cobaltstrike | 8de600a88650d22bad284c4c8a2ee009795117d3389248f4104420dce11b9a0b

General

Target

xshell软件排查结果反馈/xshell软件排查结果反馈.docx.lnk
Size

1KB
MD5

dcf3d59f84590bf4195d3e42d1f229be
SHA1

f219a6fbb04f2513e109e22269f839121c072fc7
SHA256

82bf7ba9e947c1dc93032278c52f32b20a026cd05f3195ef08cf9a31be75a5b2
SHA512

724d3225699af65b645b2c0ed7e8116f5a392c77018acbe2da0901cc76b4341546bf8f629325916fa6980e8054775c7160c6abce58c6c9637e927a2ece769a5c

Score

10^/10

cobaltstrike 0 100000 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

100000

C2

http://consumer-img.huawei.com:80/lib/v2/wcp-consent.js

Attributes

access_type
512
host
consumer-img.huawei.com,/lib/v2/wcp-consent.js
http_header1
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAABAAAAAaSG9zdDogc3RhdGljLm1pY3Jvc29mdC5jb20AAAAKAAAAJlJlZmVyZXI6IGh0dHBzOi8vc3RhdGljLm1pY3Jvc29mdC5jb20vAAAACgAAAB5BY2NlcHQtRW5jb2Rpbmc6IGd6aXAsIGRlZmxhdGUAAAAHAAAAAAAAAA0AAAACAAAACF9fbXMtY3Y9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAABAAAAAVSG9zdDogY2RuLmJvb3Rjc3MuY29tAAAACgAAACBSZWZlcmVyOiBodHRwOi8vY2RuLmJvb3Rjc3MuY29tLwAAAAoAAAAeQWNjZXB0LUVuY29kaW5nOiBnemlwLCBkZWZsYXRlAAAABwAAAAAAAAANAAAABQAAAAdfX21zLWN2AAAABwAAAAEAAAANAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
polling_time
30000
port_number
80
sc_process32
%windir%\syswow64\runonce.exe
sc_process64
%windir%\sysnative\runonce.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCJKQv1XF4Cmh2xywEarCa/bP0HPP+UFEQJHMOo5NsyVYvAVfHd59D4LmvVhtB6dvdqdkLUunc6NQljbO4D42xMOrFI41rqlbFibjEJQYX58RbZvjS1bhHVKa9XdQIQRpuk3eWO4Pk+iGyM1gHKjyZT+PV5lhUp1aBwAUirc7UnEQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
1.448416512e+09
unknown2
AAAABAAAAA0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/lib/v2/recaptcha__en.js
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4044.62 Safari/537.36
watermark
100000

Extracted

Family

cobaltstrike

Botnet

0

Attributes

watermark
0

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Blocklisted process makes network request 10 IoCs

Processes:

rundll32.exe

flow	pid	process
6	2240	rundll32.exe
7	2240	rundll32.exe
39	2240	rundll32.exe
40	2240	rundll32.exe
50	2240	rundll32.exe
51	2240	rundll32.exe
56	2240	rundll32.exe
57	2240	rundll32.exe
60	2240	rundll32.exe
59	2240	rundll32.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cmd.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

explorer.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings	explorer.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

cmd.exeexplorer.exeWScript.exe

description	pid	process	target process
PID 4284 wrote to memory of 4300	4284	cmd.exe	explorer.exe
PID 4284 wrote to memory of 4300	4284	cmd.exe	explorer.exe
PID 1528 wrote to memory of 2388	1528	explorer.exe	WScript.exe
PID 1528 wrote to memory of 2388	1528	explorer.exe	WScript.exe
PID 2388 wrote to memory of 2240	2388	WScript.exe	rundll32.exe
PID 2388 wrote to memory of 2240	2388	WScript.exe	rundll32.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\xshell软件排查结果反馈\xshell软件排查结果反馈.docx.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4284

C:\Windows\explorer.exe
"C:\Windows\explorer.exe" ".\其他材料\.__MACOSX__\.__MACOS__\._MACOS_\cs.vbs"
2⤵
PID:4300

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1528

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\xshell软件排查结果反馈\其他材料\.__MACOSX__\.__MACOS__\._MACOS_\cs.vbs"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2388

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\xshell软件排查结果反馈\其他材料\.__MACOSX__\.__MACOS__\._MACOS_\mc.dll,Test
3⤵
- Blocklisted process makes network request
PID:2240

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2240-0-0x000001C383780000-0x000001C3837C1000-memory.dmp

Filesize
260KB

Download
memory/2240-5-0x000001C383780000-0x000001C3837CF000-memory.dmp

Filesize
316KB

Download
memory/2240-4-0x000001C3A9330000-0x000001C3A937F000-memory.dmp

Filesize
316KB

Download
memory/2240-6-0x000001C383780000-0x000001C3837C1000-memory.dmp

Filesize
260KB

Download
memory/2240-7-0x00000000712A0000-0x00000000717A6000-memory.dmp

Filesize
5.0MB

Download
memory/2240-9-0x000001C383780000-0x000001C3837C1000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads