cobaltstrike | b8f2a2318f7936a830bd51f33227d057fa9d14195efada73cb0a3baeffb1a83a

General

Target

b8f2a2318f7936a830bd51f33227d057fa9d14195efada73cb0a3baeffb1a83a.exe
Size

1.3MB
MD5

dec0cd55bc5352e45667926db1ba542a
SHA1

5e1a71ef8cb6a3faa600a4260a22de8be4d53a0a
SHA256

b8f2a2318f7936a830bd51f33227d057fa9d14195efada73cb0a3baeffb1a83a
SHA512

539d624a0f841c9c5c817d0f174e3915ba908f9bd9c8abf020434fb25b646c3d8daf12555d07967b799f4b86561cc9cba820c0a99129fc8beaf60c3bdf7e7afc
SSDEEP

24576:taLL/AJYg2M+B15txfi3BwC6k+neOWtqpzuN+hZd:KcYgWX06kEeOu+hn

Score

10^/10

cobaltstrike 100000000 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

C2

http://sw.falsh.co:443/jquery-3.3.2.slim.min.js

Attributes

user_agent
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Referer: http://code.jquery.com/ Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:002.0) Gecko/20100101 Firefox/117.0

Extracted

Family

cobaltstrike

Botnet

100000000

C2

http://sw.falsh.co:443/jquery-3.3.1.min.js

Attributes

access_type
512
beacon_type
2048
host
sw.falsh.co,/jquery-3.3.1.min.js
http_header1
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAgUmVmZXJlcjogaHR0cDovL2NvZGUuanF1ZXJ5LmNvbS8AAAAKAAAAHkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZQAAAAcAAAAAAAAADQAAAAIAAAAJX19jZmR1aWQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAgUmVmZXJlcjogaHR0cDovL2NvZGUuanF1ZXJ5LmNvbS8AAAAKAAAAHkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZQAAAAcAAAAAAAAADwAAAA0AAAAFAAAACF9fY2ZkdWlkAAAABwAAAAEAAAAPAAAADQAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
9472
polling_time
10000
port_number
443
sc_process32
%windir%\syswow64\dllhost.exe
sc_process64
%windir%\sysnative\dllhost.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCZVxEemPbfo1NzkOoFqPOBR9RwZLbjRv12oUT0MI4NG35T4bJWpkP/YbAYXpRMk34eLWt5oHB5gI4m8e177wtUL7BJP61NEEIZqRatOGFGQeRbdYwnLrt9KwqIUn1zVFlbAuH9eHKwxQ6tDLJqrdus/i6WW73M9kly9mB7TI3iNwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4.234810624e+09
unknown2
AAAABAAAAAEAAAXyAAAAAgAAAFQAAAACAAAPWwAAAA0AAAAPAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/jquery-3.3.2.min.js
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:002.0) Gecko/20100101 Firefox/117.0
watermark
100000000

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

sword.exe

pid process

4104 sword.exe
Drops file in System32 directory 1 IoCs

Processes:

dllhost.exe

description ioc process

File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UPnP\sword dllhost.exe

pid	process
4104	sword.exe

description	ioc	process
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UPnP\sword	dllhost.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

dllhost.exe

description	pid	process
Token: SeDebugPrivilege	4876	dllhost.exe
Token: SeRestorePrivilege	4876	dllhost.exe
Token: SeBackupPrivilege	4876	dllhost.exe
Token: SeTakeOwnershipPrivilege	4876	dllhost.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

b8f2a2318f7936a830bd51f33227d057fa9d14195efada73cb0a3baeffb1a83a.exesword.exe

description	pid	process	target process
PID 692 wrote to memory of 3432	692	b8f2a2318f7936a830bd51f33227d057fa9d14195efada73cb0a3baeffb1a83a.exe	dllhost.exe
PID 692 wrote to memory of 3432	692	b8f2a2318f7936a830bd51f33227d057fa9d14195efada73cb0a3baeffb1a83a.exe	dllhost.exe
PID 692 wrote to memory of 4876	692	b8f2a2318f7936a830bd51f33227d057fa9d14195efada73cb0a3baeffb1a83a.exe	dllhost.exe
PID 692 wrote to memory of 4876	692	b8f2a2318f7936a830bd51f33227d057fa9d14195efada73cb0a3baeffb1a83a.exe	dllhost.exe
PID 4104 wrote to memory of 3412	4104	sword.exe	dllhost.exe
PID 4104 wrote to memory of 3412	4104	sword.exe	dllhost.exe
PID 4104 wrote to memory of 1700	4104	sword.exe	dllhost.exe
PID 4104 wrote to memory of 1700	4104	sword.exe	dllhost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b8f2a2318f7936a830bd51f33227d057fa9d14195efada73cb0a3baeffb1a83a.exe
"C:\Users\Admin\AppData\Local\Temp\b8f2a2318f7936a830bd51f33227d057fa9d14195efada73cb0a3baeffb1a83a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:692

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe
2⤵
PID:3432

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe
2⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4876

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\sword.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\sword.exe yETrFvE9z1wrSlAo9xpSCKyntmn0v477AB+TUNQUZTI= 8N7LyzY/lJCpIyRD5h447Q==
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4104

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe
2⤵
PID:3412

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe
2⤵
PID:1700

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dllhost.exe.log
Filesize
847B

MD5
66a0a4aa01208ed3d53a5e131a8d030a

SHA1
ef5312ba2b46b51a4d04b574ca1789ac4ff4a6b1

SHA256
f0ab05c32d6af3c2b559dbce4dec025ce3e730655a2430ade520e89a557cace8

SHA512
626f0dcf0c6bcdc0fef25dc7da058003cf929fd9a39a9f447b79fb139a417532a46f8bca1ff2dbde09abfcd70f5fb4f8d059b1fe91977c377df2f5f751c84c5c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\sword.exe
Filesize
301KB

MD5
3d131dfc947e318d0005023b9e97c535

SHA1
bf9da19e0506542d8b6da990cf3b8e56f4652ea6

SHA256
d6d7c05965fddeb35241b886d3ced1e9c3ac5e3c77a7746d91a93211229226e6

SHA512
046b75ec810df3aec2a305a2e72138f41c403d0a4821f1a3586b9ef1e4f798dae78c3f1365092e8964f949c62db2573dee9a4031215ed5ee0e5f5559d7a3e3f2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\sword.exe
Filesize
208KB

MD5
3073a15943ea36e1748ca4c6f4ad4943

SHA1
827895027d3e0625cfa775283ce64b843b6be3a6

SHA256
b2a7044ea934465739f68e043f926eb1c4d85a2f188b18de72c082a8ccf0cc77

SHA512
c651e1dd29f38e9a7752fa1aec7179636cb2019ad29984284e4b21f45288e48a9bb9b1907cf239fccefad8b4141a469122c9e0d3c6cb0c0854c6a9de8ac4760f

Download Submit
C:\Users\Admin\AppData\Roaming\system.ini
Filesize
189KB

MD5
5283802957ec8772f014315e03648687

SHA1
a16e0af0bae48f315a5c353b860ace0436009ae7

SHA256
0fc3dbedec81763871b9fadc19edd624d0e8ae91403c8d6bbc95b8047adacc4d

SHA512
d25adb853a421249dab2a38f75eca6df172ff7b3c63bbb94e2910819d42b648c24fd8a034e5c881b908c775f1165357d24295d2e6b98545a85e0a3ec3f454f30

Download Submit
memory/692-2-0x00000127E5A60000-0x00000127E5E60000-memory.dmp

Filesize
4.0MB

Download
memory/692-14-0x00000127E5A60000-0x00000127E5E60000-memory.dmp

Filesize
4.0MB

Download
memory/692-0-0x00000127E3E70000-0x00000127E3E71000-memory.dmp

Filesize
4KB

Download
memory/692-1-0x00000127E5E60000-0x00000127E62D2000-memory.dmp

Filesize
4.4MB

Download
memory/1700-49-0x00000153884D0000-0x00000153884EE000-memory.dmp

Filesize
120KB

Download
memory/1700-50-0x00007FFBF4E30000-0x00007FFBF58F1000-memory.dmp

Filesize
10.8MB

Download
memory/3412-42-0x00007FFBF4E30000-0x00007FFBF58F1000-memory.dmp

Filesize
10.8MB

Download
memory/3412-44-0x000001C179110000-0x000001C179120000-memory.dmp

Filesize
64KB

Download
memory/3412-48-0x000001C179110000-0x000001C179120000-memory.dmp

Filesize
64KB

Download
memory/3412-47-0x00007FFBF4E30000-0x00007FFBF58F1000-memory.dmp

Filesize
10.8MB

Download
memory/3412-40-0x000001C177850000-0x000001C17786E000-memory.dmp

Filesize
120KB

Download
memory/3412-43-0x000001C179110000-0x000001C179120000-memory.dmp

Filesize
64KB

Download
memory/3432-8-0x0000014F53610000-0x0000014F53620000-memory.dmp

Filesize
64KB

Download
memory/3432-4-0x0000014F53600000-0x0000014F53608000-memory.dmp

Filesize
32KB

Download
memory/3432-3-0x0000014F51D50000-0x0000014F51D6E000-memory.dmp

Filesize
120KB

Download
memory/3432-16-0x0000014F53610000-0x0000014F53620000-memory.dmp

Filesize
64KB

Download
memory/3432-15-0x00007FFBF4E30000-0x00007FFBF58F1000-memory.dmp

Filesize
10.8MB

Download
memory/3432-6-0x0000014F53610000-0x0000014F53620000-memory.dmp

Filesize
64KB

Download
memory/3432-7-0x0000014F53610000-0x0000014F53620000-memory.dmp

Filesize
64KB

Download
memory/3432-5-0x00007FFBF4E30000-0x00007FFBF58F1000-memory.dmp

Filesize
10.8MB

Download
memory/4104-30-0x000001CED87B0000-0x000001CED87B1000-memory.dmp

Filesize
4KB

Download
memory/4104-46-0x000001CED9700000-0x000001CED9B00000-memory.dmp

Filesize
4.0MB

Download
memory/4104-31-0x000001CED8BB0000-0x000001CED8D69000-memory.dmp

Filesize
1.7MB

Download
memory/4104-33-0x000001CED8BB0000-0x000001CED8D69000-memory.dmp

Filesize
1.7MB

Download
memory/4104-35-0x000001CED87D0000-0x000001CED87D1000-memory.dmp

Filesize
4KB

Download
memory/4104-34-0x000001CED87C0000-0x000001CED87C1000-memory.dmp

Filesize
4KB

Download
memory/4104-32-0x000001CED8BB0000-0x000001CED8D69000-memory.dmp

Filesize
1.7MB

Download
memory/4104-38-0x000001CED93B0000-0x000001CED93C0000-memory.dmp

Filesize
64KB

Download
memory/4104-39-0x000001CED9B00000-0x000001CED9F72000-memory.dmp

Filesize
4.4MB

Download
memory/4104-45-0x000001CED93B0000-0x000001CED93C0000-memory.dmp

Filesize
64KB

Download
memory/4876-11-0x00007FFBF4E30000-0x00007FFBF58F1000-memory.dmp

Filesize
10.8MB

Download
memory/4876-27-0x00007FFBF4E30000-0x00007FFBF58F1000-memory.dmp

Filesize
10.8MB

Download
memory/4876-25-0x000001C717CC0000-0x000001C717D16000-memory.dmp

Filesize
344KB

Download
memory/4876-19-0x000001C730560000-0x000001C730570000-memory.dmp

Filesize
64KB

Download
memory/4876-18-0x000001C730560000-0x000001C730570000-memory.dmp

Filesize
64KB

Download
memory/4876-17-0x00007FFBF4E30000-0x00007FFBF58F1000-memory.dmp

Filesize
10.8MB

Download
memory/4876-13-0x000001C730560000-0x000001C730570000-memory.dmp

Filesize
64KB

Download
memory/4876-12-0x000001C730560000-0x000001C730570000-memory.dmp

Filesize
64KB

Download
memory/4876-10-0x000001C717AB0000-0x000001C717AE2000-memory.dmp

Filesize
200KB

Download
memory/4876-9-0x000001C716100000-0x000001C71611E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads