cobaltstrike | d3829c6ecc883d62e2bfcee24edec9bb49aae6eb315f22b08a3c668d66e6bf83

Analysis

max time kernel
144s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
18-02-2024 19:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d3829c6ecc883d62e2bfcee24edec9bb49aae6eb315f22b08a3c668d66e6bf83.exe
Size

3.4MB
MD5

3117bf9274374480ea7b7165786dd3e6
SHA1

5c2b9be474186ae10e884ffc15844191c2d144ae
SHA256

d3829c6ecc883d62e2bfcee24edec9bb49aae6eb315f22b08a3c668d66e6bf83
SHA512

b214abf62646fd10426b79405e2c67cfbed654bbd7e333cc08d88adfec74d269c60fb5b0a8c696fa8107897792228dab34af76f884f237cff1342762c6362e94
SSDEEP

49152:QI1BMSvHH9sufzgtSN9t9/y8MH31Q+QVc5GxJxn+mqEvzHyZsUocVIIR6qW+LKNi:QDSvxrg+t9/ypFQ+QuKJ9TyZ9JKc

Score

10^/10

cobaltstrike 0 100000 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

http://154.9.255.31:6666/vSFN

Attributes

user_agent
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; qdesk 2.4.1263.203; Windows NT 6.1; WOW64; Trident/5.0)

Extracted

Family

cobaltstrike

Botnet

100000

http://154.9.255.31:6666/pixel.gif

Attributes

access_type
512
host
154.9.255.31,/pixel.gif
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
polling_time
60000
port_number
6666
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDK3rLzrZjUM9JHGk+MkyiweizMh1UN5SghOUGMem0V661GlZU3VFjgj0GjDCZ7n7BB/ZxZlZW3+AyFk84CWktpKLetpsqUQfwVZXXybglwzxC6dgLck3I5vbXIPgyQwgUBW57GNmFiabvB1aCn90NMXnSeNSQypauXKIbsXCYtEwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/submit.php
user_agent
Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0; LG; LG-E906)
watermark
100000

Extracted

Family

cobaltstrike

Botnet

Attributes

watermark
0

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

d3829c6ecc883d62e2bfcee24edec9bb49aae6eb315f22b08a3c668d66e6bf83.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	d3829c6ecc883d62e2bfcee24edec9bb49aae6eb315f22b08a3c668d66e6bf83.exe

Executes dropped EXE 2 IoCs

Processes:

ak.exeak.exe

pid process

3172 ak.exe
4672 ak.exe
Loads dropped DLL 4 IoCs

Processes:

ak.exe

pid process

4672 ak.exe
4672 ak.exe
4672 ak.exe
4672 ak.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3172	ak.exe
4672	ak.exe

pid	process
4672	ak.exe
4672	ak.exe
4672	ak.exe
4672	ak.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

d3829c6ecc883d62e2bfcee24edec9bb49aae6eb315f22b08a3c668d66e6bf83.exeak.exe

description	pid	process	target process
PID 3476 wrote to memory of 3172	3476	d3829c6ecc883d62e2bfcee24edec9bb49aae6eb315f22b08a3c668d66e6bf83.exe	ak.exe
PID 3476 wrote to memory of 3172	3476	d3829c6ecc883d62e2bfcee24edec9bb49aae6eb315f22b08a3c668d66e6bf83.exe	ak.exe
PID 3172 wrote to memory of 4672	3172	ak.exe	ak.exe
PID 3172 wrote to memory of 4672	3172	ak.exe	ak.exe

C:\Users\Admin\AppData\Local\Temp\d3829c6ecc883d62e2bfcee24edec9bb49aae6eb315f22b08a3c668d66e6bf83.exe
"C:\Users\Admin\AppData\Local\Temp\d3829c6ecc883d62e2bfcee24edec9bb49aae6eb315f22b08a3c668d66e6bf83.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3476

C:\Users\Admin\AppData\Local\Temp\RarSFX0\ak.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\ak.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3172

C:\Users\Admin\AppData\Local\Temp\onefile_3172_133527584164475998\ak.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\ak.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4672

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_ctypes.pyd
Filesize
120KB

MD5
462fd515ca586048459b9d90a660cb93

SHA1
06089f5d5e2a6411a0d7b106d24d5203eb70ec60

SHA256
bf017767ac650420487ca3225b3077445d24260bf1a33e75f7361b0c6d3e96b4

SHA512
67851bdbf9ba007012b89c89b86fd430fce24790466fefbb54431a7c200884fc9eb2f90c36d57acd300018f607630248f1a3addc2aa5f212458eb7a5c27054b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libffi-7.dll
Filesize
14KB

MD5
c8e5b25a7bb5ec2739e535a62e17b693

SHA1
60baa77caa85ef663ce0298ef12adf5e8bd122b3

SHA256
c945798e61307ce8eb97c1c272d61782db902aac214944d52da5558a36ff4e40

SHA512
ca014b6d981a29a79c2286d26538407da6bb93448b02df9bd57c2e3ce64656ba53e19f2352f17ae566d1064d72568312bebbbb6046e4447f27a15cdba3d82fa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ak.exe
Filesize
460KB

MD5
81c2c818d975e1a0e2c842fc623d63d5

SHA1
62a7d32446d86efd3167bec283d1312a0e9782ce

SHA256
f5b609a5a61d6095fd15435a4f03b88db18f8ad2165c48e20e22ffff74659db1

SHA512
4df84c2a1f694ce0eae4a0c518bd47bfa915588d8371c0de0ac66859a93bdab40c055bf5cc51ae74052fca0344cbdf05d3fec6a5ea017dd98580c5fb586ff9c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ak.exe
Filesize
3.2MB

MD5
1e9f06ff572008ae0fe723c01a19f51f

SHA1
80623cbd7d7ad0cc539fcc42e0fa5a2f4a6d1193

SHA256
d0a790d8c8fa9147b6fd6d5bf0ef3c2a8907ec17eeb384dcc9b2611044928802

SHA512
7b9d4a9294b931e5efdc02a86336ee8daa4cad83e0c8aa49f148ae3040e819ea483837614a22f66c033d025b6e9106c0198caf1f51db8b3c261c16a024063d8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\日记.txt
Filesize
26KB

MD5
839e6d240e7f072b5b101d803c4b3be3

SHA1
b77a5649de8f5c146bc80773e6b61b62dd94fed0

SHA256
561130e97c3f5434d25c0e224168ee2dab5f79a7863796ad2aeb28061de352c1

SHA512
a668511cdceab97fc01d6645fe0aa7331752393f19969886aa4639d8d2d1a7a1745ecb3bda73ee0bfa1a17e430888c91ad4b0a0ac54edbd26267126c70b394cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3172_133527584164475998\_ctypes.pyd
Filesize
1KB

MD5
4a3e7447b9ac26fbe4e27467c0c67c67

SHA1
a79c2ca92bd314809f6cee32d1ed880435396606

SHA256
c86b4d42cd7c1392bd4e3c6a4f4fdb04d7b630770e9f0df5243104b18a201222

SHA512
d01735e9302e14be6bb775874dd30b620619a9865f4790d7b73643a10ba491bcaee55dd552910494116b9559dee6e8b297e73fd10c1d15818932d6902e466879

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3172_133527584164475998\ak.exe
Filesize
1.1MB

MD5
f0d9c20f5dca8bce686c596f54e43ef0

SHA1
221e813811b562ecce5e69185f5242d5cea094ac

SHA256
37249a5b30ae59e089a63ca79f17acef7853167b7c5609df1f205f86321cd0cf

SHA512
395bed6785ddf48afc1571d75992196ced0b19d203e984c228ee3159eabe4609e14684af615bc0f7c851b8ede730cd1742d2f0ac5b610e11cd38645e619fefe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3172_133527584164475998\ak.exe
Filesize
1.4MB

MD5
3cbc33189dfae027cb46a8178f7294a0

SHA1
30a63df0253b1e1767d28c24325f5f6cea881c50

SHA256
39a4f4f6f6d0cde38f22d1a1de714d31719dbb21d6399b388f1d21d9039e5c84

SHA512
f4c4de65782fec7753c3a906dff5a2c32840a760eb36a4e78ff4df5d0e6c67c9927d7add75d24c9292500b39c4a0b3122a59705be599ff6f62b93ab3d02352dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3172_133527584164475998\libffi-7.dll
Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3172_133527584164475998\python310.dll
Filesize
1.3MB

MD5
1439698316c39269662ce1358d55507e

SHA1
013a7bddf04786f8927167d1a16c7a654bb777b5

SHA256
e6d87c037873ba73ad539398fdbd6b7592b5cdca5f52611db11e40328a2824da

SHA512
9c4a3358e7abe27f9bceb8367c0fe44f3a33496811268801b310a0f95a14404ca5f4c72edc933b8c8c4e9c542355dedbba53e6e1288f2d7f94f64f593c745c8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3172_133527584164475998\python310.dll
Filesize
880KB

MD5
bed90aa82e1c9899611c0b0c4d016aaf

SHA1
709c4c37bb705f03843e13b69525f27f98658e50

SHA256
70910c519b8eedc6ab1ac9793f1bd0971fe4626d21476648c29607693cda707a

SHA512
2b89941e48509f746778fa48ec85541b4be470b2f15ac3e43f3f8befbe0514026c02c03f3a55e81ff4cb80279dd75d74528196b41a1e059359eaf7f2a80428c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3172_133527584164475998\vcruntime140.dll
Filesize
95KB

MD5
f34eb034aa4a9735218686590cba2e8b

SHA1
2bc20acdcb201676b77a66fa7ec6b53fa2644713

SHA256
9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1

SHA512
d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

Download Submit
memory/3172-33-0x00007FF78AE10000-0x00007FF78B15C000-memory.dmp

Filesize
3.3MB

Download
memory/4672-30-0x000001AEEA730000-0x000001AEEA731000-memory.dmp

Filesize
4KB

Download
memory/4672-31-0x000001AEECBE0000-0x000001AEECFE0000-memory.dmp

Filesize
4.0MB

Download
memory/4672-32-0x000001AEECFE0000-0x000001AEED02F000-memory.dmp

Filesize
316KB

Download
memory/4672-34-0x00007FF78EDA0000-0x00007FF78F157000-memory.dmp

Filesize
3.7MB

Download
memory/4672-37-0x000001AEECFE0000-0x000001AEED02F000-memory.dmp

Filesize
316KB

Download