cobaltstrike | 983748c25d0701763e2d22718371bc136838148f1d0918778906da5d52617f26

Analysis

max time kernel
144s
max time network
145s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
20-12-2023 12:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1/【东莞信易贷平台】企业认证资料无法上传-文件大小不能超过5MB，请重新上传-202310.exe
Size

1.2MB
MD5

ceffa8c757a03596a372f84e733edd16
SHA1

be9898e4cae87a46ca6a9148d36d6bdcf62bb0bc
SHA256

99ee17d3cb68ae7ab2641974c43bf9e78e0dc4ab2bec159fd730abe8386098fd
SHA512

67d56d82ddd0783288ed32c21da5c5f248f3341d6b779c31b930e2a0a54e4849e537ab24e6a00d557fabb3f38288adbfb6e7e7a37885ab21082d7c29fc71e569
SSDEEP

24576:9iIWFSjg4fvUNP4MNaMmMCsmsqMmMCsA7eXcJB5R1gsVtub8R7IevpU4jKXhdk:qEo3I9PRUFs

Score

10^/10

cobaltstrike 100000 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

http://img.uioqwea.xyz:8443/messages/DALBNSFFT4Q

Attributes

user_agent
Accept: text/html,application/*,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Host: img.uioqwea.xyz Referer: http://code.jquery.com/ Accept-Encoding: gzip, deflate User-Agent: Mozilla/6.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/7.0)

Extracted

Family

cobaltstrike

Botnet

100000

http://img.uioqwea.xyz:8443/messages/xV5GdE

Attributes

access_type
512
beacon_type
2048
host
img.uioqwea.xyz,/messages/xV5GdE
http_header1
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAcAAAAAAAAAAwAAAAIAAAAKU0VTU0lPTklEPQAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAcAAAAAAAAAAwAAAAIAAAAJSlNFU1NJT049AAAABgAAAAZDb29raWUAAAAHAAAAAQAAAAMAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
2560
polling_time
10000
port_number
8443
sc_process32
%windir%\syswow64\esentutl.exe
sc_process64
%windir%\sysnative\esentutl.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCaQGOQzaqqQLDxqfNAdfZu7isKEAhtTHok92MhWQ6haLF6I92+W3zIHm5+FBWaPVxJ+LV5YaSDuXAwGrTKzYDu/MHzXYcuENLyL4dRuFbJBfJwRImaLDke8V2+zhN0vu0ZSNtDIE4xEKf/UzAj6i/Jdh0+Ha72abUlVMBRn37jLwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
3.092976896e+09
unknown2
AAAABAAAAAEAAATAAAAAAQAAAAwAAAACAAABlAAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/messages/96OpFu
user_agent
Mozilla/6.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/7.0)
watermark
100000

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

2604 WINWORD.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

WINWORD.EXE

pid process

2604 WINWORD.EXE

pid	process
2604	WINWORD.EXE

pid	process
2604	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

【东莞信易贷平台】企业认证资料无法上传-文件大小不能超过5MB，请重新上传-202310.exe

pid	process
2540	【东莞信易贷平台】企业认证资料无法上传-文件大小不能超过5MB，请重新上传-202310.exe
2540	【东莞信易贷平台】企业认证资料无法上传-文件大小不能超过5MB，请重新上传-202310.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

【东莞信易贷平台】企业认证资料无法上传-文件大小不能超过5MB，请重新上传-202310.exe

pid process

2540 【东莞信易贷平台】企业认证资料无法上传-文件大小不能超过5MB，请重新上传-202310.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

Explorer.EXE

description	pid	process
Token: SeShutdownPrivilege	1252	Explorer.EXE
Token: SeShutdownPrivilege	1252	Explorer.EXE
Token: SeShutdownPrivilege	1252	Explorer.EXE
Token: SeShutdownPrivilege	1252	Explorer.EXE
Token: SeShutdownPrivilege	1252	Explorer.EXE
Token: SeShutdownPrivilege	1252	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1252 Explorer.EXE
1252 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1252 Explorer.EXE
1252 Explorer.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

WINWORD.EXE

pid process

2604 WINWORD.EXE
2604 WINWORD.EXE
2604 WINWORD.EXE
2604 WINWORD.EXE
2604 WINWORD.EXE
2604 WINWORD.EXE
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

1252 Explorer.EXE

pid	process
1252	Explorer.EXE
1252	Explorer.EXE

pid	process
1252	Explorer.EXE
1252	Explorer.EXE

pid	process
2604	WINWORD.EXE
2604	WINWORD.EXE
2604	WINWORD.EXE
2604	WINWORD.EXE
2604	WINWORD.EXE
2604	WINWORD.EXE

pid	process
1252	Explorer.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

【东莞信易贷平台】企业认证资料无法上传-文件大小不能超过5MB，请重新上传-202310.execmd.exe

description	pid	process	target process
PID 2540 wrote to memory of 2904	2540	【东莞信易贷平台】企业认证资料无法上传-文件大小不能超过5MB，请重新上传-202310.exe	cmd.exe
PID 2540 wrote to memory of 2904	2540	【东莞信易贷平台】企业认证资料无法上传-文件大小不能超过5MB，请重新上传-202310.exe	cmd.exe
PID 2540 wrote to memory of 2904	2540	【东莞信易贷平台】企业认证资料无法上传-文件大小不能超过5MB，请重新上传-202310.exe	cmd.exe
PID 2540 wrote to memory of 1252	2540	【东莞信易贷平台】企业认证资料无法上传-文件大小不能超过5MB，请重新上传-202310.exe	Explorer.EXE
PID 2904 wrote to memory of 2604	2904	cmd.exe	WINWORD.EXE
PID 2904 wrote to memory of 2604	2904	cmd.exe	WINWORD.EXE
PID 2904 wrote to memory of 2604	2904	cmd.exe	WINWORD.EXE
PID 2904 wrote to memory of 2604	2904	cmd.exe	WINWORD.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of UnmapMainImage
PID:1252

C:\Users\Admin\AppData\Local\Temp\1\【东莞信易贷平台】企业认证资料无法上传-文件大小不能超过5MB，请重新上传-202310.exe
"C:\Users\Admin\AppData\Local\Temp\1\【东莞信易贷平台】企业认证资料无法上传-文件大小不能超过5MB，请重新上传-202310.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2540

C:\Windows\system32\cmd.exe
cmd /c4218087.doc
3⤵
- Suspicious use of WriteProcessMemory
PID:2904

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\1\4218087.doc"
4⤵
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of SetWindowsHookEx
PID:2604

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1\4218087.doc
Filesize
93KB

MD5
de72533ed8828182ad05d8e7f694548f

SHA1
06c86de28558b5cb22539a077e94884a97804f6a

SHA256
3ae8dd53d8d97d71900ee8f194e6ce2aeab40b2f01ce01f756098facd249eda2

SHA512
ce681b28fd2d3158788399d8c7f81e8b7e31eaceb8885bd4e3209c55b359afd64ef357ffe31c0114aea49ffea2dc7008e6437b863648f54be195edb5fb125c36

Download Submit
memory/1252-18-0x0000000002DC0000-0x0000000002DC1000-memory.dmp

Filesize
4KB

Download
memory/1252-46-0x00000000040E0000-0x0000000004141000-memory.dmp

Filesize
388KB

Download
memory/1252-47-0x000000006FFA0000-0x0000000071180000-memory.dmp

Filesize
17.9MB

Download
memory/1252-49-0x000000006FFA0000-0x0000000071180000-memory.dmp

Filesize
17.9MB

Download
memory/2604-27-0x000000002F151000-0x000000002F152000-memory.dmp

Filesize
4KB

Download
memory/2604-28-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2604-29-0x0000000070F8D000-0x0000000070F98000-memory.dmp

Filesize
44KB

Download
memory/2604-48-0x0000000070F8D000-0x0000000070F98000-memory.dmp

Filesize
44KB

Download