cobaltstrike | b94be764e5eb87917b37e4940d10782e78b8c7b097cd344019e279199b506d13

General

Target

573e3d2fcde58ae09638709e78e394c8.exe
Size

906KB
MD5

573e3d2fcde58ae09638709e78e394c8
SHA1

ab32f2bd40209a61567111dd6569bcde8501469c
SHA256

b94be764e5eb87917b37e4940d10782e78b8c7b097cd344019e279199b506d13
SHA512

cb321d8a62cbe499827e79b934a207d4fe5c755b9561587fa1aff2252bd1e69bbbe3c79af5117b6ea0ea190aa14d21c15b5247824a08d7526557830adbcb1c41
SSDEEP

12288:mlalun4QO0ONLVUL4TEtZvAcp2QGh64J6JgL3j7CzyAdlAUhCp5f7VqF:QalyO+4TEvASTGPJ6jOzU83

Score

10^/10

cobaltstrike 0 426352781 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

426352781

C2

http://5.133.109.104:81/activity

Attributes

access_type
512
host
5.133.109.104,/activity
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
polling_time
60000
port_number
81
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrsjeqVfPwUMvPnbo+bT2xEGxtknCsC2Ujlv+sXxLyCjlJQt0eAuPnIYwS0cknvO0bO/Jh82BaxPVuCw3fkHupUnYhJmr0yCUBQ0NNeeMj9kSltQwhv2Ir+5ru2gLq3dWq9RIafqxY5XqdBErhhOzmAM52RGoCaDQKnSpLPOAIbQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/submit.php
user_agent
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.4; .NET4.0C)
watermark
426352781

Extracted

Family

cobaltstrike

Botnet

0

Attributes

watermark
0

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2120 created 1224	2120	573e3d2fcde58ae09638709e78e394c8.exe	14

Executes dropped EXE 1 IoCs

pid	Process
2196	Update.exe

Loads dropped DLL 2 IoCs

pid	Process
2120	573e3d2fcde58ae09638709e78e394c8.exe
2120	573e3d2fcde58ae09638709e78e394c8.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2240	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2120	573e3d2fcde58ae09638709e78e394c8.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2240	WINWORD.EXE
2240	WINWORD.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2120 wrote to memory of 2196	2120	573e3d2fcde58ae09638709e78e394c8.exe	28
PID 2120 wrote to memory of 2196	2120	573e3d2fcde58ae09638709e78e394c8.exe	28
PID 2120 wrote to memory of 2196	2120	573e3d2fcde58ae09638709e78e394c8.exe	28
PID 2120 wrote to memory of 2240	2120	573e3d2fcde58ae09638709e78e394c8.exe	29
PID 2120 wrote to memory of 2240	2120	573e3d2fcde58ae09638709e78e394c8.exe	29
PID 2120 wrote to memory of 2240	2120	573e3d2fcde58ae09638709e78e394c8.exe	29
PID 2120 wrote to memory of 2240	2120	573e3d2fcde58ae09638709e78e394c8.exe	29
PID 2240 wrote to memory of 2672	2240	WINWORD.EXE	30
PID 2240 wrote to memory of 2672	2240	WINWORD.EXE	30
PID 2240 wrote to memory of 2672	2240	WINWORD.EXE	30
PID 2240 wrote to memory of 2672	2240	WINWORD.EXE	30

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1224
- C:\Users\Admin\AppData\Local\Temp\573e3d2fcde58ae09638709e78e394c8.exe
  "C:\Users\Admin\AppData\Local\Temp\573e3d2fcde58ae09638709e78e394c8.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2120
- - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\刘宇简历-2021.doc"
    3⤵
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2240
  - - C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      4⤵
      PID:2672
- C:\Users\Admin\AppData\Local\Temp\Update.exe
  C:\Users\Admin\AppData\Local\Temp\Update.exe
  2⤵
  - Executes dropped EXE
  PID:2196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\office_48.bin

Filesize
256KB

MD5
07c7da45631f96d77177f6079134faf2

SHA1
ea6415e23a62d4c55c60800b9f28ecc0c39d40d0

SHA256
1a1da3e130be87974360bc56af67fcb0ef21472b2fae39dc7ee4d064f1bbdf46

SHA512
28aedb5e1178421557398fd7a183b1308a3766c78a866c33b59bc1ef876f8a5ad8817c06968a53c05237c401dc2453110dd272ef74d52e956aa1cc4a8c452d5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\刘宇简历-2021.doc

Filesize
92KB

MD5
36da2ba355480364845dd545a1a2e2c9

SHA1
a0395396105ae9bdddb6fe4734a0b44e07aff30b

SHA256
ffb7faccd6175d7d401de95a0b5f5813b70eadf25b4672b46659b1229f27d985

SHA512
ef6668ab85a9169b34e6885b41d8ef6d7dadf75bc7eb8c8dc95cabafe1d14840dde8d9a93275c458e61f12a737c460fd4f6a0149d065a1725d10f36a7d16b318

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
f1677820f24cbf0973660fbbfd7090fd

SHA1
cce71af508678bd649c1fb1141db8eaae3608f90

SHA256
2fa326baa773e6b83b8e149013064ca29dc453c8f580789ff547b4b5fe5b1288

SHA512
25b5662df71d532102506cd641f30bc6e13cbf0b61a3bca4c8d4b849b18d8c4591d2f0ff1369f3103b1fab0c1a2bf4335f13986070410a4027a4bc1401f0b6c4

Download Submit
\Users\Admin\AppData\Local\Temp\Update.exe

Filesize
124KB

MD5
695ec60a6cf76f52c09692434581d111

SHA1
3e2e30c20f0558c51d93b6f1dddbb6e4c08c6608

SHA256
1a51542848954b016e9f52caa4367eb1759e03d0318f17ccf89474b928f351aa

SHA512
faf567b682d6ba4ec22a923deca33813f4bacaee91891d4939945dc93c8df0416375521c5fd92c74aa13ad78ad21d0ea5f8f90f7099d3b9d197fb1efb9fd0a36

Download Submit
memory/2196-25-0x0000000000110000-0x000000000015E000-memory.dmp

Filesize
312KB

Download
memory/2196-22-0x00000000000C0000-0x0000000000101000-memory.dmp

Filesize
260KB

Download
memory/2196-23-0x0000000000110000-0x000000000015E000-memory.dmp

Filesize
312KB

Download
memory/2240-12-0x0000000071A3D000-0x0000000071A48000-memory.dmp

Filesize
44KB

Download
memory/2240-24-0x0000000071A3D000-0x0000000071A48000-memory.dmp

Filesize
44KB

Download
memory/2240-11-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2240-10-0x000000002FA51000-0x000000002FA52000-memory.dmp

Filesize
4KB

Download
memory/2240-40-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2240-41-0x0000000071A3D000-0x0000000071A48000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads