cobaltstrike | 5fb73c68d5cafbb6899fa156aa1cbb57e54e00a88aeb3eb670ca97fd102e7232

Analysis

max time kernel
141s
max time network
131s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-09-2024 10:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Macro.vbs
Size

7KB
MD5

69afce0d871fbb27c821c9c1a4767f2a
SHA1

cdc01081e7166553a794249a0a1ddbbc954556b8
SHA256

5fb73c68d5cafbb6899fa156aa1cbb57e54e00a88aeb3eb670ca97fd102e7232
SHA512

d2168ba0d089f06ce27631858f364bd9e4c5844e040bd9b04f17c787b5518fca8727410a2e1dbdd843961c3ed3a723685b97a36fe7c837ed1e0dd0cb7aeedf40
SSDEEP

96:30WZ95e7mwwM8ZzBNy23QD4FjsSfK/ehKdhKLTTBor3Hsj260auGOg:VZ90m1MqQEFjxf0cyKLx8gN9uG1

Score

10^/10

cobaltstrike metasploit backdoor discovery trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Extracted

Family

metasploit

Version

windows/reverse_http

http://89.197.154.116:7810/jS5PuYLAgMaqgKuBzGjWdQTVEi-GQrM2B4_HTHXdAE2aRnCnqvVP05HBAODR9DRAs6omOzZ6R5twhmlyIB9o80OX2vreTG_JlWV9tvNFAnlCt3DkvjTIgBW9f1LobBmBTiPk_POSLxJ-BNuxWldFmWo_C8JPpkugBdjv3iK3

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Executes dropped EXE 1 IoCs

pid	Process
2428	bEENamwAKglG.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bEENamwAKglG.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 2428	2168	WScript.exe	30
PID 2168 wrote to memory of 2428	2168	WScript.exe	30
PID 2168 wrote to memory of 2428	2168	WScript.exe	30
PID 2168 wrote to memory of 2428	2168	WScript.exe	30

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Macro.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Users\Admin\AppData\Local\Temp\radAAA1B.tmp\bEENamwAKglG.exe
  "C:\Users\Admin\AppData\Local\Temp\radAAA1B.tmp\bEENamwAKglG.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CabB849.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarBC33.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\radAAA1B.tmp\bEENamwAKglG.exe

Filesize
4KB

MD5
1a03772b6d1e5a3d0cedc1ca8deba1e1

SHA1
413bfb736e1bfa09ad9ef10816a5c7d49e25f2d8

SHA256
8e14e8b9f57e29ee9b73f11ed05ecc3bb1968bfbb20923bd55fb31e1352c38f5

SHA512
8b7cf32af353019fe11135040f2ec00bb7ffe500fc94c31f85f9fc2a5ba9dad990f587616dddedfed9b1435de997f9142e8442b0d4851c6f84cca28a98880231

Download Submit
memory/2428-7-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/2428-24-0x0000000004160000-0x0000000004560000-memory.dmp

Filesize
4.0MB

Download
memory/2428-25-0x0000000003400000-0x0000000003448000-memory.dmp

Filesize
288KB

Download
memory/2428-44-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/2428-46-0x0000000004160000-0x0000000004560000-memory.dmp

Filesize
4.0MB

Download
memory/2428-47-0x0000000003400000-0x0000000003448000-memory.dmp

Filesize
288KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads