
memory/3540-13-0x00007FFA3F3B0000-0x00007FFA3F5A5000-memory.dmp

Filesize
2.0MB

Download
memory/3540-14-0x00007FFA3F3B0000-0x00007FFA3F5A5000-memory.dmp

Filesize
2.0MB

Download
memory/3540-15-0x00007FFA3F3B0000-0x00007FFA3F5A5000-memory.dmp

Filesize
2.0MB

Download
memory/3540-16-0x00007FFA3F3B0000-0x00007FFA3F5A5000-memory.dmp

Filesize
2.0MB

Download
memory/3540-17-0x00007FF9FCAD0000-0x00007FF9FCAE0000-memory.dmp

Filesize
64KB

Download
memory/3540-18-0x00007FFA3F3B0000-0x00007FFA3F5A5000-memory.dmp

Filesize
2.0MB

Download
memory/3540-20-0x00007FFA3F3B0000-0x00007FFA3F5A5000-memory.dmp

Filesize
2.0MB

Download
memory/3540-6-0x00007FF9FF430000-0x00007FF9FF440000-memory.dmp

Filesize
64KB

Download
memory/3540-19-0x00007FF9FCAD0000-0x00007FF9FCAE0000-memory.dmp

Filesize
64KB

Download
memory/3540-23-0x00007FFA3F3B0000-0x00007FFA3F5A5000-memory.dmp

Filesize
2.0MB

Download
memory/3540-22-0x00007FFA3F3B0000-0x00007FFA3F5A5000-memory.dmp

Filesize
2.0MB

Download
memory/3540-9-0x00007FF9FF430000-0x00007FF9FF440000-memory.dmp

Filesize
64KB

Download
memory/3540-8-0x00007FFA3F3B0000-0x00007FFA3F5A5000-memory.dmp

Filesize
2.0MB

Download
memory/3540-27-0x00007FFA3F3B0000-0x00007FFA3F5A5000-memory.dmp

Filesize
2.0MB

Download
memory/3540-28-0x00007FFA3F3B0000-0x00007FFA3F5A5000-memory.dmp

Filesize
2.0MB

Download
memory/3540-7-0x00007FFA3F3B0000-0x00007FFA3F5A5000-memory.dmp

Filesize
2.0MB

Download
memory/3540-24-0x00007FFA3F3B0000-0x00007FFA3F5A5000-memory.dmp

Filesize
2.0MB

Download
memory/3540-5-0x00007FF9FF430000-0x00007FF9FF440000-memory.dmp

Filesize
64KB

Download
memory/3540-47-0x00007FFA3F3B0000-0x00007FFA3F5A5000-memory.dmp

Filesize
2.0MB

Download
memory/3540-48-0x00007FFA3F3B0000-0x00007FFA3F5A5000-memory.dmp

Filesize
2.0MB

Download
memory/3540-49-0x00007FFA3F3B0000-0x00007FFA3F5A5000-memory.dmp

Filesize
2.0MB

Download
memory/3540-4-0x00007FF9FF430000-0x00007FF9FF440000-memory.dmp

Filesize
64KB

Download
memory/3540-71-0x00007FF9FF430000-0x00007FF9FF440000-memory.dmp

Filesize
64KB

Download
memory/3540-72-0x00007FF9FF430000-0x00007FF9FF440000-memory.dmp

Filesize
64KB

Download
memory/3540-73-0x00007FF9FF430000-0x00007FF9FF440000-memory.dmp

Filesize
64KB

Download
memory/3540-74-0x00007FF9FF430000-0x00007FF9FF440000-memory.dmp

Filesize
64KB

Download
memory/3540-76-0x00007FFA3F3B0000-0x00007FFA3F5A5000-memory.dmp

Filesize
2.0MB

Download
memory/3540-75-0x00007FFA3F3B0000-0x00007FFA3F5A5000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads