cobaltstrike | 877e48025897375b2c526a2c27e7bc529c67625106f7124507f9a1dff86b622e

General

Target

2025-02-13_9dc0bed1bd5aa4be93ea1e1b5c6b939d_cobalt-strike_ryuk.exe
Size

627KB
MD5

9dc0bed1bd5aa4be93ea1e1b5c6b939d
SHA1

597ba3a5049c521004a653e6fee8392f75dd3a27
SHA256

877e48025897375b2c526a2c27e7bc529c67625106f7124507f9a1dff86b622e
SHA512

a9ae820ad11a55a330a1e51429e2e0f4a517d47945f34e2e294d29adc15d11cfb8d0f53bcddda39afe9bd58e4e7b5edba124f2348e2571a7bd28a6165b90e59c
SSDEEP

12288:FbTIYhan3HgKiMuvfRuo/dXZEIGo02sHJyEysN4KxlN4:FbTIYhanIMuvowXZaTpVysyKXN4

Score

10^/10

cobaltstrike 0 1 backdoor discovery trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

0

Attributes

watermark
0

Extracted

Family

cobaltstrike

Botnet

1

C2

http://38.54.88.100:443/ptj

Attributes

access_type
512
beacon_type
2048
host
38.54.88.100,/ptj
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
polling_time
60000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCGojX1gXykofhY6wzw30/n182LSqDWLt20xumnvVNRhUCWMwr7YJG/jKtUt6L0AIawa93GZ4rH1j9Pz3Jb0KmNrnru8JU2s+DhT4fR/kpibOPiqX608219fxjaYi22f5jUg9gZjHQHHl1YzvGJ3+zBOdcOF9itgmFGLNKkc9JCgwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/submit.php
user_agent
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
watermark
1

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike

Downloads MZ/PE file 1 IoCs

flow	pid	Process
31	3172	Process not Found

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
916	MicrosoftEdgeUpdate.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 868 wrote to memory of 4272	868	2025-02-13_9dc0bed1bd5aa4be93ea1e1b5c6b939d_cobalt-strike_ryuk.exe	88
PID 868 wrote to memory of 4272	868	2025-02-13_9dc0bed1bd5aa4be93ea1e1b5c6b939d_cobalt-strike_ryuk.exe	88
PID 868 wrote to memory of 3776	868	2025-02-13_9dc0bed1bd5aa4be93ea1e1b5c6b939d_cobalt-strike_ryuk.exe	90
PID 868 wrote to memory of 3776	868	2025-02-13_9dc0bed1bd5aa4be93ea1e1b5c6b939d_cobalt-strike_ryuk.exe	90
PID 3776 wrote to memory of 1876	3776	cmd.exe	92
PID 3776 wrote to memory of 1876	3776	cmd.exe	92

C:\Users\Admin\AppData\Local\Temp\2025-02-13_9dc0bed1bd5aa4be93ea1e1b5c6b939d_cobalt-strike_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2025-02-13_9dc0bed1bd5aa4be93ea1e1b5c6b939d_cobalt-strike_ryuk.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:868
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c title è´ªåƒè›‡.ç”Ÿæ»å±€
  2⤵
  PID:4272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c mode con cols=80 lines=35
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3776
- - C:\Windows\system32\mode.com
    mode con cols=80 lines=35
    3⤵
    PID:1876

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QTU0MTFFOTgtNUZCNC00QzBFLThEODktQzJCODM2NjU2N0Y0fSIgdXNlcmlkPSJ7RTE0QTMwMzgtNEI1OC00MUZBLUEwMzUtQzRCMTQ1QzhDNjU4fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7OUEzMDM4OTktRUI2My00OUJCLUI1NjEtMTU1MjIwMkQ5QjI3fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODMzNzEiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1NDE5Mjc1MzAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0NzQ1OTA4ODkwIi8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/868-1-0x000001EB9B0D0000-0x000001EB9B11E000-memory.dmp

Filesize
312KB

Download
memory/868-0-0x000001EB9B060000-0x000001EB9B0C5000-memory.dmp

Filesize
404KB

Download
memory/868-3-0x000001EB9B0D0000-0x000001EB9B11E000-memory.dmp

Filesize
312KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads