cobaltstrike | 8e45d8b087d7044079cc90c5087e7060734043ea74ab93a1165314338aacaeb1

General

Target

2024-03-20_58c7935adc93f3c3859ebe408938d706_cobalt-strike_ryuk.exe
Size

509KB
MD5

58c7935adc93f3c3859ebe408938d706
SHA1

448b54408eb942cc2745daf8f914d6b96d0a1325
SHA256

8e45d8b087d7044079cc90c5087e7060734043ea74ab93a1165314338aacaeb1
SHA512

b9c1757f2c36c3c5d24708d7d43447d2f4263dcf57f4335ea6a87a6a9b230fe2e112fb9d5d672d737a741e6e43bd2380ada3518809ec433c244b4f6a06c992e0
SSDEEP

12288:y2ye/RY4Lmil2eRM756/bKMc0cg77ZSyyQU5w:Ly54T9/LLU5w

Score

10^/10

cobaltstrike 100000 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

C2

http://img.uioqwea.xyz:8443/messages/DALBNSFFT4Q

Attributes

user_agent
Accept: text/html,application/*,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Host: img.uioqwea.xyz Referer: http://code.jquery.com/ Accept-Encoding: gzip, deflate User-Agent: Mozilla/6.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/7.0)

Extracted

Family

cobaltstrike

Botnet

100000

C2

http://img.uioqwea.xyz:8443/messages/xV5GdE

Attributes

access_type
512
beacon_type
2048
host
img.uioqwea.xyz,/messages/xV5GdE
http_header1
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAcAAAAAAAAAAwAAAAIAAAAKU0VTU0lPTklEPQAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAcAAAAAAAAAAwAAAAIAAAAJSlNFU1NJT049AAAABgAAAAZDb29raWUAAAAHAAAAAQAAAAMAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
2560
polling_time
10000
port_number
8443
sc_process32
%windir%\syswow64\esentutl.exe
sc_process64
%windir%\sysnative\esentutl.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCaQGOQzaqqQLDxqfNAdfZu7isKEAhtTHok92MhWQ6haLF6I92+W3zIHm5+FBWaPVxJ+LV5YaSDuXAwGrTKzYDu/MHzXYcuENLyL4dRuFbJBfJwRImaLDke8V2+zhN0vu0ZSNtDIE4xEKf/UzAj6i/Jdh0+Ha72abUlVMBRn37jLwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
3.092976896e+09
unknown2
AAAABAAAAAEAAATAAAAAAQAAAAwAAAACAAABlAAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/messages/96OpFu
user_agent
Mozilla/6.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/7.0)
watermark
100000

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

2608 WINWORD.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

WINWORD.EXE

pid process

2608 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

2024-03-20_58c7935adc93f3c3859ebe408938d706_cobalt-strike_ryuk.exe

pid process

1044 2024-03-20_58c7935adc93f3c3859ebe408938d706_cobalt-strike_ryuk.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

2024-03-20_58c7935adc93f3c3859ebe408938d706_cobalt-strike_ryuk.exe

pid process

1044 2024-03-20_58c7935adc93f3c3859ebe408938d706_cobalt-strike_ryuk.exe

pid	process
2608	WINWORD.EXE

pid	process
2608	WINWORD.EXE

pid	process
1044	2024-03-20_58c7935adc93f3c3859ebe408938d706_cobalt-strike_ryuk.exe

pid	process
1044	2024-03-20_58c7935adc93f3c3859ebe408938d706_cobalt-strike_ryuk.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

Explorer.EXE

description	pid	process
Token: SeShutdownPrivilege	1312	Explorer.EXE
Token: SeShutdownPrivilege	1312	Explorer.EXE
Token: SeShutdownPrivilege	1312	Explorer.EXE
Token: SeShutdownPrivilege	1312	Explorer.EXE
Token: SeShutdownPrivilege	1312	Explorer.EXE
Token: SeShutdownPrivilege	1312	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1312 Explorer.EXE
1312 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1312 Explorer.EXE
1312 Explorer.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

WINWORD.EXE

pid process

2608 WINWORD.EXE
2608 WINWORD.EXE
2608 WINWORD.EXE
2608 WINWORD.EXE
2608 WINWORD.EXE
2608 WINWORD.EXE
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

1312 Explorer.EXE

pid	process
1312	Explorer.EXE
1312	Explorer.EXE

pid	process
1312	Explorer.EXE
1312	Explorer.EXE

pid	process
2608	WINWORD.EXE
2608	WINWORD.EXE
2608	WINWORD.EXE
2608	WINWORD.EXE
2608	WINWORD.EXE
2608	WINWORD.EXE

pid	process
1312	Explorer.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

2024-03-20_58c7935adc93f3c3859ebe408938d706_cobalt-strike_ryuk.execmd.exe

description	pid	process	target process
PID 1044 wrote to memory of 2376	1044	2024-03-20_58c7935adc93f3c3859ebe408938d706_cobalt-strike_ryuk.exe	cmd.exe
PID 1044 wrote to memory of 2376	1044	2024-03-20_58c7935adc93f3c3859ebe408938d706_cobalt-strike_ryuk.exe	cmd.exe
PID 1044 wrote to memory of 2376	1044	2024-03-20_58c7935adc93f3c3859ebe408938d706_cobalt-strike_ryuk.exe	cmd.exe
PID 1044 wrote to memory of 1312	1044	2024-03-20_58c7935adc93f3c3859ebe408938d706_cobalt-strike_ryuk.exe	Explorer.EXE
PID 2376 wrote to memory of 2608	2376	cmd.exe	WINWORD.EXE
PID 2376 wrote to memory of 2608	2376	cmd.exe	WINWORD.EXE
PID 2376 wrote to memory of 2608	2376	cmd.exe	WINWORD.EXE
PID 2376 wrote to memory of 2608	2376	cmd.exe	WINWORD.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of UnmapMainImage
PID:1312

C:\Users\Admin\AppData\Local\Temp\2024-03-20_58c7935adc93f3c3859ebe408938d706_cobalt-strike_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-20_58c7935adc93f3c3859ebe408938d706_cobalt-strike_ryuk.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1044

C:\Windows\system32\cmd.exe
cmd /cd2J4Z2xjbm0.doc
3⤵
- Suspicious use of WriteProcessMemory
PID:2376

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\d2J4Z2xjbm0.doc"
4⤵
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of SetWindowsHookEx
PID:2608

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d2J4Z2xjbm0.doc
Filesize
93KB

MD5
de72533ed8828182ad05d8e7f694548f

SHA1
06c86de28558b5cb22539a077e94884a97804f6a

SHA256
3ae8dd53d8d97d71900ee8f194e6ce2aeab40b2f01ce01f756098facd249eda2

SHA512
ce681b28fd2d3158788399d8c7f81e8b7e31eaceb8885bd4e3209c55b359afd64ef357ffe31c0114aea49ffea2dc7008e6437b863648f54be195edb5fb125c36

Download Submit
memory/1312-14-0x0000000002EF0000-0x0000000002EF1000-memory.dmp

Filesize
4KB

Download
memory/1312-46-0x0000000003360000-0x00000000033C1000-memory.dmp

Filesize
388KB

Download
memory/1312-47-0x0000000009110000-0x0000000009266000-memory.dmp

Filesize
1.3MB

Download
memory/1312-49-0x0000000009110000-0x0000000009266000-memory.dmp

Filesize
1.3MB

Download
memory/2608-27-0x000000002F871000-0x000000002F872000-memory.dmp

Filesize
4KB

Download
memory/2608-28-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2608-29-0x00000000713CD000-0x00000000713D8000-memory.dmp

Filesize
44KB

Download
memory/2608-48-0x00000000713CD000-0x00000000713D8000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads