cobaltstrike | 07a719365b6fbb229c1e95c81c760721b1ee9894e572004a47c35ff2cec7c72a

General

Target

07a719365b6fbb229c1e95c81c760721b1ee9894e572004a47c35ff2cec7c72a.exe
Size

651KB
MD5

aba2b3ab5fefecbab8b28a8fdce0c0d0
SHA1

5ac23d773992a2b6564583bc9622c3d56ec7d526
SHA256

07a719365b6fbb229c1e95c81c760721b1ee9894e572004a47c35ff2cec7c72a
SHA512

5270e517b5f6ad94239808a09b2f07115a399db19c1cfe207b874bdff9b571cd5251ec8d92b02a6eb9efa9d5735818ba2dc9c2b38b3e786c55af31a4e6ac6a25
SSDEEP

12288:BubsNSOetfARQAPyXUzX+tLfLzE3h6aRyaGt2:BubsnafAPykyfLYEiGc

Score

10^/10

cobaltstrike 0 1234567890 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

1234567890

C2

http://59.42.194.18:7777/pixel

Attributes

access_type
512
host
59.42.194.18,/pixel
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
polling_time
60000
port_number
7777
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCJBl3JeZjFQGCzw3ZcefRHfn6pHEp+iRk4bh00wquUQwUGTjd6Ll2I61mHcfa97MjSS0LRsq6+Os3du6P6i79Q54x2IE++G5ptyJGl89HPNj4IF2j9jIrDqoCIrwf09JPz/Zd+PbB0lcsaXsH6CiLsdSk/zw35Czm/wjUkfQUS/wIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/submit.php
user_agent
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)
watermark
1234567890

Extracted

Family

cobaltstrike

Botnet

0

Attributes

watermark
0

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

07a719365b6fbb229c1e95c81c760721b1ee9894e572004a47c35ff2cec7c72a.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation	07a719365b6fbb229c1e95c81c760721b1ee9894e572004a47c35ff2cec7c72a.exe

Executes dropped EXE 1 IoCs

Processes:

notepd.exe

pid process

2224 notepd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2224	notepd.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE

Modifies registry class 1 IoCs

Processes:

07a719365b6fbb229c1e95c81c760721b1ee9894e572004a47c35ff2cec7c72a.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings	07a719365b6fbb229c1e95c81c760721b1ee9894e572004a47c35ff2cec7c72a.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

2856 WINWORD.EXE
2856 WINWORD.EXE
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

WINWORD.EXE

pid process

2856 WINWORD.EXE
2856 WINWORD.EXE
2856 WINWORD.EXE
2856 WINWORD.EXE
2856 WINWORD.EXE
2856 WINWORD.EXE
2856 WINWORD.EXE

pid	process
2856	WINWORD.EXE
2856	WINWORD.EXE

pid	process
2856	WINWORD.EXE
2856	WINWORD.EXE
2856	WINWORD.EXE
2856	WINWORD.EXE
2856	WINWORD.EXE
2856	WINWORD.EXE
2856	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

07a719365b6fbb229c1e95c81c760721b1ee9894e572004a47c35ff2cec7c72a.exe

description	pid	process	target process
PID 1812 wrote to memory of 2224	1812	07a719365b6fbb229c1e95c81c760721b1ee9894e572004a47c35ff2cec7c72a.exe	notepd.exe
PID 1812 wrote to memory of 2224	1812	07a719365b6fbb229c1e95c81c760721b1ee9894e572004a47c35ff2cec7c72a.exe	notepd.exe
PID 1812 wrote to memory of 2856	1812	07a719365b6fbb229c1e95c81c760721b1ee9894e572004a47c35ff2cec7c72a.exe	WINWORD.EXE
PID 1812 wrote to memory of 2856	1812	07a719365b6fbb229c1e95c81c760721b1ee9894e572004a47c35ff2cec7c72a.exe	WINWORD.EXE

C:\Users\Admin\AppData\Local\Temp\07a719365b6fbb229c1e95c81c760721b1ee9894e572004a47c35ff2cec7c72a.exe
"C:\Users\Admin\AppData\Local\Temp\07a719365b6fbb229c1e95c81c760721b1ee9894e572004a47c35ff2cec7c72a.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1812

C:\Users\Public\notepd.exe
"C:\Users\Public\notepd.exe"
2⤵
- Executes dropped EXE
PID:2224

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Public\体检表.docx" /o ""
2⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2856

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
Filesize
215B

MD5
dc162c68216d436a73b30694cf71770e

SHA1
3fe2cca295fc062de690455405b5a6c3fa785cbe

SHA256
4b491b95a3701955f55a266f82264a227e7a97876bbea35a392ea677a609848b

SHA512
4c937bf8bfbdc1e3d01d32b9240767e93de1a589709939ab4af78e5574319355461ee42a1fa33af6e92125a0d7de64e2ea14230212956b4f5e85b9d2c6a41647

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize
3KB

MD5
f07452bee06c2edfbf28e93c2f9a3e94

SHA1
8d19bbae45bb29492ea50f39e08bfec05cee4f1e

SHA256
d7d3532ea7eacfbc66948d761f0d3deeceb0df58d97a52412460181186a663ac

SHA512
9cb6030cd2afd9cffadb3a815becccaa507f88158b3b267cec76978abbb331bfeb6100dad51690f0300eee0dca91b7de842efbf09051f808d86a6c96d758be0a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize
3KB

MD5
ae0c8f6592c18003c8487063c38ad851

SHA1
543efcf1f02dcc8c3e559747f206f761625deba1

SHA256
a384f63d35caecdb0f337c73f277791eb60902b6747e11343b3dcddbf4438538

SHA512
1e947791909df3b6391d451e9209e41bac134d0b325fa3bcd656bf70400366e92470e135b504f5844061293d78f2f7729cbafa4481d3d628957ce5130894e6eb

Download Submit
C:\Users\Public\notepd.exe
Filesize
281KB

MD5
4a1f0da992ae0f3b1e9ddf53fa8dfc1a

SHA1
eef6892c9946545f0d66b4dfe9a744ba6c503b19

SHA256
f8a9baa5f5ec6da0bae2e778094622caabc8836e692a2d0d05c5ccb6df1deb19

SHA512
33ddd5eb9548c64f68e0588c3f8091b9fef99416b09894e8b9e67da83b19d7e91dfd51234d48018e3085ff345739ba89c6100f761c1b84a4644736a839765e75

Download Submit
C:\Users\Public\notepd.exe
Filesize
281KB

MD5
4a1f0da992ae0f3b1e9ddf53fa8dfc1a

SHA1
eef6892c9946545f0d66b4dfe9a744ba6c503b19

SHA256
f8a9baa5f5ec6da0bae2e778094622caabc8836e692a2d0d05c5ccb6df1deb19

SHA512
33ddd5eb9548c64f68e0588c3f8091b9fef99416b09894e8b9e67da83b19d7e91dfd51234d48018e3085ff345739ba89c6100f761c1b84a4644736a839765e75

Download Submit
C:\Users\Public\notepd.exe
Filesize
281KB

MD5
4a1f0da992ae0f3b1e9ddf53fa8dfc1a

SHA1
eef6892c9946545f0d66b4dfe9a744ba6c503b19

SHA256
f8a9baa5f5ec6da0bae2e778094622caabc8836e692a2d0d05c5ccb6df1deb19

SHA512
33ddd5eb9548c64f68e0588c3f8091b9fef99416b09894e8b9e67da83b19d7e91dfd51234d48018e3085ff345739ba89c6100f761c1b84a4644736a839765e75

Download Submit
memory/2224-26-0x0000000000750000-0x0000000000791000-memory.dmp

Filesize
260KB

Download
memory/2224-67-0x00000000007A0000-0x00000000007EE000-memory.dmp

Filesize
312KB

Download
memory/2224-51-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2224-31-0x00000000007A0000-0x00000000007EE000-memory.dmp

Filesize
312KB

Download
memory/2856-15-0x00007FFF5C370000-0x00007FFF5C380000-memory.dmp

Filesize
64KB

Download
memory/2856-22-0x00007FFF59C30000-0x00007FFF59C40000-memory.dmp

Filesize
64KB

Download
memory/2856-19-0x00007FFF9C2F0000-0x00007FFF9C4E5000-memory.dmp

Filesize
2.0MB

Download
memory/2856-18-0x00007FFF9C2F0000-0x00007FFF9C4E5000-memory.dmp

Filesize
2.0MB

Download
memory/2856-20-0x00007FFF9C2F0000-0x00007FFF9C4E5000-memory.dmp

Filesize
2.0MB

Download
memory/2856-21-0x00007FFF9C2F0000-0x00007FFF9C4E5000-memory.dmp

Filesize
2.0MB

Download
memory/2856-23-0x00007FFF9C2F0000-0x00007FFF9C4E5000-memory.dmp

Filesize
2.0MB

Download
memory/2856-24-0x00007FFF9C2F0000-0x00007FFF9C4E5000-memory.dmp

Filesize
2.0MB

Download
memory/2856-25-0x00007FFF9C2F0000-0x00007FFF9C4E5000-memory.dmp

Filesize
2.0MB

Download
memory/2856-27-0x00007FFF9C2F0000-0x00007FFF9C4E5000-memory.dmp

Filesize
2.0MB

Download
memory/2856-17-0x00007FFF9C2F0000-0x00007FFF9C4E5000-memory.dmp

Filesize
2.0MB

Download
memory/2856-28-0x00007FFF9C2F0000-0x00007FFF9C4E5000-memory.dmp

Filesize
2.0MB

Download
memory/2856-29-0x00007FFF9C2F0000-0x00007FFF9C4E5000-memory.dmp

Filesize
2.0MB

Download
memory/2856-16-0x00007FFF9C2F0000-0x00007FFF9C4E5000-memory.dmp

Filesize
2.0MB

Download
memory/2856-30-0x00007FFF59C30000-0x00007FFF59C40000-memory.dmp

Filesize
64KB

Download
memory/2856-12-0x00007FFF9C2F0000-0x00007FFF9C4E5000-memory.dmp

Filesize
2.0MB

Download
memory/2856-14-0x00007FFF9C2F0000-0x00007FFF9C4E5000-memory.dmp

Filesize
2.0MB

Download
memory/2856-13-0x00007FFF5C370000-0x00007FFF5C380000-memory.dmp

Filesize
64KB

Download
memory/2856-11-0x00007FFF5C370000-0x00007FFF5C380000-memory.dmp

Filesize
64KB

Download
memory/2856-10-0x00007FFF5C370000-0x00007FFF5C380000-memory.dmp

Filesize
64KB

Download
memory/2856-65-0x00007FFF9C2F0000-0x00007FFF9C4E5000-memory.dmp

Filesize
2.0MB

Download
memory/2856-66-0x00007FFF9C2F0000-0x00007FFF9C4E5000-memory.dmp

Filesize
2.0MB

Download
memory/2856-9-0x00007FFF5C370000-0x00007FFF5C380000-memory.dmp

Filesize
64KB

Download
memory/2856-94-0x00007FFF5C370000-0x00007FFF5C380000-memory.dmp

Filesize
64KB

Download
memory/2856-95-0x00007FFF5C370000-0x00007FFF5C380000-memory.dmp

Filesize
64KB

Download
memory/2856-96-0x00007FFF5C370000-0x00007FFF5C380000-memory.dmp

Filesize
64KB

Download
memory/2856-97-0x00007FFF5C370000-0x00007FFF5C380000-memory.dmp

Filesize
64KB

Download
memory/2856-98-0x00007FFF9C2F0000-0x00007FFF9C4E5000-memory.dmp

Filesize
2.0MB

Download
memory/2856-99-0x00007FFF9C2F0000-0x00007FFF9C4E5000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads