cobaltstrike | eb30df6f816f94e5d551bfdeb5f54b03b93ff45ff62ff91f602b595008ff8138

General

Target

金山办公WPS业务系统异常报错信息报告-20231221.exe
Size

5.8MB
MD5

4f85058677837b513f478b43f8f10b58
SHA1

450971c4678f8239c232396f4553ea8841d21669
SHA256

eb30df6f816f94e5d551bfdeb5f54b03b93ff45ff62ff91f602b595008ff8138
SHA512

44cd72a12ebbe7895eac4371d4fbf3d633d40b87870980f5632dafa4710821c3bfa86dface0fdd6da9718c0657d18c78460ab2226a07c61a7d70924658b85ee8
SSDEEP

49152:FaAPYSHwZVArb/TqvO90d7HjmAFd4A64nsfJ4GGMK7206ze3KicAIyjff8YRDof/:fw6U7wz5sb9okuEav

Score

10^/10

cobaltstrike 100000000 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

100000000

C2

http://127.0.0.1:60001/wps/solution/index

Attributes

access_type
512
host
127.0.0.1,/wps/solution/index
http_header1
AAAABwAAAAAAAAADAAAAAgAAAAZ0ZnN0az0AAAAGAAAABkNvb2tpZQAAAAoAAAALQWNjZXB0OiAqLyoAAAAKAAAAIFgtUmVxdWVzdGVkLVdpdGg6IFhNTEh0dHBSZXF1ZXN0AAAAEAAAABRIb3N0OiB3d3cuYWxpeXVuLmNvbQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAeQ29udGVudC1UeXBlOiBhcHBsaWNhdGlvbi9qc29uAAAACgAAACBYLVJlcXVlc3RlZC1XaXRoOiBYTUxIdHRwUmVxdWVzdAAAABAAAAAUSG9zdDogd3d3LmFsaXl1bi5jb20AAAAHAAAAAAAAAAUAAAAFb3JkZXIAAAAHAAAAAQAAAAMAAAACAAAACXsiZGF0YSI6IgAAAAEAAAACIn0AAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
7680
polling_time
5000
port_number
60001
sc_process32
%windir%\syswow64\gpupdate.exe
sc_process64
%windir%\sysnative\gpupdate.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCh3BRlss3kMAoxpOnFDqBH0SVbtj5CSj61uHgta20DGx8l5roXgtA86epLeD3kP+8DZxHmj/FjaOzqawNmx88AlVDeiEIDadC3Uo7YyN3SZPw7IcHDrm/12jre9OvoGnKdt33qJebD5NsyC4HyQqB/h/jtdT3EpVV/F0/mrq6RYwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
1.66652032e+09
unknown2
AAAABAAAAAEAAAACAAAAAgAAAAkAAAADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/data/wps/solution/index
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
watermark
100000000

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

taskmgr.exe

pid process

1680 taskmgr.exe
1680 taskmgr.exe
1680 taskmgr.exe
1680 taskmgr.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

taskmgr.exe

description	pid	process
Token: SeDebugPrivilege	1680	taskmgr.exe
Token: SeSystemProfilePrivilege	1680	taskmgr.exe
Token: SeCreateGlobalPrivilege	1680	taskmgr.exe
Token: 33	1680	taskmgr.exe
Token: SeIncBasePriorityPrivilege	1680	taskmgr.exe

Suspicious use of FindShellTrayWindow 30 IoCs

Processes:

taskmgr.exe

pid	process
1680	taskmgr.exe
1680	taskmgr.exe
1680	taskmgr.exe
1680	taskmgr.exe
1680	taskmgr.exe
1680	taskmgr.exe
1680	taskmgr.exe
1680	taskmgr.exe
1680	taskmgr.exe
1680	taskmgr.exe
1680	taskmgr.exe
1680	taskmgr.exe
1680	taskmgr.exe
1680	taskmgr.exe
1680	taskmgr.exe
1680	taskmgr.exe
1680	taskmgr.exe
1680	taskmgr.exe
1680	taskmgr.exe
1680	taskmgr.exe
1680	taskmgr.exe
1680	taskmgr.exe
1680	taskmgr.exe
1680	taskmgr.exe
1680	taskmgr.exe
1680	taskmgr.exe
1680	taskmgr.exe
1680	taskmgr.exe
1680	taskmgr.exe
1680	taskmgr.exe

Suspicious use of SendNotifyMessage 30 IoCs

Processes:

taskmgr.exe

pid	process
1680	taskmgr.exe
1680	taskmgr.exe
1680	taskmgr.exe
1680	taskmgr.exe
1680	taskmgr.exe
1680	taskmgr.exe
1680	taskmgr.exe
1680	taskmgr.exe
1680	taskmgr.exe
1680	taskmgr.exe
1680	taskmgr.exe
1680	taskmgr.exe
1680	taskmgr.exe
1680	taskmgr.exe
1680	taskmgr.exe
1680	taskmgr.exe
1680	taskmgr.exe
1680	taskmgr.exe
1680	taskmgr.exe
1680	taskmgr.exe
1680	taskmgr.exe
1680	taskmgr.exe
1680	taskmgr.exe
1680	taskmgr.exe
1680	taskmgr.exe
1680	taskmgr.exe
1680	taskmgr.exe
1680	taskmgr.exe
1680	taskmgr.exe
1680	taskmgr.exe

C:\Users\Admin\AppData\Local\Temp\金山办公WPS业务系统异常报错信息报告-20231221.exe
"C:\Users\Admin\AppData\Local\Temp\金山办公WPS业务系统异常报错信息报告-20231221.exe"
1⤵
PID:3948

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1680

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1680-9-0x0000025C21A50000-0x0000025C21A51000-memory.dmp

Filesize
4KB

Download
memory/1680-3-0x0000025C21A50000-0x0000025C21A51000-memory.dmp

Filesize
4KB

Download
memory/1680-4-0x0000025C21A50000-0x0000025C21A51000-memory.dmp

Filesize
4KB

Download
memory/1680-5-0x0000025C21A50000-0x0000025C21A51000-memory.dmp

Filesize
4KB

Download
memory/1680-10-0x0000025C21A50000-0x0000025C21A51000-memory.dmp

Filesize
4KB

Download
memory/1680-12-0x0000025C21A50000-0x0000025C21A51000-memory.dmp

Filesize
4KB

Download
memory/1680-11-0x0000025C21A50000-0x0000025C21A51000-memory.dmp

Filesize
4KB

Download
memory/1680-14-0x0000025C21A50000-0x0000025C21A51000-memory.dmp

Filesize
4KB

Download
memory/1680-13-0x0000025C21A50000-0x0000025C21A51000-memory.dmp

Filesize
4KB

Download
memory/1680-15-0x0000025C21A50000-0x0000025C21A51000-memory.dmp

Filesize
4KB

Download
memory/3948-1-0x000002DB5D700000-0x000002DB5D741000-memory.dmp

Filesize
260KB

Download
memory/3948-2-0x000002DB5D700000-0x000002DB5D741000-memory.dmp

Filesize
260KB

Download
memory/3948-0-0x000002DB5D750000-0x000002DB5D79F000-memory.dmp

Filesize
316KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads