cobaltstrike | dfe1914c551e8542e55e7707ea1badd058ac6df4d57636649bd714aaa832ee27

General

Target

dfe1914c551e8542e55e7707ea1badd058ac6df4d57636649bd714aaa832ee27.exe
Size

360KB
MD5

3d838159fdfcb5c26cec948f8687a0d1
SHA1

a4d569ebe607a080378401452f3b5855394bd791
SHA256

dfe1914c551e8542e55e7707ea1badd058ac6df4d57636649bd714aaa832ee27
SHA512

db35a78f4e5ef9429850a97c65c60a3d1b0db6feea150b2b49a21071e5c2840c2ed79d9deeaffe8ad4cda15bb6d518c4d4387f447b1cc24bbd62fe96394dd219
SSDEEP

6144:a8v9b3uzTMu3PJFrafXjiLQhdYTitPuIjMsUVPbrnjPKohULB9OT:a8vpKTMu3z+fXQQhOT7IjEXmoWN9

Score

10^/10

cobaltstrike 100000 backdoor persistence trojan

Malware Config

Extracted

Family

cobaltstrike

C2

http://update.microsoftwindows.biz:8443/api/2

Attributes

user_agent
Host: update.microsoftwindows.biz User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)

Extracted

Family

cobaltstrike

Botnet

100000

C2

http://update.microsoftwindows.biz:8443/api/3

Attributes

access_type
512
beacon_type
2048
host
update.microsoftwindows.biz,/api/3
http_header1
AAAAEAAAACFIb3N0OiB1cGRhdGUubWljcm9zb2Z0d2luZG93cy5iaXoAAAAHAAAAAAAAAAMAAAAGAAAABkNvb2tpZQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAAEAAAACFIb3N0OiB1cGRhdGUubWljcm9zb2Z0d2luZG93cy5iaXoAAAAHAAAAAAAAAAwAAAAHAAAAAQAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
polling_time
60000
port_number
8443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDfOAvlVEsRCS3UC6+JcnuZD+f2HjE5TMA2p+lWq3cVWz/RlxpBh9PVCQLgrRUSEuQ6cDA0x93WPF3rCrJkOvddDcSdUx/YRhOPY1r+/A4KXMdj70vU0fO/gLFLjbZBMu7xEjopEdOtVq5+T4NFOE4BiwGtGAnGIOQ/zDt2bbahKQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/api/4
user_agent
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SV1)
watermark
100000

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Executes dropped EXE 2 IoCs

Processes:

WindowsDefenderActive.exeDefenderActiveProtect.exe

pid process

3824 WindowsDefenderActive.exe
1504 DefenderActiveProtect.exe

pid	process
3824	WindowsDefenderActive.exe
1504	DefenderActiveProtect.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dfe1914c551e8542e55e7707ea1badd058ac6df4d57636649bd714aaa832ee27.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefenderActive = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WindowsDefenderActive.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DefenderActiveProtect = "C:\\Users\\Public\\DefenderActiveProtect.exe"	reg.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

3680 schtasks.exe
2492 schtasks.exe
4508 schtasks.exe
Modifies registry key 1 TTPs 3 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exe

pid process

3752 reg.exe
2148 reg.exe
4736 reg.exe

pid	process
3680	schtasks.exe
2492	schtasks.exe
4508	schtasks.exe

pid	process
3752	reg.exe
2148	reg.exe
4736	reg.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

dfe1914c551e8542e55e7707ea1badd058ac6df4d57636649bd714aaa832ee27.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 3992 wrote to memory of 608	3992	dfe1914c551e8542e55e7707ea1badd058ac6df4d57636649bd714aaa832ee27.exe	cmd.exe
PID 3992 wrote to memory of 608	3992	dfe1914c551e8542e55e7707ea1badd058ac6df4d57636649bd714aaa832ee27.exe	cmd.exe
PID 608 wrote to memory of 3680	608	cmd.exe	schtasks.exe
PID 608 wrote to memory of 3680	608	cmd.exe	schtasks.exe
PID 3992 wrote to memory of 1440	3992	dfe1914c551e8542e55e7707ea1badd058ac6df4d57636649bd714aaa832ee27.exe	cmd.exe
PID 3992 wrote to memory of 1440	3992	dfe1914c551e8542e55e7707ea1badd058ac6df4d57636649bd714aaa832ee27.exe	cmd.exe
PID 1440 wrote to memory of 3752	1440	cmd.exe	reg.exe
PID 1440 wrote to memory of 3752	1440	cmd.exe	reg.exe
PID 3992 wrote to memory of 2032	3992	dfe1914c551e8542e55e7707ea1badd058ac6df4d57636649bd714aaa832ee27.exe	cmd.exe
PID 3992 wrote to memory of 2032	3992	dfe1914c551e8542e55e7707ea1badd058ac6df4d57636649bd714aaa832ee27.exe	cmd.exe
PID 2032 wrote to memory of 2492	2032	cmd.exe	schtasks.exe
PID 2032 wrote to memory of 2492	2032	cmd.exe	schtasks.exe
PID 3992 wrote to memory of 3172	3992	dfe1914c551e8542e55e7707ea1badd058ac6df4d57636649bd714aaa832ee27.exe	cmd.exe
PID 3992 wrote to memory of 3172	3992	dfe1914c551e8542e55e7707ea1badd058ac6df4d57636649bd714aaa832ee27.exe	cmd.exe
PID 3172 wrote to memory of 2148	3172	cmd.exe	reg.exe
PID 3172 wrote to memory of 2148	3172	cmd.exe	reg.exe
PID 3992 wrote to memory of 2888	3992	dfe1914c551e8542e55e7707ea1badd058ac6df4d57636649bd714aaa832ee27.exe	cmd.exe
PID 3992 wrote to memory of 2888	3992	dfe1914c551e8542e55e7707ea1badd058ac6df4d57636649bd714aaa832ee27.exe	cmd.exe
PID 2888 wrote to memory of 4508	2888	cmd.exe	schtasks.exe
PID 2888 wrote to memory of 4508	2888	cmd.exe	schtasks.exe
PID 3992 wrote to memory of 4188	3992	dfe1914c551e8542e55e7707ea1badd058ac6df4d57636649bd714aaa832ee27.exe	cmd.exe
PID 3992 wrote to memory of 4188	3992	dfe1914c551e8542e55e7707ea1badd058ac6df4d57636649bd714aaa832ee27.exe	cmd.exe
PID 4188 wrote to memory of 4736	4188	cmd.exe	reg.exe
PID 4188 wrote to memory of 4736	4188	cmd.exe	reg.exe
PID 3992 wrote to memory of 5100	3992	dfe1914c551e8542e55e7707ea1badd058ac6df4d57636649bd714aaa832ee27.exe	cmd.exe
PID 3992 wrote to memory of 5100	3992	dfe1914c551e8542e55e7707ea1badd058ac6df4d57636649bd714aaa832ee27.exe	cmd.exe
PID 3992 wrote to memory of 3696	3992	dfe1914c551e8542e55e7707ea1badd058ac6df4d57636649bd714aaa832ee27.exe	cmd.exe
PID 3992 wrote to memory of 3696	3992	dfe1914c551e8542e55e7707ea1badd058ac6df4d57636649bd714aaa832ee27.exe	cmd.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\dfe1914c551e8542e55e7707ea1badd058ac6df4d57636649bd714aaa832ee27.exe
"C:\Users\Admin\AppData\Local\Temp\dfe1914c551e8542e55e7707ea1badd058ac6df4d57636649bd714aaa832ee27.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3992

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c schtasks /create /tn WinUpdate /tr C:\Users\Admin\AppData\Local\Temp\dfe1914c551e8542e55e7707ea1badd058ac6df4d57636649bd714aaa832ee27.exe /sc minute /mo 1
2⤵
- Suspicious use of WriteProcessMemory
PID:608

C:\Windows\system32\schtasks.exe
schtasks /create /tn WinUpdate /tr C:\Users\Admin\AppData\Local\Temp\dfe1914c551e8542e55e7707ea1badd058ac6df4d57636649bd714aaa832ee27.exe /sc minute /mo 1
3⤵
- Creates scheduled task(s)
PID:3680

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V WinUpdate /t REG_SZ /F /D C:\Users\Admin\AppData\Local\Temp\dfe1914c551e8542e55e7707ea1badd058ac6df4d57636649bd714aaa832ee27.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1440

C:\Windows\system32\reg.exe
REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V WinUpdate /t REG_SZ /F /D C:\Users\Admin\AppData\Local\Temp\dfe1914c551e8542e55e7707ea1badd058ac6df4d57636649bd714aaa832ee27.exe
3⤵
- Adds Run key to start application
- Modifies registry key
PID:3752

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c schtasks /create /tn WindowsDefenderActive /tr C:\Users\Admin\AppData\Local\Temp\WindowsDefenderActive.exe /sc minute /mo 1
2⤵
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\system32\schtasks.exe
schtasks /create /tn WindowsDefenderActive /tr C:\Users\Admin\AppData\Local\Temp\WindowsDefenderActive.exe /sc minute /mo 1
3⤵
- Creates scheduled task(s)
PID:2492

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V WindowsDefenderActive /t REG_SZ /F /D C:\Users\Admin\AppData\Local\Temp\WindowsDefenderActive.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:3172

C:\Windows\system32\reg.exe
REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V WindowsDefenderActive /t REG_SZ /F /D C:\Users\Admin\AppData\Local\Temp\WindowsDefenderActive.exe
3⤵
- Adds Run key to start application
- Modifies registry key
PID:2148

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c schtasks /create /tn DefenderActiveProtect /tr C:\Users\Public\DefenderActiveProtect.exe /sc minute /mo 1
2⤵
- Suspicious use of WriteProcessMemory
PID:2888

C:\Windows\system32\schtasks.exe
schtasks /create /tn DefenderActiveProtect /tr C:\Users\Public\DefenderActiveProtect.exe /sc minute /mo 1
3⤵
- Creates scheduled task(s)
PID:4508

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V DefenderActiveProtect /t REG_SZ /F /D C:\Users\Public\DefenderActiveProtect.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:4188

C:\Windows\system32\reg.exe
REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V DefenderActiveProtect /t REG_SZ /F /D C:\Users\Public\DefenderActiveProtect.exe
3⤵
- Adds Run key to start application
- Modifies registry key
PID:4736

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c copy C:\Users\Admin\AppData\Local\Temp\dfe1914c551e8542e55e7707ea1badd058ac6df4d57636649bd714aaa832ee27.exe C:\Users\Admin\AppData\Local\Temp\WindowsDefenderActive.exe
2⤵
PID:5100

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c copy C:\Users\Admin\AppData\Local\Temp\dfe1914c551e8542e55e7707ea1badd058ac6df4d57636649bd714aaa832ee27.exe C:\Users\Public\DefenderActiveProtect.exe
2⤵
PID:3696

C:\Users\Admin\AppData\Local\Temp\dfe1914c551e8542e55e7707ea1badd058ac6df4d57636649bd714aaa832ee27.exe
C:\Users\Admin\AppData\Local\Temp\dfe1914c551e8542e55e7707ea1badd058ac6df4d57636649bd714aaa832ee27.exe
1⤵
PID:3948

C:\Users\Admin\AppData\Local\Temp\WindowsDefenderActive.exe
C:\Users\Admin\AppData\Local\Temp\WindowsDefenderActive.exe
1⤵
- Executes dropped EXE
PID:3824

C:\Users\Public\DefenderActiveProtect.exe
C:\Users\Public\DefenderActiveProtect.exe
1⤵
- Executes dropped EXE
PID:1504

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\WindowsDefenderActive.exe
Filesize
360KB

MD5
3d838159fdfcb5c26cec948f8687a0d1

SHA1
a4d569ebe607a080378401452f3b5855394bd791

SHA256
dfe1914c551e8542e55e7707ea1badd058ac6df4d57636649bd714aaa832ee27

SHA512
db35a78f4e5ef9429850a97c65c60a3d1b0db6feea150b2b49a21071e5c2840c2ed79d9deeaffe8ad4cda15bb6d518c4d4387f447b1cc24bbd62fe96394dd219

Download Submit
memory/1504-15-0x0000020CB7960000-0x0000020CB79AF000-memory.dmp

Filesize
316KB

Download
memory/1504-18-0x0000020CB7960000-0x0000020CB79AF000-memory.dmp

Filesize
316KB

Download
memory/3824-16-0x0000024476630000-0x000002447667F000-memory.dmp

Filesize
316KB

Download
memory/3824-19-0x0000024476630000-0x000002447667F000-memory.dmp

Filesize
316KB

Download
memory/3948-17-0x00000279F5180000-0x00000279F51CF000-memory.dmp

Filesize
316KB

Download
memory/3948-20-0x00000279F5180000-0x00000279F51CF000-memory.dmp

Filesize
316KB

Download
memory/3992-4-0x000002B46BBE0000-0x000002B46BBE1000-memory.dmp

Filesize
4KB

Download
memory/3992-5-0x000002B46D8A0000-0x000002B46DCA0000-memory.dmp

Filesize
4.0MB

Download
memory/3992-6-0x000002B46DCA0000-0x000002B46DCEF000-memory.dmp

Filesize
316KB

Download
memory/3992-14-0x000002B46DCA0000-0x000002B46DCEF000-memory.dmp

Filesize
316KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads