cobaltstrike | b94be764e5eb87917b37e4940d10782e78b8c7b097cd344019e279199b506d13

General

Target

573e3d2fcde58ae09638709e78e394c8.exe
Size

906KB
MD5

573e3d2fcde58ae09638709e78e394c8
SHA1

ab32f2bd40209a61567111dd6569bcde8501469c
SHA256

b94be764e5eb87917b37e4940d10782e78b8c7b097cd344019e279199b506d13
SHA512

cb321d8a62cbe499827e79b934a207d4fe5c755b9561587fa1aff2252bd1e69bbbe3c79af5117b6ea0ea190aa14d21c15b5247824a08d7526557830adbcb1c41
SSDEEP

12288:mlalun4QO0ONLVUL4TEtZvAcp2QGh64J6JgL3j7CzyAdlAUhCp5f7VqF:QalyO+4TEvASTGPJ6jOzU83

Score

10^/10

cobaltstrike 0 426352781 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

426352781

C2

http://5.133.109.104:81/activity

Attributes

access_type
512
host
5.133.109.104,/activity
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
polling_time
60000
port_number
81
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrsjeqVfPwUMvPnbo+bT2xEGxtknCsC2Ujlv+sXxLyCjlJQt0eAuPnIYwS0cknvO0bO/Jh82BaxPVuCw3fkHupUnYhJmr0yCUBQ0NNeeMj9kSltQwhv2Ir+5ru2gLq3dWq9RIafqxY5XqdBErhhOzmAM52RGoCaDQKnSpLPOAIbQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/submit.php
user_agent
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.4; .NET4.0C)
watermark
426352781

Extracted

Family

cobaltstrike

Botnet

0

Attributes

watermark
0

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2232 created 3524	2232	573e3d2fcde58ae09638709e78e394c8.exe	38

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	573e3d2fcde58ae09638709e78e394c8.exe

Executes dropped EXE 1 IoCs

pid	Process
4012	Update.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings	573e3d2fcde58ae09638709e78e394c8.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3100	WINWORD.EXE
3100	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2232	573e3d2fcde58ae09638709e78e394c8.exe
2232	573e3d2fcde58ae09638709e78e394c8.exe

Suspicious use of SetWindowsHookEx 18 IoCs

pid	Process
3100	WINWORD.EXE
3100	WINWORD.EXE
3100	WINWORD.EXE
3100	WINWORD.EXE
3100	WINWORD.EXE
3100	WINWORD.EXE
3100	WINWORD.EXE
3100	WINWORD.EXE
3100	WINWORD.EXE
3100	WINWORD.EXE
3100	WINWORD.EXE
3100	WINWORD.EXE
3100	WINWORD.EXE
3100	WINWORD.EXE
3100	WINWORD.EXE
3100	WINWORD.EXE
3100	WINWORD.EXE
3100	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 4012	2232	573e3d2fcde58ae09638709e78e394c8.exe	89
PID 2232 wrote to memory of 4012	2232	573e3d2fcde58ae09638709e78e394c8.exe	89
PID 2232 wrote to memory of 3100	2232	573e3d2fcde58ae09638709e78e394c8.exe	96
PID 2232 wrote to memory of 3100	2232	573e3d2fcde58ae09638709e78e394c8.exe	96

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3524
- C:\Users\Admin\AppData\Local\Temp\573e3d2fcde58ae09638709e78e394c8.exe
  "C:\Users\Admin\AppData\Local\Temp\573e3d2fcde58ae09638709e78e394c8.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Checks computer location settings
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2232
- - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\刘宇简历-2021.doc" /o ""
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID:3100
- C:\Users\Admin\AppData\Local\Temp\Update.exe
  C:\Users\Admin\AppData\Local\Temp\Update.exe
  2⤵
  - Executes dropped EXE
  PID:4012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Update.exe

Filesize
124KB

MD5
695ec60a6cf76f52c09692434581d111

SHA1
3e2e30c20f0558c51d93b6f1dddbb6e4c08c6608

SHA256
1a51542848954b016e9f52caa4367eb1759e03d0318f17ccf89474b928f351aa

SHA512
faf567b682d6ba4ec22a923deca33813f4bacaee91891d4939945dc93c8df0416375521c5fd92c74aa13ad78ad21d0ea5f8f90f7099d3b9d197fb1efb9fd0a36

Download Submit
C:\Users\Admin\AppData\Local\Temp\office_48.bin

Filesize
256KB

MD5
07c7da45631f96d77177f6079134faf2

SHA1
ea6415e23a62d4c55c60800b9f28ecc0c39d40d0

SHA256
1a1da3e130be87974360bc56af67fcb0ef21472b2fae39dc7ee4d064f1bbdf46

SHA512
28aedb5e1178421557398fd7a183b1308a3766c78a866c33b59bc1ef876f8a5ad8817c06968a53c05237c401dc2453110dd272ef74d52e956aa1cc4a8c452d5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\刘宇简历-2021.doc

Filesize
242KB

MD5
e9ac955be552d11fabe8570a905d3358

SHA1
8b0d8586dadb3ef637f22dca03f27bc4a1675339

SHA256
27d76288b481c558843c1b3927e6c01980c962649d18a2f05436f53b444e03e4

SHA512
1cc1a2621598b41f3814bb8d81e3017219a91a5a91dd81363d47b33f63b5fa6478b3d4f2c93bd7758843ceddc846c501214014790c58a4dad84026ffc588d471

Download Submit
memory/3100-24-0x00007FFC90C90000-0x00007FFC90CA0000-memory.dmp

Filesize
64KB

Download
memory/3100-26-0x00007FFCD3570000-0x00007FFCD3765000-memory.dmp

Filesize
2.0MB

Download
memory/3100-23-0x00007FFCD3570000-0x00007FFCD3765000-memory.dmp

Filesize
2.0MB

Download
memory/3100-22-0x00007FFCD3570000-0x00007FFCD3765000-memory.dmp

Filesize
2.0MB

Download
memory/3100-30-0x00007FFCD3570000-0x00007FFCD3765000-memory.dmp

Filesize
2.0MB

Download
memory/3100-21-0x00007FFCD3570000-0x00007FFCD3765000-memory.dmp

Filesize
2.0MB

Download
memory/3100-35-0x00007FFCD3570000-0x00007FFCD3765000-memory.dmp

Filesize
2.0MB

Download
memory/3100-37-0x00007FFCD3570000-0x00007FFCD3765000-memory.dmp

Filesize
2.0MB

Download
memory/3100-36-0x00007FFCD3570000-0x00007FFCD3765000-memory.dmp

Filesize
2.0MB

Download
memory/3100-34-0x00007FFCD3570000-0x00007FFCD3765000-memory.dmp

Filesize
2.0MB

Download
memory/3100-33-0x00007FFC90C90000-0x00007FFC90CA0000-memory.dmp

Filesize
64KB

Download
memory/3100-31-0x00007FFCD3570000-0x00007FFCD3765000-memory.dmp

Filesize
2.0MB

Download
memory/3100-29-0x00007FFCD3570000-0x00007FFCD3765000-memory.dmp

Filesize
2.0MB

Download
memory/3100-28-0x00007FFCD3570000-0x00007FFCD3765000-memory.dmp

Filesize
2.0MB

Download
memory/3100-27-0x00007FFCD3570000-0x00007FFCD3765000-memory.dmp

Filesize
2.0MB

Download
memory/3100-14-0x00007FFC935F0000-0x00007FFC93600000-memory.dmp

Filesize
64KB

Download
memory/3100-80-0x00007FFCD3570000-0x00007FFCD3765000-memory.dmp

Filesize
2.0MB

Download
memory/3100-20-0x00007FFCD3570000-0x00007FFCD3765000-memory.dmp

Filesize
2.0MB

Download
memory/3100-32-0x00007FFCD3570000-0x00007FFCD3765000-memory.dmp

Filesize
2.0MB

Download
memory/3100-19-0x00007FFCD3570000-0x00007FFCD3765000-memory.dmp

Filesize
2.0MB

Download
memory/3100-18-0x00007FFC935F0000-0x00007FFC93600000-memory.dmp

Filesize
64KB

Download
memory/3100-17-0x00007FFC935F0000-0x00007FFC93600000-memory.dmp

Filesize
64KB

Download
memory/3100-16-0x00007FFC935F0000-0x00007FFC93600000-memory.dmp

Filesize
64KB

Download
memory/3100-15-0x00007FFC935F0000-0x00007FFC93600000-memory.dmp

Filesize
64KB

Download
memory/3100-81-0x00007FFCD3570000-0x00007FFCD3765000-memory.dmp

Filesize
2.0MB

Download
memory/3100-25-0x00007FFCD3570000-0x00007FFCD3765000-memory.dmp

Filesize
2.0MB

Download
memory/3100-55-0x00007FFCD3570000-0x00007FFCD3765000-memory.dmp

Filesize
2.0MB

Download
memory/3100-79-0x00007FFCD3570000-0x00007FFCD3765000-memory.dmp

Filesize
2.0MB

Download
memory/3100-75-0x00007FFC935F0000-0x00007FFC93600000-memory.dmp

Filesize
64KB

Download
memory/3100-76-0x00007FFC935F0000-0x00007FFC93600000-memory.dmp

Filesize
64KB

Download
memory/3100-77-0x00007FFC935F0000-0x00007FFC93600000-memory.dmp

Filesize
64KB

Download
memory/3100-78-0x00007FFC935F0000-0x00007FFC93600000-memory.dmp

Filesize
64KB

Download
memory/4012-56-0x000001D3EBE40000-0x000001D3EBE8E000-memory.dmp

Filesize
312KB

Download
memory/4012-49-0x000001D3EBE40000-0x000001D3EBE8E000-memory.dmp

Filesize
312KB

Download
memory/4012-48-0x000001D3EBC00000-0x000001D3EBC41000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads