cobaltstrike | 357cf9b030eb6d8d48798fef447c99f01d6410124971dabd20261565903f1c5d

Analysis

max time kernel
51s
max time network
22s
platform
windows7_x64
resource
win7v20201028
submitted
10-11-2020 07:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

357cf9b030eb6d8d48798fef447c99f01d6410124971dabd20261565903f1c5d.exe
Size

5.2MB
MD5

cc8b5c07edc55011fbe2b6fe2920df26
SHA1

9f28ae239df5c36e938062fb72d042ef1635c825
SHA256

357cf9b030eb6d8d48798fef447c99f01d6410124971dabd20261565903f1c5d
SHA512

ffa7d57ad4848a840a6c0a189dc05ab0f94463fa8fe913e801302f101ecbcc5e3f97cecb76576c66dff6d3ceaeeff84b1ad217d24b4c3d766d53a29903f78207

Score

10^/10

cobaltstrike backdoor trojan upx

Malware Config

Signatures

Cobalt Strike reflective loader 13 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
\Windows\system\Onuidoa.exe	cobalt_reflective_dll
C:\Windows\system\Onuidoa.exe	cobalt_reflective_dll
\Windows\system\lcUZRYA.exe	cobalt_reflective_dll
\Windows\system\WoUUpcQ.exe	cobalt_reflective_dll
C:\Windows\system\WoUUpcQ.exe	cobalt_reflective_dll
C:\Windows\system\lcUZRYA.exe	cobalt_reflective_dll
\Windows\system\MPdecli.exe	cobalt_reflective_dll
C:\Windows\system\MPdecli.exe	cobalt_reflective_dll
\Windows\system\kkgYGMP.exe	cobalt_reflective_dll
\Windows\system\UcwPYBO.exe	cobalt_reflective_dll
C:\Windows\system\kkgYGMP.exe	cobalt_reflective_dll
C:\Windows\system\UcwPYBO.exe	cobalt_reflective_dll
\Windows\system\hEHjWJh.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Executes dropped EXE 6 IoCs

Processes:

Onuidoa.exelcUZRYA.exeWoUUpcQ.exeMPdecli.exekkgYGMP.exeUcwPYBO.exe

pid process

2036 Onuidoa.exe
1784 lcUZRYA.exe
1696 WoUUpcQ.exe
1772 MPdecli.exe
1768 kkgYGMP.exe
824 UcwPYBO.exe

pid	process
2036	Onuidoa.exe
1784	lcUZRYA.exe
1696	WoUUpcQ.exe
1772	MPdecli.exe
1768	kkgYGMP.exe
824	UcwPYBO.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Windows\system\Onuidoa.exe	upx
C:\Windows\system\Onuidoa.exe	upx
\Windows\system\lcUZRYA.exe	upx
\Windows\system\WoUUpcQ.exe	upx
C:\Windows\system\WoUUpcQ.exe	upx
C:\Windows\system\lcUZRYA.exe	upx
\Windows\system\MPdecli.exe	upx
C:\Windows\system\MPdecli.exe	upx
\Windows\system\kkgYGMP.exe	upx
\Windows\system\UcwPYBO.exe	upx
C:\Windows\system\kkgYGMP.exe	upx
C:\Windows\system\UcwPYBO.exe	upx
\Windows\system\hEHjWJh.exe	upx

Loads dropped DLL 7 IoCs

Processes:

357cf9b030eb6d8d48798fef447c99f01d6410124971dabd20261565903f1c5d.exe

pid	process
340	357cf9b030eb6d8d48798fef447c99f01d6410124971dabd20261565903f1c5d.exe
340	357cf9b030eb6d8d48798fef447c99f01d6410124971dabd20261565903f1c5d.exe
340	357cf9b030eb6d8d48798fef447c99f01d6410124971dabd20261565903f1c5d.exe
340	357cf9b030eb6d8d48798fef447c99f01d6410124971dabd20261565903f1c5d.exe
340	357cf9b030eb6d8d48798fef447c99f01d6410124971dabd20261565903f1c5d.exe
340	357cf9b030eb6d8d48798fef447c99f01d6410124971dabd20261565903f1c5d.exe
340	357cf9b030eb6d8d48798fef447c99f01d6410124971dabd20261565903f1c5d.exe

JavaScript code in executable 13 IoCs

Processes:

resource	yara_rule
\Windows\system\Onuidoa.exe	js
C:\Windows\system\Onuidoa.exe	js
\Windows\system\lcUZRYA.exe	js
\Windows\system\WoUUpcQ.exe	js
C:\Windows\system\WoUUpcQ.exe	js
C:\Windows\system\lcUZRYA.exe	js
\Windows\system\MPdecli.exe	js
C:\Windows\system\MPdecli.exe	js
\Windows\system\kkgYGMP.exe	js
\Windows\system\UcwPYBO.exe	js
C:\Windows\system\kkgYGMP.exe	js
C:\Windows\system\UcwPYBO.exe	js
\Windows\system\hEHjWJh.exe	js

Drops file in Windows directory 7 IoCs

Processes:

357cf9b030eb6d8d48798fef447c99f01d6410124971dabd20261565903f1c5d.exe

description	ioc	process
File created	C:\Windows\System\lcUZRYA.exe	357cf9b030eb6d8d48798fef447c99f01d6410124971dabd20261565903f1c5d.exe
File created	C:\Windows\System\WoUUpcQ.exe	357cf9b030eb6d8d48798fef447c99f01d6410124971dabd20261565903f1c5d.exe
File created	C:\Windows\System\MPdecli.exe	357cf9b030eb6d8d48798fef447c99f01d6410124971dabd20261565903f1c5d.exe
File created	C:\Windows\System\kkgYGMP.exe	357cf9b030eb6d8d48798fef447c99f01d6410124971dabd20261565903f1c5d.exe
File created	C:\Windows\System\UcwPYBO.exe	357cf9b030eb6d8d48798fef447c99f01d6410124971dabd20261565903f1c5d.exe
File created	C:\Windows\System\hEHjWJh.exe	357cf9b030eb6d8d48798fef447c99f01d6410124971dabd20261565903f1c5d.exe
File created	C:\Windows\System\Onuidoa.exe	357cf9b030eb6d8d48798fef447c99f01d6410124971dabd20261565903f1c5d.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

357cf9b030eb6d8d48798fef447c99f01d6410124971dabd20261565903f1c5d.exe

description	pid	process	target process
PID 340 wrote to memory of 2036	340	357cf9b030eb6d8d48798fef447c99f01d6410124971dabd20261565903f1c5d.exe	Onuidoa.exe
PID 340 wrote to memory of 2036	340	357cf9b030eb6d8d48798fef447c99f01d6410124971dabd20261565903f1c5d.exe	Onuidoa.exe
PID 340 wrote to memory of 2036	340	357cf9b030eb6d8d48798fef447c99f01d6410124971dabd20261565903f1c5d.exe	Onuidoa.exe
PID 340 wrote to memory of 1784	340	357cf9b030eb6d8d48798fef447c99f01d6410124971dabd20261565903f1c5d.exe	lcUZRYA.exe
PID 340 wrote to memory of 1784	340	357cf9b030eb6d8d48798fef447c99f01d6410124971dabd20261565903f1c5d.exe	lcUZRYA.exe
PID 340 wrote to memory of 1784	340	357cf9b030eb6d8d48798fef447c99f01d6410124971dabd20261565903f1c5d.exe	lcUZRYA.exe
PID 340 wrote to memory of 1696	340	357cf9b030eb6d8d48798fef447c99f01d6410124971dabd20261565903f1c5d.exe	WoUUpcQ.exe
PID 340 wrote to memory of 1696	340	357cf9b030eb6d8d48798fef447c99f01d6410124971dabd20261565903f1c5d.exe	WoUUpcQ.exe
PID 340 wrote to memory of 1696	340	357cf9b030eb6d8d48798fef447c99f01d6410124971dabd20261565903f1c5d.exe	WoUUpcQ.exe
PID 340 wrote to memory of 1772	340	357cf9b030eb6d8d48798fef447c99f01d6410124971dabd20261565903f1c5d.exe	MPdecli.exe
PID 340 wrote to memory of 1772	340	357cf9b030eb6d8d48798fef447c99f01d6410124971dabd20261565903f1c5d.exe	MPdecli.exe
PID 340 wrote to memory of 1772	340	357cf9b030eb6d8d48798fef447c99f01d6410124971dabd20261565903f1c5d.exe	MPdecli.exe
PID 340 wrote to memory of 1768	340	357cf9b030eb6d8d48798fef447c99f01d6410124971dabd20261565903f1c5d.exe	kkgYGMP.exe
PID 340 wrote to memory of 1768	340	357cf9b030eb6d8d48798fef447c99f01d6410124971dabd20261565903f1c5d.exe	kkgYGMP.exe
PID 340 wrote to memory of 1768	340	357cf9b030eb6d8d48798fef447c99f01d6410124971dabd20261565903f1c5d.exe	kkgYGMP.exe
PID 340 wrote to memory of 824	340	357cf9b030eb6d8d48798fef447c99f01d6410124971dabd20261565903f1c5d.exe	UcwPYBO.exe
PID 340 wrote to memory of 824	340	357cf9b030eb6d8d48798fef447c99f01d6410124971dabd20261565903f1c5d.exe	UcwPYBO.exe
PID 340 wrote to memory of 824	340	357cf9b030eb6d8d48798fef447c99f01d6410124971dabd20261565903f1c5d.exe	UcwPYBO.exe
PID 340 wrote to memory of 1588	340	357cf9b030eb6d8d48798fef447c99f01d6410124971dabd20261565903f1c5d.exe	hEHjWJh.exe
PID 340 wrote to memory of 1588	340	357cf9b030eb6d8d48798fef447c99f01d6410124971dabd20261565903f1c5d.exe	hEHjWJh.exe
PID 340 wrote to memory of 1588	340	357cf9b030eb6d8d48798fef447c99f01d6410124971dabd20261565903f1c5d.exe	hEHjWJh.exe

C:\Users\Admin\AppData\Local\Temp\357cf9b030eb6d8d48798fef447c99f01d6410124971dabd20261565903f1c5d.exe
"C:\Users\Admin\AppData\Local\Temp\357cf9b030eb6d8d48798fef447c99f01d6410124971dabd20261565903f1c5d.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:340

C:\Windows\System\Onuidoa.exe
C:\Windows\System\Onuidoa.exe
2⤵
- Executes dropped EXE
PID:2036

C:\Windows\System\lcUZRYA.exe
C:\Windows\System\lcUZRYA.exe
2⤵
- Executes dropped EXE
PID:1784

C:\Windows\System\WoUUpcQ.exe
C:\Windows\System\WoUUpcQ.exe
2⤵
- Executes dropped EXE
PID:1696

C:\Windows\System\MPdecli.exe
C:\Windows\System\MPdecli.exe
2⤵
- Executes dropped EXE
PID:1772

C:\Windows\System\kkgYGMP.exe
C:\Windows\System\kkgYGMP.exe
2⤵
- Executes dropped EXE
PID:1768

C:\Windows\System\UcwPYBO.exe
C:\Windows\System\UcwPYBO.exe
2⤵
- Executes dropped EXE
PID:824

C:\Windows\System\hEHjWJh.exe
C:\Windows\System\hEHjWJh.exe
2⤵
PID:1588

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\MPdecli.exe
MD5
6dba547bcb6da8c14dbc1530aece8403

SHA1
11370c63163413f39ed9130d62ba309442ddfe53

SHA256
fec1c1662af680415ea85d7643daf0c6d2209657abfd5f1a78dfab31a5553899

SHA512
69fb269f520cd70fbc35307b1ed315521923bea0d61c01bc50a444acf356ae8926545e05d766e23b6c816786b529ae4af0fa5a384cca535d248afbe27b4bd1be

Download Submit
C:\Windows\system\Onuidoa.exe
MD5
c6741977b68693f4f4e4180895a9058e

SHA1
a52bf8e8bf3f2641b12c8cbb5d48c34937c32c38

SHA256
29830c32483ca6bf66da782530b14024f00c9ebd870fc2d600ef285eed11fe03

SHA512
e75b1f1117bcd58ab30b830e6bd53ff49a2e395e44c590f12aed53d550894e384db5d59bdf426fe15d48fed35d8b5ecb39f7509052017f85e3b617b0994d44b0

Download Submit
C:\Windows\system\UcwPYBO.exe
MD5
60065374483db7f2f56ec78464ab3af1

SHA1
4c7948fa8f69d8b4ae4c29359b26dbb6e5226f4b

SHA256
24a50625b4cbf4f9e5e78b811df6a39e8d3e8e1fa0ad7af42b89123cc4f5c1aa

SHA512
9a373f75ae8c7df7ea33212ebbfa91e29285f9f467b36eb851b8c516bd3a3e440d4355425c63fff0629810aa66c591db614b1c27c6805522ef0d26293eba2570

Download Submit
C:\Windows\system\WoUUpcQ.exe
MD5
ce05b4b7711718651234891b1d272814

SHA1
9da506fd4ab42d2f58790ac0bb23d198330e0caa

SHA256
d4569511e8de63b7b7292e9f35e65569589ca7a0eb43ebf0da910cca90ce25f3

SHA512
15d04869bbf23046e038bfcea87907d1e97019a061715827e85153122934d4c6e23754fb4ba030cb06288ea8fa40eee85924e85a12ebcbd2eef0593d6802f7c2

Download Submit
C:\Windows\system\kkgYGMP.exe
MD5
f43b7191d6195040bfd9d295aef3ea11

SHA1
397f06cabfd73e62e424092164515948ba30b2bc

SHA256
208a990f188854f7d26357de7eb50207ce04d5dde2a22b204f75fecf38bde028

SHA512
4330f86eaf77404c65ff7e6c841356eefeb5a00b01f33d363ccd1c3ea79c55839c41d97c93f168a5cd8a7b150e9370c73ea087dab60287889ebd22afdeb51b40

Download Submit
C:\Windows\system\lcUZRYA.exe
MD5
d59a48b4d692960464f218cf46f2115e

SHA1
b8ede8c1efe886a7a139a8155c56167ee1ee52e5

SHA256
9224fb8ee9a71fb15112ab8e82521b62dd44440c2aa5611a18952fd52693bb42

SHA512
3bcd1722149ba0525ddbcb064031650b0996ce7df365241d80f55687e7a3fac5993eed0a4499ca1b6b8472b2340e7482bfcc221d788519ed1ea31741f62de34d

Download Submit
\Windows\system\MPdecli.exe
MD5
6dba547bcb6da8c14dbc1530aece8403

SHA1
11370c63163413f39ed9130d62ba309442ddfe53

SHA256
fec1c1662af680415ea85d7643daf0c6d2209657abfd5f1a78dfab31a5553899

SHA512
69fb269f520cd70fbc35307b1ed315521923bea0d61c01bc50a444acf356ae8926545e05d766e23b6c816786b529ae4af0fa5a384cca535d248afbe27b4bd1be

Download Submit
\Windows\system\Onuidoa.exe
MD5
c6741977b68693f4f4e4180895a9058e

SHA1
a52bf8e8bf3f2641b12c8cbb5d48c34937c32c38

SHA256
29830c32483ca6bf66da782530b14024f00c9ebd870fc2d600ef285eed11fe03

SHA512
e75b1f1117bcd58ab30b830e6bd53ff49a2e395e44c590f12aed53d550894e384db5d59bdf426fe15d48fed35d8b5ecb39f7509052017f85e3b617b0994d44b0

Download Submit
\Windows\system\UcwPYBO.exe
MD5
60065374483db7f2f56ec78464ab3af1

SHA1
4c7948fa8f69d8b4ae4c29359b26dbb6e5226f4b

SHA256
24a50625b4cbf4f9e5e78b811df6a39e8d3e8e1fa0ad7af42b89123cc4f5c1aa

SHA512
9a373f75ae8c7df7ea33212ebbfa91e29285f9f467b36eb851b8c516bd3a3e440d4355425c63fff0629810aa66c591db614b1c27c6805522ef0d26293eba2570

Download Submit
\Windows\system\WoUUpcQ.exe
MD5
ce05b4b7711718651234891b1d272814

SHA1
9da506fd4ab42d2f58790ac0bb23d198330e0caa

SHA256
d4569511e8de63b7b7292e9f35e65569589ca7a0eb43ebf0da910cca90ce25f3

SHA512
15d04869bbf23046e038bfcea87907d1e97019a061715827e85153122934d4c6e23754fb4ba030cb06288ea8fa40eee85924e85a12ebcbd2eef0593d6802f7c2

Download Submit
\Windows\system\hEHjWJh.exe
MD5
2533bde6412194e2d03cb767cdcf589e

SHA1
d8e2fa0dddfa5ed13699f9d50aae9b93adcf99c1

SHA256
cfdf7d0e0174597c03ad59b2be5966d637208fc40bccf391bbd52e5e28bb123c

SHA512
b24dba985fca1d42510b5c371c1d7047a701eeebe557dc7d49d6369beb7e1b8715a4fc9817a444a7ad71726c65f516fe99ff9703e10454adf505812609b284cc

Download Submit
\Windows\system\kkgYGMP.exe
MD5
f43b7191d6195040bfd9d295aef3ea11

SHA1
397f06cabfd73e62e424092164515948ba30b2bc

SHA256
208a990f188854f7d26357de7eb50207ce04d5dde2a22b204f75fecf38bde028

SHA512
4330f86eaf77404c65ff7e6c841356eefeb5a00b01f33d363ccd1c3ea79c55839c41d97c93f168a5cd8a7b150e9370c73ea087dab60287889ebd22afdeb51b40

Download Submit
\Windows\system\lcUZRYA.exe
MD5
d59a48b4d692960464f218cf46f2115e

SHA1
b8ede8c1efe886a7a139a8155c56167ee1ee52e5

SHA256
9224fb8ee9a71fb15112ab8e82521b62dd44440c2aa5611a18952fd52693bb42

SHA512
3bcd1722149ba0525ddbcb064031650b0996ce7df365241d80f55687e7a3fac5993eed0a4499ca1b6b8472b2340e7482bfcc221d788519ed1ea31741f62de34d

Download Submit
memory/824-15-0x0000000000000000-mapping.dmp

Download
memory/1588-19-0x0000000000000000-mapping.dmp

Download
memory/1696-7-0x0000000000000000-mapping.dmp

Download
memory/1768-13-0x0000000000000000-mapping.dmp

Download
memory/1772-10-0x0000000000000000-mapping.dmp

Download
memory/1784-4-0x0000000000000000-mapping.dmp

Download
memory/2036-1-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads