cobaltstrike | 14d376dfa0f24a09634603c5edd08737974924c59e762fb9d1eb31da7079449a

Analysis

max time kernel
142s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20231127-en
resource tags

arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
submitted
01-12-2023 07:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

14d376dfa0f24a09634603c5edd08737974924c59e762fb9d1eb31da7079449a.exe
Size

378KB
MD5

d04eaf025dfec65b50d1ce1960e00583
SHA1

f042cea0283ecb5e487cb69e5790edec221e9c50
SHA256

14d376dfa0f24a09634603c5edd08737974924c59e762fb9d1eb31da7079449a
SHA512

951fbe9210ee7e9564149e16df00d42f9742b671e3d2624b749faca7fbe0f354178b81bd5827ef3ca802dce3dedd7f541949bb1927f7d01dd57624eb0923f46f
SSDEEP

6144:hdUEUGjKMw8rzAf7KWu1EcTUQROENqP5m3nCWkV7kfL/uJMdzY2BiT2wnfq:hdkMwtlcTUQquXkV7kfLmGdzYr2wnfq

Score

10^/10

cobaltstrike 100000 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

100000

http://106.75.230.14:8443/static/js/jquery-v3.2.0.min.js

Attributes

access_type
512
beacon_type
2048
host
106.75.230.14,/static/js/jquery-v3.2.0.min.js
http_header1
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAfUmVmZXJlcjogaHR0cDovL3RpLnFpYW54aW4uY29tLwAAAAoAAAAeQWNjZXB0LUVuY29kaW5nOiBnemlwLCBkZWZsYXRlAAAABwAAAAAAAAANAAAAAgAAAAlfX2NmZHVpZD0AAAAGAAAABkNvb2tpZQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAfUmVmZXJlcjogaHR0cDovL3RpLnFpYW54aW4uY29tLwAAAAoAAAAeQWNjZXB0LUVuY29kaW5nOiBnemlwLCBkZWZsYXRlAAAABwAAAAAAAAAPAAAADQAAAAUAAAAIX19jZmR1aWQAAAAHAAAAAQAAAA8AAAANAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
9472
polling_time
300000
port_number
8443
sc_process32
%windir%\syswow64\dllhost.exe
sc_process64
%windir%\sysnative\dllhost.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCV0crClNlojga1ZUpQePu6yayzfvakcqdlSlnr7I5KDk9dctuhdMuEkf/guDBT3KjCO5FZqP4tHTjnfUoL1E0SKa386QMeXARo+D1lFp5lB5EGoHmTMysDRTx/QDSfGcx0Ni/HO7L2izqdtjFr322yto5WXf6Kwj2P+5EbSqQapwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4.234810624e+09
unknown2
AAAABAAAAAEAAAXyAAAAAgAAAFQAAAACAAAPWwAAAA0AAAAPAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/static/js/jquery-v3.2.2.min.js
user_agent
Mozilla/9.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
watermark
100000

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

14d376dfa0f24a09634603c5edd08737974924c59e762fb9d1eb31da7079449a.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Control Panel\International\Geo\Nation	14d376dfa0f24a09634603c5edd08737974924c59e762fb9d1eb31da7079449a.exe

Executes dropped EXE 2 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdge.exe

pid process

1040 MicrosoftEdge.exe
852 MicrosoftEdge.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1040	MicrosoftEdge.exe
852	MicrosoftEdge.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 1 IoCs

Processes:

14d376dfa0f24a09634603c5edd08737974924c59e762fb9d1eb31da7079449a.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000_Classes\Local Settings	14d376dfa0f24a09634603c5edd08737974924c59e762fb9d1eb31da7079449a.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

4804 WINWORD.EXE
4804 WINWORD.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

WINWORD.EXE

pid	process
4804	WINWORD.EXE
4804	WINWORD.EXE
4804	WINWORD.EXE
4804	WINWORD.EXE
4804	WINWORD.EXE
4804	WINWORD.EXE
4804	WINWORD.EXE
4804	WINWORD.EXE
4804	WINWORD.EXE
4804	WINWORD.EXE
4804	WINWORD.EXE
4804	WINWORD.EXE
4804	WINWORD.EXE
4804	WINWORD.EXE
4804	WINWORD.EXE
4804	WINWORD.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

14d376dfa0f24a09634603c5edd08737974924c59e762fb9d1eb31da7079449a.exeMicrosoftEdge.exe

description	pid	process	target process
PID 640 wrote to memory of 1040	640	14d376dfa0f24a09634603c5edd08737974924c59e762fb9d1eb31da7079449a.exe	MicrosoftEdge.exe
PID 640 wrote to memory of 1040	640	14d376dfa0f24a09634603c5edd08737974924c59e762fb9d1eb31da7079449a.exe	MicrosoftEdge.exe
PID 1040 wrote to memory of 852	1040	MicrosoftEdge.exe	MicrosoftEdge.exe
PID 1040 wrote to memory of 852	1040	MicrosoftEdge.exe	MicrosoftEdge.exe
PID 640 wrote to memory of 4804	640	14d376dfa0f24a09634603c5edd08737974924c59e762fb9d1eb31da7079449a.exe	WINWORD.EXE
PID 640 wrote to memory of 4804	640	14d376dfa0f24a09634603c5edd08737974924c59e762fb9d1eb31da7079449a.exe	WINWORD.EXE
PID 640 wrote to memory of 1812	640	14d376dfa0f24a09634603c5edd08737974924c59e762fb9d1eb31da7079449a.exe	cmd.exe
PID 640 wrote to memory of 1812	640	14d376dfa0f24a09634603c5edd08737974924c59e762fb9d1eb31da7079449a.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\14d376dfa0f24a09634603c5edd08737974924c59e762fb9d1eb31da7079449a.exe
"C:\Users\Admin\AppData\Local\Temp\14d376dfa0f24a09634603c5edd08737974924c59e762fb9d1eb31da7079449a.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:640

C:\Users\Admin\AppData\Roaming\MicrosoftEdge.exe
"C:\Users\Admin\AppData\Roaming\MicrosoftEdge.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1040

C:\Users\Admin\AppData\Roaming\MicrosoftEdge.exe
C:\Users\Admin\AppData\Roaming\MicrosoftEdge.exe
3⤵
- Executes dropped EXE
PID:852

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\¸öÈË¼òÀú.doc" /o ""
2⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4804

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\14d376dfa0f24a09634603c5edd08737974924c59e762fb9d1eb31da7079449a.exe
2⤵
PID:1812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\MicrosoftEdge.exe
Filesize
462KB

MD5
502868373d7d61ab80b1af3640000086

SHA1
1a5bedf2b45eda97913c2dffb38d388e92441d5f

SHA256
8624a2168a987a8a46c8a15c4ba2add383975fc71d7974303d111f660b1e1e38

SHA512
3227b21162d4d643e5ffe29c38c969d5560023a0669cf952e31b73450e720c3eedd0621ff3f01a67579f93e3a6c3767ec4557aef2e94b486d63f7f189ab4a4e3

Download Submit
C:\Users\Admin\AppData\Roaming\MicrosoftEdge.exe
Filesize
462KB

MD5
502868373d7d61ab80b1af3640000086

SHA1
1a5bedf2b45eda97913c2dffb38d388e92441d5f

SHA256
8624a2168a987a8a46c8a15c4ba2add383975fc71d7974303d111f660b1e1e38

SHA512
3227b21162d4d643e5ffe29c38c969d5560023a0669cf952e31b73450e720c3eedd0621ff3f01a67579f93e3a6c3767ec4557aef2e94b486d63f7f189ab4a4e3

Download Submit
C:\Users\Admin\AppData\Roaming\MicrosoftEdge.exe
Filesize
462KB

MD5
502868373d7d61ab80b1af3640000086

SHA1
1a5bedf2b45eda97913c2dffb38d388e92441d5f

SHA256
8624a2168a987a8a46c8a15c4ba2add383975fc71d7974303d111f660b1e1e38

SHA512
3227b21162d4d643e5ffe29c38c969d5560023a0669cf952e31b73450e720c3eedd0621ff3f01a67579f93e3a6c3767ec4557aef2e94b486d63f7f189ab4a4e3

Download Submit
C:\Users\Admin\AppData\Roaming\MicrosoftEdge.exe
Filesize
462KB

MD5
502868373d7d61ab80b1af3640000086

SHA1
1a5bedf2b45eda97913c2dffb38d388e92441d5f

SHA256
8624a2168a987a8a46c8a15c4ba2add383975fc71d7974303d111f660b1e1e38

SHA512
3227b21162d4d643e5ffe29c38c969d5560023a0669cf952e31b73450e720c3eedd0621ff3f01a67579f93e3a6c3767ec4557aef2e94b486d63f7f189ab4a4e3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
Filesize
249B

MD5
3f6ab44777bd6f4c7646718b8d5aef9d

SHA1
c4b83d03ca16334cb083f7520fcf409abce0aacd

SHA256
99437dc6401bebe0f5d613c4ca94850bce8454c46e4c907390fd995ca6b26a4f

SHA512
0070f814a39cbcfe9748425dd235fc15d1e67189e43c0b0d10d8e99d445de563ccbbe1de19ca3e04a3acf0c107160da07c4e2d3c8af895d9ae7b0f307e8d754b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize
3KB

MD5
5c22e2c64672d124bca9aea93b01e304

SHA1
c13c6253a7367b990ef2ef364f12798c7285cab7

SHA256
66e669bcd87cc0f18d662ec36e0e65ea40db5206ad07201ad9a88f827a1145e5

SHA512
21bf3cf067724cbe0f7ac200ec886f1ce61ebfbdcbb3093975ccf26417246e49c84b5368586c2163bbc90b7894dd454e2c8e36bc640fc13edbfbf671cc33a222

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize
3KB

MD5
155899ac21da36fcd5b7a11687b90a4f

SHA1
41dc617b740e082ca5d9fabba08e3b563b12e626

SHA256
e223c97233a19d8b3f893dcf8565a6ce0db66f2d294209841f84e3bb92df6e15

SHA512
bdb62201f31e509408a2544f802768e5ec1f242ba8c823dad6c69ed2cbca3bae7e2bf9addcdc3ff44513814f31e93a105cdce84e3ea2a83cdadd5d915084b07c

Download Submit
C:\Users\Admin\AppData\Roaming\~index.dat
Filesize
354KB

MD5
8af8165958678a2f54f92697374c5a5b

SHA1
6ac4d09ea9194a563780a29bd156497c343d3205

SHA256
ea8e78b2915430b4e96458388c4748194d70135d529519fadd73c9b0f785f823

SHA512
884b4a524b6a5cce6495fc356b6510268013f8eb8e473c8695741953e2a39b5372b34943df79c8e9f5677492457f935ebfb349e7eb766a6e02a6deb584335c3f

Download Submit
C:\Users\Admin\AppData\Roaming\¸öÈË¼òÀú.doc
Filesize
45KB

MD5
c9161c2c3e8a7d64f5e02f0757062ba1

SHA1
834380faa01c01569ace05a1ae8ec5252ce1a137

SHA256
3f871aa085c3c3ab6f72bd0f04fc1fb81f2ff5125a341d6c9f533ef58694bcc3

SHA512
ad61d43d0e6c0edfb598d3a92ffe0371d4bc7b62dffa748882246259015882ffd9f42fb74b5c53c9af0e916d05862091c8e57b1eac7badc9c49b293a1c348838

Download Submit
C:\Users\Admin\AppData\Roaming\¸öÈË¼òÀú.doc
Filesize
45KB

MD5
c9161c2c3e8a7d64f5e02f0757062ba1

SHA1
834380faa01c01569ace05a1ae8ec5252ce1a137

SHA256
3f871aa085c3c3ab6f72bd0f04fc1fb81f2ff5125a341d6c9f533ef58694bcc3

SHA512
ad61d43d0e6c0edfb598d3a92ffe0371d4bc7b62dffa748882246259015882ffd9f42fb74b5c53c9af0e916d05862091c8e57b1eac7badc9c49b293a1c348838

Download Submit
memory/852-14-0x0000025952DB0000-0x0000025952EB0000-memory.dmp

Filesize
1024KB

Download
memory/852-13-0x0000025954780000-0x0000025954BF2000-memory.dmp

Filesize
4.4MB

Download
memory/4804-25-0x00007FF849E70000-0x00007FF849E80000-memory.dmp

Filesize
64KB

Download
memory/4804-42-0x00007FF889DF0000-0x00007FF889FE5000-memory.dmp

Filesize
2.0MB

Download
memory/4804-26-0x00007FF849E70000-0x00007FF849E80000-memory.dmp

Filesize
64KB

Download
memory/4804-30-0x00007FF889DF0000-0x00007FF889FE5000-memory.dmp

Filesize
2.0MB

Download
memory/4804-31-0x00007FF889DF0000-0x00007FF889FE5000-memory.dmp

Filesize
2.0MB

Download
memory/4804-32-0x00007FF889DF0000-0x00007FF889FE5000-memory.dmp

Filesize
2.0MB

Download
memory/4804-33-0x00007FF889DF0000-0x00007FF889FE5000-memory.dmp

Filesize
2.0MB

Download
memory/4804-34-0x00007FF889DF0000-0x00007FF889FE5000-memory.dmp

Filesize
2.0MB

Download
memory/4804-36-0x00007FF847D80000-0x00007FF847D90000-memory.dmp

Filesize
64KB

Download
memory/4804-35-0x00007FF889DF0000-0x00007FF889FE5000-memory.dmp

Filesize
2.0MB

Download
memory/4804-37-0x00007FF889DF0000-0x00007FF889FE5000-memory.dmp

Filesize
2.0MB

Download
memory/4804-38-0x00007FF889DF0000-0x00007FF889FE5000-memory.dmp

Filesize
2.0MB

Download
memory/4804-39-0x00007FF889DF0000-0x00007FF889FE5000-memory.dmp

Filesize
2.0MB

Download
memory/4804-40-0x00007FF847D80000-0x00007FF847D90000-memory.dmp

Filesize
64KB

Download
memory/4804-41-0x00007FF889DF0000-0x00007FF889FE5000-memory.dmp

Filesize
2.0MB

Download
memory/4804-29-0x00007FF889DF0000-0x00007FF889FE5000-memory.dmp

Filesize
2.0MB

Download
memory/4804-43-0x00007FF889DF0000-0x00007FF889FE5000-memory.dmp

Filesize
2.0MB

Download
memory/4804-27-0x00007FF889DF0000-0x00007FF889FE5000-memory.dmp

Filesize
2.0MB

Download
memory/4804-28-0x00007FF849E70000-0x00007FF849E80000-memory.dmp

Filesize
64KB

Download
memory/4804-23-0x00007FF849E70000-0x00007FF849E80000-memory.dmp

Filesize
64KB

Download
memory/4804-24-0x00007FF889DF0000-0x00007FF889FE5000-memory.dmp

Filesize
2.0MB

Download
memory/4804-22-0x00007FF849E70000-0x00007FF849E80000-memory.dmp

Filesize
64KB

Download
memory/4804-81-0x00007FF889DF0000-0x00007FF889FE5000-memory.dmp

Filesize
2.0MB

Download
memory/4804-82-0x00007FF889DF0000-0x00007FF889FE5000-memory.dmp

Filesize
2.0MB

Download
memory/4804-83-0x00007FF889DF0000-0x00007FF889FE5000-memory.dmp

Filesize
2.0MB

Download
memory/4804-102-0x00007FF849E70000-0x00007FF849E80000-memory.dmp

Filesize
64KB

Download
memory/4804-103-0x00007FF849E70000-0x00007FF849E80000-memory.dmp

Filesize
64KB

Download
memory/4804-105-0x00007FF849E70000-0x00007FF849E80000-memory.dmp

Filesize
64KB

Download
memory/4804-104-0x00007FF849E70000-0x00007FF849E80000-memory.dmp

Filesize
64KB

Download
memory/4804-106-0x00007FF889DF0000-0x00007FF889FE5000-memory.dmp

Filesize
2.0MB

Download
memory/4804-107-0x00007FF889DF0000-0x00007FF889FE5000-memory.dmp

Filesize
2.0MB

Download
memory/4804-108-0x00007FF889DF0000-0x00007FF889FE5000-memory.dmp

Filesize
2.0MB

Download