cobaltstrike | 55d484eed1b9baf86dbf794d2f01725d17f39f792f181d183e8db8254d92b4ee

General

Target

55d484eed1b9baf86dbf794d2f01725d17f39f792f181d183e8db8254d92b4ee.exe
Size

628KB
MD5

2e01e07dd7d228810126e8e449ffd97b
SHA1

144639db8ba3e7ce5ba03fa9c9cee61758e34de9
SHA256

55d484eed1b9baf86dbf794d2f01725d17f39f792f181d183e8db8254d92b4ee
SHA512

9cebf8f26da3cdb15dd01b275b030151f11c48a19a6c16274a50fb5d5099f6db3c77b9d9d4f7ab899ba9630a99ccdfa5702490c113978250584a00ec9fc92ad2
SSDEEP

12288:JAsWP4S+JJ91FEUPiNavGL+mRjTfFkbfp6OZr9JbFSBZ:yHYJJ97F6NSGLlRu4I4BZ

Score

10^/10

cobaltstrike 0 backdoor discovery trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

0

C2

http://178.132.4.150:80/owa/

Attributes

access_type
512
host
178.132.4.150,/owa/
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAACGQ29va2llOiBNaWNyb3NvZnRBcHBsaWNhdGlvbnNUZWxlbWV0cnlEZXZpY2VJZD05NWMxOGQ4LTRkY2U5ODU0O0NsaWVudElkPTFDMEY2QzVEOTEwRjk7TVNQQXV0aD0zRWtBakRLakk7eGlkPTczMGJmNzt3bGE0Mj1aRzB5TXpBMktqRXMAAAAHAAAAAAAAAA0AAAAFAAAAAndhAAAACQAAAA5wYXRoPS9jYWxlbmRhcgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAcAAAABAAAADQAAAAUAAAACd2EAAAAHAAAAAAAAAA0AAAACAAAABndsYTQyPQAAAAIAAAALeGlkPTczMGJmNzsAAAACAAAAEk1TUEF1dGg9M0VrQWpES2pJOwAAAAIAAAAXQ2xpZW50SWQ9MUMwRjZDNUQ5MTBGOTsAAAACAAAAOE1pY3Jvc29mdEFwcGxpY2F0aW9uc1RlbGVtZXRyeURldmljZUlkPTk1YzE4ZDgtNGRjZTk4NTQ7AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
GET
jitter
5120
polling_time
30000
port_number
80
sc_process32
%windir%\syswow64\gpupdate.exe
sc_process64
%windir%\sysnative\gpupdate.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCnOM3nXx+7HBhkbDd+AwFrFisSunK999w2tM0uTpuuEiBalcJhcL+QgQWtf6S7zPp5hjImG+2YcPl18geU4f5JlSPXHwilbK4DFb/ePWyKFjhrA7emVRqhM21QMlo1ANsn14rY/RO2pzuft8P7TXoIjjI/B2GGVuzYNZX6X4I2EwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
1.448416512e+09
unknown2
AAAABAAAAA0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown3
1.610612736e+09
uri
/OWA/
user_agent
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)
watermark
0

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike

Suspicious use of SetThreadContext 1 IoCs

Processes:

55d484eed1b9baf86dbf794d2f01725d17f39f792f181d183e8db8254d92b4ee.exe

description	pid	process	target process
PID 2924 set thread context of 2840	2924	55d484eed1b9baf86dbf794d2f01725d17f39f792f181d183e8db8254d92b4ee.exe	RegSvcs.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

55d484eed1b9baf86dbf794d2f01725d17f39f792f181d183e8db8254d92b4ee.exeRegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	55d484eed1b9baf86dbf794d2f01725d17f39f792f181d183e8db8254d92b4ee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

55d484eed1b9baf86dbf794d2f01725d17f39f792f181d183e8db8254d92b4ee.exe

description	pid	process	target process
PID 2924 wrote to memory of 2840	2924	55d484eed1b9baf86dbf794d2f01725d17f39f792f181d183e8db8254d92b4ee.exe	RegSvcs.exe
PID 2924 wrote to memory of 2840	2924	55d484eed1b9baf86dbf794d2f01725d17f39f792f181d183e8db8254d92b4ee.exe	RegSvcs.exe
PID 2924 wrote to memory of 2840	2924	55d484eed1b9baf86dbf794d2f01725d17f39f792f181d183e8db8254d92b4ee.exe	RegSvcs.exe
PID 2924 wrote to memory of 2840	2924	55d484eed1b9baf86dbf794d2f01725d17f39f792f181d183e8db8254d92b4ee.exe	RegSvcs.exe
PID 2924 wrote to memory of 2840	2924	55d484eed1b9baf86dbf794d2f01725d17f39f792f181d183e8db8254d92b4ee.exe	RegSvcs.exe
PID 2924 wrote to memory of 2840	2924	55d484eed1b9baf86dbf794d2f01725d17f39f792f181d183e8db8254d92b4ee.exe	RegSvcs.exe
PID 2924 wrote to memory of 2840	2924	55d484eed1b9baf86dbf794d2f01725d17f39f792f181d183e8db8254d92b4ee.exe	RegSvcs.exe
PID 2924 wrote to memory of 2840	2924	55d484eed1b9baf86dbf794d2f01725d17f39f792f181d183e8db8254d92b4ee.exe	RegSvcs.exe
PID 2924 wrote to memory of 2840	2924	55d484eed1b9baf86dbf794d2f01725d17f39f792f181d183e8db8254d92b4ee.exe	RegSvcs.exe
PID 2924 wrote to memory of 2840	2924	55d484eed1b9baf86dbf794d2f01725d17f39f792f181d183e8db8254d92b4ee.exe	RegSvcs.exe
PID 2924 wrote to memory of 2840	2924	55d484eed1b9baf86dbf794d2f01725d17f39f792f181d183e8db8254d92b4ee.exe	RegSvcs.exe
PID 2924 wrote to memory of 2840	2924	55d484eed1b9baf86dbf794d2f01725d17f39f792f181d183e8db8254d92b4ee.exe	RegSvcs.exe
PID 2924 wrote to memory of 2840	2924	55d484eed1b9baf86dbf794d2f01725d17f39f792f181d183e8db8254d92b4ee.exe	RegSvcs.exe
PID 2924 wrote to memory of 2840	2924	55d484eed1b9baf86dbf794d2f01725d17f39f792f181d183e8db8254d92b4ee.exe	RegSvcs.exe
PID 2924 wrote to memory of 2840	2924	55d484eed1b9baf86dbf794d2f01725d17f39f792f181d183e8db8254d92b4ee.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\55d484eed1b9baf86dbf794d2f01725d17f39f792f181d183e8db8254d92b4ee.exe
"C:\Users\Admin\AppData\Local\Temp\55d484eed1b9baf86dbf794d2f01725d17f39f792f181d183e8db8254d92b4ee.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2840-6-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2840-10-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2840-27-0x0000000000320000-0x000000000035E000-memory.dmp

Filesize
248KB

Download
memory/2840-25-0x0000000000240000-0x0000000000274000-memory.dmp

Filesize
208KB

Download
memory/2840-13-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2840-9-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2840-28-0x0000000000320000-0x000000000035E000-memory.dmp

Filesize
248KB

Download
memory/2840-18-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2840-16-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2840-22-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2840-20-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2840-15-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2840-14-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2840-12-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2924-5-0x0000000005010000-0x00000000050A4000-memory.dmp

Filesize
592KB

Download
memory/2924-23-0x0000000074B00000-0x00000000751EE000-memory.dmp

Filesize
6.9MB

Download
memory/2924-0-0x0000000074B0E000-0x0000000074B0F000-memory.dmp

Filesize
4KB

Download
memory/2924-4-0x0000000074B00000-0x00000000751EE000-memory.dmp

Filesize
6.9MB

Download
memory/2924-3-0x0000000074B00000-0x00000000751EE000-memory.dmp

Filesize
6.9MB

Download
memory/2924-2-0x00000000009C0000-0x00000000009CA000-memory.dmp

Filesize
40KB

Download
memory/2924-1-0x0000000000230000-0x00000000002D2000-memory.dmp

Filesize
648KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads