Analysis
- max time kernel: 1798s
- max time network: 1801s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 16-11-2020 19:42
- Static task: static1
- Behavioral task: behavioral1
  - Sample: cobaltstrike_shellcode.bin.exe
  - Resource: win10v20201028
General
- Target: cobaltstrike_shellcode.bin.exe
- Size: 219KB
- MD5: 8e4d8b8796d2188324a0cfd6fdc8de92
- SHA1: 9e7a053d34eb00e732e470bc28cc1fa4aa030b8f
- SHA256: 1ae532cc0fa2e16cac4f23e289741e256cf517afbbb536aeeb0d7cd601bc05a1
- SHA512: db4ced8b71b63a7bd48a5bf96270e99c7380865ec31e875b9e0862535298828f4bbae3a4feeb52ef507a8ba461b744c1ce338e3ed191e90cb7079f209ecdbcf3
Malware Config
Extracted: cobaltstrike
C2: http://47.91.237.42:8898/IE9CompatViewList.xml
- access_type: 512
- beacon_type: 0 (HTTP)
- create_remote_thread: 0
- day: 0 (no kill date set; see month and year)
- dns_idle: 0
- dns_sleep: 0
- host: 47.91.237.42,/IE9CompatViewList.xml (C2 host and the http-get URI)
- http_header1 (http-get client transform, base64-encoded opcode program, zero-padded; it decodes to: build metadata, base64, header "Cookie"):
  AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- http_header2 (http-post client transform; it decodes to: const_header "Content-Type: application/octet-stream", build metadata, parameter "id", build output, print):
  AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- http_method1: GET
- http_method2: POST
- injection_process: (empty)
- jitter: 0 (no sleep jitter)
- maxdns: 255
- month: 0
- pipe_name: (empty)
- polling_time: 60000 (ms, i.e. a fixed 60 s sleep between check-ins)
- port_number: 8898
- proxy_password: (empty)
- proxy_server: (empty)
- proxy_username: (empty)
- sc_process32: %windir%\syswow64\rundll32.exe
- sc_process64: %windir%\sysnative\rundll32.exe (spawnto targets for post-exploitation jobs; these are the Cobalt Strike defaults)
- state_machine (the extractor's label; the value is a base64 DER SubjectPublicKeyInfo, i.e. the 1024-bit RSA public key Beacon uses to encrypt its session metadata, zero-padded):
  MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDS7zRQv7EhhTkbgDrCNBsNay7lzQFmcC/GWwjOq93nKwPSszjIKgtW8nwhtoRhr6MFZx4DSYFdeuJDrtJNcTZz2C/LgZzhSQJmhiEqCkVqPPCfK1C6S4PzDrzy9L794rPLOuoewlGAXgiH5/Ae2aC5k2wedRNfes3DJZDDCaJJYwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- unknown1: 4096
- unknown2 (zero-padded):
  AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- unknown3: 0
- unknown4: 0
- unknown5: 2.018915346e+09 (the integer 2018915346, 0x78563412, rendered as a float by the extractor)
- uri: /submit.php (the http-post URI)
- user_agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; InfoPath.1)
- year: 0
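The two http_header values are Beacon's Malleable C2 client transforms for the GET and POST requests, stored as big-endian 32-bit opcodes with length-prefixed string arguments and zero-padded to the field size. The decoder below is an added example written for this page, not code from the sandbox, from the sample or from Cobalt Strike. It uses the opcode table the public config parsers use (only opcodes 3, 4, 5, 6, 7 and 10 occur in this sample) and embeds just the leading, non-zero part of each blob from the report; the trailing zero padding would decode as the terminating opcode anyway. The slot names for "build" are this example's labels.

```python
import base64
import struct

# Opcode table for Beacon's HTTP client transform programs (the table the public config
# parsers use). String-argument opcodes carry a 4-byte length followed by the bytes.
OPCODES = {
    1: "append", 2: "prepend", 3: "base64", 4: "print", 5: "parameter",
    6: "header", 7: "build", 8: "netbios", 9: "const_parameter",
    10: "const_header", 11: "netbiosu", 12: "uri_append", 13: "base64url",
    14: "strrep", 15: "mask", 16: "const_host_header",
}
STRING_ARG = {1, 2, 5, 6, 9, 10, 12, 16}
# "build" selects what the following steps place into the request: slot 0 is the
# metadata (in the http-post block it carries the session id), slot 1 the command output.
BUILD_SLOT = {0: "metadata", 1: "output"}

# Leading bytes of the report's http_header1 / http_header2 values; the rest of each
# 256-byte field is zero padding, which decodes as the terminating opcode 0.
HTTP_HEADER1 = "AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAA"
HTTP_HEADER2 = ("AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAA"
                "AAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAA")


def decode_transform(blob_b64: str) -> list[str]:
    """Turn one base64 transform blob into a list of Malleable C2 style steps."""
    data = base64.b64decode(blob_b64)
    pos = 0

    def read_u32() -> int:
        nonlocal pos
        (value,) = struct.unpack_from(">I", data, pos)
        pos += 4
        return value

    def read_str() -> str:
        nonlocal pos
        length = read_u32()
        value = data[pos:pos + length].decode("latin-1")
        pos += length
        return value

    steps = []
    while pos + 4 <= len(data):
        op = read_u32()
        if op == 0:                      # end of program
            break
        name = OPCODES.get(op, f"unknown_{op}")
        if op == 7:                      # build <slot>
            steps.append(f"build {BUILD_SLOT.get(read_u32(), '?')}")
        elif op == 14:                   # strrep takes two strings
            old, new = read_str(), read_str()
            steps.append(f'strrep "{old}" "{new}"')
        elif op in STRING_ARG:
            steps.append(f'{name} "{read_str()}"')
        else:
            steps.append(name)
    return steps


def as_profile(block: str, steps: list[str]) -> str:
    """Render the steps in the shape of a Malleable C2 client block, for reading."""
    body = "\n".join(f"    {s};" for s in steps)
    return f"{block} {{\n{body}\n}}"


if __name__ == "__main__":
    print(as_profile("http-get client", decode_transform(HTTP_HEADER1)))
    print(as_profile("http-post client", decode_transform(HTTP_HEADER2)))
```

The result is the stock default profile: GET check-ins carry the base64 session metadata in a Cookie header to /IE9CompatViewList.xml, and POSTs to /submit.php send the session id as the id parameter with the output printed raw in the body under Content-Type: application/octet-stream. Together with the unchanged spawnto values and the Trident/4.0 user agent, that means no custom profile was loaded, so existing network signatures for default-profile Beacon traffic should fire on this C2.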
Signatures
Every registry and task IoC below appears twice: the persistence sequence ran once from the 32-bit sample (SysWOW64 reg.exe, which lands HKLM writes under WOW6432Node) and once from Explorer.EXE after the sample wrote into it (see Suspicious use of WriteProcessMemory and the Processes tree).

- Cobaltstrike: Detected malicious payload which is part of Cobaltstrike.

- Adds policy Run key to start application (2 TTPs, 8 IoCs; process: reg.exe for every entry)
  - Key created: \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  - Set value (str): \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\WindowsUpdate = "C:\\Users\\Public\\svchcst.exe"
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\WindowsUpdate = "C:\\Users\\Public\\svchcst.exe"
  - Key created: \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  - Set value (str): \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\WindowsUpdate = "C:\\Users\\Public\\svchcst.exe"
  - Key created: \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\WindowsUpdate = "C:\\Users\\Public\\svchcst.exe"

- Adds Run key to start application (2 TTPs, 32 IoCs; process: reg.exe for every entry)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Public\\svchcst.exe"
  - Key created: \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce
  - Set value (str): \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\RunServices\WindowsUpdate = "C:\\Users\\Public\\svchcst.exe"
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WindowsUpdate = "C:\\Users\\Public\\svchcst.exe"
  - Set value (str): \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\RunServices\WindowsUpdate = "C:\\Users\\Public\\svchcst.exe"
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\WindowsUpdate = "C:\\Users\\Public\\svchcst.exe"
  - Set value (str): \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\WindowsUpdate = "C:\\Users\\Public\\svchcst.exe"
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Setup\WindowsUpdate = "C:\\Users\\Public\\svchcst.exe"
  - Key created: \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
  - Key created: \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce
  - Set value (str): \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\WindowsUpdate = "C:\\Users\\Public\\svchcst.exe"
  - Key created: \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Setup\WindowsUpdate = "C:\\Users\\Public\\svchcst.exe"
  - Key created: \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\RunServices
  - Key created: \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
  - Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
  - Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx
  - Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Setup
  - Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\WindowsUpdate = "C:\\Users\\Public\\svchcst.exe"
  - Key created: \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\RunServices
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Public\\svchcst.exe"
  - Key created: \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup
  - Key created: \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\WindowsUpdate = "C:\\Users\\Public\\svchcst.exe"
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx\WindowsUpdate = "C:\\Users\\Public\\svchcst.exe"
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\WindowsUpdate = "C:\\Users\\Public\\svchcst.exe"
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  - Set value (str): \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup\WindowsUpdate = "C:\\Users\\Public\\svchcst.exe"
  - Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
  - Set value (str): \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup\WindowsUpdate = "C:\\Users\\Public\\svchcst.exe"
  - Key created: \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup

- Creates scheduled task(s) (1 TTP, 4 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  - schtasks.exe, PID 4532
  - schtasks.exe, PID 1068
  - schtasks.exe, PID 4260
  - schtasks.exe, PID 828

- Modifies registry key (1 TTP, 2 IoCs; no details extracted)

- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  - cobaltstrike_shellcode.bin.exe, PID 4632 (2 entries)
  - Explorer.EXE, PID 2956 (2 entries)

- Suspicious use of AdjustPrivilegeToken (66 IoCs)
  - Explorer.EXE, PID 2956: SeShutdownPrivilege and SeCreatePagefilePrivilege, alternating, 33 times each. This pairing is routine Explorer housekeeping and shows up in reports of unrelated samples; it is listed here because Explorer.EXE is the injection target, not because the privileges themselves are suspicious.

- Suspicious use of WriteProcessMemory (151 IoCs; the first 64 are listed, as "PID <source> wrote to memory of <target>")
  - 4632 cobaltstrike_shellcode.bin.exe -> 2956 Explorer.EXE (1 write; this is the injection into Explorer)
  - 4632 cobaltstrike_shellcode.bin.exe -> cmd.exe children 3908, 584, 928, 1144, 1416, 1828, 4092, 3180, 4352, 4480, 2496 (3 writes each; ordinary child-process setup)
  - 3908 cmd.exe -> 4260 schtasks.exe; 584 cmd.exe -> 828 schtasks.exe (3 writes each)
  - 928 cmd.exe -> 1044 reg.exe; 1144 -> 1344; 1416 -> 1712; 1828 -> 3244; 4092 -> 4292; 3180 -> 4364; 4352 -> 4436; 4480 -> 2304 reg.exe (3 writes each)

- Views/modifies file attributes (1 TTP, 2 IoCs)
  - attrib.exe, PID 4512
  - attrib.exe, PID 1336
Processes
The tree shows the same fourteen-step persistence sequence twice. The first run is under the 32-bit sample (image paths resolve to SysWOW64 even though the command lines say system32, which is WOW64 file-system redirection); the second run hangs directly off Explorer.EXE with native system32 tools. Explorer.EXE (PID 2956) is the process the sample wrote into and the only process with a real memory dump (0x610000-0x650000, 256KB, under Downloads), so the second run is consistent with the injected beacon re-issuing the commands from its host process. Note the task name in the second schtasks call is "WindewsUpdate" (sic) in both runs: that misspelling is the sample's, not a transcription error, and is a usable hunting string. Numbers in parentheses are the depth in the tree; "cmd" is the recorded command line, "sigs" the signatures attached to that process.

- (1) C:\Windows\Explorer.EXE
  cmd: C:\Windows\Explorer.EXE
  sigs: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - (2) C:\Users\Admin\AppData\Local\Temp\cobaltstrike_shellcode.bin.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\cobaltstrike_shellcode.bin.exe"
    sigs: Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - (3) C:\Windows\SysWOW64\cmd.exe
      cmd: C:\Windows\system32\cmd.exe /C schtasks /create /tn WindowsUpdate /tr C:\Users\Public\svchcst.exe /sc minute /mo 1
      sigs: Suspicious use of WriteProcessMemory
      - (4) C:\Windows\SysWOW64\schtasks.exe
        cmd: schtasks /create /tn WindowsUpdate /tr C:\Users\Public\svchcst.exe /sc minute /mo 1
        sigs: Creates scheduled task(s)
    - (3) C:\Windows\SysWOW64\cmd.exe
      cmd: C:\Windows\system32\cmd.exe /C SCHTASKS /Create /RU SYSTEM /SC ONSTART /RL HIGHEST /TN WindewsUpdate /TR C:\Users\Public\svchcst.exe
      sigs: Suspicious use of WriteProcessMemory
      - (4) C:\Windows\SysWOW64\schtasks.exe
        cmd: SCHTASKS /Create /RU SYSTEM /SC ONSTART /RL HIGHEST /TN WindewsUpdate /TR C:\Users\Public\svchcst.exe
        sigs: Creates scheduled task(s)
    - (3) C:\Windows\SysWOW64\cmd.exe
      cmd: C:\Windows\system32\cmd.exe /C reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v WindowsUpdate /t REG_SZ /d C:\Users\Public\svchcst.exe /f
      sigs: Suspicious use of WriteProcessMemory
      - (4) C:\Windows\SysWOW64\reg.exe
        cmd: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v WindowsUpdate /t REG_SZ /d C:\Users\Public\svchcst.exe /f
        sigs: Adds Run key to start application; Modifies registry key
    - (3) C:\Windows\SysWOW64\cmd.exe
      cmd: C:\Windows\system32\cmd.exe /C reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load" /v WindowsUpdate /t REG_SZ /d C:\Users\Public\svchcst.exe /f
      sigs: Suspicious use of WriteProcessMemory
      - (4) C:\Windows\SysWOW64\reg.exe
        cmd: reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load" /v WindowsUpdate /t REG_SZ /d C:\Users\Public\svchcst.exe /f
        sigs: (none)
    - (3) C:\Windows\SysWOW64\cmd.exe
      cmd: C:\Windows\system32\cmd.exe /C reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce /v WindowsUpdate /t REG_SZ /d C:\Users\Public\svchcst.exe /f
      sigs: Suspicious use of WriteProcessMemory
      - (4) C:\Windows\SysWOW64\reg.exe
        cmd: reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce /v WindowsUpdate /t REG_SZ /d C:\Users\Public\svchcst.exe /f
        sigs: Adds Run key to start application
    - (3) C:\Windows\SysWOW64\cmd.exe
      cmd: C:\Windows\system32\cmd.exe /C reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx /v WindowsUpdate /t REG_SZ /d C:\Users\Public\svchcst.exe /f
      sigs: Suspicious use of WriteProcessMemory
      - (4) C:\Windows\SysWOW64\reg.exe
        cmd: reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx /v WindowsUpdate /t REG_SZ /d C:\Users\Public\svchcst.exe /f
        sigs: Adds Run key to start application
    - (3) C:\Windows\SysWOW64\cmd.exe
      cmd: C:\Windows\system32\cmd.exe /C reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce /v WindowsUpdate /t REG_SZ /d C:\Users\Public\svchcst.exe /f
      sigs: Suspicious use of WriteProcessMemory
      - (4) C:\Windows\SysWOW64\reg.exe
        cmd: reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce /v WindowsUpdate /t REG_SZ /d C:\Users\Public\svchcst.exe /f
        sigs: Adds Run key to start application
    - (3) C:\Windows\SysWOW64\cmd.exe
      cmd: C:\Windows\system32\cmd.exe /C reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup /v WindowsUpdate /t REG_SZ /d C:\Users\Public\svchcst.exe /f
      sigs: Suspicious use of WriteProcessMemory
      - (4) C:\Windows\SysWOW64\reg.exe
        cmd: reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup /v WindowsUpdate /t REG_SZ /d C:\Users\Public\svchcst.exe /f
        sigs: Adds Run key to start application
    - (3) C:\Windows\SysWOW64\cmd.exe
      cmd: C:\Windows\system32\cmd.exe /C reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup /v WindowsUpdate /t REG_SZ /d C:\Users\Public\svchcst.exe /f
      sigs: Suspicious use of WriteProcessMemory
      - (4) C:\Windows\SysWOW64\reg.exe
        cmd: reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup /v WindowsUpdate /t REG_SZ /d C:\Users\Public\svchcst.exe /f
        sigs: Adds Run key to start application
    - (3) C:\Windows\SysWOW64\cmd.exe
      cmd: C:\Windows\system32\cmd.exe /C reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices /v WindowsUpdate /t REG_SZ /d C:\Users\Public\svchcst.exe /f
      sigs: Suspicious use of WriteProcessMemory
      - (4) C:\Windows\SysWOW64\reg.exe
        cmd: reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices /v WindowsUpdate /t REG_SZ /d C:\Users\Public\svchcst.exe /f
        sigs: Adds Run key to start application
    - (3) C:\Windows\SysWOW64\cmd.exe
      cmd: C:\Windows\system32\cmd.exe /C reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices /v WindowsUpdate /t REG_SZ /d C:\Users\Public\svchcst.exe /f
      sigs: (none)
      - (4) C:\Windows\SysWOW64\reg.exe
        cmd: reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices /v WindowsUpdate /t REG_SZ /d C:\Users\Public\svchcst.exe /f
        sigs: Adds Run key to start application
    - (3) C:\Windows\SysWOW64\cmd.exe
      cmd: C:\Windows\system32\cmd.exe /C reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /v WindowsUpdate /t REG_SZ /d C:\Users\Public\svchcst.exe /f
      sigs: (none)
      - (4) C:\Windows\SysWOW64\reg.exe
        cmd: reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /v WindowsUpdate /t REG_SZ /d C:\Users\Public\svchcst.exe /f
        sigs: Adds policy Run key to start application
    - (3) C:\Windows\SysWOW64\cmd.exe
      cmd: C:\Windows\system32\cmd.exe /C reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /v WindowsUpdate /t REG_SZ /d C:\Users\Public\svchcst.exe /f
      sigs: (none)
      - (4) C:\Windows\SysWOW64\reg.exe
        cmd: reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /v WindowsUpdate /t REG_SZ /d C:\Users\Public\svchcst.exe /f
        sigs: Adds policy Run key to start application
    - (3) C:\Windows\SysWOW64\cmd.exe
      cmd: C:\Windows\system32\cmd.exe /C reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Winlogon\Userinit /v WindowsUpdate /t REG_SZ /d C:\Users\Public\svchcst.exe /f
      sigs: (none)
      - (4) C:\Windows\SysWOW64\reg.exe
        cmd: reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Winlogon\Userinit /v WindowsUpdate /t REG_SZ /d C:\Users\Public\svchcst.exe /f
        sigs: (none)
    - (3) C:\Windows\SysWOW64\cmd.exe
      cmd: C:\Windows\system32\cmd.exe /C attrib C:\Users\Public\svchcst.exe +s +h
      sigs: (none)
      - (4) C:\Windows\SysWOW64\attrib.exe
        cmd: attrib C:\Users\Public\svchcst.exe +s +h
        sigs: Views/modifies file attributes
  - (2) C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /C schtasks /create /tn WindowsUpdate /tr C:\Users\Public\svchcst.exe /sc minute /mo 1
    sigs: (none)
    - (3) C:\Windows\system32\schtasks.exe
      cmd: schtasks /create /tn WindowsUpdate /tr C:\Users\Public\svchcst.exe /sc minute /mo 1
      sigs: Creates scheduled task(s)
  - (2) C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /C SCHTASKS /Create /RU SYSTEM /SC ONSTART /RL HIGHEST /TN WindewsUpdate /TR C:\Users\Public\svchcst.exe
    sigs: (none)
    - (3) C:\Windows\system32\schtasks.exe
      cmd: SCHTASKS /Create /RU SYSTEM /SC ONSTART /RL HIGHEST /TN WindewsUpdate /TR C:\Users\Public\svchcst.exe
      sigs: Creates scheduled task(s)
  - (2) C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /C reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v WindowsUpdate /t REG_SZ /d C:\Users\Public\svchcst.exe /f
    sigs: (none)
    - (3) C:\Windows\system32\reg.exe
      cmd: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v WindowsUpdate /t REG_SZ /d C:\Users\Public\svchcst.exe /f
      sigs: Adds Run key to start application; Modifies registry key
  - (2) C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /C reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load" /v WindowsUpdate /t REG_SZ /d C:\Users\Public\svchcst.exe /f
    sigs: (none)
    - (3) C:\Windows\system32\reg.exe
      cmd: reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load" /v WindowsUpdate /t REG_SZ /d C:\Users\Public\svchcst.exe /f
      sigs: (none)
  - (2) C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /C reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce /v WindowsUpdate /t REG_SZ /d C:\Users\Public\svchcst.exe /f
    sigs: (none)
    - (3) C:\Windows\system32\reg.exe
      cmd: reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce /v WindowsUpdate /t REG_SZ /d C:\Users\Public\svchcst.exe /f
      sigs: Adds Run key to start application
  - (2) C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /C reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx /v WindowsUpdate /t REG_SZ /d C:\Users\Public\svchcst.exe /f
    sigs: (none)
    - (3) C:\Windows\system32\reg.exe
      cmd: reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx /v WindowsUpdate /t REG_SZ /d C:\Users\Public\svchcst.exe /f
      sigs: Adds Run key to start application
  - (2) C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /C reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce /v WindowsUpdate /t REG_SZ /d C:\Users\Public\svchcst.exe /f
    sigs: (none)
    - (3) C:\Windows\system32\reg.exe
      cmd: reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce /v WindowsUpdate /t REG_SZ /d C:\Users\Public\svchcst.exe /f
      sigs: Adds Run key to start application
  - (2) C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /C reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup /v WindowsUpdate /t REG_SZ /d C:\Users\Public\svchcst.exe /f
    sigs: (none)
    - (3) C:\Windows\system32\reg.exe
      cmd: reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup /v WindowsUpdate /t REG_SZ /d C:\Users\Public\svchcst.exe /f
      sigs: Adds Run key to start application
  - (2) C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /C reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup /v WindowsUpdate /t REG_SZ /d C:\Users\Public\svchcst.exe /f
    sigs: (none)
    - (3) C:\Windows\system32\reg.exe
      cmd: reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup /v WindowsUpdate /t REG_SZ /d C:\Users\Public\svchcst.exe /f
      sigs: Adds Run key to start application
  - (2) C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /C reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices /v WindowsUpdate /t REG_SZ /d C:\Users\Public\svchcst.exe /f
    sigs: (none)
    - (3) C:\Windows\system32\reg.exe
      cmd: reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices /v WindowsUpdate /t REG_SZ /d C:\Users\Public\svchcst.exe /f
      sigs: Adds Run key to start application
  - (2) C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /C reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices /v WindowsUpdate /t REG_SZ /d C:\Users\Public\svchcst.exe /f
    sigs: (none)
    - (3) C:\Windows\system32\reg.exe
      cmd: reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices /v WindowsUpdate /t REG_SZ /d C:\Users\Public\svchcst.exe /f
      sigs: Adds Run key to start application
  - (2) C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /C reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /v WindowsUpdate /t REG_SZ /d C:\Users\Public\svchcst.exe /f
    sigs: (none)
    - (3) C:\Windows\system32\reg.exe
      cmd: reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /v WindowsUpdate /t REG_SZ /d C:\Users\Public\svchcst.exe /f
      sigs: Adds policy Run key to start application
  - (2) C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /C reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /v WindowsUpdate /t REG_SZ /d C:\Users\Public\svchcst.exe /f
    sigs: (none)
    - (3) C:\Windows\system32\reg.exe
      cmd: reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /v WindowsUpdate /t REG_SZ /d C:\Users\Public\svchcst.exe /f
      sigs: Adds policy Run key to start application
  - (2) C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /C reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Winlogon\Userinit /v WindowsUpdate /t REG_SZ /d C:\Users\Public\svchcst.exe /f
    sigs: (none)
    - (3) C:\Windows\system32\reg.exe
      cmd: reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Winlogon\Userinit /v WindowsUpdate /t REG_SZ /d C:\Users\Public\svchcst.exe /f
      sigs: (none)
  - (2) C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /C attrib C:\Users\Public\svchcst.exe +s +h
    sigs: (none)
    - (3) C:\Windows\system32\attrib.exe
      cmd: attrib C:\Users\Public\svchcst.exe +s +h
      sigs: Views/modifies file attributes
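Every persistence step in the tree is a plain reg add, schtasks /create or attrib command line, so a Sysmon event 1 or EDR command-line feed carries everything needed to rebuild the autostart map the sample tried to create. The parser below is an added example written for this page, not the sandbox's code: it tokenizes such command lines, unwraps the cmd.exe /C wrapper, normalises hive aliases and the WOW6432Node redirection that the 32-bit reg.exe produces in the IoC list, and flags which registry targets are autostart locations that current Windows actually consults. Two of the sample's keys are not: the genuine Userinit value lives under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, and the genuine Load entry is a value under HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows, whereas the sample creates a subkey named load beneath it. Both writes create keys nothing reads, which matches the sandbox attaching no signature to them. RunServices and RunOnce\Setup are left out of the active set deliberately (legacy locations; verify on the target OS before relying on them). The ACTIVE_ASEPS set, the field names and the sample command lines (copied from the tree above) are this example's own choices.

```python
from __future__ import annotations

import re

# Autostart (ASEP) locations below the hive that current Windows consults.
# Assumption for this example: anything else is reported as "unread" so an analyst checks
# it by hand instead of trusting the key names a sample chose.
ACTIVE_ASEPS = {
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows\currentversion\runonce",
    r"software\microsoft\windows\currentversion\runonceex",
    r"software\microsoft\windows\currentversion\policies\explorer\run",
}
HIVES = {"HKLM": "HKLM", "HKEY_LOCAL_MACHINE": "HKLM",
         "HKCU": "HKCU", "HKEY_CURRENT_USER": "HKCU"}


def tokenize(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def opt(toks: list[str], flag: str) -> str | None:
    """Value following a case-insensitive switch such as /tn or /d, or None."""
    low = [t.lower() for t in toks]
    try:
        return toks[low.index(flag.lower()) + 1]
    except (ValueError, IndexError):
        return None


def parse_persistence(cmdline: str) -> dict | None:
    """Classify one command line as a registry, task or attrib persistence step."""
    toks = tokenize(cmdline)
    if not toks:
        return None
    exe = toks[0].rsplit("\\", 1)[-1].lower()
    low = [t.lower() for t in toks]

    # "cmd.exe /C <inner>": unwrap and look at the real command.
    if exe == "cmd.exe" and len(low) > 1 and low[1] == "/c":
        parts = re.split(r"\s/c\s+", cmdline, maxsplit=1, flags=re.IGNORECASE)
        return parse_persistence(parts[1]) if len(parts) == 2 else None

    if exe in ("reg.exe", "reg") and len(low) > 2 and low[1] == "add":
        hive, _, path = toks[2].partition("\\")
        # A 32-bit reg.exe writing HKLM\SOFTWARE lands under WOW6432Node; fold that away.
        rel = path.lower().replace("wow6432node\\", "")
        return {
            "kind": "registry",
            "location": f"{HIVES.get(hive.upper(), hive.upper())}\\{path}",
            "value_name": opt(toks, "/v"),
            "payload": opt(toks, "/d"),
            "active_asep": rel in ACTIVE_ASEPS,
        }

    if exe in ("schtasks.exe", "schtasks") and "/create" in low:
        schedule = [x for x in (opt(toks, "/sc"), opt(toks, "/mo")) if x]
        return {
            "kind": "task",
            "name": opt(toks, "/tn"),
            "payload": opt(toks, "/tr"),
            "schedule": " ".join(schedule),
            "run_as": opt(toks, "/ru"),
            "run_level": opt(toks, "/rl"),
        }

    if exe in ("attrib.exe", "attrib"):
        rest = toks[1:]
        return {
            "kind": "attrib",
            "payload": next((t for t in rest if t[:1] not in ("+", "-", "/")), None),
            "flags": [t for t in rest if t[:1] in ("+", "-")],
        }
    return None


def hunt_list(findings: list[dict | None]) -> dict[str, set[str]]:
    """Group findings into the strings to search for on other hosts."""
    out = {"paths": set(), "task_names": set(), "active_keys": set(), "unread_keys": set()}
    for f in findings:
        if not f:
            continue
        if f.get("payload"):
            out["paths"].add(f["payload"])
        if f["kind"] == "task":
            out["task_names"].add(f["name"])
        elif f["kind"] == "registry":
            out["active_keys" if f["active_asep"] else "unread_keys"].add(f["location"])
    return out


# Constructed sample: command lines copied from the process tree in this report.
SAMPLE_CMDLINES = [
    r"schtasks /create /tn WindowsUpdate /tr C:\Users\Public\svchcst.exe /sc minute /mo 1",
    r"SCHTASKS /Create /RU SYSTEM /SC ONSTART /RL HIGHEST /TN WindewsUpdate /TR C:\Users\Public\svchcst.exe",
    r"reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v WindowsUpdate /t REG_SZ /d C:\Users\Public\svchcst.exe /f",
    r'reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load" /v WindowsUpdate /t REG_SZ /d C:\Users\Public\svchcst.exe /f',
    r"reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Winlogon\Userinit /v WindowsUpdate /t REG_SZ /d C:\Users\Public\svchcst.exe /f",
    r"C:\Windows\system32\cmd.exe /C attrib C:\Users\Public\svchcst.exe +s +h",
]

if __name__ == "__main__":
    found = [parse_persistence(c) for c in SAMPLE_CMDLINES]
    for f in found:
        print(f)
    print(hunt_list(found))
```

Run over the six sample lines, the hunt list comes out as one payload path (C:\Users\Public\svchcst.exe), two task names (WindowsUpdate and the misspelt WindewsUpdate), one active autostart key and two keys that nothing reads. On a live host the same output maps directly onto what to check: the task list for those names, the active keys for the WindowsUpdate value, and the file for the +s +h attributes the sample sets to hide it from a default directory listing.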
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
Memory dumps, named memory/<pid>-<sequence>-<range>. All but one are zero-length mapping placeholders; the only dump with content is the 256KB region in Explorer.EXE (PID 2956), the process the sample wrote into.
- memory/64-41-0x0000000000000000-mapping.dmp
- memory/216-29-0x0000000000000000-mapping.dmp
- memory/576-56-0x0000000000000000-mapping.dmp
- memory/584-3-0x0000000000000000-mapping.dmp
- memory/812-47-0x0000000000000000-mapping.dmp
- memory/828-4-0x0000000000000000-mapping.dmp
- memory/832-57-0x0000000000000000-mapping.dmp
- memory/888-59-0x0000000000000000-mapping.dmp
- memory/928-5-0x0000000000000000-mapping.dmp
- memory/1044-6-0x0000000000000000-mapping.dmp
- memory/1068-34-0x0000000000000000-mapping.dmp
- memory/1144-7-0x0000000000000000-mapping.dmp
- memory/1168-58-0x0000000000000000-mapping.dmp
- memory/1336-60-0x0000000000000000-mapping.dmp
- memory/1344-8-0x0000000000000000-mapping.dmp
- memory/1408-31-0x0000000000000000-mapping.dmp
- memory/1416-9-0x0000000000000000-mapping.dmp
- memory/1712-10-0x0000000000000000-mapping.dmp
- memory/1828-11-0x0000000000000000-mapping.dmp
- memory/1976-28-0x0000000000000000-mapping.dmp
- memory/2076-37-0x0000000000000000-mapping.dmp
- memory/2304-20-0x0000000000000000-mapping.dmp
- memory/2496-21-0x0000000000000000-mapping.dmp
- memory/2540-22-0x0000000000000000-mapping.dmp
- memory/2956-0-0x0000000000610000-0x0000000000650000-memory.dmp (Filesize 256KB; Explorer.EXE, PID 2956)
- memory/3096-24-0x0000000000000000-mapping.dmp
- memory/3180-15-0x0000000000000000-mapping.dmp
- memory/3208-23-0x0000000000000000-mapping.dmp
- memory/3244-12-0x0000000000000000-mapping.dmp
- memory/3252-55-0x0000000000000000-mapping.dmp
- memory/3264-43-0x0000000000000000-mapping.dmp
- memory/3340-46-0x0000000000000000-mapping.dmp
- memory/3572-40-0x0000000000000000-mapping.dmp
- memory/3640-25-0x0000000000000000-mapping.dmp
- memory/3796-42-0x0000000000000000-mapping.dmp
- memory/3908-1-0x0000000000000000-mapping.dmp
- memory/3972-38-0x0000000000000000-mapping.dmp
- memory/4092-13-0x0000000000000000-mapping.dmp
- memory/4160-51-0x0000000000000000-mapping.dmp
- memory/4176-50-0x0000000000000000-mapping.dmp
- memory/4192-54-0x0000000000000000-mapping.dmp
- memory/4260-2-0x0000000000000000-mapping.dmp
- memory/4292-14-0x0000000000000000-mapping.dmp
- memory/4352-17-0x0000000000000000-mapping.dmp
- memory/4364-16-0x0000000000000000-mapping.dmp
- memory/4436-18-0x0000000000000000-mapping.dmp
- memory/4480-19-0x0000000000000000-mapping.dmp
- memory/4512-30-0x0000000000000000-mapping.dmp
- memory/4532-32-0x0000000000000000-mapping.dmp
- memory/4552-35-0x0000000000000000-mapping.dmp
- memory/4608-26-0x0000000000000000-mapping.dmp
- memory/4616-27-0x0000000000000000-mapping.dmp
- memory/4628-33-0x0000000000000000-mapping.dmp
- memory/4684-49-0x0000000000000000-mapping.dmp
- memory/4736-45-0x0000000000000000-mapping.dmp
- memory/4756-44-0x0000000000000000-mapping.dmp
- memory/4808-53-0x0000000000000000-mapping.dmp
- memory/4820-52-0x0000000000000000-mapping.dmp
- memory/4836-48-0x0000000000000000-mapping.dmp
- memory/4848-36-0x0000000000000000-mapping.dmp
- memory/5056-39-0x0000000000000000-mapping.dmp