cobaltstrike | 58f40f4f8f24b7bc27fef06b056f8f6b653208118c2cf0326e94648132fa1430

General

Target

58f40f4f8f24b7bc27fef06b056f8f6b653208118c2cf0326e94648132fa1430.exe
Size

1.5MB
MD5

ea63c0e69c4a9c30d9af4afe2bdf5cfd
SHA1

97ee05ba4442d3a5372ffaa372b327d0f6f9e655
SHA256

58f40f4f8f24b7bc27fef06b056f8f6b653208118c2cf0326e94648132fa1430
SHA512

0ba32bef9b92b10079eb621e8ac32fd27987d45f00a0b1704ae29210f2906e4344d77801e5d120a9d02ce5e0e8742468dc0ab2c9d869d9027f5390299589cc0c
SSDEEP

24576:EVAtAQfLY08PFDyKfPVXL5u+gyQQ/hffpLAeMcUg9sB26wn6fbQhPZ:E4dkV54UAkZ

Score

10^/10

cobaltstrike backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

C2

http://69.235.177.76:17777/jquery-3.3.2.slim.min.js

Attributes

user_agent
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Referer: http://code.jquery.com/ Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

cmd.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation cmd.exe
Executes dropped EXE 1 IoCs

Processes:

artifact.exe

pid process

2400 artifact.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	cmd.exe

pid	process
2400	artifact.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings cmd.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

212 EXCEL.EXE
Suspicious behavior: RenamesItself 1 IoCs

Processes:

58f40f4f8f24b7bc27fef06b056f8f6b653208118c2cf0326e94648132fa1430.exe

pid process

1436 58f40f4f8f24b7bc27fef06b056f8f6b653208118c2cf0326e94648132fa1430.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EXCEL.EXE

pid process

212 EXCEL.EXE
212 EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	cmd.exe

pid	process
1436	58f40f4f8f24b7bc27fef06b056f8f6b653208118c2cf0326e94648132fa1430.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXE

pid	process
212	EXCEL.EXE
212	EXCEL.EXE
212	EXCEL.EXE
212	EXCEL.EXE
212	EXCEL.EXE
212	EXCEL.EXE
212	EXCEL.EXE
212	EXCEL.EXE
212	EXCEL.EXE
212	EXCEL.EXE
212	EXCEL.EXE
212	EXCEL.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

58f40f4f8f24b7bc27fef06b056f8f6b653208118c2cf0326e94648132fa1430.execmd.exe

description	pid	process	target process
PID 1436 wrote to memory of 5008	1436	58f40f4f8f24b7bc27fef06b056f8f6b653208118c2cf0326e94648132fa1430.exe	cmd.exe
PID 1436 wrote to memory of 5008	1436	58f40f4f8f24b7bc27fef06b056f8f6b653208118c2cf0326e94648132fa1430.exe	cmd.exe
PID 1436 wrote to memory of 5008	1436	58f40f4f8f24b7bc27fef06b056f8f6b653208118c2cf0326e94648132fa1430.exe	cmd.exe
PID 1436 wrote to memory of 2400	1436	58f40f4f8f24b7bc27fef06b056f8f6b653208118c2cf0326e94648132fa1430.exe	artifact.exe
PID 1436 wrote to memory of 2400	1436	58f40f4f8f24b7bc27fef06b056f8f6b653208118c2cf0326e94648132fa1430.exe	artifact.exe
PID 5008 wrote to memory of 212	5008	cmd.exe	EXCEL.EXE
PID 5008 wrote to memory of 212	5008	cmd.exe	EXCEL.EXE
PID 5008 wrote to memory of 212	5008	cmd.exe	EXCEL.EXE

C:\Users\Admin\AppData\Local\Temp\58f40f4f8f24b7bc27fef06b056f8f6b653208118c2cf0326e94648132fa1430.exe
"C:\Users\Admin\AppData\Local\Temp\58f40f4f8f24b7bc27fef06b056f8f6b653208118c2cf0326e94648132fa1430.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1436

C:\Windows\SysWOW64\cmd.exe
cmd " /c " C:\Users\Admin\AppData\Local\Temp\员工3月出勤统计.xlsx
2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5008

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\员工3月出勤统计.xlsx"
3⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:212

C:\Users\Public\artifact.exe
C:\Users\Public\artifact.exe
2⤵
- Executes dropped EXE
PID:2400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3840 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
1⤵
PID:4416

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\员工3月出勤统计.xlsx
Filesize
29KB

MD5
fbc1a1e6ccd56012b942256f5ed8af21

SHA1
4891fa654f8ee6daaa3ba19caffa45f2f6c2b48e

SHA256
a64ee5735b54b41d3f2475d7f900651feef6ccdd32319a1b728d28c668682a16

SHA512
f8a25f0e351e3d2a30523b1ce99d655499e2fda1c669fb499ff98e7f6cbee37c95fec99c3e7e5c57de12ce4fbc3f1813b4778acd672ea35b641c64c113452f51

Download Submit
C:\Users\Public\artifact.exe
Filesize
17KB

MD5
e92422cff5b187ecce930534a3f7a14d

SHA1
11e07c604e687b47f541acfa8cd1ce814f76c557

SHA256
fce27761efbc65259b601c1457bf08314e4cf07cca7a59f3216bf32206484032

SHA512
d12ed7d0278af2f909d04517eeef04aad68ca6e4c87a6e1d49cddfca783d0ac1e592f998bb49211c4ea49478d0b09ab16f3ab320ce114b8537f0895ebe07e780

Download Submit
memory/212-21-0x00007FFEF6070000-0x00007FFEF6265000-memory.dmp

Filesize
2.0MB

Download
memory/212-13-0x00007FFEB60F0000-0x00007FFEB6100000-memory.dmp

Filesize
64KB

Download
memory/212-9-0x00007FFEB60F0000-0x00007FFEB6100000-memory.dmp

Filesize
64KB

Download
memory/212-23-0x00007FFEF6070000-0x00007FFEF6265000-memory.dmp

Filesize
2.0MB

Download
memory/212-10-0x00007FFEF6070000-0x00007FFEF6265000-memory.dmp

Filesize
2.0MB

Download
memory/212-12-0x00007FFEF6070000-0x00007FFEF6265000-memory.dmp

Filesize
2.0MB

Download
memory/212-14-0x00007FFEF6070000-0x00007FFEF6265000-memory.dmp

Filesize
2.0MB

Download
memory/212-24-0x00007FFEF6070000-0x00007FFEF6265000-memory.dmp

Filesize
2.0MB

Download
memory/212-15-0x00007FFEF6070000-0x00007FFEF6265000-memory.dmp

Filesize
2.0MB

Download
memory/212-16-0x00007FFEF6070000-0x00007FFEF6265000-memory.dmp

Filesize
2.0MB

Download
memory/212-17-0x00007FFEB60F0000-0x00007FFEB6100000-memory.dmp

Filesize
64KB

Download
memory/212-18-0x00007FFEF6070000-0x00007FFEF6265000-memory.dmp

Filesize
2.0MB

Download
memory/212-20-0x00007FFEF6070000-0x00007FFEF6265000-memory.dmp

Filesize
2.0MB

Download
memory/212-25-0x00007FFEF6070000-0x00007FFEF6265000-memory.dmp

Filesize
2.0MB

Download
memory/212-75-0x00007FFEF6070000-0x00007FFEF6265000-memory.dmp

Filesize
2.0MB

Download
memory/212-22-0x00007FFEB3C20000-0x00007FFEB3C30000-memory.dmp

Filesize
64KB

Download
memory/212-11-0x00007FFEB60F0000-0x00007FFEB6100000-memory.dmp

Filesize
64KB

Download
memory/212-8-0x00007FFEB60F0000-0x00007FFEB6100000-memory.dmp

Filesize
64KB

Download
memory/212-19-0x00007FFEF6070000-0x00007FFEF6265000-memory.dmp

Filesize
2.0MB

Download
memory/212-26-0x00007FFEB3C20000-0x00007FFEB3C30000-memory.dmp

Filesize
64KB

Download
memory/212-74-0x00007FFEF6070000-0x00007FFEF6265000-memory.dmp

Filesize
2.0MB

Download
memory/212-40-0x00007FFEF6070000-0x00007FFEF6265000-memory.dmp

Filesize
2.0MB

Download
memory/212-41-0x00007FFEF6070000-0x00007FFEF6265000-memory.dmp

Filesize
2.0MB

Download
memory/212-66-0x00007FFEB60F0000-0x00007FFEB6100000-memory.dmp

Filesize
64KB

Download
memory/212-67-0x00007FFEB60F0000-0x00007FFEB6100000-memory.dmp

Filesize
64KB

Download
memory/212-68-0x00007FFEB60F0000-0x00007FFEB6100000-memory.dmp

Filesize
64KB

Download
memory/212-69-0x00007FFEB60F0000-0x00007FFEB6100000-memory.dmp

Filesize
64KB

Download
memory/212-70-0x00007FFEF6070000-0x00007FFEF6265000-memory.dmp

Filesize
2.0MB

Download
memory/212-71-0x00007FFEF6070000-0x00007FFEF6265000-memory.dmp

Filesize
2.0MB

Download
memory/212-72-0x00007FFEF6070000-0x00007FFEF6265000-memory.dmp

Filesize
2.0MB

Download
memory/212-73-0x00007FFEF6070000-0x00007FFEF6265000-memory.dmp

Filesize
2.0MB

Download
memory/2400-33-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2400-6-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads