cobaltstrike | 6306b20b4b3fc089a7fd0e0b15ea52da879da95463d247d4f0a698207eda2718

General

Target

China's_gray-zone_warfare_against_Taiwan/China's_gray-zone_warfare_against_Taiwan.doc.lnk
Size

1.5MB
MD5

8e2c17040ec78cbcdc07bb2cf9dd7e01
SHA1

89336e16d4f9f5af89e927cb5b64a906588899d8
SHA256

e1b3bdde52fdec917aaa79f8fb1e01186447def36594339bac316a13d84ee667
SHA512

90e0dedc06e729e65238f0586c32ceefa9212afae4e3d70f88bfab0371a0663ab70a630bbde7182401907f5ef1e63cfdf6d2e15793633082626f9478fcfaf13c
SSDEEP

24576:xWGkPK8x3nD7v6hfaMk4HY7rlho/S28f2HCQbuNc0W1w/HiELEVZ7110Yy36ht6E:B

Score

10^/10

cobaltstrike 100000000 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

100000000

C2

http://upserver.updateservice.store:443/common.html

Attributes

access_type
512
beacon_type
2048
host
upserver.updateservice.store,/common.html
http_header1
AAAAEAAAACJIb3N0OiB1cHNlcnZlci51cGRhdGVzZXJ2aWNlLnN0b3JlAAAACgAAABFDb25uZWN0aW9uOiBjbG9zZQAAAAcAAAAAAAAACwAAAAMAAAACAAAAA2x1PQAAAAYAAAAGQ29va2llAAAACQAAAAt2ZXJpZnk9dHJ1ZQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAAEAAAACJIb3N0OiB1cHNlcnZlci51cGRhdGVzZXJ2aWNlLnN0b3JlAAAACgAAABFDb25uZWN0aW9uOiBjbG9zZQAAAAoAAAAvQ29udGVudC1UeXBlOiBhcHBsaWNhdGlvbi94LXd3dy1mb3JtLXVybGVuY29kZWQAAAAHAAAAAQAAAAMAAAADAAAAAgAAAAhhdXRob3JzPQAAAAQAAAAHAAAAAAAAAAMAAAACAAAADl9fc2Vzc2lvbl9faWQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
9472
polling_time
58666
port_number
443
sc_process32
%windir%\syswow64\svchost.exe
sc_process64
%windir%\sysnative\svchost.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCdQ5nVpJ13O9CwiQRtLOdTAwGg6oj4mvtVqZvCbSy9YyU3ngZSDBgmWjSMwrTqMvvKUr5RvigK1N00xTGT4LVtDESUaUvyGU79G24yPaF5rUOJjnAIRazosjB87DvXbI6k45HQsVyZD7wgEXnKFmv3E0Tk9ti5G0eVOKL5tqdS5QIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
6.1158912e+08
unknown2
AAAABAAAAAIAAAJYAAAAAwAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/r-arrow
user_agent
Mozilla/5.0 (Windows Phone 10.0; Android 6.0.1; Microsoft; RM-1152) AppleWebKit/537.36 (KHTML, like Gecko)
watermark
100000000

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cmd.execmd.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 1 IoCs

Processes:

360se.exe

pid process

2256 360se.exe
Loads dropped DLL 1 IoCs

Processes:

360se.exe

pid process

2256 360se.exe

pid	process
2256	360se.exe

pid	process
2256	360se.exe

Drops file in Windows directory 2 IoCs

Processes:

expand.exe

description	ioc	process
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	expand.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 2 IoCs

Processes:

explorer.execmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

1328 WINWORD.EXE
1328 WINWORD.EXE

Suspicious use of SetWindowsHookEx 18 IoCs

Processes:

WINWORD.EXE

pid	process
1328	WINWORD.EXE
1328	WINWORD.EXE
1328	WINWORD.EXE
1328	WINWORD.EXE
1328	WINWORD.EXE
1328	WINWORD.EXE
1328	WINWORD.EXE
1328	WINWORD.EXE
1328	WINWORD.EXE
1328	WINWORD.EXE
1328	WINWORD.EXE
1328	WINWORD.EXE
1328	WINWORD.EXE
1328	WINWORD.EXE
1328	WINWORD.EXE
1328	WINWORD.EXE
1328	WINWORD.EXE
1328	WINWORD.EXE

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

cmd.exeexplorer.exeWScript.execmd.exe

description	pid	process	target process
PID 2472 wrote to memory of 2712	2472	cmd.exe	explorer.exe
PID 2472 wrote to memory of 2712	2472	cmd.exe	explorer.exe
PID 1772 wrote to memory of 4436	1772	explorer.exe	WScript.exe
PID 1772 wrote to memory of 4436	1772	explorer.exe	WScript.exe
PID 4436 wrote to memory of 2356	4436	WScript.exe	cmd.exe
PID 4436 wrote to memory of 2356	4436	WScript.exe	cmd.exe
PID 2356 wrote to memory of 1308	2356	cmd.exe	findstr.exe
PID 2356 wrote to memory of 1308	2356	cmd.exe	findstr.exe
PID 2356 wrote to memory of 1480	2356	cmd.exe	certutil.exe
PID 2356 wrote to memory of 1480	2356	cmd.exe	certutil.exe
PID 2356 wrote to memory of 3388	2356	cmd.exe	expand.exe
PID 2356 wrote to memory of 3388	2356	cmd.exe	expand.exe
PID 2356 wrote to memory of 1328	2356	cmd.exe	WINWORD.EXE
PID 2356 wrote to memory of 1328	2356	cmd.exe	WINWORD.EXE
PID 2356 wrote to memory of 2256	2356	cmd.exe	360se.exe
PID 2356 wrote to memory of 2256	2356	cmd.exe	360se.exe
PID 2356 wrote to memory of 2256	2356	cmd.exe	360se.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\China's_gray-zone_warfare_against_Taiwan\China's_gray-zone_warfare_against_Taiwan.doc.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2472

C:\Windows\explorer.exe
"C:\Windows\explorer.exe" __MACOS\_params.cat.js
2⤵
PID:2712

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1772

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\China's_gray-zone_warfare_against_Taiwan\__MACOS\_params.cat.js"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4436

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c findstr 4d534346 C:\Users\Admin\AppData\Roaming\lFbRwJ.tmp > C:\Users\Admin\AppData\Roaming\sxytyM.tmp&for /r c:\windows\system32\ %i in (*ertu*.exe) do %i -decodehex C:\Users\Admin\AppData\Roaming\sxytyM.tmp C:\Users\Admin\AppData\Roaming\SfnLzw.tmp&expand -F:* C:\Users\Admin\AppData\Roaming\SfnLzw.tmp C:\Users\Admin\AppData\Roaming\&start C:\Users\Admin\AppData\Roaming\China's_gray-zone_warfare_against_Taiwan.doc&start C:\Users\Admin\AppData\Roaming\360se.exe&del C:\Users\Admin\AppData\Roaming\lFbRwJ.tmp C:\Users\Admin\AppData\Roaming\sxytyM.tmp C:\Users\Admin\AppData\Roaming\SfnLzw.tmp
3⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2356

C:\Windows\system32\findstr.exe
findstr 4d534346 C:\Users\Admin\AppData\Roaming\lFbRwJ.tmp
4⤵
PID:1308

\??\c:\windows\system32\certutil.exe
c:\windows\system32\certutil.exe -decodehex C:\Users\Admin\AppData\Roaming\sxytyM.tmp C:\Users\Admin\AppData\Roaming\SfnLzw.tmp
4⤵
PID:1480

C:\Windows\system32\expand.exe
expand -F:* C:\Users\Admin\AppData\Roaming\SfnLzw.tmp C:\Users\Admin\AppData\Roaming\
4⤵
- Drops file in Windows directory
PID:3388

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\China's_gray-zone_warfare_against_Taiwan.doc" /o ""
4⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1328

C:\Users\Admin\AppData\Roaming\360se.exe
C:\Users\Admin\AppData\Roaming\360se.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2256

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\360se.exe
Filesize
1.0MB

MD5
f44d91b5ada6238eb2d6e619163cc62a

SHA1
66ef3d305e393c9b4f6bae7f418d4f7fb537ce4d

SHA256
2c9193641261c691300cff1d18f149126036da623b475dfc36fde27fca102b91

SHA512
edea071c90ec67b47ecee3b9913bab4f31bab2f36a4e397a0df801e4034306a77806bf0cb3cfeb1ba5b4272e737eba7ddfcdaf29bf749d0bfdf10cf0c8a329f1

Download Submit
C:\Users\Admin\AppData\Roaming\China's_gray-zone_warfare_against_Taiwan.doc
Filesize
75KB

MD5
16578aeab36f8c8f72d1a858ec21fd9c

SHA1
78f2d46da970d00033a483d0098ba9e106694321

SHA256
156eec85df18e7ff992a5bf35c97938557ac506c2306a8cb6633602d8a6568ed

SHA512
7e5171f365ea40e095dc6431a7598baeca21b46a52ca53a56e8124c4b41b6f3fd6f8f2afc0cf4db6b30da5a71e72a3451c53074681ed0cc5893db4fbf8f6a6e9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize
3KB

MD5
87c76c0b82a0b32968f996a89f3be87b

SHA1
0e55d1d8f8adf3178b9c4b963532db11fee466bd

SHA256
8fb5ca421c484c30805dacba38fcf61ea8ccfbe904a3a6bcb599459064b3e031

SHA512
3979e9120374133c03d639ca997902a6fd240c2b7d1839bdfd3cb2a47855cda3b0ba056be671b765300732a64d992de542bdb465da2e00d25b445757eea7014b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize
3KB

MD5
9f99ce656295700be4b7fbbd24410034

SHA1
68f378a501f375b1dccb3ab26ec1e940e2355796

SHA256
dde6f766d8e8123b83d971c65dacbb02d019ca1c3a416309b8cc827031ce1e97

SHA512
c80e9cf2a368eeb4ecafd9f19c8c411afb87a036550681a2b22ee7a33542455f587ae9c7fd6d2a34cba341eb0de25255126599c23bd1abcf18b3a8ca65adbcd0

Download Submit
C:\Users\Admin\AppData\Roaming\chrome_elf.dll
Filesize
221KB

MD5
4f265905d3adad5c9e0d0aa250849404

SHA1
c147c8646a34ae54e4bdbfaffdf44848b78c209f

SHA256
fb6b0ff2da14b6447b21f0fc4ae73724667c8f6d296d707f18a28633b4e59ed0

SHA512
adddbcf8e5b9bc64fe6663911854d37f8dd586cef2dac8749c14faa554e74943021fa340624f49cf8854f70eb159faa9a12570d04d1ffe9686a1abebc8909398

Download Submit
C:\Users\Admin\AppData\Roaming\lFbRwJ.tmp
Filesize
1.4MB

MD5
d214bd09651a5f905ffaf546d3c019a8

SHA1
d3c8e3695dd84610712b0ae1c1b92814b0c2129c

SHA256
cb9527e7f2ad74f4d5e737a19f59e6d01bc1c618e533f0512b0f47e253413e97

SHA512
abb18fa4584f7e5ef29e43558f158ca86ee5d726bc5646f0d0e15f915c993e91689b2ad82949c3b5d1be59c3588104411a0ed9fc1211720cdfa83a92b64ffd19

Download Submit
\??\c:\users\admin\appdata\roaming\sfnlzw.tmp
Filesize
741KB

MD5
4ce61692705f938e7a41556dbf37872c

SHA1
6b66a2729c3444d44bfd82ac76eb0a46eea7638e

SHA256
f32415fab8cc5ce811088b85475d0691815e6ac3ff9a65c1f6a134fa25f05b4f

SHA512
5fb5416b8c1ea4194f3f26883b626d52450676de905d14dd1ee7b76014c3edcaa183b0cb8e7dee6520daf50d0ac180399daaad6c2429daa26a54b6289412b037

Download Submit
memory/1328-23-0x00007FF8A0AF0000-0x00007FF8A0B00000-memory.dmp

Filesize
64KB

Download
memory/1328-58-0x00007FF8E0A70000-0x00007FF8E0C65000-memory.dmp

Filesize
2.0MB

Download
memory/1328-25-0x00007FF8E0A70000-0x00007FF8E0C65000-memory.dmp

Filesize
2.0MB

Download
memory/1328-22-0x00007FF8E0A70000-0x00007FF8E0C65000-memory.dmp

Filesize
2.0MB

Download
memory/1328-28-0x00007FF8E0A70000-0x00007FF8E0C65000-memory.dmp

Filesize
2.0MB

Download
memory/1328-29-0x00007FF8E0A70000-0x00007FF8E0C65000-memory.dmp

Filesize
2.0MB

Download
memory/1328-30-0x00007FF8E0A70000-0x00007FF8E0C65000-memory.dmp

Filesize
2.0MB

Download
memory/1328-21-0x00007FF8A0AF0000-0x00007FF8A0B00000-memory.dmp

Filesize
64KB

Download
memory/1328-102-0x00007FF8E0A70000-0x00007FF8E0C65000-memory.dmp

Filesize
2.0MB

Download
memory/1328-103-0x00007FF8E0A70000-0x00007FF8E0C65000-memory.dmp

Filesize
2.0MB

Download
memory/1328-35-0x00007FF89E900000-0x00007FF89E910000-memory.dmp

Filesize
64KB

Download
memory/1328-36-0x00007FF89E900000-0x00007FF89E910000-memory.dmp

Filesize
64KB

Download
memory/1328-101-0x00007FF8E0A70000-0x00007FF8E0C65000-memory.dmp

Filesize
2.0MB

Download
memory/1328-24-0x00007FF8E0A70000-0x00007FF8E0C65000-memory.dmp

Filesize
2.0MB

Download
memory/1328-20-0x00007FF8A0AF0000-0x00007FF8A0B00000-memory.dmp

Filesize
64KB

Download
memory/1328-19-0x00007FF8A0AF0000-0x00007FF8A0B00000-memory.dmp

Filesize
64KB

Download
memory/1328-18-0x00007FF8A0AF0000-0x00007FF8A0B00000-memory.dmp

Filesize
64KB

Download
memory/1328-96-0x00007FF8A0AF0000-0x00007FF8A0B00000-memory.dmp

Filesize
64KB

Download
memory/1328-97-0x00007FF8A0AF0000-0x00007FF8A0B00000-memory.dmp

Filesize
64KB

Download
memory/1328-98-0x00007FF8A0AF0000-0x00007FF8A0B00000-memory.dmp

Filesize
64KB

Download
memory/1328-99-0x00007FF8A0AF0000-0x00007FF8A0B00000-memory.dmp

Filesize
64KB

Download
memory/1328-100-0x00007FF8E0A70000-0x00007FF8E0C65000-memory.dmp

Filesize
2.0MB

Download
memory/2256-38-0x0000000001660000-0x00000000016E8000-memory.dmp

Filesize
544KB

Download
memory/2256-34-0x0000000001660000-0x00000000016E8000-memory.dmp

Filesize
544KB

Download
memory/2256-33-0x00000000014E0000-0x0000000001514000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads