cobaltstrike | e54b46b93f4d846cb26c10187bee2bfccce6dfd8432a0a163a001ac281ea3274

General

Target

e54b46b93f4d846cb26c10187bee2bfccce6dfd8432a0a163a001ac281ea3274.exe
Size

1.4MB
MD5

5fa12e1523d8a684f524d1a41c06a7a7
SHA1

277d2b8405df0ac7700f0e835e10c1bd1fcf98ee
SHA256

e54b46b93f4d846cb26c10187bee2bfccce6dfd8432a0a163a001ac281ea3274
SHA512

0017313f16254a566d17e7b306df3f3b70cd23b868dc8501d02e3f084fe204f9ca20189a6e8470391f2b8baf5a89f26d2d97d0799664dbc93f425916c49d0033
SSDEEP

24576:Mcrm44B9NlSN7s+GK5aOQ5I2FfPqVFXp+5HvsMu7X9OrIAKQa8HjJrx91YMZHVSv:HrmnbNUN79naf5RfEp+5HvUhOy34JF9R

Score

10^/10

cobaltstrike 305419896 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

305419896

C2

http://49.235.206.130:443/FC001/JOHN

Attributes

access_type
512
host
49.235.206.130,/FC001/JOHN
http_header1
AAAAEAAAABhIb3N0OiBmdWNrdW1hbi5nb29nbGUuY24AAAAKAAAAFkNvbm5lY3Rpb246IEtlZWwtQWxpdmUAAAAHAAAAAAAAAAsAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAAEAAAABdIb3N0OiBmdWNrdW1hbi5nb29sZS5jbgAAAAoAAAAWQ29ubmVjdGlvbjogS2VlbC1BbGl2ZQAAAAcAAAAAAAAACwAAAAwAAAAHAAAAAQAAAAMAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_method1
GET
http_method2
POST
jitter
5120
maxdns
255
polling_time
1000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCnCZHWnYFqYB/6gJdkc4MPDTtBJ20nkEAd3tsY4tPKs8MV4yIjJb5CtlrbKHjzP1oD/1AQsj6EKlEMFIKtakLx5+VybrMYE+dDdkDteHmVX0AeFyw001FyQVlt1B+OSNPRscKI5sh1L/ZdwnrMy6S6nNbQ5N5hls6k2kgNO5nQ7QIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
1.481970944e+09
unknown2
AAAABAAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/FC002/JOHN-
user_agent
Microsoft Internet Explorer
watermark
305419896

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

e54b46b93f4d846cb26c10187bee2bfccce6dfd8432a0a163a001ac281ea3274.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	e54b46b93f4d846cb26c10187bee2bfccce6dfd8432a0a163a001ac281ea3274.exe

Executes dropped EXE 1 IoCs

Processes:

test.exe

pid process

4872 test.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4872	test.exe

Modifies registry class 1 IoCs

Processes:

e54b46b93f4d846cb26c10187bee2bfccce6dfd8432a0a163a001ac281ea3274.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings	e54b46b93f4d846cb26c10187bee2bfccce6dfd8432a0a163a001ac281ea3274.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

vlc.exe

pid process

2656 vlc.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

e54b46b93f4d846cb26c10187bee2bfccce6dfd8432a0a163a001ac281ea3274.exetest.exe

pid	process
4100	e54b46b93f4d846cb26c10187bee2bfccce6dfd8432a0a163a001ac281ea3274.exe
4100	e54b46b93f4d846cb26c10187bee2bfccce6dfd8432a0a163a001ac281ea3274.exe
4872	test.exe
4872	test.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

vlc.exe

pid process

2656 vlc.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

AUDIODG.EXEvlc.exe

description	pid	process
Token: 33	4436	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4436	AUDIODG.EXE
Token: 33	2656	vlc.exe
Token: SeIncBasePriorityPrivilege	2656	vlc.exe

Suspicious use of FindShellTrayWindow 14 IoCs

Processes:

vlc.exe

pid	process
2656	vlc.exe
2656	vlc.exe
2656	vlc.exe
2656	vlc.exe
2656	vlc.exe
2656	vlc.exe
2656	vlc.exe
2656	vlc.exe
2656	vlc.exe
2656	vlc.exe
2656	vlc.exe
2656	vlc.exe
2656	vlc.exe
2656	vlc.exe

Suspicious use of SendNotifyMessage 7 IoCs

Processes:

vlc.exe

pid process

2656 vlc.exe
2656 vlc.exe
2656 vlc.exe
2656 vlc.exe
2656 vlc.exe
2656 vlc.exe
2656 vlc.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

vlc.exe

pid process

2656 vlc.exe
2656 vlc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

e54b46b93f4d846cb26c10187bee2bfccce6dfd8432a0a163a001ac281ea3274.exe

description	pid	process	target process
PID 4100 wrote to memory of 4872	4100	e54b46b93f4d846cb26c10187bee2bfccce6dfd8432a0a163a001ac281ea3274.exe	test.exe
PID 4100 wrote to memory of 4872	4100	e54b46b93f4d846cb26c10187bee2bfccce6dfd8432a0a163a001ac281ea3274.exe	test.exe
PID 4100 wrote to memory of 2656	4100	e54b46b93f4d846cb26c10187bee2bfccce6dfd8432a0a163a001ac281ea3274.exe	vlc.exe
PID 4100 wrote to memory of 2656	4100	e54b46b93f4d846cb26c10187bee2bfccce6dfd8432a0a163a001ac281ea3274.exe	vlc.exe
PID 4100 wrote to memory of 3168	4100	e54b46b93f4d846cb26c10187bee2bfccce6dfd8432a0a163a001ac281ea3274.exe	cmd.exe
PID 4100 wrote to memory of 3168	4100	e54b46b93f4d846cb26c10187bee2bfccce6dfd8432a0a163a001ac281ea3274.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\e54b46b93f4d846cb26c10187bee2bfccce6dfd8432a0a163a001ac281ea3274.exe
"C:\Users\Admin\AppData\Local\Temp\e54b46b93f4d846cb26c10187bee2bfccce6dfd8432a0a163a001ac281ea3274.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4100
- C:\Users\Public\test.exe
  C:\Users\Public\test.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4872
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\QQ录屏大师.mp4"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2656
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\E54B46~1.EXE >> NUL
  2⤵
  PID:3168

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x308 0x310
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\QQ录屏大师.mp4

Filesize
574KB

MD5
5619e9d219b430589267819408632e16

SHA1
80ab684c75d98cf4980c7d382c42cf00cb7078f3

SHA256
4edd71004ebd84cc3962fe1d7d59fa42ad2d9c57773b1c2bc522dcbe3955aa55

SHA512
24d3138bef712b73e242051914646a041281803a2ef7aaf4cbde1bd87383ad082ce3363d515674fd04535a15daccdfb820945dc582e5a655d83fea0f560966d6

Download Submit
C:\Users\Public\test.exe

Filesize
523KB

MD5
fed22c27962b828439a4b1fc8aec0214

SHA1
6c5e14ee3e53dd3a1fe552b11a564d8e4d063572

SHA256
0dc53314837e1b23f578426d3ff5f4a659ab8c80cb71fd6983eeb29f9e1d528f

SHA512
4dc30b2980c394127bcc00d4fafe6d4faa5dd27404fbe2992beaed0f4ae058056137b7a170e0c86adcca5fc7c369193f39f0dcc305d30196ecdd52f05905570d

Download Submit
memory/2656-22-0x00007FF99D770000-0x00007FF99D781000-memory.dmp

Filesize
68KB

Download
memory/2656-27-0x00007FF99D260000-0x00007FF99D271000-memory.dmp

Filesize
68KB

Download
memory/2656-18-0x00007FF99D2C0000-0x00007FF99D2F4000-memory.dmp

Filesize
208KB

Download
memory/2656-17-0x00007FF65B220000-0x00007FF65B318000-memory.dmp

Filesize
992KB

Download
memory/2656-19-0x00007FF99C940000-0x00007FF99CBF6000-memory.dmp

Filesize
2.7MB

Download
memory/2656-25-0x00007FF99D280000-0x00007FF99D29D000-memory.dmp

Filesize
116KB

Download
memory/2656-24-0x00007FF99D2A0000-0x00007FF99D2B1000-memory.dmp

Filesize
68KB

Download
memory/2656-23-0x00007FF99D710000-0x00007FF99D727000-memory.dmp

Filesize
92KB

Download
memory/2656-28-0x00007FF99D050000-0x00007FF99D091000-memory.dmp

Filesize
260KB

Download
memory/2656-21-0x00007FF9A0C80000-0x00007FF9A0C97000-memory.dmp

Filesize
92KB

Download
memory/2656-20-0x00007FF9A3070000-0x00007FF9A3088000-memory.dmp

Filesize
96KB

Download
memory/2656-30-0x00007FF99D000000-0x00007FF99D018000-memory.dmp

Filesize
96KB

Download
memory/2656-26-0x00007FF98DEC0000-0x00007FF98E0CB000-memory.dmp

Filesize
2.0MB

Download
memory/2656-29-0x00007FF99D020000-0x00007FF99D041000-memory.dmp

Filesize
132KB

Download
memory/2656-34-0x00007FF99C730000-0x00007FF99C74B000-memory.dmp

Filesize
108KB

Download
memory/2656-33-0x00007FF99CF00000-0x00007FF99CF11000-memory.dmp

Filesize
68KB

Download
memory/2656-32-0x00007FF99CF20000-0x00007FF99CF31000-memory.dmp

Filesize
68KB

Download
memory/2656-31-0x00007FF99CF40000-0x00007FF99CF51000-memory.dmp

Filesize
68KB

Download
memory/4872-6-0x000001A0F05B0000-0x000001A0F05FC000-memory.dmp

Filesize
304KB

Download
memory/4872-5-0x000001A0F0570000-0x000001A0F05B0000-memory.dmp

Filesize
256KB

Download
memory/4872-53-0x000001A0F05B0000-0x000001A0F05FC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads