cobaltstrike | 074020d2d88544c1747e8b8d51eedd460305f6c2c529d548d993f1816b93c702

Analysis

max time kernel
119s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
30-03-2024 11:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

adobe update.exe
Size

606KB
MD5

6d15502f7965eb86b7e3ef22415df950
SHA1

5607d53d6f679f8ea6c8e5a1225d97cc0c36fed2
SHA256

074020d2d88544c1747e8b8d51eedd460305f6c2c529d548d993f1816b93c702
SHA512

12d73774636e0fcccfb2ef75bfca94888d7b15806a80c1e5a8292b23baf6d6cbda1cba41f9817f1bf37c29fda9a349bd3a8989e7962b977d53091b942bea8028
SSDEEP

12288:JNZum6aVKx6SIIRYz6Y9IwDGDYPG76bR220oRnWDg7sK:JNZDV6IIRCRI5UbR2EF2oL

Score

10^/10

cobaltstrike backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

http://flogpasteapp.top:443/jquery-3.3.2.slim.min.js

Attributes

user_agent
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Referer: http://code.jquery.com/ Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

adobe update.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	adobe update.exe

Executes dropped EXE 3 IoCs

Processes:

Wanting.pifWanting.pifWanting.pif

pid process

2204 Wanting.pif
4472 Wanting.pif
1704 Wanting.pif

Suspicious use of SetThreadContext 2 IoCs

Processes:

Wanting.pif

description	pid	process	target process
PID 2204 set thread context of 4472	2204	Wanting.pif	Wanting.pif
PID 2204 set thread context of 1704	2204	Wanting.pif	Wanting.pif

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3496 schtasks.exe
4380 schtasks.exe
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

2244 tasklist.exe
3236 tasklist.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2912 PING.EXE

pid	process
3496	schtasks.exe
4380	schtasks.exe

pid	process
2244	tasklist.exe
3236	tasklist.exe

pid	process
2912	PING.EXE

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

Wanting.pif

pid	process
2204	Wanting.pif
2204	Wanting.pif
2204	Wanting.pif
2204	Wanting.pif
2204	Wanting.pif
2204	Wanting.pif
2204	Wanting.pif
2204	Wanting.pif
2204	Wanting.pif
2204	Wanting.pif
2204	Wanting.pif
2204	Wanting.pif
2204	Wanting.pif
2204	Wanting.pif
2204	Wanting.pif
2204	Wanting.pif
2204	Wanting.pif
2204	Wanting.pif
2204	Wanting.pif
2204	Wanting.pif
2204	Wanting.pif
2204	Wanting.pif
2204	Wanting.pif
2204	Wanting.pif
2204	Wanting.pif
2204	Wanting.pif
2204	Wanting.pif
2204	Wanting.pif
2204	Wanting.pif
2204	Wanting.pif
2204	Wanting.pif
2204	Wanting.pif

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

tasklist.exetasklist.exe

description pid process

Token: SeDebugPrivilege 2244 tasklist.exe
Token: SeDebugPrivilege 3236 tasklist.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Wanting.pif

pid process

2204 Wanting.pif
2204 Wanting.pif
2204 Wanting.pif
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Wanting.pif

pid process

2204 Wanting.pif
2204 Wanting.pif
2204 Wanting.pif

description	pid	process
Token: SeDebugPrivilege	2244	tasklist.exe
Token: SeDebugPrivilege	3236	tasklist.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

adobe update.execmd.exeWanting.pifcmd.exe

description	pid	process	target process
PID 2528 wrote to memory of 4236	2528	adobe update.exe	cmd.exe
PID 2528 wrote to memory of 4236	2528	adobe update.exe	cmd.exe
PID 2528 wrote to memory of 4236	2528	adobe update.exe	cmd.exe
PID 4236 wrote to memory of 2244	4236	cmd.exe	tasklist.exe
PID 4236 wrote to memory of 2244	4236	cmd.exe	tasklist.exe
PID 4236 wrote to memory of 2244	4236	cmd.exe	tasklist.exe
PID 4236 wrote to memory of 5108	4236	cmd.exe	findstr.exe
PID 4236 wrote to memory of 5108	4236	cmd.exe	findstr.exe
PID 4236 wrote to memory of 5108	4236	cmd.exe	findstr.exe
PID 4236 wrote to memory of 3236	4236	cmd.exe	tasklist.exe
PID 4236 wrote to memory of 3236	4236	cmd.exe	tasklist.exe
PID 4236 wrote to memory of 3236	4236	cmd.exe	tasklist.exe
PID 4236 wrote to memory of 1560	4236	cmd.exe	findstr.exe
PID 4236 wrote to memory of 1560	4236	cmd.exe	findstr.exe
PID 4236 wrote to memory of 1560	4236	cmd.exe	findstr.exe
PID 4236 wrote to memory of 1968	4236	cmd.exe	cmd.exe
PID 4236 wrote to memory of 1968	4236	cmd.exe	cmd.exe
PID 4236 wrote to memory of 1968	4236	cmd.exe	cmd.exe
PID 4236 wrote to memory of 4420	4236	cmd.exe	cmd.exe
PID 4236 wrote to memory of 4420	4236	cmd.exe	cmd.exe
PID 4236 wrote to memory of 4420	4236	cmd.exe	cmd.exe
PID 4236 wrote to memory of 3620	4236	cmd.exe	cmd.exe
PID 4236 wrote to memory of 3620	4236	cmd.exe	cmd.exe
PID 4236 wrote to memory of 3620	4236	cmd.exe	cmd.exe
PID 4236 wrote to memory of 2204	4236	cmd.exe	Wanting.pif
PID 4236 wrote to memory of 2204	4236	cmd.exe	Wanting.pif
PID 4236 wrote to memory of 2912	4236	cmd.exe	PING.EXE
PID 4236 wrote to memory of 2912	4236	cmd.exe	PING.EXE
PID 4236 wrote to memory of 2912	4236	cmd.exe	PING.EXE
PID 2204 wrote to memory of 3496	2204	Wanting.pif	schtasks.exe
PID 2204 wrote to memory of 3496	2204	Wanting.pif	schtasks.exe
PID 2204 wrote to memory of 1856	2204	Wanting.pif	cmd.exe
PID 2204 wrote to memory of 1856	2204	Wanting.pif	cmd.exe
PID 1856 wrote to memory of 4380	1856	cmd.exe	schtasks.exe
PID 1856 wrote to memory of 4380	1856	cmd.exe	schtasks.exe
PID 2204 wrote to memory of 4472	2204	Wanting.pif	Wanting.pif
PID 2204 wrote to memory of 4472	2204	Wanting.pif	Wanting.pif
PID 2204 wrote to memory of 4472	2204	Wanting.pif	Wanting.pif
PID 2204 wrote to memory of 4472	2204	Wanting.pif	Wanting.pif
PID 2204 wrote to memory of 1704	2204	Wanting.pif	Wanting.pif
PID 2204 wrote to memory of 1704	2204	Wanting.pif	Wanting.pif
PID 2204 wrote to memory of 1704	2204	Wanting.pif	Wanting.pif
PID 2204 wrote to memory of 1704	2204	Wanting.pif	Wanting.pif

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\adobe update.exe
"C:\Users\Admin\AppData\Local\Temp\adobe update.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2528

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k move Translation Translation.bat & Translation.bat & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:4236

C:\Windows\SysWOW64\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2244

C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
3⤵
PID:5108

C:\Windows\SysWOW64\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3236

C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
3⤵
PID:1560

C:\Windows\SysWOW64\cmd.exe
cmd /c md 26770
3⤵
PID:1968

C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b 26770\Wanting.pif + Norton + Ear + Timeline + Cgi + Shoulder + Harm 26770\Wanting.pif
3⤵
PID:4420

C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Escape + Foreign + Understood 26770\G
3⤵
PID:3620

C:\Users\Admin\AppData\Local\Temp\26770\Wanting.pif
26770\Wanting.pif 26770\G
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2204

C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /create /tn "CreativeFlowX" /tr "wscript 'C:\Users\Admin\AppData\Local\FlowCraft Innovations Co\CreativeFlowX.js'" /sc onlogon /F /RL HIGHEST
4⤵
- Creates scheduled task(s)
PID:3496

C:\Windows\SYSTEM32\cmd.exe
cmd /c schtasks.exe /create /tn "So" /tr "wscript 'C:\Users\Admin\AppData\Local\FlowCraft Innovations Co\CreativeFlowX.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST
4⤵
- Suspicious use of WriteProcessMemory
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "So" /tr "wscript 'C:\Users\Admin\AppData\Local\FlowCraft Innovations Co\CreativeFlowX.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST
5⤵
- Creates scheduled task(s)
PID:4380

C:\Users\Admin\AppData\Local\Temp\26770\Wanting.pif
C:\Users\Admin\AppData\Local\Temp\26770\Wanting.pif
4⤵
- Executes dropped EXE
PID:4472

C:\Users\Admin\AppData\Local\Temp\26770\Wanting.pif
C:\Users\Admin\AppData\Local\Temp\26770\Wanting.pif
4⤵
- Executes dropped EXE
PID:1704

C:\Windows\SysWOW64\PING.EXE
ping -n 15 127.0.0.1
3⤵
- Runs ping.exe
PID:2912

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Process Discovery

T1057

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\26770\G
Filesize
472KB

MD5
3f8b8300896696055ec7b5289f0a3890

SHA1
8aaff557e1a42c6cefc0fedbd64978120d6076ba

SHA256
bf52a5585e38b67ff461ef1ec8dd6244606bba0d07bf67fd5b48ae4716abe1a7

SHA512
224e688329417949336e15caadc247f6267b2394243b1e01125938d5e18b75f8228186e59dc7d7ac9959279a3b127c3211fd04441dda482af183e5e8f184689f

Download Submit
C:\Users\Admin\AppData\Local\Temp\26770\Wanting.pif
Filesize
1.0MB

MD5
bfa84dbde0df8f1cad3e179bd46a6e34

SHA1
06ae3c38d4b2f8125656268925ebde9eca6a1f9e

SHA256
6de412b8674ffba5d78ff9d36abffbe2cf86fd08b2231592fca2fcf41f1f2314

SHA512
edd4c839437570003e1cc4a04e6cb7bf8c70c0ebdae741e69782e9bdf47c42441cd8d709170898859b94b3248cccf0e9dfa5e183c110b93ded935ce69a0ff82a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cgi
Filesize
178KB

MD5
534ee60e70d3b0abd61ac8459bdd127c

SHA1
7ef481a80580f1e04940b09ac758f3b001eda14b

SHA256
3fc1d87901701337978a133eaddbea0b314b5a49da2e46f21571e3294a2814ad

SHA512
b7bb6370ef6314e8343580a4bca3d1f50f94d9a3f5d867c824871f7681ad5890d0d6159cff5e28506369652db41f840aff52fe6c84ae1a528566c98655bb90d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ear
Filesize
151KB

MD5
97fe7c9cc9c4d96a8d7287e00a974f47

SHA1
bb220295f53800aa797331993b19fbc81b8bc476

SHA256
b0539b86d340f96c8644fac07107c7e84f1d77f1f56eec511eb66ee0a1e04a38

SHA512
9a754051e46d9db3e046d3bff7df99a3d260023eedef07dc144d64fcc38919193e9388f29888198b07490961290c4606b3ba8781b4c37c229e4b6daa9044856d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Escape
Filesize
205KB

MD5
a4c033e1208a4560d3a72e0ba926f91c

SHA1
59886a1979421ee811ec33351dc52ad0f6d035f8

SHA256
3eaedd3bf07da9f26e8d85ddd42e4b999ad1249af17e55f712ac328a199bc9e3

SHA512
006736e8dcf8a98c46452fc7656c01c1d42df40dcbc97378e8dbb7311d3ce1442c10308892b92dff1547b23ff0e9f97da79c8bd1ecd1a6be95f8df5db5e9ed79

Download Submit
C:\Users\Admin\AppData\Local\Temp\Foreign
Filesize
232KB

MD5
d8637ced6059e011349fee2597d53313

SHA1
d140570d9f3eeaa9c6d1b42d1a61fa0c6b7d9c0c

SHA256
3d7201c97f506e1aba899ff67cf078b253d772b9af13721e9e67aa11535b50b7

SHA512
4e4c124e48c4640ce9bf154ca618349aea0556431b1c8b5a150fced1e5fed4764fda845c98b965affe8399425c31b4bb902a813b4818adb6c2c90ab03bc61987

Download Submit
C:\Users\Admin\AppData\Local\Temp\Harm
Filesize
157KB

MD5
ea83f03d6eb011609f4b161e75bdde78

SHA1
def461cc324b4fdeb5c5ce0fcb85d72f73042166

SHA256
c61a3a8ebf5a46bc9c79cc34a1e0e5bf84d0028c6b9fd85de8e49e9985c0a813

SHA512
310cbc5a6a8e58ae03c443a4f22ecb223da14046ae8a189bab0c0efeaebaed5e18ab81830ed02606d5a6e35d1597b5d716cdce7c1db79aed4962f40c56bff10d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Norton
Filesize
105KB

MD5
582b11a7d90d126fec87cd1a727ad7bc

SHA1
bfd7d212a870de2186f94740589aecf51fc9ca28

SHA256
da6fa0aff26dddfd44428548df0668e02b9c239741a495474a2cb041d6bb58f5

SHA512
50a5977fd3c2c2834e0cf414bfec3c18cde2dc7a03dec6437603253af9339063451c64c4393e609fd32f5e3b116c219acca67c34eb73e30f87aaf439418188c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Shoulder
Filesize
283KB

MD5
1746f9f70c328815b41504b51f5b111c

SHA1
090613e27969ca7178f9e165287cda3c79712506

SHA256
4e5c39814a3ae06ce315498d05afb8534f4b0538812208926c099948086d5d6f

SHA512
8eca1af761105695f4a7244b37c810986c4128f4501d890691605ef4082e5a5c102ea1b545cc24342d1ce0a2fd2d851d06958048778169c3bcaee814aa8dcac0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Timeline
Filesize
172KB

MD5
92d7c9f4d67c5e251c1811b44e1ec1b8

SHA1
60f62e59a18f567345d7b291eb540e6c6aecaea5

SHA256
be38ee59c76d3eb0c641b3ad6123fcca557302be536cbe3a8461f757c99103e4

SHA512
243df2c04d540acf21824c0181398f53dc239e3b449473f973dd28236e5360fd96a38102765d9cbdceb68cf97ea8382d3d83cb79e8b475a152e46bdb182644bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Translation
Filesize
13KB

MD5
1f9f8a2694d823688c51fe4f8d4e2ba8

SHA1
c82063d4082d27742a10672885fe40b67716a2f6

SHA256
6b7912c06da6c6a9859c6a773cecd85bb6f72fa746bcb1105795f8b32721857e

SHA512
fdc8b3838aa5f2da335c1b4e7b35a45c9ace6f5914f3ec90a79f79f728f68976697cf19d3128196e4ce23b9a328fe1070aef03ce9eacd1115e2776ded76c888c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Understood
Filesize
35KB

MD5
f5f9398e85d10a4c0e8219057565d87a

SHA1
d3540705389a05c15521f09fb3f9a316be0660d7

SHA256
93872993b77c842bf2d75acc988ea451a408483a6c5c34007bceef01f5c6f73d

SHA512
750a4129ae68e060a247506090450fe6ded89f521b26046c54f4daa3e4570abc765565e5c0fc8def189e18518270d89313f0e6cd67beb06df543e4260d9bb16b

Download Submit
memory/1704-45-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2204-31-0x000001DF55260000-0x000001DF55261000-memory.dmp

Filesize
4KB

Download
memory/4472-32-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4472-33-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4472-36-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4472-35-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4472-37-0x00000235E8C40000-0x00000235E8C41000-memory.dmp

Filesize
4KB

Download