cobaltstrike | 41bcdc3fc4c878fb34ebebeff6ff7d158be166d3fc220f3b90f225ae3757f2e8

General

Target

41bcdc3fc4c878fb34ebebeff6ff7d158be166d3fc220f3b90f225ae3757f2e8.exe
Size

565KB
MD5

11f483182a6d4f1a0dd2682e58b4eaf0
SHA1

57ebd92b2f0c2269a3aa1aea74498a44041ecc75
SHA256

41bcdc3fc4c878fb34ebebeff6ff7d158be166d3fc220f3b90f225ae3757f2e8
SHA512

028e321cf5bdde26660f98477fbbc23607f48a724ecbfd6041969828c09b10e0f0603c1551f63f998a9b6c4964363bbd6f4b4fbd2fea07bc2f42fe57fdaca144
SSDEEP

6144:8M1HMUCuFyhyGUKnjZ0dxuhUMA3eIJuMPJCVy+tPXbLE8x/RSI2SS:8MaUCAwUMZ0PRJZMBPbLE8x

Score

10^/10

cobaltstrike 0 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

0

Attributes

watermark
0

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

41bcdc3fc4c878fb34ebebeff6ff7d158be166d3fc220f3b90f225ae3757f2e8.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	41bcdc3fc4c878fb34ebebeff6ff7d158be166d3fc220f3b90f225ae3757f2e8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 1 IoCs

Processes:

41bcdc3fc4c878fb34ebebeff6ff7d158be166d3fc220f3b90f225ae3757f2e8.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings	41bcdc3fc4c878fb34ebebeff6ff7d158be166d3fc220f3b90f225ae3757f2e8.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

4668 WINWORD.EXE
4668 WINWORD.EXE

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

WINWORD.EXE

pid	process
4668	WINWORD.EXE
4668	WINWORD.EXE
4668	WINWORD.EXE
4668	WINWORD.EXE
4668	WINWORD.EXE
4668	WINWORD.EXE
4668	WINWORD.EXE
4668	WINWORD.EXE
4668	WINWORD.EXE
4668	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

41bcdc3fc4c878fb34ebebeff6ff7d158be166d3fc220f3b90f225ae3757f2e8.exe

description	pid	process	target process
PID 4568 wrote to memory of 4668	4568	41bcdc3fc4c878fb34ebebeff6ff7d158be166d3fc220f3b90f225ae3757f2e8.exe	WINWORD.EXE
PID 4568 wrote to memory of 4668	4568	41bcdc3fc4c878fb34ebebeff6ff7d158be166d3fc220f3b90f225ae3757f2e8.exe	WINWORD.EXE

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\41bcdc3fc4c878fb34ebebeff6ff7d158be166d3fc220f3b90f225ae3757f2e8.exe
"C:\Users\Admin\AppData\Local\Temp\41bcdc3fc4c878fb34ebebeff6ff7d158be166d3fc220f3b90f225ae3757f2e8.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4568

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\41bcdc3fc4c878fb34ebebeff6ff7d158be166d3fc220f3b90f225ae3757f2e8.docx" /o ""
2⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4668

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

4

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\41bcdc3fc4c878fb34ebebeff6ff7d158be166d3fc220f3b90f225ae3757f2e8.docx
Filesize
113KB

MD5
66d160ab553ff1a90af31b851dc0a108

SHA1
c39e723e18914280f5420573e58264e640e895ab

SHA256
d868970f1f89fcd01c0ef7fcdeac90696e3248796cec927b39e0ea5f1db7001d

SHA512
cdccca152014e1c0628e4af16979e9927940fecef940a1dcb370130c0906cb0826926e3084e450674475774bb546776026bd870f66f689530e724a88c98f5aca

Download Submit
memory/4568-50-0x000001532D070000-0x000001532D0BE000-memory.dmp

Filesize
312KB

Download
memory/4568-49-0x000001532D1E0000-0x000001532D2E0000-memory.dmp

Filesize
1024KB

Download
memory/4568-42-0x000001532D070000-0x000001532D0BE000-memory.dmp

Filesize
312KB

Download
memory/4568-41-0x000001532D1E0000-0x000001532D2E0000-memory.dmp

Filesize
1024KB

Download
memory/4568-40-0x00007FF7B20D0000-0x00007FF7B2166000-memory.dmp

Filesize
600KB

Download
memory/4568-30-0x00007FF7B20D0000-0x00007FF7B2166000-memory.dmp

Filesize
600KB

Download
memory/4668-16-0x00007FFCABFB0000-0x00007FFCABFC0000-memory.dmp

Filesize
64KB

Download
memory/4668-14-0x00007FFCABFB0000-0x00007FFCABFC0000-memory.dmp

Filesize
64KB

Download
memory/4668-17-0x00007FFCEBF30000-0x00007FFCEC125000-memory.dmp

Filesize
2.0MB

Download
memory/4668-12-0x00007FFCABFB0000-0x00007FFCABFC0000-memory.dmp

Filesize
64KB

Download
memory/4668-18-0x00007FFCEBF30000-0x00007FFCEC125000-memory.dmp

Filesize
2.0MB

Download
memory/4668-19-0x00007FFCA9E50000-0x00007FFCA9E60000-memory.dmp

Filesize
64KB

Download
memory/4668-20-0x00007FFCA9E50000-0x00007FFCA9E60000-memory.dmp

Filesize
64KB

Download
memory/4668-15-0x00007FFCEBF30000-0x00007FFCEC125000-memory.dmp

Filesize
2.0MB

Download
memory/4668-35-0x00007FFCEBF30000-0x00007FFCEC125000-memory.dmp

Filesize
2.0MB

Download
memory/4668-36-0x00007FFCEBF30000-0x00007FFCEC125000-memory.dmp

Filesize
2.0MB

Download
memory/4668-13-0x00007FFCEBF30000-0x00007FFCEC125000-memory.dmp

Filesize
2.0MB

Download
memory/4668-9-0x00007FFCEBF30000-0x00007FFCEC125000-memory.dmp

Filesize
2.0MB

Download
memory/4668-10-0x00007FFCABFB0000-0x00007FFCABFC0000-memory.dmp

Filesize
64KB

Download
memory/4668-11-0x00007FFCEBF30000-0x00007FFCEC125000-memory.dmp

Filesize
2.0MB

Download
memory/4668-8-0x00007FFCABFB0000-0x00007FFCABFC0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads