cobaltstrike | 241ef6bcf617456f45f2a71f8a648b118b1c833f4f126f540081f7e446b4dc20

Analysis

max time kernel
115s
max time network
14s
platform
windows7_x64
resource
win7v20201028
submitted
10-11-2020 07:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

241ef6bcf617456f45f2a71f8a648b118b1c833f4f126f540081f7e446b4dc20.exe
Size

5.9MB
MD5

4f318f04e42eae7430de3dbf27fe925d
SHA1

d771860ba4ffa2c6f4ab39acf61213f697dac7c2
SHA256

241ef6bcf617456f45f2a71f8a648b118b1c833f4f126f540081f7e446b4dc20
SHA512

74219661fe9db9da9c3e2c0262d067e3cd130864fac38ebb198ba3cf6e52d2bd21495fcfff92241b8ad62bd4839940e489a757c57b502f76f6daba6b96f70c06

Score

10^/10

cobaltstrike backdoor trojan upx

Malware Config

Signatures

Cobalt Strike reflective loader 15 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
\Windows\system\NQsFgAA.exe	cobalt_reflective_dll
C:\Windows\system\NQsFgAA.exe	cobalt_reflective_dll
\Windows\system\yzMQQJn.exe	cobalt_reflective_dll
\Windows\system\DoUvGnC.exe	cobalt_reflective_dll
C:\Windows\system\yzMQQJn.exe	cobalt_reflective_dll
C:\Windows\system\DoUvGnC.exe	cobalt_reflective_dll
\Windows\system\VpXMsdu.exe	cobalt_reflective_dll
C:\Windows\system\VpXMsdu.exe	cobalt_reflective_dll
\Windows\system\LDwRPez.exe	cobalt_reflective_dll
C:\Windows\system\LDwRPez.exe	cobalt_reflective_dll
\Windows\system\BAgASEl.exe	cobalt_reflective_dll
C:\Windows\system\BAgASEl.exe	cobalt_reflective_dll
\Windows\system\ioftWMK.exe	cobalt_reflective_dll
C:\Windows\system\ioftWMK.exe	cobalt_reflective_dll
\Windows\system\EJDKcMc.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Executes dropped EXE 7 IoCs

Processes:

NQsFgAA.exeyzMQQJn.exeDoUvGnC.exeVpXMsdu.exeLDwRPez.exeBAgASEl.exeioftWMK.exe

pid process

1424 NQsFgAA.exe
1564 yzMQQJn.exe
1984 DoUvGnC.exe
1968 VpXMsdu.exe
1956 LDwRPez.exe
1632 BAgASEl.exe
920 ioftWMK.exe

pid	process
1424	NQsFgAA.exe
1564	yzMQQJn.exe
1984	DoUvGnC.exe
1968	VpXMsdu.exe
1956	LDwRPez.exe
1632	BAgASEl.exe
920	ioftWMK.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Windows\system\NQsFgAA.exe	upx
C:\Windows\system\NQsFgAA.exe	upx
\Windows\system\yzMQQJn.exe	upx
\Windows\system\DoUvGnC.exe	upx
C:\Windows\system\yzMQQJn.exe	upx
C:\Windows\system\DoUvGnC.exe	upx
\Windows\system\VpXMsdu.exe	upx
C:\Windows\system\VpXMsdu.exe	upx
\Windows\system\LDwRPez.exe	upx
C:\Windows\system\LDwRPez.exe	upx
\Windows\system\BAgASEl.exe	upx
C:\Windows\system\BAgASEl.exe	upx
\Windows\system\ioftWMK.exe	upx
C:\Windows\system\ioftWMK.exe	upx
\Windows\system\EJDKcMc.exe	upx

Loads dropped DLL 8 IoCs

Processes:

241ef6bcf617456f45f2a71f8a648b118b1c833f4f126f540081f7e446b4dc20.exe

pid	process
1924	241ef6bcf617456f45f2a71f8a648b118b1c833f4f126f540081f7e446b4dc20.exe
1924	241ef6bcf617456f45f2a71f8a648b118b1c833f4f126f540081f7e446b4dc20.exe
1924	241ef6bcf617456f45f2a71f8a648b118b1c833f4f126f540081f7e446b4dc20.exe
1924	241ef6bcf617456f45f2a71f8a648b118b1c833f4f126f540081f7e446b4dc20.exe
1924	241ef6bcf617456f45f2a71f8a648b118b1c833f4f126f540081f7e446b4dc20.exe
1924	241ef6bcf617456f45f2a71f8a648b118b1c833f4f126f540081f7e446b4dc20.exe
1924	241ef6bcf617456f45f2a71f8a648b118b1c833f4f126f540081f7e446b4dc20.exe
1924	241ef6bcf617456f45f2a71f8a648b118b1c833f4f126f540081f7e446b4dc20.exe

JavaScript code in executable 15 IoCs

Processes:

resource	yara_rule
\Windows\system\NQsFgAA.exe	js
C:\Windows\system\NQsFgAA.exe	js
\Windows\system\yzMQQJn.exe	js
\Windows\system\DoUvGnC.exe	js
C:\Windows\system\yzMQQJn.exe	js
C:\Windows\system\DoUvGnC.exe	js
\Windows\system\VpXMsdu.exe	js
C:\Windows\system\VpXMsdu.exe	js
\Windows\system\LDwRPez.exe	js
C:\Windows\system\LDwRPez.exe	js
\Windows\system\BAgASEl.exe	js
C:\Windows\system\BAgASEl.exe	js
\Windows\system\ioftWMK.exe	js
C:\Windows\system\ioftWMK.exe	js
\Windows\system\EJDKcMc.exe	js

Drops file in Windows directory 8 IoCs

Processes:

241ef6bcf617456f45f2a71f8a648b118b1c833f4f126f540081f7e446b4dc20.exe

description	ioc	process
File created	C:\Windows\System\BAgASEl.exe	241ef6bcf617456f45f2a71f8a648b118b1c833f4f126f540081f7e446b4dc20.exe
File created	C:\Windows\System\ioftWMK.exe	241ef6bcf617456f45f2a71f8a648b118b1c833f4f126f540081f7e446b4dc20.exe
File created	C:\Windows\System\EJDKcMc.exe	241ef6bcf617456f45f2a71f8a648b118b1c833f4f126f540081f7e446b4dc20.exe
File created	C:\Windows\System\NQsFgAA.exe	241ef6bcf617456f45f2a71f8a648b118b1c833f4f126f540081f7e446b4dc20.exe
File created	C:\Windows\System\yzMQQJn.exe	241ef6bcf617456f45f2a71f8a648b118b1c833f4f126f540081f7e446b4dc20.exe
File created	C:\Windows\System\DoUvGnC.exe	241ef6bcf617456f45f2a71f8a648b118b1c833f4f126f540081f7e446b4dc20.exe
File created	C:\Windows\System\VpXMsdu.exe	241ef6bcf617456f45f2a71f8a648b118b1c833f4f126f540081f7e446b4dc20.exe
File created	C:\Windows\System\LDwRPez.exe	241ef6bcf617456f45f2a71f8a648b118b1c833f4f126f540081f7e446b4dc20.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

241ef6bcf617456f45f2a71f8a648b118b1c833f4f126f540081f7e446b4dc20.exe

description	pid	process	target process
PID 1924 wrote to memory of 1424	1924	241ef6bcf617456f45f2a71f8a648b118b1c833f4f126f540081f7e446b4dc20.exe	NQsFgAA.exe
PID 1924 wrote to memory of 1424	1924	241ef6bcf617456f45f2a71f8a648b118b1c833f4f126f540081f7e446b4dc20.exe	NQsFgAA.exe
PID 1924 wrote to memory of 1424	1924	241ef6bcf617456f45f2a71f8a648b118b1c833f4f126f540081f7e446b4dc20.exe	NQsFgAA.exe
PID 1924 wrote to memory of 1564	1924	241ef6bcf617456f45f2a71f8a648b118b1c833f4f126f540081f7e446b4dc20.exe	yzMQQJn.exe
PID 1924 wrote to memory of 1564	1924	241ef6bcf617456f45f2a71f8a648b118b1c833f4f126f540081f7e446b4dc20.exe	yzMQQJn.exe
PID 1924 wrote to memory of 1564	1924	241ef6bcf617456f45f2a71f8a648b118b1c833f4f126f540081f7e446b4dc20.exe	yzMQQJn.exe
PID 1924 wrote to memory of 1984	1924	241ef6bcf617456f45f2a71f8a648b118b1c833f4f126f540081f7e446b4dc20.exe	DoUvGnC.exe
PID 1924 wrote to memory of 1984	1924	241ef6bcf617456f45f2a71f8a648b118b1c833f4f126f540081f7e446b4dc20.exe	DoUvGnC.exe
PID 1924 wrote to memory of 1984	1924	241ef6bcf617456f45f2a71f8a648b118b1c833f4f126f540081f7e446b4dc20.exe	DoUvGnC.exe
PID 1924 wrote to memory of 1968	1924	241ef6bcf617456f45f2a71f8a648b118b1c833f4f126f540081f7e446b4dc20.exe	VpXMsdu.exe
PID 1924 wrote to memory of 1968	1924	241ef6bcf617456f45f2a71f8a648b118b1c833f4f126f540081f7e446b4dc20.exe	VpXMsdu.exe
PID 1924 wrote to memory of 1968	1924	241ef6bcf617456f45f2a71f8a648b118b1c833f4f126f540081f7e446b4dc20.exe	VpXMsdu.exe
PID 1924 wrote to memory of 1956	1924	241ef6bcf617456f45f2a71f8a648b118b1c833f4f126f540081f7e446b4dc20.exe	LDwRPez.exe
PID 1924 wrote to memory of 1956	1924	241ef6bcf617456f45f2a71f8a648b118b1c833f4f126f540081f7e446b4dc20.exe	LDwRPez.exe
PID 1924 wrote to memory of 1956	1924	241ef6bcf617456f45f2a71f8a648b118b1c833f4f126f540081f7e446b4dc20.exe	LDwRPez.exe
PID 1924 wrote to memory of 1632	1924	241ef6bcf617456f45f2a71f8a648b118b1c833f4f126f540081f7e446b4dc20.exe	BAgASEl.exe
PID 1924 wrote to memory of 1632	1924	241ef6bcf617456f45f2a71f8a648b118b1c833f4f126f540081f7e446b4dc20.exe	BAgASEl.exe
PID 1924 wrote to memory of 1632	1924	241ef6bcf617456f45f2a71f8a648b118b1c833f4f126f540081f7e446b4dc20.exe	BAgASEl.exe
PID 1924 wrote to memory of 920	1924	241ef6bcf617456f45f2a71f8a648b118b1c833f4f126f540081f7e446b4dc20.exe	ioftWMK.exe
PID 1924 wrote to memory of 920	1924	241ef6bcf617456f45f2a71f8a648b118b1c833f4f126f540081f7e446b4dc20.exe	ioftWMK.exe
PID 1924 wrote to memory of 920	1924	241ef6bcf617456f45f2a71f8a648b118b1c833f4f126f540081f7e446b4dc20.exe	ioftWMK.exe
PID 1924 wrote to memory of 360	1924	241ef6bcf617456f45f2a71f8a648b118b1c833f4f126f540081f7e446b4dc20.exe	EJDKcMc.exe
PID 1924 wrote to memory of 360	1924	241ef6bcf617456f45f2a71f8a648b118b1c833f4f126f540081f7e446b4dc20.exe	EJDKcMc.exe
PID 1924 wrote to memory of 360	1924	241ef6bcf617456f45f2a71f8a648b118b1c833f4f126f540081f7e446b4dc20.exe	EJDKcMc.exe

C:\Users\Admin\AppData\Local\Temp\241ef6bcf617456f45f2a71f8a648b118b1c833f4f126f540081f7e446b4dc20.exe
"C:\Users\Admin\AppData\Local\Temp\241ef6bcf617456f45f2a71f8a648b118b1c833f4f126f540081f7e446b4dc20.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1924

C:\Windows\System\NQsFgAA.exe
C:\Windows\System\NQsFgAA.exe
2⤵
- Executes dropped EXE
PID:1424

C:\Windows\System\yzMQQJn.exe
C:\Windows\System\yzMQQJn.exe
2⤵
- Executes dropped EXE
PID:1564

C:\Windows\System\DoUvGnC.exe
C:\Windows\System\DoUvGnC.exe
2⤵
- Executes dropped EXE
PID:1984

C:\Windows\System\VpXMsdu.exe
C:\Windows\System\VpXMsdu.exe
2⤵
- Executes dropped EXE
PID:1968

C:\Windows\System\LDwRPez.exe
C:\Windows\System\LDwRPez.exe
2⤵
- Executes dropped EXE
PID:1956

C:\Windows\System\BAgASEl.exe
C:\Windows\System\BAgASEl.exe
2⤵
- Executes dropped EXE
PID:1632

C:\Windows\System\ioftWMK.exe
C:\Windows\System\ioftWMK.exe
2⤵
- Executes dropped EXE
PID:920

C:\Windows\System\EJDKcMc.exe
C:\Windows\System\EJDKcMc.exe
2⤵
PID:360

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\BAgASEl.exe
MD5
5d72ddffc5ee9ac9c90524d0dd85d234

SHA1
99a9ed29a73d8b3afeb64e2abfeff49055b6ee8d

SHA256
517c8c16b04ae78448c7507c5917f76a1e9d53b2952cc831db4e308e3addb81d

SHA512
8425bb08dc8395631e3c03fdd5bb928783704cc2504e42d4757b7184b1f36572ca28eda322dbd7ae7a8844437ff377675c09a171edef0fe3ec50d5759386dd86

Download Submit
C:\Windows\system\DoUvGnC.exe
MD5
0523e7e0bf593f9cd44bf9b5a45b24f7

SHA1
32b5cd69cfcaeb8b1820539946fb3327d3d36924

SHA256
fa60c359603c6fdb5561e184d67196cec6f84e4771b9310eab12b6c401c20771

SHA512
053b9ff7cda9d9db389b3f09caeaf311e87ece2ee7fad07c3ad723dc0b7abd15dfe07ab441333271126936d5ae5772e9aca7e8f6169fadced2d78054d2eb13a2

Download Submit
C:\Windows\system\LDwRPez.exe
MD5
82e9320a3d3f70cb60091062575fe215

SHA1
d3e2dd0a529d449b8ee53603c35564310a096f5b

SHA256
7e10898549a7d51b7541cb8a5ed19da0f6a004d9cb8cc8b90748a7601849a5a5

SHA512
c8014d57cbd73cc8b1eda689347a8c2d7d9a0007fab39fd35222e3524f4e71c0d30f4ec708ae8f2867ac45dcf2eb695bdf2b042e56c4f968b678574f9f35db17

Download Submit
C:\Windows\system\NQsFgAA.exe
MD5
3ed6c5f861e9f34c381cee02f206d696

SHA1
5ede910e49b45a631bbc358ca8b67cad47cab2a1

SHA256
9e76daee05e3f3dc9520b384583dfbc46cb04c31c509c35052fcfb86d2bae174

SHA512
9ebeb5f01cff76d314001e90573eab7820003fb4453ffce4edce3f5e3fdd256169764f50db16b253522995f63410396badce08e379b174838788a6f5a39dad92

Download Submit
C:\Windows\system\VpXMsdu.exe
MD5
3880adb699fe4deb350e81eac4f32e95

SHA1
b58758714dab8a14567818c2998c5cd05013a0d1

SHA256
3432a3ce98a00120405bde0be57c71e37f979d910f499c6e7b3e88f7b3f36266

SHA512
1377c783cd1d9b19202ed4beb8dd16eae728c8cdc1c50c5186d577699ef45a8406e20646587e44baef608e31612b9714136d6ff83a837bc749fb3c3d599435bb

Download Submit
C:\Windows\system\ioftWMK.exe
MD5
c5f4593825c33552304d6284c039b329

SHA1
4439243e4f2f606ec581a3c3884b3bf9867de47e

SHA256
8383e8b439d8dfce412cdc45f02cdb0b00ce5098e60f4eb2abd8fa4188009add

SHA512
48857c59594972bdb2ce56bc66b5027a737eb9189cc96b39ff29b7f7f7ed5b608a6e9e7eeaf7f175de33c36cbfeefdc49391543e97c1634cdeb2d39cea66f084

Download Submit
C:\Windows\system\yzMQQJn.exe
MD5
482aed0c5a4908ade7439a960c4145d1

SHA1
76d7a23c17c30d7569aacb66a73807a810000b27

SHA256
d09843635c0beca12a41d275d9f911b8188e10358d4d4a258d020c7ec76cc9da

SHA512
0195e16c44a0dd1d8ecfda3f9a07ce1a35bf5f20870f102cdce92267bcade91ea207a9adfb65f2cd4482c1235b8a97b64e5a6914818f4cd8b2ec1ddd639358b3

Download Submit
\Windows\system\BAgASEl.exe
MD5
5d72ddffc5ee9ac9c90524d0dd85d234

SHA1
99a9ed29a73d8b3afeb64e2abfeff49055b6ee8d

SHA256
517c8c16b04ae78448c7507c5917f76a1e9d53b2952cc831db4e308e3addb81d

SHA512
8425bb08dc8395631e3c03fdd5bb928783704cc2504e42d4757b7184b1f36572ca28eda322dbd7ae7a8844437ff377675c09a171edef0fe3ec50d5759386dd86

Download Submit
\Windows\system\DoUvGnC.exe
MD5
0523e7e0bf593f9cd44bf9b5a45b24f7

SHA1
32b5cd69cfcaeb8b1820539946fb3327d3d36924

SHA256
fa60c359603c6fdb5561e184d67196cec6f84e4771b9310eab12b6c401c20771

SHA512
053b9ff7cda9d9db389b3f09caeaf311e87ece2ee7fad07c3ad723dc0b7abd15dfe07ab441333271126936d5ae5772e9aca7e8f6169fadced2d78054d2eb13a2

Download Submit
\Windows\system\EJDKcMc.exe
MD5
70a8a9d858f961dc420349db5b723af9

SHA1
aea54d36a447849a67e99ee94080cc022ecb20c7

SHA256
5b6261765530bc93ad3512b52082098be6aa2c83f2937746ebc4e935eadac52e

SHA512
490f4d70127418774639f658e9d5ee5e51a7c433efb7bf9f71f8f70e05eb93d117533a8a4e6e9a7808b8588f8e557c2bbd3dbc0173d7a4c86288a458baa099ec

Download Submit
\Windows\system\LDwRPez.exe
MD5
82e9320a3d3f70cb60091062575fe215

SHA1
d3e2dd0a529d449b8ee53603c35564310a096f5b

SHA256
7e10898549a7d51b7541cb8a5ed19da0f6a004d9cb8cc8b90748a7601849a5a5

SHA512
c8014d57cbd73cc8b1eda689347a8c2d7d9a0007fab39fd35222e3524f4e71c0d30f4ec708ae8f2867ac45dcf2eb695bdf2b042e56c4f968b678574f9f35db17

Download Submit
\Windows\system\NQsFgAA.exe
MD5
3ed6c5f861e9f34c381cee02f206d696

SHA1
5ede910e49b45a631bbc358ca8b67cad47cab2a1

SHA256
9e76daee05e3f3dc9520b384583dfbc46cb04c31c509c35052fcfb86d2bae174

SHA512
9ebeb5f01cff76d314001e90573eab7820003fb4453ffce4edce3f5e3fdd256169764f50db16b253522995f63410396badce08e379b174838788a6f5a39dad92

Download Submit
\Windows\system\VpXMsdu.exe
MD5
3880adb699fe4deb350e81eac4f32e95

SHA1
b58758714dab8a14567818c2998c5cd05013a0d1

SHA256
3432a3ce98a00120405bde0be57c71e37f979d910f499c6e7b3e88f7b3f36266

SHA512
1377c783cd1d9b19202ed4beb8dd16eae728c8cdc1c50c5186d577699ef45a8406e20646587e44baef608e31612b9714136d6ff83a837bc749fb3c3d599435bb

Download Submit
\Windows\system\ioftWMK.exe
MD5
c5f4593825c33552304d6284c039b329

SHA1
4439243e4f2f606ec581a3c3884b3bf9867de47e

SHA256
8383e8b439d8dfce412cdc45f02cdb0b00ce5098e60f4eb2abd8fa4188009add

SHA512
48857c59594972bdb2ce56bc66b5027a737eb9189cc96b39ff29b7f7f7ed5b608a6e9e7eeaf7f175de33c36cbfeefdc49391543e97c1634cdeb2d39cea66f084

Download Submit
\Windows\system\yzMQQJn.exe
MD5
482aed0c5a4908ade7439a960c4145d1

SHA1
76d7a23c17c30d7569aacb66a73807a810000b27

SHA256
d09843635c0beca12a41d275d9f911b8188e10358d4d4a258d020c7ec76cc9da

SHA512
0195e16c44a0dd1d8ecfda3f9a07ce1a35bf5f20870f102cdce92267bcade91ea207a9adfb65f2cd4482c1235b8a97b64e5a6914818f4cd8b2ec1ddd639358b3

Download Submit
memory/360-22-0x0000000000000000-mapping.dmp

Download
memory/920-19-0x0000000000000000-mapping.dmp

Download
memory/1424-1-0x0000000000000000-mapping.dmp

Download
memory/1564-4-0x0000000000000000-mapping.dmp

Download
memory/1632-16-0x0000000000000000-mapping.dmp

Download
memory/1956-13-0x0000000000000000-mapping.dmp

Download
memory/1968-10-0x0000000000000000-mapping.dmp

Download
memory/1984-7-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads