cobaltstrike | 983748c25d0701763e2d22718371bc136838148f1d0918778906da5d52617f26

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
20-12-2023 12:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1/【东莞信易贷平台】企业认证资料无法上传-文件大小不能超过5MB，请重新上传-202310.exe
Size

1.2MB
MD5

ceffa8c757a03596a372f84e733edd16
SHA1

be9898e4cae87a46ca6a9148d36d6bdcf62bb0bc
SHA256

99ee17d3cb68ae7ab2641974c43bf9e78e0dc4ab2bec159fd730abe8386098fd
SHA512

67d56d82ddd0783288ed32c21da5c5f248f3341d6b779c31b930e2a0a54e4849e537ab24e6a00d557fabb3f38288adbfb6e7e7a37885ab21082d7c29fc71e569
SSDEEP

24576:9iIWFSjg4fvUNP4MNaMmMCsmsqMmMCsA7eXcJB5R1gsVtub8R7IevpU4jKXhdk:qEo3I9PRUFs

Score

10^/10

cobaltstrike 100000 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

http://img.uioqwea.xyz:8443/messages/DALBNSFFT4Q

Attributes

user_agent
Accept: text/html,application/*,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Host: img.uioqwea.xyz Referer: http://code.jquery.com/ Accept-Encoding: gzip, deflate User-Agent: Mozilla/6.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/7.0)

Extracted

Family

cobaltstrike

Botnet

100000

http://img.uioqwea.xyz:8443/messages/xV5GdE

Attributes

access_type
512
beacon_type
2048
host
img.uioqwea.xyz,/messages/xV5GdE
http_header1
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAcAAAAAAAAAAwAAAAIAAAAKU0VTU0lPTklEPQAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAcAAAAAAAAAAwAAAAIAAAAJSlNFU1NJT049AAAABgAAAAZDb29raWUAAAAHAAAAAQAAAAMAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
2560
polling_time
10000
port_number
8443
sc_process32
%windir%\syswow64\esentutl.exe
sc_process64
%windir%\sysnative\esentutl.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCaQGOQzaqqQLDxqfNAdfZu7isKEAhtTHok92MhWQ6haLF6I92+W3zIHm5+FBWaPVxJ+LV5YaSDuXAwGrTKzYDu/MHzXYcuENLyL4dRuFbJBfJwRImaLDke8V2+zhN0vu0ZSNtDIE4xEKf/UzAj6i/Jdh0+Ha72abUlVMBRn37jLwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
3.092976896e+09
unknown2
AAAABAAAAAEAAATAAAAAAQAAAAwAAAACAAABlAAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/messages/96OpFu
user_agent
Mozilla/6.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/7.0)
watermark
100000

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

cmd.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	cmd.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Local Settings cmd.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

620 WINWORD.EXE
620 WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

【东莞信易贷平台】企业认证资料无法上传-文件大小不能超过5MB，请重新上传-202310.exe

pid	process
2936	【东莞信易贷平台】企业认证资料无法上传-文件大小不能超过5MB，请重新上传-202310.exe
2936	【东莞信易贷平台】企业认证资料无法上传-文件大小不能超过5MB，请重新上传-202310.exe
2936	【东莞信易贷平台】企业认证资料无法上传-文件大小不能超过5MB，请重新上传-202310.exe
2936	【东莞信易贷平台】企业认证资料无法上传-文件大小不能超过5MB，请重新上传-202310.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

【东莞信易贷平台】企业认证资料无法上传-文件大小不能超过5MB，请重新上传-202310.exe

pid process

2936 【东莞信易贷平台】企业认证资料无法上传-文件大小不能超过5MB，请重新上传-202310.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

Processes:

Explorer.EXE

description	pid	process
Token: SeShutdownPrivilege	3596	Explorer.EXE
Token: SeCreatePagefilePrivilege	3596	Explorer.EXE
Token: SeShutdownPrivilege	3596	Explorer.EXE
Token: SeCreatePagefilePrivilege	3596	Explorer.EXE
Token: SeShutdownPrivilege	3596	Explorer.EXE
Token: SeCreatePagefilePrivilege	3596	Explorer.EXE
Token: SeShutdownPrivilege	3596	Explorer.EXE
Token: SeCreatePagefilePrivilege	3596	Explorer.EXE
Token: SeShutdownPrivilege	3596	Explorer.EXE
Token: SeCreatePagefilePrivilege	3596	Explorer.EXE
Token: SeShutdownPrivilege	3596	Explorer.EXE
Token: SeCreatePagefilePrivilege	3596	Explorer.EXE
Token: SeShutdownPrivilege	3596	Explorer.EXE
Token: SeCreatePagefilePrivilege	3596	Explorer.EXE
Token: SeShutdownPrivilege	3596	Explorer.EXE
Token: SeCreatePagefilePrivilege	3596	Explorer.EXE
Token: SeShutdownPrivilege	3596	Explorer.EXE
Token: SeCreatePagefilePrivilege	3596	Explorer.EXE
Token: SeShutdownPrivilege	3596	Explorer.EXE
Token: SeCreatePagefilePrivilege	3596	Explorer.EXE
Token: SeShutdownPrivilege	3596	Explorer.EXE
Token: SeCreatePagefilePrivilege	3596	Explorer.EXE
Token: SeShutdownPrivilege	3596	Explorer.EXE
Token: SeCreatePagefilePrivilege	3596	Explorer.EXE
Token: SeShutdownPrivilege	3596	Explorer.EXE
Token: SeCreatePagefilePrivilege	3596	Explorer.EXE
Token: SeShutdownPrivilege	3596	Explorer.EXE
Token: SeCreatePagefilePrivilege	3596	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

3596 Explorer.EXE
3596 Explorer.EXE

pid	process
3596	Explorer.EXE
3596	Explorer.EXE

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

WINWORD.EXE

pid	process
620	WINWORD.EXE
620	WINWORD.EXE
620	WINWORD.EXE
620	WINWORD.EXE
620	WINWORD.EXE
620	WINWORD.EXE
620	WINWORD.EXE
620	WINWORD.EXE
620	WINWORD.EXE
620	WINWORD.EXE

Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3596 Explorer.EXE

pid	process
3596	Explorer.EXE

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

【东莞信易贷平台】企业认证资料无法上传-文件大小不能超过5MB，请重新上传-202310.execmd.exe

description	pid	process	target process
PID 2936 wrote to memory of 2172	2936	【东莞信易贷平台】企业认证资料无法上传-文件大小不能超过5MB，请重新上传-202310.exe	cmd.exe
PID 2936 wrote to memory of 2172	2936	【东莞信易贷平台】企业认证资料无法上传-文件大小不能超过5MB，请重新上传-202310.exe	cmd.exe
PID 2172 wrote to memory of 620	2172	cmd.exe	WINWORD.EXE
PID 2172 wrote to memory of 620	2172	cmd.exe	WINWORD.EXE
PID 2936 wrote to memory of 3596	2936	【东莞信易贷平台】企业认证资料无法上传-文件大小不能超过5MB，请重新上传-202310.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of UnmapMainImage
PID:3596

C:\Users\Admin\AppData\Local\Temp\1\【东莞信易贷平台】企业认证资料无法上传-文件大小不能超过5MB，请重新上传-202310.exe
"C:\Users\Admin\AppData\Local\Temp\1\【东莞信易贷平台】企业认证资料无法上传-文件大小不能超过5MB，请重新上传-202310.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2936

C:\Windows\SYSTEM32\cmd.exe
cmd /c4218087.doc
3⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2172

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\1\4218087.doc" /o ""
4⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:620

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1\4218087.doc
Filesize
93KB

MD5
de72533ed8828182ad05d8e7f694548f

SHA1
06c86de28558b5cb22539a077e94884a97804f6a

SHA256
3ae8dd53d8d97d71900ee8f194e6ce2aeab40b2f01ce01f756098facd249eda2

SHA512
ce681b28fd2d3158788399d8c7f81e8b7e31eaceb8885bd4e3209c55b359afd64ef357ffe31c0114aea49ffea2dc7008e6437b863648f54be195edb5fb125c36

Download Submit
memory/620-10-0x00007FFF11150000-0x00007FFF11160000-memory.dmp

Filesize
64KB

Download
memory/620-16-0x00007FFF510D0000-0x00007FFF512C5000-memory.dmp

Filesize
2.0MB

Download
memory/620-5-0x00007FFF510D0000-0x00007FFF512C5000-memory.dmp

Filesize
2.0MB

Download
memory/620-3-0x00007FFF11150000-0x00007FFF11160000-memory.dmp

Filesize
64KB

Download
memory/620-7-0x00007FFF11150000-0x00007FFF11160000-memory.dmp

Filesize
64KB

Download
memory/620-9-0x00007FFF510D0000-0x00007FFF512C5000-memory.dmp

Filesize
2.0MB

Download
memory/620-8-0x00007FFF510D0000-0x00007FFF512C5000-memory.dmp

Filesize
2.0MB

Download
memory/620-13-0x00007FFF510D0000-0x00007FFF512C5000-memory.dmp

Filesize
2.0MB

Download
memory/620-29-0x00007FFF510D0000-0x00007FFF512C5000-memory.dmp

Filesize
2.0MB

Download
memory/620-12-0x00007FFF11150000-0x00007FFF11160000-memory.dmp

Filesize
64KB

Download
memory/620-11-0x00007FFF510D0000-0x00007FFF512C5000-memory.dmp

Filesize
2.0MB

Download
memory/620-14-0x00007FFF510D0000-0x00007FFF512C5000-memory.dmp

Filesize
2.0MB

Download
memory/620-15-0x00007FFF510D0000-0x00007FFF512C5000-memory.dmp

Filesize
2.0MB

Download
memory/620-6-0x00007FFF11150000-0x00007FFF11160000-memory.dmp

Filesize
64KB

Download
memory/620-17-0x00007FFF0EFF0000-0x00007FFF0F000000-memory.dmp

Filesize
64KB

Download
memory/620-18-0x00007FFF0EFF0000-0x00007FFF0F000000-memory.dmp

Filesize
64KB

Download
memory/620-28-0x00007FFF510D0000-0x00007FFF512C5000-memory.dmp

Filesize
2.0MB

Download
memory/620-4-0x00007FFF510D0000-0x00007FFF512C5000-memory.dmp

Filesize
2.0MB

Download
memory/3596-20-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/3596-27-0x00000000027D0000-0x0000000002831000-memory.dmp

Filesize
388KB

Download