cobaltstrike | 7eab136ce2cf0217512d9453216dd31fde0c58037a36761a4a98670b1fcd49ed

General

Target

7eab136ce2cf0217512d9453216dd31fde0c58037a36761a4a98670b1fcd49ed.exe
Size

5.2MB
MD5

adace8e9e168b1f9031303798d306a5a
SHA1

8c4254bed2a7dddfd6c0ed8dadf0805d9acc7176
SHA256

7eab136ce2cf0217512d9453216dd31fde0c58037a36761a4a98670b1fcd49ed
SHA512

fb78fd7266d79da00bde730ed0778eb120358a200b3230ee621b8ae37458ba3c77834f829179943ce71e3ad3b615e5bd8af302a63acba0ba8922903871e4f3a4

Score

10^/10

cobaltstrike backdoor trojan upx

Malware Config

Signatures

Cobalt Strike reflective loader 7 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
\Windows\system\PRejSeI.exe	cobalt_reflective_dll
C:\Windows\system\PRejSeI.exe	cobalt_reflective_dll
\Windows\system\LoZFykg.exe	cobalt_reflective_dll
\Windows\system\pspvtoX.exe	cobalt_reflective_dll
C:\Windows\system\LoZFykg.exe	cobalt_reflective_dll
C:\Windows\system\pspvtoX.exe	cobalt_reflective_dll
\Windows\system\aPVPylq.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Executes dropped EXE 3 IoCs

Processes:

PRejSeI.exeLoZFykg.exepspvtoX.exe

pid process

1232 PRejSeI.exe
1344 LoZFykg.exe
1952 pspvtoX.exe

pid	process
1232	PRejSeI.exe
1344	LoZFykg.exe
1952	pspvtoX.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Windows\system\PRejSeI.exe	upx
C:\Windows\system\PRejSeI.exe	upx
\Windows\system\LoZFykg.exe	upx
\Windows\system\pspvtoX.exe	upx
C:\Windows\system\LoZFykg.exe	upx
C:\Windows\system\pspvtoX.exe	upx
\Windows\system\aPVPylq.exe	upx

Loads dropped DLL 4 IoCs

Processes:

7eab136ce2cf0217512d9453216dd31fde0c58037a36761a4a98670b1fcd49ed.exe

pid	process
1032	7eab136ce2cf0217512d9453216dd31fde0c58037a36761a4a98670b1fcd49ed.exe
1032	7eab136ce2cf0217512d9453216dd31fde0c58037a36761a4a98670b1fcd49ed.exe
1032	7eab136ce2cf0217512d9453216dd31fde0c58037a36761a4a98670b1fcd49ed.exe
1032	7eab136ce2cf0217512d9453216dd31fde0c58037a36761a4a98670b1fcd49ed.exe

JavaScript code in executable 7 IoCs

Processes:

resource	yara_rule
\Windows\system\PRejSeI.exe	js
C:\Windows\system\PRejSeI.exe	js
\Windows\system\LoZFykg.exe	js
\Windows\system\pspvtoX.exe	js
C:\Windows\system\LoZFykg.exe	js
C:\Windows\system\pspvtoX.exe	js
\Windows\system\aPVPylq.exe	js

Drops file in Windows directory 4 IoCs

Processes:

7eab136ce2cf0217512d9453216dd31fde0c58037a36761a4a98670b1fcd49ed.exe

description	ioc	process
File created	C:\Windows\System\PRejSeI.exe	7eab136ce2cf0217512d9453216dd31fde0c58037a36761a4a98670b1fcd49ed.exe
File created	C:\Windows\System\LoZFykg.exe	7eab136ce2cf0217512d9453216dd31fde0c58037a36761a4a98670b1fcd49ed.exe
File created	C:\Windows\System\pspvtoX.exe	7eab136ce2cf0217512d9453216dd31fde0c58037a36761a4a98670b1fcd49ed.exe
File created	C:\Windows\System\aPVPylq.exe	7eab136ce2cf0217512d9453216dd31fde0c58037a36761a4a98670b1fcd49ed.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

7eab136ce2cf0217512d9453216dd31fde0c58037a36761a4a98670b1fcd49ed.exe

description	pid	process	target process
PID 1032 wrote to memory of 1232	1032	7eab136ce2cf0217512d9453216dd31fde0c58037a36761a4a98670b1fcd49ed.exe	PRejSeI.exe
PID 1032 wrote to memory of 1232	1032	7eab136ce2cf0217512d9453216dd31fde0c58037a36761a4a98670b1fcd49ed.exe	PRejSeI.exe
PID 1032 wrote to memory of 1232	1032	7eab136ce2cf0217512d9453216dd31fde0c58037a36761a4a98670b1fcd49ed.exe	PRejSeI.exe
PID 1032 wrote to memory of 1344	1032	7eab136ce2cf0217512d9453216dd31fde0c58037a36761a4a98670b1fcd49ed.exe	LoZFykg.exe
PID 1032 wrote to memory of 1344	1032	7eab136ce2cf0217512d9453216dd31fde0c58037a36761a4a98670b1fcd49ed.exe	LoZFykg.exe
PID 1032 wrote to memory of 1344	1032	7eab136ce2cf0217512d9453216dd31fde0c58037a36761a4a98670b1fcd49ed.exe	LoZFykg.exe
PID 1032 wrote to memory of 1952	1032	7eab136ce2cf0217512d9453216dd31fde0c58037a36761a4a98670b1fcd49ed.exe	pspvtoX.exe
PID 1032 wrote to memory of 1952	1032	7eab136ce2cf0217512d9453216dd31fde0c58037a36761a4a98670b1fcd49ed.exe	pspvtoX.exe
PID 1032 wrote to memory of 1952	1032	7eab136ce2cf0217512d9453216dd31fde0c58037a36761a4a98670b1fcd49ed.exe	pspvtoX.exe
PID 1032 wrote to memory of 1148	1032	7eab136ce2cf0217512d9453216dd31fde0c58037a36761a4a98670b1fcd49ed.exe	aPVPylq.exe
PID 1032 wrote to memory of 1148	1032	7eab136ce2cf0217512d9453216dd31fde0c58037a36761a4a98670b1fcd49ed.exe	aPVPylq.exe
PID 1032 wrote to memory of 1148	1032	7eab136ce2cf0217512d9453216dd31fde0c58037a36761a4a98670b1fcd49ed.exe	aPVPylq.exe

C:\Users\Admin\AppData\Local\Temp\7eab136ce2cf0217512d9453216dd31fde0c58037a36761a4a98670b1fcd49ed.exe
"C:\Users\Admin\AppData\Local\Temp\7eab136ce2cf0217512d9453216dd31fde0c58037a36761a4a98670b1fcd49ed.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1032

C:\Windows\System\PRejSeI.exe
C:\Windows\System\PRejSeI.exe
2⤵
- Executes dropped EXE
PID:1232

C:\Windows\System\LoZFykg.exe
C:\Windows\System\LoZFykg.exe
2⤵
- Executes dropped EXE
PID:1344

C:\Windows\System\pspvtoX.exe
C:\Windows\System\pspvtoX.exe
2⤵
- Executes dropped EXE
PID:1952

C:\Windows\System\aPVPylq.exe
C:\Windows\System\aPVPylq.exe
2⤵
PID:1148

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\LoZFykg.exe
MD5
8b8b47726e00f81fadd25592eb16a661

SHA1
ae6fce882e1db033ea546fbc56819da83b669eb5

SHA256
ddd7744a8fad0348e84600ebad98336e48d1be6459f73cd995776738c11bf84e

SHA512
3eee9bdf5065b6eef0b0f15cbeacf78e708d85eba83f218ed105a1a5db093b9d79336c56c9ec043d35b28c010091bb911e6357e913c817c72d56b3f4cb4432a5

Download Submit
C:\Windows\system\PRejSeI.exe
MD5
4382c9b1d9d850d771f443c630cdc407

SHA1
0acdbd67d6c5ea7828f684f64072f067662dc8a6

SHA256
5599e753e24e83e831d8cbbb7866da26bec015525b1ac8ec81a1057710cac793

SHA512
513ccc3be8594df121bc24b29f7f2cb7d11a5e2cd0061f7312e666689572a23dbba4d62470e6c731d03f3b8a8e068299223cafb4624abe2860cb46c37afa77bf

Download Submit
C:\Windows\system\pspvtoX.exe
MD5
1f40783eb1ba82b8dae99a7ff1b1531a

SHA1
000b3d05e1aab5443005498c97e8b0648549a49f

SHA256
7d5d99af61d28ae045d1492c4cd53062e5fbf72d9b1afd3f7eca387a6f4414b1

SHA512
9fe9b664d68ad8057500f01c8149d2928a2aca960fe6e7847ff5e05c0db19a47ccf25710c588272110a5caf10aa7385170fe7c9ab8b737c9e23b24feee644379

Download Submit
\Windows\system\LoZFykg.exe
MD5
8b8b47726e00f81fadd25592eb16a661

SHA1
ae6fce882e1db033ea546fbc56819da83b669eb5

SHA256
ddd7744a8fad0348e84600ebad98336e48d1be6459f73cd995776738c11bf84e

SHA512
3eee9bdf5065b6eef0b0f15cbeacf78e708d85eba83f218ed105a1a5db093b9d79336c56c9ec043d35b28c010091bb911e6357e913c817c72d56b3f4cb4432a5

Download Submit
\Windows\system\PRejSeI.exe
MD5
4382c9b1d9d850d771f443c630cdc407

SHA1
0acdbd67d6c5ea7828f684f64072f067662dc8a6

SHA256
5599e753e24e83e831d8cbbb7866da26bec015525b1ac8ec81a1057710cac793

SHA512
513ccc3be8594df121bc24b29f7f2cb7d11a5e2cd0061f7312e666689572a23dbba4d62470e6c731d03f3b8a8e068299223cafb4624abe2860cb46c37afa77bf

Download Submit
\Windows\system\aPVPylq.exe
MD5
25f8d9d74c4ceb36518bf4ba7aba1dd3

SHA1
83b4f4f073ab38221872f46819d20dbb2ae47e33

SHA256
f8cf9f9b71bf5ceeb1d0941e986eb68dd71d8005107bfbec3b79d60b1795191b

SHA512
33b95beecc5fbd55c8dee5166b604ccef9e31d286737dade541c4d7d63884f4fa17103e6e1592a80ef0f59cc759b764a68153cef1b9685e766a5b62bc76b8b12

Download Submit
\Windows\system\pspvtoX.exe
MD5
1f40783eb1ba82b8dae99a7ff1b1531a

SHA1
000b3d05e1aab5443005498c97e8b0648549a49f

SHA256
7d5d99af61d28ae045d1492c4cd53062e5fbf72d9b1afd3f7eca387a6f4414b1

SHA512
9fe9b664d68ad8057500f01c8149d2928a2aca960fe6e7847ff5e05c0db19a47ccf25710c588272110a5caf10aa7385170fe7c9ab8b737c9e23b24feee644379

Download Submit
memory/1148-10-0x0000000000000000-mapping.dmp

Download
memory/1232-1-0x0000000000000000-mapping.dmp

Download
memory/1344-4-0x0000000000000000-mapping.dmp

Download
memory/1952-7-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads