cobaltstrike | 983748c25d0701763e2d22718371bc136838148f1d0918778906da5d52617f26

Analysis

max time kernel
145s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
20-12-2023 12:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1/【财务部】关于工资调整通知.exe
Size

1.4MB
MD5

a6d9c8a9b440e3479dd3590d9bcde94f
SHA1

7a114ee63b4ce4bff0960cdd880155cb46579bde
SHA256

781a0adab936e9735b324e86cdfac0998c2411ee6e9830841c203510d487a850
SHA512

bcecb32072c263411be1e0852d92b5d9b43da11a849d980f19763a62d5e8e80e661131c99b4e607c56c7910a5a7e4de3deba31ed0044f47dac123aa9e2ff3f7f
SSDEEP

24576:OxY2ohZF25g1IrDSwYVYLncnEDBm8I/owIyPeNcI4rFq:OxY2225onnVLnEIp/UN

Score

10^/10

cobaltstrike 0 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

Attributes

watermark
0

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

【财务部】关于工资调整通知.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	【财务部】关于工资调整通知.exe

Executes dropped EXE 1 IoCs

Processes:

baiDun.exe

pid process

2952 baiDun.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 1 IoCs

Processes:

【财务部】关于工资调整通知.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Local Settings	【财务部】关于工资调整通知.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

3460 WINWORD.EXE
3460 WINWORD.EXE

pid	process
3460	WINWORD.EXE
3460	WINWORD.EXE

Suspicious use of SetWindowsHookEx 11 IoCs

Processes:

baiDun.exeWINWORD.EXE

pid	process
2952	baiDun.exe
2952	baiDun.exe
3460	WINWORD.EXE
3460	WINWORD.EXE
3460	WINWORD.EXE
3460	WINWORD.EXE
3460	WINWORD.EXE
3460	WINWORD.EXE
3460	WINWORD.EXE
3460	WINWORD.EXE
3460	WINWORD.EXE

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

【财务部】关于工资调整通知.exe

description	pid	process	target process
PID 2920 wrote to memory of 2952	2920	【财务部】关于工资调整通知.exe	baiDun.exe
PID 2920 wrote to memory of 2952	2920	【财务部】关于工资调整通知.exe	baiDun.exe
PID 2920 wrote to memory of 3460	2920	【财务部】关于工资调整通知.exe	WINWORD.EXE
PID 2920 wrote to memory of 3460	2920	【财务部】关于工资调整通知.exe	WINWORD.EXE
PID 2920 wrote to memory of 2144	2920	【财务部】关于工资调整通知.exe	cmd.exe
PID 2920 wrote to memory of 2144	2920	【财务部】关于工资调整通知.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\1\【财务部】关于工资调整通知.exe
"C:\Users\Admin\AppData\Local\Temp\1\【财务部】关于工资调整通知.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2920

\??\c:\programdata\baiDun.exe
c:/programdata/baiDun.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2952

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\1\附件.docx" /o ""
2⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3460

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\1\08FD~1.EXE >> NUL
2⤵
PID:2144

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1\附件.docx
Filesize
9KB

MD5
53b4b1af878da3dd53be95ff68fa8f05

SHA1
60f5c3be5a2f99f594015a39925a71142a0fe358

SHA256
66999ec379c661a681aeaa18a4aabfc2b6cb221e5948dca9960eda48c224122c

SHA512
4ee43a43d16630ae620d4cbf4b547906c16345cf18d094e4aae772067a5d5ceab640990b2582adbf0c4f554a58e7d9f18f3b905a3a27e0fc0c492aa287d0c153

Download Submit
\??\c:\programdata\baiDun.exe
Filesize
829KB

MD5
3823006c7e1f815b2e36a49b969a4a52

SHA1
3b137ae62df91c1489dd3f631f97bd31803f649a

SHA256
2a24baed4f0d411d3b51d1b5fde4d6f81fbc222e04b697aa8ebfc5b736eda84a

SHA512
a917c5107607983fe3ac9fe4aaf1027b53a832a2d27175be8d82de1773f3b35c92d79c58151969746e698f3746b9d6b9cda352fc6af1b6cb38e3329963735079

Download Submit
memory/2952-5-0x00000232BA190000-0x00000232BA290000-memory.dmp

Filesize
1024KB

Download
memory/2952-6-0x00000232BA290000-0x00000232BA2DE000-memory.dmp

Filesize
312KB

Download
memory/2952-47-0x00000232BA290000-0x00000232BA2DE000-memory.dmp

Filesize
312KB

Download
memory/2952-46-0x00000232BA190000-0x00000232BA290000-memory.dmp

Filesize
1024KB

Download
memory/3460-16-0x00007FFA972F0000-0x00007FFA974E5000-memory.dmp

Filesize
2.0MB

Download
memory/3460-30-0x00007FFA972F0000-0x00007FFA974E5000-memory.dmp

Filesize
2.0MB

Download
memory/3460-15-0x00007FFA57370000-0x00007FFA57380000-memory.dmp

Filesize
64KB

Download
memory/3460-11-0x00007FFA57370000-0x00007FFA57380000-memory.dmp

Filesize
64KB

Download
memory/3460-17-0x00007FFA972F0000-0x00007FFA974E5000-memory.dmp

Filesize
2.0MB

Download
memory/3460-18-0x00007FFA972F0000-0x00007FFA974E5000-memory.dmp

Filesize
2.0MB

Download
memory/3460-19-0x00007FFA972F0000-0x00007FFA974E5000-memory.dmp

Filesize
2.0MB

Download
memory/3460-20-0x00007FFA972F0000-0x00007FFA974E5000-memory.dmp

Filesize
2.0MB

Download
memory/3460-21-0x00007FFA55020000-0x00007FFA55030000-memory.dmp

Filesize
64KB

Download
memory/3460-22-0x00007FFA972F0000-0x00007FFA974E5000-memory.dmp

Filesize
2.0MB

Download
memory/3460-23-0x00007FFA972F0000-0x00007FFA974E5000-memory.dmp

Filesize
2.0MB

Download
memory/3460-24-0x00007FFA55020000-0x00007FFA55030000-memory.dmp

Filesize
64KB

Download
memory/3460-25-0x00007FFA972F0000-0x00007FFA974E5000-memory.dmp

Filesize
2.0MB

Download
memory/3460-26-0x00007FFA972F0000-0x00007FFA974E5000-memory.dmp

Filesize
2.0MB

Download
memory/3460-27-0x00007FFA972F0000-0x00007FFA974E5000-memory.dmp

Filesize
2.0MB

Download
memory/3460-29-0x00007FFA972F0000-0x00007FFA974E5000-memory.dmp

Filesize
2.0MB

Download
memory/3460-28-0x00007FFA972F0000-0x00007FFA974E5000-memory.dmp

Filesize
2.0MB

Download
memory/3460-14-0x00007FFA972F0000-0x00007FFA974E5000-memory.dmp

Filesize
2.0MB

Download
memory/3460-31-0x00007FFA972F0000-0x00007FFA974E5000-memory.dmp

Filesize
2.0MB

Download
memory/3460-32-0x00007FFA972F0000-0x00007FFA974E5000-memory.dmp

Filesize
2.0MB

Download
memory/3460-34-0x00007FFA972F0000-0x00007FFA974E5000-memory.dmp

Filesize
2.0MB

Download
memory/3460-13-0x00007FFA57370000-0x00007FFA57380000-memory.dmp

Filesize
64KB

Download
memory/3460-12-0x00007FFA57370000-0x00007FFA57380000-memory.dmp

Filesize
64KB

Download
memory/3460-10-0x00007FFA57370000-0x00007FFA57380000-memory.dmp

Filesize
64KB

Download
memory/3460-48-0x00007FFA972F0000-0x00007FFA974E5000-memory.dmp

Filesize
2.0MB

Download
memory/3460-49-0x00007FFA972F0000-0x00007FFA974E5000-memory.dmp

Filesize
2.0MB

Download
memory/3460-70-0x00007FFA57370000-0x00007FFA57380000-memory.dmp

Filesize
64KB

Download
memory/3460-71-0x00007FFA57370000-0x00007FFA57380000-memory.dmp

Filesize
64KB

Download
memory/3460-72-0x00007FFA57370000-0x00007FFA57380000-memory.dmp

Filesize
64KB

Download
memory/3460-73-0x00007FFA57370000-0x00007FFA57380000-memory.dmp

Filesize
64KB

Download
memory/3460-74-0x00007FFA972F0000-0x00007FFA974E5000-memory.dmp

Filesize
2.0MB

Download
memory/3460-75-0x00007FFA972F0000-0x00007FFA974E5000-memory.dmp

Filesize
2.0MB

Download
memory/3460-76-0x00007FFA972F0000-0x00007FFA974E5000-memory.dmp

Filesize
2.0MB

Download