cobaltstrike | 1164e9076b83f9852a50a50b9cabc12f71b0706e60d4b233573a006e73ca48a3

General

Target

1164e9076b83f9852a50a50b9cabc12f71b0706e60d4b233573a006e73ca48a3.exe
Size

2.6MB
MD5

0844e4f2ed1b8c9f6af2b6e5605ef48e
SHA1

42c91c3d19643c821635bdf36541ee9480bc5c89
SHA256

1164e9076b83f9852a50a50b9cabc12f71b0706e60d4b233573a006e73ca48a3
SHA512

84386b3e496005fb36deda9a6ed2a865c1b8ed0785b6bd8625ddc4fb6cbdcfe491dd17f3fdb1aa27545d978ff333277ae16789bf873c0e2ca49bbb9677130d4e
SSDEEP

49152:VuWH3n+Yn+Hx3k8kDOEqjKbgTz8VzN7Ner+PFBTUAgQc7rX13FePa1+63ux+aV:VuWDQkBDOxK88VzxNe+dBTLgxa8uxJV

Score

10^/10

cobaltstrike 100000000 backdoor discovery trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

100000000

C2

http://www.microssoftt.site:8443/jquery-3.3.1.min.js

Attributes

access_type
512
beacon_type
2048
host
www.microssoftt.site,/jquery-3.3.1.min.js
http_header1
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAgUmVmZXJlcjogaHR0cDovL2NvZGUuanF1ZXJ5LmNvbS8AAAAKAAAAHkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZQAAAAcAAAAAAAAADQAAAAIAAAAJX19jZmR1aWQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAgUmVmZXJlcjogaHR0cDovL2NvZGUuanF1ZXJ5LmNvbS8AAAAKAAAAHkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZQAAAAcAAAAAAAAADwAAAA0AAAAFAAAACF9fY2ZkdWlkAAAABwAAAAEAAAAPAAAADQAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
9472
polling_time
45000
port_number
8443
sc_process32
%windir%\syswow64\dllhost.exe
sc_process64
%windir%\sysnative\dllhost.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDh6qZq3bXvZiWwrESQIcmXY6PK4DEykVspGMRn9I0rftzL2p/I1Pciae+B+BOjA3FcZ7jAuvS936MYF+Bc2r+y04WNz/mNl47RStHXS0RjOkiQpfe7yeQydtcNtK8S99sf64KCsLo3go4nSRk7QEG3g6W0fgnrdKHdpAnKQ2UT3QIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4.234810624e+09
unknown2
AAAABAAAAAEAAAXyAAAAAgAAAFQAAAACAAAPWwAAAA0AAAAPAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/jquery-3.3.2.min.js
user_agent
Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
watermark
100000000

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	1164e9076b83f9852a50a50b9cabc12f71b0706e60d4b233573a006e73ca48a3.exe

Executes dropped EXE 2 IoCs

pid	Process
2988	flashcenter_install_cn.exe
2392	beacon.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1164e9076b83f9852a50a50b9cabc12f71b0706e60d4b233573a006e73ca48a3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	flashcenter_install_cn.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2988	flashcenter_install_cn.exe
2988	flashcenter_install_cn.exe
2988	flashcenter_install_cn.exe
2988	flashcenter_install_cn.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 556 wrote to memory of 2988	556	1164e9076b83f9852a50a50b9cabc12f71b0706e60d4b233573a006e73ca48a3.exe	86
PID 556 wrote to memory of 2988	556	1164e9076b83f9852a50a50b9cabc12f71b0706e60d4b233573a006e73ca48a3.exe	86
PID 556 wrote to memory of 2988	556	1164e9076b83f9852a50a50b9cabc12f71b0706e60d4b233573a006e73ca48a3.exe	86
PID 556 wrote to memory of 2392	556	1164e9076b83f9852a50a50b9cabc12f71b0706e60d4b233573a006e73ca48a3.exe	88
PID 556 wrote to memory of 2392	556	1164e9076b83f9852a50a50b9cabc12f71b0706e60d4b233573a006e73ca48a3.exe	88

C:\Users\Admin\AppData\Local\Temp\1164e9076b83f9852a50a50b9cabc12f71b0706e60d4b233573a006e73ca48a3.exe
"C:\Users\Admin\AppData\Local\Temp\1164e9076b83f9852a50a50b9cabc12f71b0706e60d4b233573a006e73ca48a3.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:556
- C:\Windows\Temp\flashcenter_install_cn.exe
  "C:\Windows\Temp\flashcenter_install_cn.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2988
- C:\Windows\Temp\beacon.exe
  "C:\Windows\Temp\beacon.exe"
  2⤵
  - Executes dropped EXE
  PID:2392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\beacon.exe

Filesize
281KB

MD5
02a798324261c47e53f9b49c9555c229

SHA1
ad43c235c671a2d73ab8638cdb2a1a713856a321

SHA256
658a43ce3a9c8270666d507339d26830ea0cf10cc11e3047980221c15faed876

SHA512
e4503429dbfe60e20c6406602dcea933451b6aa21aba1700d0c87a2eb1926d0a0699d48b76b363a1e3631dca5a790adcee0b42a46d0b23bcb79bbdfcf63eb041

Download Submit
C:\Windows\Temp\flashcenter_install_cn.exe

Filesize
2.2MB

MD5
e9028a609403af57d19703ba8c153d90

SHA1
5012068e2e24f8ca6691713afa255a2cfd38300d

SHA256
97ad6eb9937db6022066fb4dae0d3b39c41457aca4d0f8a57859bd4453e3d7d1

SHA512
89ed4863a25a49fa4f796b5d7721fb4798d010c03c47670c82320d09a8a1ac5d446b379a978df936325467bf9f8b0e4804ddaff9e6b21320513b448ece5bec8a

Download Submit
memory/2392-247-0x0000000000920000-0x0000000000961000-memory.dmp

Filesize
260KB

Download
memory/2392-248-0x0000000000E60000-0x00000000012D2000-memory.dmp

Filesize
4.4MB

Download
memory/2392-251-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2988-18-0x00000000012C0000-0x00000000012C3000-memory.dmp

Filesize
12KB

Download
memory/2988-17-0x0000000000BE0000-0x0000000001243000-memory.dmp

Filesize
6.4MB

Download
memory/2988-250-0x00000000012C0000-0x00000000012C3000-memory.dmp

Filesize
12KB

Download
memory/2988-249-0x0000000000BE0000-0x0000000001243000-memory.dmp

Filesize
6.4MB

Download

Analysis

Sharing