cobaltstrike | 56e2f454fdf5fcecf5011e7a67d712c2040dbbe51524ce986c563e3aaf3c6eca

Analysis

max time kernel
130s
max time network
131s
platform
windows7_x64
resource
win7v20201028
submitted
10-11-2020 07:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

56e2f454fdf5fcecf5011e7a67d712c2040dbbe51524ce986c563e3aaf3c6eca.exe
Size

5.9MB
MD5

19db0c6047d107e85fbeb4fcdee08dc2
SHA1

d15a1f4bd002c5f509fc03c88ddbbc7da5569f6c
SHA256

56e2f454fdf5fcecf5011e7a67d712c2040dbbe51524ce986c563e3aaf3c6eca
SHA512

26fbcd8d11e22ce98f6dba97c6b7191b8d3da46d6984906aecc88c29bb8ff188cf2eadb01e1a6ea3073bb0f60dd852e06e96cffa3b9d726c0dffafade8ec5da3

Score

10^/10

cobaltstrike backdoor trojan upx

Malware Config

Signatures

Cobalt Strike reflective loader 13 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
\Windows\system\OKgQuwl.exe	cobalt_reflective_dll
C:\Windows\system\OKgQuwl.exe	cobalt_reflective_dll
\Windows\system\wrAusat.exe	cobalt_reflective_dll
\Windows\system\DmQePES.exe	cobalt_reflective_dll
C:\Windows\system\DmQePES.exe	cobalt_reflective_dll
C:\Windows\system\wrAusat.exe	cobalt_reflective_dll
\Windows\system\uhtemgG.exe	cobalt_reflective_dll
C:\Windows\system\uhtemgG.exe	cobalt_reflective_dll
\Windows\system\FUyAsVw.exe	cobalt_reflective_dll
C:\Windows\system\FUyAsVw.exe	cobalt_reflective_dll
\Windows\system\JiyiOeq.exe	cobalt_reflective_dll
C:\Windows\system\JiyiOeq.exe	cobalt_reflective_dll
\Windows\system\aZkfPQR.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Executes dropped EXE 6 IoCs

Processes:

OKgQuwl.exeDmQePES.exewrAusat.exeuhtemgG.exeFUyAsVw.exeJiyiOeq.exe

pid process

1320 OKgQuwl.exe
1472 DmQePES.exe
1176 wrAusat.exe
836 uhtemgG.exe
2012 FUyAsVw.exe
1972 JiyiOeq.exe

pid	process
1320	OKgQuwl.exe
1472	DmQePES.exe
1176	wrAusat.exe
836	uhtemgG.exe
2012	FUyAsVw.exe
1972	JiyiOeq.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Windows\system\OKgQuwl.exe	upx
C:\Windows\system\OKgQuwl.exe	upx
\Windows\system\wrAusat.exe	upx
\Windows\system\DmQePES.exe	upx
C:\Windows\system\DmQePES.exe	upx
C:\Windows\system\wrAusat.exe	upx
\Windows\system\uhtemgG.exe	upx
C:\Windows\system\uhtemgG.exe	upx
\Windows\system\FUyAsVw.exe	upx
C:\Windows\system\FUyAsVw.exe	upx
\Windows\system\JiyiOeq.exe	upx
C:\Windows\system\JiyiOeq.exe	upx
\Windows\system\aZkfPQR.exe	upx

Loads dropped DLL 7 IoCs

Processes:

56e2f454fdf5fcecf5011e7a67d712c2040dbbe51524ce986c563e3aaf3c6eca.exe

pid	process
1880	56e2f454fdf5fcecf5011e7a67d712c2040dbbe51524ce986c563e3aaf3c6eca.exe
1880	56e2f454fdf5fcecf5011e7a67d712c2040dbbe51524ce986c563e3aaf3c6eca.exe
1880	56e2f454fdf5fcecf5011e7a67d712c2040dbbe51524ce986c563e3aaf3c6eca.exe
1880	56e2f454fdf5fcecf5011e7a67d712c2040dbbe51524ce986c563e3aaf3c6eca.exe
1880	56e2f454fdf5fcecf5011e7a67d712c2040dbbe51524ce986c563e3aaf3c6eca.exe
1880	56e2f454fdf5fcecf5011e7a67d712c2040dbbe51524ce986c563e3aaf3c6eca.exe
1880	56e2f454fdf5fcecf5011e7a67d712c2040dbbe51524ce986c563e3aaf3c6eca.exe

JavaScript code in executable 13 IoCs

Processes:

resource	yara_rule
\Windows\system\OKgQuwl.exe	js
C:\Windows\system\OKgQuwl.exe	js
\Windows\system\wrAusat.exe	js
\Windows\system\DmQePES.exe	js
C:\Windows\system\DmQePES.exe	js
C:\Windows\system\wrAusat.exe	js
\Windows\system\uhtemgG.exe	js
C:\Windows\system\uhtemgG.exe	js
\Windows\system\FUyAsVw.exe	js
C:\Windows\system\FUyAsVw.exe	js
\Windows\system\JiyiOeq.exe	js
C:\Windows\system\JiyiOeq.exe	js
\Windows\system\aZkfPQR.exe	js

Drops file in Windows directory 7 IoCs

Processes:

56e2f454fdf5fcecf5011e7a67d712c2040dbbe51524ce986c563e3aaf3c6eca.exe

description	ioc	process
File created	C:\Windows\System\uhtemgG.exe	56e2f454fdf5fcecf5011e7a67d712c2040dbbe51524ce986c563e3aaf3c6eca.exe
File created	C:\Windows\System\FUyAsVw.exe	56e2f454fdf5fcecf5011e7a67d712c2040dbbe51524ce986c563e3aaf3c6eca.exe
File created	C:\Windows\System\JiyiOeq.exe	56e2f454fdf5fcecf5011e7a67d712c2040dbbe51524ce986c563e3aaf3c6eca.exe
File created	C:\Windows\System\aZkfPQR.exe	56e2f454fdf5fcecf5011e7a67d712c2040dbbe51524ce986c563e3aaf3c6eca.exe
File created	C:\Windows\System\OKgQuwl.exe	56e2f454fdf5fcecf5011e7a67d712c2040dbbe51524ce986c563e3aaf3c6eca.exe
File created	C:\Windows\System\wrAusat.exe	56e2f454fdf5fcecf5011e7a67d712c2040dbbe51524ce986c563e3aaf3c6eca.exe
File created	C:\Windows\System\DmQePES.exe	56e2f454fdf5fcecf5011e7a67d712c2040dbbe51524ce986c563e3aaf3c6eca.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

56e2f454fdf5fcecf5011e7a67d712c2040dbbe51524ce986c563e3aaf3c6eca.exe

description	pid	process	target process
PID 1880 wrote to memory of 1320	1880	56e2f454fdf5fcecf5011e7a67d712c2040dbbe51524ce986c563e3aaf3c6eca.exe	OKgQuwl.exe
PID 1880 wrote to memory of 1320	1880	56e2f454fdf5fcecf5011e7a67d712c2040dbbe51524ce986c563e3aaf3c6eca.exe	OKgQuwl.exe
PID 1880 wrote to memory of 1320	1880	56e2f454fdf5fcecf5011e7a67d712c2040dbbe51524ce986c563e3aaf3c6eca.exe	OKgQuwl.exe
PID 1880 wrote to memory of 1176	1880	56e2f454fdf5fcecf5011e7a67d712c2040dbbe51524ce986c563e3aaf3c6eca.exe	wrAusat.exe
PID 1880 wrote to memory of 1176	1880	56e2f454fdf5fcecf5011e7a67d712c2040dbbe51524ce986c563e3aaf3c6eca.exe	wrAusat.exe
PID 1880 wrote to memory of 1176	1880	56e2f454fdf5fcecf5011e7a67d712c2040dbbe51524ce986c563e3aaf3c6eca.exe	wrAusat.exe
PID 1880 wrote to memory of 1472	1880	56e2f454fdf5fcecf5011e7a67d712c2040dbbe51524ce986c563e3aaf3c6eca.exe	DmQePES.exe
PID 1880 wrote to memory of 1472	1880	56e2f454fdf5fcecf5011e7a67d712c2040dbbe51524ce986c563e3aaf3c6eca.exe	DmQePES.exe
PID 1880 wrote to memory of 1472	1880	56e2f454fdf5fcecf5011e7a67d712c2040dbbe51524ce986c563e3aaf3c6eca.exe	DmQePES.exe
PID 1880 wrote to memory of 836	1880	56e2f454fdf5fcecf5011e7a67d712c2040dbbe51524ce986c563e3aaf3c6eca.exe	uhtemgG.exe
PID 1880 wrote to memory of 836	1880	56e2f454fdf5fcecf5011e7a67d712c2040dbbe51524ce986c563e3aaf3c6eca.exe	uhtemgG.exe
PID 1880 wrote to memory of 836	1880	56e2f454fdf5fcecf5011e7a67d712c2040dbbe51524ce986c563e3aaf3c6eca.exe	uhtemgG.exe
PID 1880 wrote to memory of 2012	1880	56e2f454fdf5fcecf5011e7a67d712c2040dbbe51524ce986c563e3aaf3c6eca.exe	FUyAsVw.exe
PID 1880 wrote to memory of 2012	1880	56e2f454fdf5fcecf5011e7a67d712c2040dbbe51524ce986c563e3aaf3c6eca.exe	FUyAsVw.exe
PID 1880 wrote to memory of 2012	1880	56e2f454fdf5fcecf5011e7a67d712c2040dbbe51524ce986c563e3aaf3c6eca.exe	FUyAsVw.exe
PID 1880 wrote to memory of 1972	1880	56e2f454fdf5fcecf5011e7a67d712c2040dbbe51524ce986c563e3aaf3c6eca.exe	JiyiOeq.exe
PID 1880 wrote to memory of 1972	1880	56e2f454fdf5fcecf5011e7a67d712c2040dbbe51524ce986c563e3aaf3c6eca.exe	JiyiOeq.exe
PID 1880 wrote to memory of 1972	1880	56e2f454fdf5fcecf5011e7a67d712c2040dbbe51524ce986c563e3aaf3c6eca.exe	JiyiOeq.exe
PID 1880 wrote to memory of 1640	1880	56e2f454fdf5fcecf5011e7a67d712c2040dbbe51524ce986c563e3aaf3c6eca.exe	aZkfPQR.exe
PID 1880 wrote to memory of 1640	1880	56e2f454fdf5fcecf5011e7a67d712c2040dbbe51524ce986c563e3aaf3c6eca.exe	aZkfPQR.exe
PID 1880 wrote to memory of 1640	1880	56e2f454fdf5fcecf5011e7a67d712c2040dbbe51524ce986c563e3aaf3c6eca.exe	aZkfPQR.exe

C:\Users\Admin\AppData\Local\Temp\56e2f454fdf5fcecf5011e7a67d712c2040dbbe51524ce986c563e3aaf3c6eca.exe
"C:\Users\Admin\AppData\Local\Temp\56e2f454fdf5fcecf5011e7a67d712c2040dbbe51524ce986c563e3aaf3c6eca.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1880

C:\Windows\System\OKgQuwl.exe
C:\Windows\System\OKgQuwl.exe
2⤵
- Executes dropped EXE
PID:1320

C:\Windows\System\wrAusat.exe
C:\Windows\System\wrAusat.exe
2⤵
- Executes dropped EXE
PID:1176

C:\Windows\System\DmQePES.exe
C:\Windows\System\DmQePES.exe
2⤵
- Executes dropped EXE
PID:1472

C:\Windows\System\uhtemgG.exe
C:\Windows\System\uhtemgG.exe
2⤵
- Executes dropped EXE
PID:836

C:\Windows\System\FUyAsVw.exe
C:\Windows\System\FUyAsVw.exe
2⤵
- Executes dropped EXE
PID:2012

C:\Windows\System\JiyiOeq.exe
C:\Windows\System\JiyiOeq.exe
2⤵
- Executes dropped EXE
PID:1972

C:\Windows\System\aZkfPQR.exe
C:\Windows\System\aZkfPQR.exe
2⤵
PID:1640

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\DmQePES.exe
MD5
fdaa602ac1db8d9a1b4de80751218bad

SHA1
33eccb4956abed996b023f81ff15e1ecfc75a544

SHA256
486814c5b1381e0af2db893f9ef62f20ddada5b54ead42740bd8b7eb8aa25b47

SHA512
2f43d19e09a1fc7a6b94469723ac2374c8b0cc8b481c2d8b2c5f4c8925115418d6525e72b273aaed820f6dc753898cefa67d6f91c8f9361f2c6fd056c7307bd7

Download Submit
C:\Windows\system\FUyAsVw.exe
MD5
67142a27713cb9a9999401809d53a2e6

SHA1
a4b9f5f336c3d7742a73b869baf38bc45e3fe80c

SHA256
83894c2909a30a3aa4498e5c8b1fe6fd926b3be22c5fb6abd34061e2d8d193f6

SHA512
73ece62b00dff4f4a6cd8ebb259ea8bffef0ce8eebbeb2d75af3fbf79e4c0bf50ea25059ad771e388e84e8b3f8f0819f5de86712561750ed11e94a387c60db91

Download Submit
C:\Windows\system\JiyiOeq.exe
MD5
161d908e2f4b6eee292ad6e5482a9da6

SHA1
c51c539b2b5dd828e1d241af6a3f27932e635a83

SHA256
f3d4062e69c50b75f1b1ec8f752405306421638d2fb25bdb500df4679313f37b

SHA512
e807972cd8d5b088d55c9f8a5fcd432cab581d9562190082fd5a795a38265ece676cf397e43ed2e775937716762f64e5b251b54f3fe796a48cd75bb4104fe290

Download Submit
C:\Windows\system\OKgQuwl.exe
MD5
7bc10286b8c6f3a7c568f763b45278ac

SHA1
db5fa070ae7d8274cad39a2e3a0f5f5964e57e49

SHA256
36d6b8aff9e958abd555e5b6fac2c3084ca2a0a84a7c5ddcba4c1415f1b6734c

SHA512
a1d266578d42be36181f30a17a32d08f0f1a83d86576d8b94896d5e881c1958e359b9ee51d18e4f97214a22bf8865fe8bb0992535dce2c57e5b1bbd91d567ebe

Download Submit
C:\Windows\system\uhtemgG.exe
MD5
7b35f6bd4cfcd9be2b5b3ecc5dd7d085

SHA1
94e301ea6430ff8987007b36cfd273ee08029b8d

SHA256
ab70199e285165dd2b2ae3dc89e0fe45dcfac7895bda35958a16a89e70374791

SHA512
b5f7b4acca71a9c7ad4e9c087f4416d386ae04a53787e634b85ac5dd34061bd388fc6f0a1b337f53c616a8b06d15f6a890a6a653e2931a79a2dfaea56c05c53b

Download Submit
C:\Windows\system\wrAusat.exe
MD5
7338c44bbce204e0a70a7b50c83fd42a

SHA1
16465f05e43e448f2d5182699612d58fee1d315c

SHA256
e48da339f570132bff09733ee37bf7a38a58bee0cd98bd8598cbcd40f25b003a

SHA512
e4347427778adb4745bbff11da509b7d2d7bd9edc0d503e1e1b5d5fa33127b12ac5141a14de3aa35d13893a439db1b2cc4380b10b6bd1c9d634002ba58d6a3d6

Download Submit
\Windows\system\DmQePES.exe
MD5
fdaa602ac1db8d9a1b4de80751218bad

SHA1
33eccb4956abed996b023f81ff15e1ecfc75a544

SHA256
486814c5b1381e0af2db893f9ef62f20ddada5b54ead42740bd8b7eb8aa25b47

SHA512
2f43d19e09a1fc7a6b94469723ac2374c8b0cc8b481c2d8b2c5f4c8925115418d6525e72b273aaed820f6dc753898cefa67d6f91c8f9361f2c6fd056c7307bd7

Download Submit
\Windows\system\FUyAsVw.exe
MD5
67142a27713cb9a9999401809d53a2e6

SHA1
a4b9f5f336c3d7742a73b869baf38bc45e3fe80c

SHA256
83894c2909a30a3aa4498e5c8b1fe6fd926b3be22c5fb6abd34061e2d8d193f6

SHA512
73ece62b00dff4f4a6cd8ebb259ea8bffef0ce8eebbeb2d75af3fbf79e4c0bf50ea25059ad771e388e84e8b3f8f0819f5de86712561750ed11e94a387c60db91

Download Submit
\Windows\system\JiyiOeq.exe
MD5
161d908e2f4b6eee292ad6e5482a9da6

SHA1
c51c539b2b5dd828e1d241af6a3f27932e635a83

SHA256
f3d4062e69c50b75f1b1ec8f752405306421638d2fb25bdb500df4679313f37b

SHA512
e807972cd8d5b088d55c9f8a5fcd432cab581d9562190082fd5a795a38265ece676cf397e43ed2e775937716762f64e5b251b54f3fe796a48cd75bb4104fe290

Download Submit
\Windows\system\OKgQuwl.exe
MD5
7bc10286b8c6f3a7c568f763b45278ac

SHA1
db5fa070ae7d8274cad39a2e3a0f5f5964e57e49

SHA256
36d6b8aff9e958abd555e5b6fac2c3084ca2a0a84a7c5ddcba4c1415f1b6734c

SHA512
a1d266578d42be36181f30a17a32d08f0f1a83d86576d8b94896d5e881c1958e359b9ee51d18e4f97214a22bf8865fe8bb0992535dce2c57e5b1bbd91d567ebe

Download Submit
\Windows\system\aZkfPQR.exe
MD5
6b11125e23f814975150224f404a5ebf

SHA1
6b7a02ff9727ad6319ec7135beff822e1506ce53

SHA256
1af5db427169d9401c98915acd97f6cd9dd80730cacfe3b650cb4f73afd68a3c

SHA512
f4a30bdf06ee908139093981e6463c8525ebe809902d8d0851c5ca8a18926a5cb3cd49a000c11c057cdd84b9f1120b72da3a42fc47175dfe9904138fef21a0d1

Download Submit
\Windows\system\uhtemgG.exe
MD5
7b35f6bd4cfcd9be2b5b3ecc5dd7d085

SHA1
94e301ea6430ff8987007b36cfd273ee08029b8d

SHA256
ab70199e285165dd2b2ae3dc89e0fe45dcfac7895bda35958a16a89e70374791

SHA512
b5f7b4acca71a9c7ad4e9c087f4416d386ae04a53787e634b85ac5dd34061bd388fc6f0a1b337f53c616a8b06d15f6a890a6a653e2931a79a2dfaea56c05c53b

Download Submit
\Windows\system\wrAusat.exe
MD5
7338c44bbce204e0a70a7b50c83fd42a

SHA1
16465f05e43e448f2d5182699612d58fee1d315c

SHA256
e48da339f570132bff09733ee37bf7a38a58bee0cd98bd8598cbcd40f25b003a

SHA512
e4347427778adb4745bbff11da509b7d2d7bd9edc0d503e1e1b5d5fa33127b12ac5141a14de3aa35d13893a439db1b2cc4380b10b6bd1c9d634002ba58d6a3d6

Download Submit
memory/836-8-0x0000000000000000-mapping.dmp

Download
memory/1176-4-0x0000000000000000-mapping.dmp

Download
memory/1320-1-0x0000000000000000-mapping.dmp

Download
memory/1472-6-0x0000000000000000-mapping.dmp

Download
memory/1640-19-0x0000000000000000-mapping.dmp

Download
memory/1972-16-0x0000000000000000-mapping.dmp

Download
memory/2012-13-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads