cobaltstrike | b228ab1c794a255e2b655e4f559f60d0f727125e33038a1f717fd50dc978c1d1

Analysis

max time kernel
143s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
28-12-2023 15:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e78cf21e556c3092fd4fd69502d5afec.exe
Size

172KB
MD5

e78cf21e556c3092fd4fd69502d5afec
SHA1

6e07a503ed35db15fe4abe554c262b352e65856a
SHA256

b228ab1c794a255e2b655e4f559f60d0f727125e33038a1f717fd50dc978c1d1
SHA512

09fa20c2527f67a040d8e47e9a7a3c05ab9893e46c749de7232c3bdabfc62ba51fac93f8da9f70f5970aae058f05360aef8f2de52fa4291485fa9bc45812668f
SSDEEP

3072:FiHCy8NpD2VLKivsvnzmsJTUFAUFUd+0JgkibU4jLj8VgRCiyz+Qd3yoWZzb:AHCygULKUsbHJTUFOd+0etbrLj8VfrEo

Score

10^/10

cobaltstrike 972041620 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

972041620

http://52.15.212.124:443/telemetry_1

Attributes

access_type
512
beacon_type
2048
host
52.15.212.124,/telemetry_1
http_header1
AAAACgAAADFBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsKi8qLHE9MC44AAAACgAAABlBY2NlcHQtTGFuZ3VhZ2U6IGVuLVVTLGVuAAAACgAAABZDb25uZWN0aW9uOiBrZWVwLWFsaXZlAAAABwAAAAAAAAAPAAAADQAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAABdDYWNoZS1jb250cm9sOiBuby1jYWNoZQAAAAoAAAAWQ29udGVudC1FbmNvZGluZzogZ3ppcAAAAAoAAAARQ29ubmVjdGlvbjogY2xvc2UAAAAHAAAAAQAAAAQAAAAHAAAAAAAAAA0AAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
8448
polling_time
300000
port_number
443
sc_process32
%windir%\syswow64\backgroundTaskHost.exe
sc_process64
%windir%\sysnative\mobsync.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCXy7bqekll06mHUWMDlxK9wwJZzgn71reF9u1pCbTVBkBDJPWLpN8yrjpaxz9tsvKdAwjuiIi8OpKuFrHOfJey6nFg+KbGTmpO0JoW//BQlPWpfYYmJfnS+kvpZMEg+tKDndK1Klq16qAF/f0eCLlFqxketa5EvbyrIfOnvr5IrQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
1.700074752e+09
unknown2
AAAABAAAAAIAAAAJAAAAAwAAAA8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/submit/telemetry/
user_agent
Mozilla/5.0 (Windows NT 10.0; WOW64; rv:63.0) Gecko/20100101 Firefox/63.0
watermark
972041620

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

e78cf21e556c3092fd4fd69502d5afec.exe

description pid process target process

PID 4040 created 3492 4040 e78cf21e556c3092fd4fd69502d5afec.exe Explorer.EXE

description	pid	process	target process
PID 4040 created 3492	4040	e78cf21e556c3092fd4fd69502d5afec.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

e78cf21e556c3092fd4fd69502d5afec.exe

pid	process
4040	e78cf21e556c3092fd4fd69502d5afec.exe
4040	e78cf21e556c3092fd4fd69502d5afec.exe
4040	e78cf21e556c3092fd4fd69502d5afec.exe
4040	e78cf21e556c3092fd4fd69502d5afec.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

e78cf21e556c3092fd4fd69502d5afec.exe

description pid process

Token: SeDebugPrivilege 4040 e78cf21e556c3092fd4fd69502d5afec.exe

description	pid	process
Token: SeDebugPrivilege	4040	e78cf21e556c3092fd4fd69502d5afec.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

e78cf21e556c3092fd4fd69502d5afec.exe

description	pid	process	target process
PID 4040 wrote to memory of 4672	4040	e78cf21e556c3092fd4fd69502d5afec.exe	backgroundTaskHost.exe
PID 4040 wrote to memory of 4672	4040	e78cf21e556c3092fd4fd69502d5afec.exe	backgroundTaskHost.exe
PID 4040 wrote to memory of 4672	4040	e78cf21e556c3092fd4fd69502d5afec.exe	backgroundTaskHost.exe

C:\Users\Admin\AppData\Local\Temp\e78cf21e556c3092fd4fd69502d5afec.exe
"C:\Users\Admin\AppData\Local\Temp\e78cf21e556c3092fd4fd69502d5afec.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4040

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3492

C:\windows\system32\backgroundTaskHost.exe
"C:\windows\system32\backgroundTaskHost.exe"
2⤵
PID:4672

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4040-0-0x00000000003C0000-0x00000000003F2000-memory.dmp

Filesize
200KB

Download
memory/4040-4-0x00007FFF93ED0000-0x00007FFF94991000-memory.dmp

Filesize
10.8MB

Download
memory/4040-6-0x00007FFF93ED0000-0x00007FFF94991000-memory.dmp

Filesize
10.8MB

Download
memory/4672-1-0x0000024DC75F0000-0x0000024DC7630000-memory.dmp

Filesize
256KB

Download
memory/4672-2-0x0000024DC7900000-0x0000024DC7A28000-memory.dmp

Filesize
1.2MB

Download
memory/4672-5-0x0000024DC7900000-0x0000024DC7A28000-memory.dmp

Filesize
1.2MB

Download