cobaltstrike | 87e6efd951d8828980ce97054108b3c78e765a333ae0422e6735b2e586ca8304

General

Target

87e6efd951d8828980ce97054108b3c78e765a333ae0422e6735b2e586ca8304.exe
Size

1.7MB
MD5

e4f7f869fb843fb9bacab49a68c531ae
SHA1

75e9f6901eb40d25944be820602e903262f25c2b
SHA256

87e6efd951d8828980ce97054108b3c78e765a333ae0422e6735b2e586ca8304
SHA512

a5c8688766a2a6ac32be8f8d44b890b834cd0f869d648f913f6ce2ad40fe984e9914169adee7d154e5963d33e3200273e007648e0f359be14c8e50c5c9faf3f4
SSDEEP

24576:LrMkmmLHo7qXzHd6xGWjrtJf/zKuoZz6h/q7dS2hHem:Lm4HoGAxBf7DLzhS7

Score

10^/10

cobaltstrike backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

C2

http://47.97.41.107:443/static/js/libs/masonry.pkgd.min.js

Attributes

user_agent
Accept: */* Accept-Language: en-US,en;q=0.9 Referer: https://www.python.org/ Accept-Encoding: gzip, deflate, br User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.140 Safari/537.36

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

cmd.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation cmd.exe
Executes dropped EXE 1 IoCs

Processes:

mspdf.exe

pid process

5108 mspdf.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	cmd.exe

pid	process
5108	mspdf.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings cmd.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

724 WINWORD.EXE
724 WINWORD.EXE
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

WINWORD.EXE

pid process

724 WINWORD.EXE
724 WINWORD.EXE
724 WINWORD.EXE
724 WINWORD.EXE
724 WINWORD.EXE
724 WINWORD.EXE
724 WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	cmd.exe

pid	process
724	WINWORD.EXE
724	WINWORD.EXE

pid	process
724	WINWORD.EXE
724	WINWORD.EXE
724	WINWORD.EXE
724	WINWORD.EXE
724	WINWORD.EXE
724	WINWORD.EXE
724	WINWORD.EXE

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

87e6efd951d8828980ce97054108b3c78e765a333ae0422e6735b2e586ca8304.execmd.exe

description	pid	process	target process
PID 2116 wrote to memory of 1032	2116	87e6efd951d8828980ce97054108b3c78e765a333ae0422e6735b2e586ca8304.exe	cmd.exe
PID 2116 wrote to memory of 1032	2116	87e6efd951d8828980ce97054108b3c78e765a333ae0422e6735b2e586ca8304.exe	cmd.exe
PID 1032 wrote to memory of 724	1032	cmd.exe	WINWORD.EXE
PID 1032 wrote to memory of 724	1032	cmd.exe	WINWORD.EXE
PID 2116 wrote to memory of 5108	2116	87e6efd951d8828980ce97054108b3c78e765a333ae0422e6735b2e586ca8304.exe	mspdf.exe
PID 2116 wrote to memory of 5108	2116	87e6efd951d8828980ce97054108b3c78e765a333ae0422e6735b2e586ca8304.exe	mspdf.exe

C:\Users\Admin\AppData\Local\Temp\87e6efd951d8828980ce97054108b3c78e765a333ae0422e6735b2e586ca8304.exe
"C:\Users\Admin\AppData\Local\Temp\87e6efd951d8828980ce97054108b3c78e765a333ae0422e6735b2e586ca8304.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2116

C:\Windows\system32\cmd.exe
cmd /c start C:\Users\Admin\AppData\Local\Temp\docxfile273120836\投稿.docx
2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1032

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\docxfile273120836\投稿.docx" /o ""
3⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:724

C:\Users\Admin\AppData\Local\Temp\docxfile273120836\mspdf.exe
C:\Users\Admin\AppData\Local\Temp\docxfile273120836\mspdf.exe
2⤵
- Executes dropped EXE
PID:5108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:8
1⤵
PID:1720

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\docxfile273120836\mspdf.exe
Filesize
115KB

MD5
22527af9403af6d2cae89d7f066057bb

SHA1
45db7cbc3a31dda3aa5dc4f9e3b2f57d27c64459

SHA256
15149b0fa15fe27b6cafc0088080b67ad2125eeafb29d0fe0dc9f819d694c1c3

SHA512
71a080cc9821482d09898776d1f515763434306dbe67a04d1db5e4209e49af1778a16be123fbf2986dc1a22ce2de897dd71903f287b55cd73891dd6c637596f6

Download Submit
memory/724-30-0x00007FFCACDB0000-0x00007FFCACFA5000-memory.dmp

Filesize
2.0MB

Download
memory/724-66-0x00007FFCACDB0000-0x00007FFCACFA5000-memory.dmp

Filesize
2.0MB

Download
memory/724-18-0x00007FFC6A870000-0x00007FFC6A880000-memory.dmp

Filesize
64KB

Download
memory/724-7-0x00007FFC6CE30000-0x00007FFC6CE40000-memory.dmp

Filesize
64KB

Download
memory/724-9-0x00007FFC6CE30000-0x00007FFC6CE40000-memory.dmp

Filesize
64KB

Download
memory/724-8-0x00007FFCACDB0000-0x00007FFCACFA5000-memory.dmp

Filesize
2.0MB

Download
memory/724-10-0x00007FFCACDB0000-0x00007FFCACFA5000-memory.dmp

Filesize
2.0MB

Download
memory/724-15-0x00007FFCACDB0000-0x00007FFCACFA5000-memory.dmp

Filesize
2.0MB

Download
memory/724-14-0x00007FFC6CE30000-0x00007FFC6CE40000-memory.dmp

Filesize
64KB

Download
memory/724-16-0x00007FFCACDB0000-0x00007FFCACFA5000-memory.dmp

Filesize
2.0MB

Download
memory/724-13-0x00007FFCACDB0000-0x00007FFCACFA5000-memory.dmp

Filesize
2.0MB

Download
memory/724-12-0x00007FFCACDB0000-0x00007FFCACFA5000-memory.dmp

Filesize
2.0MB

Download
memory/724-11-0x00007FFC6CE30000-0x00007FFC6CE40000-memory.dmp

Filesize
64KB

Download
memory/724-17-0x00007FFC6A870000-0x00007FFC6A880000-memory.dmp

Filesize
64KB

Download
memory/724-6-0x00007FFCACDB0000-0x00007FFCACFA5000-memory.dmp

Filesize
2.0MB

Download
memory/724-31-0x00007FFCACDB0000-0x00007FFCACFA5000-memory.dmp

Filesize
2.0MB

Download
memory/724-5-0x00007FFC6CE30000-0x00007FFC6CE40000-memory.dmp

Filesize
64KB

Download
memory/724-32-0x00007FFCACDB0000-0x00007FFCACFA5000-memory.dmp

Filesize
2.0MB

Download
memory/724-33-0x00007FFCACDB0000-0x00007FFCACFA5000-memory.dmp

Filesize
2.0MB

Download
memory/724-34-0x00007FFCACDB0000-0x00007FFCACFA5000-memory.dmp

Filesize
2.0MB

Download
memory/724-35-0x00007FFCACDB0000-0x00007FFCACFA5000-memory.dmp

Filesize
2.0MB

Download
memory/724-38-0x00007FFCACDB0000-0x00007FFCACFA5000-memory.dmp

Filesize
2.0MB

Download
memory/724-58-0x00007FFC6CE30000-0x00007FFC6CE40000-memory.dmp

Filesize
64KB

Download
memory/724-59-0x00007FFC6CE30000-0x00007FFC6CE40000-memory.dmp

Filesize
64KB

Download
memory/724-61-0x00007FFCACDB0000-0x00007FFCACFA5000-memory.dmp

Filesize
2.0MB

Download
memory/724-60-0x00007FFC6CE30000-0x00007FFC6CE40000-memory.dmp

Filesize
64KB

Download
memory/724-63-0x00007FFCACDB0000-0x00007FFCACFA5000-memory.dmp

Filesize
2.0MB

Download
memory/724-64-0x00007FFCACDB0000-0x00007FFCACFA5000-memory.dmp

Filesize
2.0MB

Download
memory/724-62-0x00007FFC6CE30000-0x00007FFC6CE40000-memory.dmp

Filesize
64KB

Download
memory/724-65-0x00007FFCACDB0000-0x00007FFCACFA5000-memory.dmp

Filesize
2.0MB

Download
memory/5108-4-0x0000015F22CF0000-0x0000015F22CF1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads