cobaltstrike | 80621984fb658514df5c42229f20612ea3d2f5af55448639f5d7e87fa8129c5c

Analysis

max time kernel
46s
max time network
19s
platform
windows7_x64
resource
win7v20201028
submitted
10-11-2020 07:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

80621984fb658514df5c42229f20612ea3d2f5af55448639f5d7e87fa8129c5c.exe
Size

5.9MB
MD5

a539cc8fca9d74875bb3f2a3c93efa66
SHA1

509186674aa462e12e66dae224c030cf69bd53b9
SHA256

80621984fb658514df5c42229f20612ea3d2f5af55448639f5d7e87fa8129c5c
SHA512

d22600c22dedf56ae990b089139bd2287c1ea8f6cb76dda59ae529be58f427b3621782099919e6caf022311160883ca4f51b7ae098073ac538c0119515a62cf9

Score

10^/10

cobaltstrike backdoor trojan upx

Malware Config

Signatures

Cobalt Strike reflective loader 17 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
\Windows\system\eNsmbfm.exe	cobalt_reflective_dll
C:\Windows\system\eNsmbfm.exe	cobalt_reflective_dll
\Windows\system\OsRvuTh.exe	cobalt_reflective_dll
C:\Windows\system\OsRvuTh.exe	cobalt_reflective_dll
\Windows\system\RJupAQy.exe	cobalt_reflective_dll
C:\Windows\system\RJupAQy.exe	cobalt_reflective_dll
\Windows\system\jmBtCxw.exe	cobalt_reflective_dll
C:\Windows\system\jmBtCxw.exe	cobalt_reflective_dll
\Windows\system\kPbaifJ.exe	cobalt_reflective_dll
C:\Windows\system\kPbaifJ.exe	cobalt_reflective_dll
\Windows\system\thseAkM.exe	cobalt_reflective_dll
C:\Windows\system\thseAkM.exe	cobalt_reflective_dll
\Windows\system\xApRYPI.exe	cobalt_reflective_dll
C:\Windows\system\xApRYPI.exe	cobalt_reflective_dll
\Windows\system\QABBnFY.exe	cobalt_reflective_dll
\Windows\system\jxvighH.exe	cobalt_reflective_dll
C:\Windows\system\QABBnFY.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Executes dropped EXE 8 IoCs

Processes:

eNsmbfm.exeOsRvuTh.exeRJupAQy.exejmBtCxw.exekPbaifJ.exethseAkM.exexApRYPI.exeQABBnFY.exe

pid process

1252 eNsmbfm.exe
1308 OsRvuTh.exe
1944 RJupAQy.exe
1984 jmBtCxw.exe
336 kPbaifJ.exe
1948 thseAkM.exe
812 xApRYPI.exe
1692 QABBnFY.exe

pid	process
1252	eNsmbfm.exe
1308	OsRvuTh.exe
1944	RJupAQy.exe
1984	jmBtCxw.exe
336	kPbaifJ.exe
1948	thseAkM.exe
812	xApRYPI.exe
1692	QABBnFY.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Windows\system\eNsmbfm.exe	upx
C:\Windows\system\eNsmbfm.exe	upx
\Windows\system\OsRvuTh.exe	upx
C:\Windows\system\OsRvuTh.exe	upx
\Windows\system\RJupAQy.exe	upx
C:\Windows\system\RJupAQy.exe	upx
\Windows\system\jmBtCxw.exe	upx
C:\Windows\system\jmBtCxw.exe	upx
\Windows\system\kPbaifJ.exe	upx
C:\Windows\system\kPbaifJ.exe	upx
\Windows\system\thseAkM.exe	upx
C:\Windows\system\thseAkM.exe	upx
\Windows\system\xApRYPI.exe	upx
C:\Windows\system\xApRYPI.exe	upx
\Windows\system\QABBnFY.exe	upx
\Windows\system\jxvighH.exe	upx
C:\Windows\system\QABBnFY.exe	upx

Loads dropped DLL 9 IoCs

Processes:

80621984fb658514df5c42229f20612ea3d2f5af55448639f5d7e87fa8129c5c.exe

pid	process
1584	80621984fb658514df5c42229f20612ea3d2f5af55448639f5d7e87fa8129c5c.exe
1584	80621984fb658514df5c42229f20612ea3d2f5af55448639f5d7e87fa8129c5c.exe
1584	80621984fb658514df5c42229f20612ea3d2f5af55448639f5d7e87fa8129c5c.exe
1584	80621984fb658514df5c42229f20612ea3d2f5af55448639f5d7e87fa8129c5c.exe
1584	80621984fb658514df5c42229f20612ea3d2f5af55448639f5d7e87fa8129c5c.exe
1584	80621984fb658514df5c42229f20612ea3d2f5af55448639f5d7e87fa8129c5c.exe
1584	80621984fb658514df5c42229f20612ea3d2f5af55448639f5d7e87fa8129c5c.exe
1584	80621984fb658514df5c42229f20612ea3d2f5af55448639f5d7e87fa8129c5c.exe
1584	80621984fb658514df5c42229f20612ea3d2f5af55448639f5d7e87fa8129c5c.exe

JavaScript code in executable 17 IoCs

Processes:

resource	yara_rule
\Windows\system\eNsmbfm.exe	js
C:\Windows\system\eNsmbfm.exe	js
\Windows\system\OsRvuTh.exe	js
C:\Windows\system\OsRvuTh.exe	js
\Windows\system\RJupAQy.exe	js
C:\Windows\system\RJupAQy.exe	js
\Windows\system\jmBtCxw.exe	js
C:\Windows\system\jmBtCxw.exe	js
\Windows\system\kPbaifJ.exe	js
C:\Windows\system\kPbaifJ.exe	js
\Windows\system\thseAkM.exe	js
C:\Windows\system\thseAkM.exe	js
\Windows\system\xApRYPI.exe	js
C:\Windows\system\xApRYPI.exe	js
\Windows\system\QABBnFY.exe	js
\Windows\system\jxvighH.exe	js
C:\Windows\system\QABBnFY.exe	js

Drops file in Windows directory 9 IoCs

Processes:

80621984fb658514df5c42229f20612ea3d2f5af55448639f5d7e87fa8129c5c.exe

description	ioc	process
File created	C:\Windows\System\OsRvuTh.exe	80621984fb658514df5c42229f20612ea3d2f5af55448639f5d7e87fa8129c5c.exe
File created	C:\Windows\System\RJupAQy.exe	80621984fb658514df5c42229f20612ea3d2f5af55448639f5d7e87fa8129c5c.exe
File created	C:\Windows\System\jmBtCxw.exe	80621984fb658514df5c42229f20612ea3d2f5af55448639f5d7e87fa8129c5c.exe
File created	C:\Windows\System\thseAkM.exe	80621984fb658514df5c42229f20612ea3d2f5af55448639f5d7e87fa8129c5c.exe
File created	C:\Windows\System\eNsmbfm.exe	80621984fb658514df5c42229f20612ea3d2f5af55448639f5d7e87fa8129c5c.exe
File created	C:\Windows\System\xApRYPI.exe	80621984fb658514df5c42229f20612ea3d2f5af55448639f5d7e87fa8129c5c.exe
File created	C:\Windows\System\QABBnFY.exe	80621984fb658514df5c42229f20612ea3d2f5af55448639f5d7e87fa8129c5c.exe
File created	C:\Windows\System\jxvighH.exe	80621984fb658514df5c42229f20612ea3d2f5af55448639f5d7e87fa8129c5c.exe
File created	C:\Windows\System\kPbaifJ.exe	80621984fb658514df5c42229f20612ea3d2f5af55448639f5d7e87fa8129c5c.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

80621984fb658514df5c42229f20612ea3d2f5af55448639f5d7e87fa8129c5c.exe

description	pid	process	target process
PID 1584 wrote to memory of 1252	1584	80621984fb658514df5c42229f20612ea3d2f5af55448639f5d7e87fa8129c5c.exe	eNsmbfm.exe
PID 1584 wrote to memory of 1252	1584	80621984fb658514df5c42229f20612ea3d2f5af55448639f5d7e87fa8129c5c.exe	eNsmbfm.exe
PID 1584 wrote to memory of 1252	1584	80621984fb658514df5c42229f20612ea3d2f5af55448639f5d7e87fa8129c5c.exe	eNsmbfm.exe
PID 1584 wrote to memory of 1308	1584	80621984fb658514df5c42229f20612ea3d2f5af55448639f5d7e87fa8129c5c.exe	OsRvuTh.exe
PID 1584 wrote to memory of 1308	1584	80621984fb658514df5c42229f20612ea3d2f5af55448639f5d7e87fa8129c5c.exe	OsRvuTh.exe
PID 1584 wrote to memory of 1308	1584	80621984fb658514df5c42229f20612ea3d2f5af55448639f5d7e87fa8129c5c.exe	OsRvuTh.exe
PID 1584 wrote to memory of 1944	1584	80621984fb658514df5c42229f20612ea3d2f5af55448639f5d7e87fa8129c5c.exe	RJupAQy.exe
PID 1584 wrote to memory of 1944	1584	80621984fb658514df5c42229f20612ea3d2f5af55448639f5d7e87fa8129c5c.exe	RJupAQy.exe
PID 1584 wrote to memory of 1944	1584	80621984fb658514df5c42229f20612ea3d2f5af55448639f5d7e87fa8129c5c.exe	RJupAQy.exe
PID 1584 wrote to memory of 1984	1584	80621984fb658514df5c42229f20612ea3d2f5af55448639f5d7e87fa8129c5c.exe	jmBtCxw.exe
PID 1584 wrote to memory of 1984	1584	80621984fb658514df5c42229f20612ea3d2f5af55448639f5d7e87fa8129c5c.exe	jmBtCxw.exe
PID 1584 wrote to memory of 1984	1584	80621984fb658514df5c42229f20612ea3d2f5af55448639f5d7e87fa8129c5c.exe	jmBtCxw.exe
PID 1584 wrote to memory of 336	1584	80621984fb658514df5c42229f20612ea3d2f5af55448639f5d7e87fa8129c5c.exe	kPbaifJ.exe
PID 1584 wrote to memory of 336	1584	80621984fb658514df5c42229f20612ea3d2f5af55448639f5d7e87fa8129c5c.exe	kPbaifJ.exe
PID 1584 wrote to memory of 336	1584	80621984fb658514df5c42229f20612ea3d2f5af55448639f5d7e87fa8129c5c.exe	kPbaifJ.exe
PID 1584 wrote to memory of 1948	1584	80621984fb658514df5c42229f20612ea3d2f5af55448639f5d7e87fa8129c5c.exe	thseAkM.exe
PID 1584 wrote to memory of 1948	1584	80621984fb658514df5c42229f20612ea3d2f5af55448639f5d7e87fa8129c5c.exe	thseAkM.exe
PID 1584 wrote to memory of 1948	1584	80621984fb658514df5c42229f20612ea3d2f5af55448639f5d7e87fa8129c5c.exe	thseAkM.exe
PID 1584 wrote to memory of 812	1584	80621984fb658514df5c42229f20612ea3d2f5af55448639f5d7e87fa8129c5c.exe	xApRYPI.exe
PID 1584 wrote to memory of 812	1584	80621984fb658514df5c42229f20612ea3d2f5af55448639f5d7e87fa8129c5c.exe	xApRYPI.exe
PID 1584 wrote to memory of 812	1584	80621984fb658514df5c42229f20612ea3d2f5af55448639f5d7e87fa8129c5c.exe	xApRYPI.exe
PID 1584 wrote to memory of 1692	1584	80621984fb658514df5c42229f20612ea3d2f5af55448639f5d7e87fa8129c5c.exe	QABBnFY.exe
PID 1584 wrote to memory of 1692	1584	80621984fb658514df5c42229f20612ea3d2f5af55448639f5d7e87fa8129c5c.exe	QABBnFY.exe
PID 1584 wrote to memory of 1692	1584	80621984fb658514df5c42229f20612ea3d2f5af55448639f5d7e87fa8129c5c.exe	QABBnFY.exe
PID 1584 wrote to memory of 1952	1584	80621984fb658514df5c42229f20612ea3d2f5af55448639f5d7e87fa8129c5c.exe	jxvighH.exe
PID 1584 wrote to memory of 1952	1584	80621984fb658514df5c42229f20612ea3d2f5af55448639f5d7e87fa8129c5c.exe	jxvighH.exe
PID 1584 wrote to memory of 1952	1584	80621984fb658514df5c42229f20612ea3d2f5af55448639f5d7e87fa8129c5c.exe	jxvighH.exe

C:\Users\Admin\AppData\Local\Temp\80621984fb658514df5c42229f20612ea3d2f5af55448639f5d7e87fa8129c5c.exe
"C:\Users\Admin\AppData\Local\Temp\80621984fb658514df5c42229f20612ea3d2f5af55448639f5d7e87fa8129c5c.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1584

C:\Windows\System\eNsmbfm.exe
C:\Windows\System\eNsmbfm.exe
2⤵
- Executes dropped EXE
PID:1252

C:\Windows\System\OsRvuTh.exe
C:\Windows\System\OsRvuTh.exe
2⤵
- Executes dropped EXE
PID:1308

C:\Windows\System\RJupAQy.exe
C:\Windows\System\RJupAQy.exe
2⤵
- Executes dropped EXE
PID:1944

C:\Windows\System\jmBtCxw.exe
C:\Windows\System\jmBtCxw.exe
2⤵
- Executes dropped EXE
PID:1984

C:\Windows\System\kPbaifJ.exe
C:\Windows\System\kPbaifJ.exe
2⤵
- Executes dropped EXE
PID:336

C:\Windows\System\thseAkM.exe
C:\Windows\System\thseAkM.exe
2⤵
- Executes dropped EXE
PID:1948

C:\Windows\System\xApRYPI.exe
C:\Windows\System\xApRYPI.exe
2⤵
- Executes dropped EXE
PID:812

C:\Windows\System\QABBnFY.exe
C:\Windows\System\QABBnFY.exe
2⤵
- Executes dropped EXE
PID:1692

C:\Windows\System\jxvighH.exe
C:\Windows\System\jxvighH.exe
2⤵
PID:1952

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\OsRvuTh.exe
MD5
89fb53033b7d2bbbb062e49cfb0c3587

SHA1
de9a6843f8c83f8e1add82a86ce3d2afc60bbed3

SHA256
4e5c4cd87ab33e0cc12df5526d20a7ac4b19f78e6ae94a8f3c8edefef9aa7975

SHA512
9e4f9e39e37e9b42f920c5ab56c8842b6627501b55fc8a64829bdf1b85367cb195c97e59a9f7ea431d3c87e3ad9a5fb56ca7e3c1bd66cba79d68072adb2f1a09

Download Submit
C:\Windows\system\QABBnFY.exe
MD5
5ae329a54d34d9c5f085046dc1967e6b

SHA1
31974e6758c439195dd4cd8ba285ca56fc92c953

SHA256
5095563d1fed2f21edb84e38eb93d1f4d97de9e17e643e9e9b2a79be283e7b9b

SHA512
c35d887f1a16b3e25b82eb944e3af21c0f0e2040ed15fd144139496d449968979ed3c16aaf2741368e4dd8f3aab85806ed98a164c7ef329ec874c4c256dfa600

Download Submit
C:\Windows\system\RJupAQy.exe
MD5
eb003a4f8e75f50e438ff2e8e6fda059

SHA1
b08ec27f84ca6ed920c34775faf6eee0711ed8d2

SHA256
7a79bc68bb015bae37ee1e5c1df03d28d4005902cc8fdd01ad11dc3c9d6caad4

SHA512
6c31984907403112518e9fcee6e2e7a5b76b9d3473a7193022930aa7eabb160e3749b89e82211d686dedf28e12b2d6f278ceaca44f939bc9b6452110319a1430

Download Submit
C:\Windows\system\eNsmbfm.exe
MD5
c7c6c684b2462f1875ec71e8a20688a5

SHA1
2dab64ed774b0d6e9d35db23148b6e7484da3526

SHA256
63011346f43f694c066239f12b603321fe0a15bc48e970950aca597752d08a9e

SHA512
a39f77b95a5a7858a056bd7da18fceb4ac799fc87ab0f893c9982f508157386f788959567813e2d5e8576ef5aff0148237ea6ac48b73698fa521b53f09463ff0

Download Submit
C:\Windows\system\jmBtCxw.exe
MD5
d9d773d7c72ec45675d39314a0fa3df3

SHA1
9a5a79737591e057b88ab6cb0d62f8d5845fdecf

SHA256
2af918745a32415d87dacc90784b8c274d739037169a7ed344decb8ad8d6ec0d

SHA512
f7e6ef7f7c4fd7a2bc0252181415930137382c57000c45acc3f2a982764a4c43600a03d3dd919fa9a1d5f7e4b14282afd9b16c1be40113a51668d785d7cf37cf

Download Submit
C:\Windows\system\kPbaifJ.exe
MD5
48a96baa3c7d419e48a5ce27859f6b2a

SHA1
cc427512381895df593960cdb269f61cc88e27e9

SHA256
5cdac66fd4f0353d8a4cab9f1c074bab36376f8b880a454cee2f4f7851bf2a1b

SHA512
024649f2cf3433ddb396a9b0528d30007db2d04d4d324ceaeb63ba1e49e850cc596d442f1d81c4d20f99f63401ff901bcdf45b265383c7cac51c8cd320355abe

Download Submit
C:\Windows\system\thseAkM.exe
MD5
3c848367e143245909964fa04e0e3f54

SHA1
e5a0e3308cb573568f938bef602120caf38975bf

SHA256
4e7f09301839517ca73e0b8ecc85542bb9719ab40eb5c99d3a5c3d190fb24f37

SHA512
1d53be212e01813d4c69d2e48f1c11db85d593b7d1cde68cc529de9fd4f1014b23388592fffe7383f961225bfe79605e5d3b64deb2c2187b89f10a7309b67bb7

Download Submit
C:\Windows\system\xApRYPI.exe
MD5
ddb14067afbcea1c3d49692d28c5c071

SHA1
cc77ccb60a9e4f88334dd2e42cbbfebac993d037

SHA256
f8299f54835cf98a0d9b9b2f38ddb81a3f04cabfb4fce32d61b56cda247f6b88

SHA512
20305ab3bf6b711891aef78975425860b144bfd6b7609033b8a4fc6f1487dfdffbb31fc35fde134d3186e5af9b6594083ff1bb450c7b3797853e11cddf948f71

Download Submit
\Windows\system\OsRvuTh.exe
MD5
89fb53033b7d2bbbb062e49cfb0c3587

SHA1
de9a6843f8c83f8e1add82a86ce3d2afc60bbed3

SHA256
4e5c4cd87ab33e0cc12df5526d20a7ac4b19f78e6ae94a8f3c8edefef9aa7975

SHA512
9e4f9e39e37e9b42f920c5ab56c8842b6627501b55fc8a64829bdf1b85367cb195c97e59a9f7ea431d3c87e3ad9a5fb56ca7e3c1bd66cba79d68072adb2f1a09

Download Submit
\Windows\system\QABBnFY.exe
MD5
5ae329a54d34d9c5f085046dc1967e6b

SHA1
31974e6758c439195dd4cd8ba285ca56fc92c953

SHA256
5095563d1fed2f21edb84e38eb93d1f4d97de9e17e643e9e9b2a79be283e7b9b

SHA512
c35d887f1a16b3e25b82eb944e3af21c0f0e2040ed15fd144139496d449968979ed3c16aaf2741368e4dd8f3aab85806ed98a164c7ef329ec874c4c256dfa600

Download Submit
\Windows\system\RJupAQy.exe
MD5
eb003a4f8e75f50e438ff2e8e6fda059

SHA1
b08ec27f84ca6ed920c34775faf6eee0711ed8d2

SHA256
7a79bc68bb015bae37ee1e5c1df03d28d4005902cc8fdd01ad11dc3c9d6caad4

SHA512
6c31984907403112518e9fcee6e2e7a5b76b9d3473a7193022930aa7eabb160e3749b89e82211d686dedf28e12b2d6f278ceaca44f939bc9b6452110319a1430

Download Submit
\Windows\system\eNsmbfm.exe
MD5
c7c6c684b2462f1875ec71e8a20688a5

SHA1
2dab64ed774b0d6e9d35db23148b6e7484da3526

SHA256
63011346f43f694c066239f12b603321fe0a15bc48e970950aca597752d08a9e

SHA512
a39f77b95a5a7858a056bd7da18fceb4ac799fc87ab0f893c9982f508157386f788959567813e2d5e8576ef5aff0148237ea6ac48b73698fa521b53f09463ff0

Download Submit
\Windows\system\jmBtCxw.exe
MD5
d9d773d7c72ec45675d39314a0fa3df3

SHA1
9a5a79737591e057b88ab6cb0d62f8d5845fdecf

SHA256
2af918745a32415d87dacc90784b8c274d739037169a7ed344decb8ad8d6ec0d

SHA512
f7e6ef7f7c4fd7a2bc0252181415930137382c57000c45acc3f2a982764a4c43600a03d3dd919fa9a1d5f7e4b14282afd9b16c1be40113a51668d785d7cf37cf

Download Submit
\Windows\system\jxvighH.exe
MD5
275b240fc932614ff8789301c0be236f

SHA1
d45861b1076d9e55f65fb707651c6dd74f73bc20

SHA256
7795a9ad29200ef1364a2250c6396d93d74285ccda74e2e6388ef493c2fb399a

SHA512
590ac7c516896e539f3c896c8a67a1c1b1c595ae4785ef8e4655530b1ca1da5b7250f5832fcd1ffb603efb64952fe8b5d3be5345d7e7614b9bf6830f6cc5fe72

Download Submit
\Windows\system\kPbaifJ.exe
MD5
48a96baa3c7d419e48a5ce27859f6b2a

SHA1
cc427512381895df593960cdb269f61cc88e27e9

SHA256
5cdac66fd4f0353d8a4cab9f1c074bab36376f8b880a454cee2f4f7851bf2a1b

SHA512
024649f2cf3433ddb396a9b0528d30007db2d04d4d324ceaeb63ba1e49e850cc596d442f1d81c4d20f99f63401ff901bcdf45b265383c7cac51c8cd320355abe

Download Submit
\Windows\system\thseAkM.exe
MD5
3c848367e143245909964fa04e0e3f54

SHA1
e5a0e3308cb573568f938bef602120caf38975bf

SHA256
4e7f09301839517ca73e0b8ecc85542bb9719ab40eb5c99d3a5c3d190fb24f37

SHA512
1d53be212e01813d4c69d2e48f1c11db85d593b7d1cde68cc529de9fd4f1014b23388592fffe7383f961225bfe79605e5d3b64deb2c2187b89f10a7309b67bb7

Download Submit
\Windows\system\xApRYPI.exe
MD5
ddb14067afbcea1c3d49692d28c5c071

SHA1
cc77ccb60a9e4f88334dd2e42cbbfebac993d037

SHA256
f8299f54835cf98a0d9b9b2f38ddb81a3f04cabfb4fce32d61b56cda247f6b88

SHA512
20305ab3bf6b711891aef78975425860b144bfd6b7609033b8a4fc6f1487dfdffbb31fc35fde134d3186e5af9b6594083ff1bb450c7b3797853e11cddf948f71

Download Submit
memory/336-13-0x0000000000000000-mapping.dmp

Download
memory/812-19-0x0000000000000000-mapping.dmp

Download
memory/1252-1-0x0000000000000000-mapping.dmp

Download
memory/1308-4-0x0000000000000000-mapping.dmp

Download
memory/1692-22-0x0000000000000000-mapping.dmp

Download
memory/1944-7-0x0000000000000000-mapping.dmp

Download
memory/1948-16-0x0000000000000000-mapping.dmp

Download
memory/1952-25-0x0000000000000000-mapping.dmp

Download
memory/1984-10-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads