cobaltstrike | a834e5719f48a4395e41112499245dd821007f623614de089947bbfdc7254734

General

Target

a834e5719f48a4395e41112499245dd821007f623614de089947bbfdc7254734.exe
Size

3.6MB
MD5

ce7d60debc5ac0cc90aef9ebf8b8cc01
SHA1

7bea480bd536850bd49e26865c907cf867b9e9d0
SHA256

a834e5719f48a4395e41112499245dd821007f623614de089947bbfdc7254734
SHA512

a22cc0d52c657edba11608adf31d1b722aee0bcdab7ecacd47dc62a53045dc37a276fe1c83dbb456d44d3614d93a9775037afc816e4846cc967ae0490c27aedb
SSDEEP

49152:N5VY3ApdEjL7Jci2w/9MUvGsan4C3MAt6v+jnCVQ3kOsAWKD12u:3V16jLbAU

Score

10^/10

cobaltstrike backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

C2

http://59.42.194.18:1941/UJwG

Attributes

user_agent
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727)

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
4428	notepd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2576	WINWORD.EXE
2576	WINWORD.EXE

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
5080	a834e5719f48a4395e41112499245dd821007f623614de089947bbfdc7254734.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
2576	WINWORD.EXE
2576	WINWORD.EXE
2576	WINWORD.EXE
2576	WINWORD.EXE
2576	WINWORD.EXE
2576	WINWORD.EXE
2576	WINWORD.EXE
2576	WINWORD.EXE
2576	WINWORD.EXE

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 5080 wrote to memory of 2232	5080	a834e5719f48a4395e41112499245dd821007f623614de089947bbfdc7254734.exe	87
PID 5080 wrote to memory of 2232	5080	a834e5719f48a4395e41112499245dd821007f623614de089947bbfdc7254734.exe	87
PID 5080 wrote to memory of 2232	5080	a834e5719f48a4395e41112499245dd821007f623614de089947bbfdc7254734.exe	87
PID 5080 wrote to memory of 4428	5080	a834e5719f48a4395e41112499245dd821007f623614de089947bbfdc7254734.exe	89
PID 5080 wrote to memory of 4428	5080	a834e5719f48a4395e41112499245dd821007f623614de089947bbfdc7254734.exe	89
PID 2232 wrote to memory of 2576	2232	cmd.exe	93
PID 2232 wrote to memory of 2576	2232	cmd.exe	93

C:\Users\Admin\AppData\Local\Temp\a834e5719f48a4395e41112499245dd821007f623614de089947bbfdc7254734.exe
"C:\Users\Admin\AppData\Local\Temp\a834e5719f48a4395e41112499245dd821007f623614de089947bbfdc7254734.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:5080
- C:\Windows\SysWOW64\cmd.exe
  cmd " /c " C:\Users\Admin\AppData\Local\Temp\国务院关于提高个人所得税有关专项附加扣除标准的通知.docx
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2232
- - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\国务院关于提高个人所得税有关专项附加扣除标准的通知.docx" /o ""
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID:2576
- C:\Users\Public\notepd.exe
  C:\Users\Public\notepd.exe
  2⤵
  - Executes dropped EXE
  PID:4428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\国务院关于提高个人所得税有关专项附加扣除标准的通知.docx

Filesize
12KB

MD5
e40adcd070295fa3e90734470639483f

SHA1
fb46fb5d0ec22cce1ef9b121849fbee33d86eff9

SHA256
b977c3bfe02ce8ebb4d8cd0f0c49ad330b5f663913f6fcd1d85c12def4b5331b

SHA512
5693f9f74bde3267e5b3ecd1eaca7d4d24db8203528d948eb669399192203d7471289ae81f3140e57372f88d9c7e97d79c9181e564030de9eb5bec9134b62bec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Public\notepd.exe

Filesize
1.6MB

MD5
be26a7f28e1259e7a39c15a7312c3baf

SHA1
a3e0ce80c31fae5d0ac8e7e52954151415bbb906

SHA256
5ff4fad88f868dc2747db3df638787aed7209fd4ea04552f8c84ca5e92797be7

SHA512
2c7251d20d0c9c5e14f5fbe731100d1654005d004fa97bc790b1feb42d527b1e7299d1b71955cfe9d2c15ee841e6bae8cbbf18abf08f5c78f92e9e37bb656954

Download Submit
C:\Users\Public\notepd.exe

Filesize
1.6MB

MD5
be26a7f28e1259e7a39c15a7312c3baf

SHA1
a3e0ce80c31fae5d0ac8e7e52954151415bbb906

SHA256
5ff4fad88f868dc2747db3df638787aed7209fd4ea04552f8c84ca5e92797be7

SHA512
2c7251d20d0c9c5e14f5fbe731100d1654005d004fa97bc790b1feb42d527b1e7299d1b71955cfe9d2c15ee841e6bae8cbbf18abf08f5c78f92e9e37bb656954

Download Submit
memory/2576-20-0x00007FFCACC30000-0x00007FFCACE25000-memory.dmp

Filesize
2.0MB

Download
memory/2576-23-0x00007FFCACC30000-0x00007FFCACE25000-memory.dmp

Filesize
2.0MB

Download
memory/2576-11-0x00007FFC6CCB0000-0x00007FFC6CCC0000-memory.dmp

Filesize
64KB

Download
memory/2576-12-0x00007FFC6CCB0000-0x00007FFC6CCC0000-memory.dmp

Filesize
64KB

Download
memory/2576-10-0x00007FFCACC30000-0x00007FFCACE25000-memory.dmp

Filesize
2.0MB

Download
memory/2576-13-0x00007FFCACC30000-0x00007FFCACE25000-memory.dmp

Filesize
2.0MB

Download
memory/2576-14-0x00007FFCACC30000-0x00007FFCACE25000-memory.dmp

Filesize
2.0MB

Download
memory/2576-15-0x00007FFC6CCB0000-0x00007FFC6CCC0000-memory.dmp

Filesize
64KB

Download
memory/2576-16-0x00007FFCACC30000-0x00007FFCACE25000-memory.dmp

Filesize
2.0MB

Download
memory/2576-18-0x00007FFCACC30000-0x00007FFCACE25000-memory.dmp

Filesize
2.0MB

Download
memory/2576-17-0x00007FFC6CCB0000-0x00007FFC6CCC0000-memory.dmp

Filesize
64KB

Download
memory/2576-19-0x00007FFCACC30000-0x00007FFCACE25000-memory.dmp

Filesize
2.0MB

Download
memory/2576-8-0x00007FFC6CCB0000-0x00007FFC6CCC0000-memory.dmp

Filesize
64KB

Download
memory/2576-21-0x00007FFCACC30000-0x00007FFCACE25000-memory.dmp

Filesize
2.0MB

Download
memory/2576-22-0x00007FFCACC30000-0x00007FFCACE25000-memory.dmp

Filesize
2.0MB

Download
memory/2576-9-0x00007FFCACC30000-0x00007FFCACE25000-memory.dmp

Filesize
2.0MB

Download
memory/2576-24-0x00007FFC6A4B0000-0x00007FFC6A4C0000-memory.dmp

Filesize
64KB

Download
memory/2576-25-0x00007FFC6A4B0000-0x00007FFC6A4C0000-memory.dmp

Filesize
64KB

Download
memory/2576-72-0x00007FFCACC30000-0x00007FFCACE25000-memory.dmp

Filesize
2.0MB

Download
memory/2576-43-0x00007FFCACC30000-0x00007FFCACE25000-memory.dmp

Filesize
2.0MB

Download
memory/2576-44-0x00007FFCACC30000-0x00007FFCACE25000-memory.dmp

Filesize
2.0MB

Download
memory/2576-45-0x00007FFCACC30000-0x00007FFCACE25000-memory.dmp

Filesize
2.0MB

Download
memory/2576-46-0x00007FFCACC30000-0x00007FFCACE25000-memory.dmp

Filesize
2.0MB

Download
memory/2576-67-0x00007FFC6CCB0000-0x00007FFC6CCC0000-memory.dmp

Filesize
64KB

Download
memory/2576-68-0x00007FFC6CCB0000-0x00007FFC6CCC0000-memory.dmp

Filesize
64KB

Download
memory/2576-69-0x00007FFC6CCB0000-0x00007FFC6CCC0000-memory.dmp

Filesize
64KB

Download
memory/2576-71-0x00007FFCACC30000-0x00007FFCACE25000-memory.dmp

Filesize
2.0MB

Download
memory/2576-70-0x00007FFC6CCB0000-0x00007FFC6CCC0000-memory.dmp

Filesize
64KB

Download
memory/4428-6-0x000001F366B80000-0x000001F366B81000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads