cobaltstrike | 8de600a88650d22bad284c4c8a2ee009795117d3389248f4104420dce11b9a0b

Analysis

max time kernel
140s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08-04-2024 14:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

xshell软件排查结果反馈/其他材料/.__MACOSX__/.__MACOS__/._MACOS_/cs.vbs
Size

291B
MD5

4b0fa4b7a9b2eff999b0cce9e5ac7925
SHA1

6e0c89d5c77126de53f6fcbee0596c1b5ef9c2a6
SHA256

3327ee66d0892199aa9eb7917c961b3266a5f90695baa6728c50b0c2ff8a9099
SHA512

79aca7bf5f180242fd21ad3c9e339b19183c66d1d0343c62c49eba33c246f2e142171e1096b786ba833ae24d98fe57c8b7d960b469a28d9ccc1484e49c1af2f6

Score

10^/10

cobaltstrike 100000 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

100000

http://consumer-img.huawei.com:80/lib/v2/wcp-consent.js

Attributes

access_type
512
host
consumer-img.huawei.com,/lib/v2/wcp-consent.js
http_header1
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAABAAAAAaSG9zdDogc3RhdGljLm1pY3Jvc29mdC5jb20AAAAKAAAAJlJlZmVyZXI6IGh0dHBzOi8vc3RhdGljLm1pY3Jvc29mdC5jb20vAAAACgAAAB5BY2NlcHQtRW5jb2Rpbmc6IGd6aXAsIGRlZmxhdGUAAAAHAAAAAAAAAA0AAAACAAAACF9fbXMtY3Y9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAABAAAAAVSG9zdDogY2RuLmJvb3Rjc3MuY29tAAAACgAAACBSZWZlcmVyOiBodHRwOi8vY2RuLmJvb3Rjc3MuY29tLwAAAAoAAAAeQWNjZXB0LUVuY29kaW5nOiBnemlwLCBkZWZsYXRlAAAABwAAAAAAAAANAAAABQAAAAdfX21zLWN2AAAABwAAAAEAAAANAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
polling_time
30000
port_number
80
sc_process32
%windir%\syswow64\runonce.exe
sc_process64
%windir%\sysnative\runonce.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCJKQv1XF4Cmh2xywEarCa/bP0HPP+UFEQJHMOo5NsyVYvAVfHd59D4LmvVhtB6dvdqdkLUunc6NQljbO4D42xMOrFI41rqlbFibjEJQYX58RbZvjS1bhHVKa9XdQIQRpuk3eWO4Pk+iGyM1gHKjyZT+PV5lhUp1aBwAUirc7UnEQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
1.448416512e+09
unknown2
AAAABAAAAA0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/lib/v2/recaptcha__en.js
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4044.62 Safari/537.36
watermark
100000

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Blocklisted process makes network request 10 IoCs

Processes:

rundll32.exe

flow	pid	process
4	3724	rundll32.exe
5	3724	rundll32.exe
26	3724	rundll32.exe
27	3724	rundll32.exe
39	3724	rundll32.exe
40	3724	rundll32.exe
44	3724	rundll32.exe
49	3724	rundll32.exe
51	3724	rundll32.exe
52	3724	rundll32.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

WScript.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation WScript.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	WScript.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WScript.exe

description	pid	process	target process
PID 1908 wrote to memory of 3724	1908	WScript.exe	rundll32.exe
PID 1908 wrote to memory of 3724	1908	WScript.exe	rundll32.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\xshell软件排查结果反馈\其他材料\.__MACOSX__\.__MACOS__\._MACOS_\cs.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1908

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\xshell软件排查结果反馈\其他材料\.__MACOSX__\.__MACOS__\._MACOS_\mc.dll,Test
2⤵
- Blocklisted process makes network request
PID:3724

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3724-0-0x0000016DFF320000-0x0000016DFF361000-memory.dmp

Filesize
260KB

Download
memory/3724-2-0x0000016DFF370000-0x0000016DFF3BF000-memory.dmp

Filesize
316KB

Download
memory/3724-5-0x0000016DFF9A0000-0x0000016DFF9EF000-memory.dmp

Filesize
316KB

Download
memory/3724-6-0x000000006FA30000-0x000000006FF36000-memory.dmp

Filesize
5.0MB

Download
memory/3724-8-0x0000016DFF320000-0x0000016DFF361000-memory.dmp

Filesize
260KB

Download