cobaltstrike | hxxps://daftar[.]site/bootstrap_bin/css__styles/tool[.]exe

General

Target

https://daftar.site/bootstrap_bin/css__styles/tool.exe

Score

10^/10

cobaltstrike backdoor cryptone packer trojan

Malware Config

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

CobaltStrike 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2996-137-0x0000000000680000-0x00000000006B3000-memory.dmp	CobaltStrike
behavioral2/memory/2996-138-0x00000000022A0000-0x00000000022DD000-memory.dmp	CobaltStrike
behavioral2/memory/3348-142-0x00000000024B0000-0x00000000024ED000-memory.dmp	CobaltStrike
behavioral2/memory/3020-146-0x00000000024E0000-0x000000000251D000-memory.dmp	CobaltStrike

CryptOne packer 4 IoCs

Detects CryptOne packer defined in NCC blogpost.

cryptone packer

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\tool.exe.472r0h6.partial	cryptone
C:\Users\Admin\Downloads\tool.exe	cryptone
C:\Users\Admin\Downloads\tool.exe	cryptone
C:\Users\Admin\Downloads\tool.exe	cryptone

Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

tool.exetool.exetool.exe

pid process

2996 tool.exe
3348 tool.exe
3020 tool.exe

pid	process
2996	tool.exe
3348	tool.exe
3020	tool.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 2bab45dfb408d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 30 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2879003980"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\RepId\PublicId = "{73F472A4-E02D-404B-9658-D1947D08153E}"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\DownloadWindowPlacement = 2c0000000200000000000000ffffffffffffffffffffffffffffffff7800000048000000f802000028020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{D72CFDC4-A600-11EC-B9A4-F24C39D5F1CE} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "354293283"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\RepId	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30947853"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2879003980"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30947853"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

taskmgr.exe

pid	process
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid process

2324 taskmgr.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

taskmgr.exe

description	pid	process
Token: SeDebugPrivilege	2324	taskmgr.exe
Token: SeSystemProfilePrivilege	2324	taskmgr.exe
Token: SeCreateGlobalPrivilege	2324	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

iexplore.exetaskmgr.exe

pid	process
220	iexplore.exe
220	iexplore.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
220	iexplore.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exe

pid	process
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe
2324	taskmgr.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

220 iexplore.exe
220 iexplore.exe
1944 IEXPLORE.EXE
1944 IEXPLORE.EXE

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 220 wrote to memory of 1944	220	iexplore.exe	IEXPLORE.EXE
PID 220 wrote to memory of 1944	220	iexplore.exe	IEXPLORE.EXE
PID 220 wrote to memory of 1944	220	iexplore.exe	IEXPLORE.EXE
PID 220 wrote to memory of 2996	220	iexplore.exe	tool.exe
PID 220 wrote to memory of 2996	220	iexplore.exe	tool.exe
PID 220 wrote to memory of 2996	220	iexplore.exe	tool.exe
PID 220 wrote to memory of 3348	220	iexplore.exe	tool.exe
PID 220 wrote to memory of 3348	220	iexplore.exe	tool.exe
PID 220 wrote to memory of 3348	220	iexplore.exe	tool.exe

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://daftar.site/bootstrap_bin/css__styles/tool.exe
1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:220

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:220 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1944

C:\Users\Admin\Downloads\tool.exe
"C:\Users\Admin\Downloads\tool.exe"
2⤵
- Executes dropped EXE
PID:2996

C:\Users\Admin\Downloads\tool.exe
"C:\Users\Admin\Downloads\tool.exe"
2⤵
- Executes dropped EXE
PID:3348

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2324

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:456

C:\Users\Admin\Downloads\tool.exe
"C:\Users\Admin\Downloads\tool.exe"
1⤵
- Executes dropped EXE
PID:3020

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

2

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Downloads\tool.exe
MD5
518d125bb64a8f8dc8b94054daf5e6df

SHA1
549735f585590452985451faf8ab1e6f22903abf

SHA256
950008035d225dd5f4c3a229082f1206eb9bce8c4aa4822b130db065da54e224

SHA512
59ba254d3f7a37a760d709807de28b1b99bb0f92304e2177e67c30ca24b7fc4428608d392513706e663a49449f065c3719e318ddc7752d414441fe2895b1cb89

Download Submit
C:\Users\Admin\Downloads\tool.exe
MD5
518d125bb64a8f8dc8b94054daf5e6df

SHA1
549735f585590452985451faf8ab1e6f22903abf

SHA256
950008035d225dd5f4c3a229082f1206eb9bce8c4aa4822b130db065da54e224

SHA512
59ba254d3f7a37a760d709807de28b1b99bb0f92304e2177e67c30ca24b7fc4428608d392513706e663a49449f065c3719e318ddc7752d414441fe2895b1cb89

Download Submit
C:\Users\Admin\Downloads\tool.exe
MD5
518d125bb64a8f8dc8b94054daf5e6df

SHA1
549735f585590452985451faf8ab1e6f22903abf

SHA256
950008035d225dd5f4c3a229082f1206eb9bce8c4aa4822b130db065da54e224

SHA512
59ba254d3f7a37a760d709807de28b1b99bb0f92304e2177e67c30ca24b7fc4428608d392513706e663a49449f065c3719e318ddc7752d414441fe2895b1cb89

Download Submit
C:\Users\Admin\Downloads\tool.exe.472r0h6.partial
MD5
518d125bb64a8f8dc8b94054daf5e6df

SHA1
549735f585590452985451faf8ab1e6f22903abf

SHA256
950008035d225dd5f4c3a229082f1206eb9bce8c4aa4822b130db065da54e224

SHA512
59ba254d3f7a37a760d709807de28b1b99bb0f92304e2177e67c30ca24b7fc4428608d392513706e663a49449f065c3719e318ddc7752d414441fe2895b1cb89

Download Submit
memory/2996-135-0x00000000005B0000-0x00000000005F7000-memory.dmp

Filesize
284KB

Download
memory/2996-136-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2996-137-0x0000000000680000-0x00000000006B3000-memory.dmp

Filesize
204KB

Download
memory/2996-138-0x00000000022A0000-0x00000000022DD000-memory.dmp

Filesize
244KB

Download
memory/3020-144-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3020-146-0x00000000024E0000-0x000000000251D000-memory.dmp

Filesize
244KB

Download
memory/3348-140-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3348-142-0x00000000024B0000-0x00000000024ED000-memory.dmp

Filesize
244KB

Download

pid	process
220	iexplore.exe
220	iexplore.exe
1944	IEXPLORE.EXE
1944	IEXPLORE.EXE

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads