cobaltstrike | cbae182671c1d12bb0f548ff686b68101704751a1b592a12482a3526ae043558

General

Target

rundll32.exe
Size

72KB
MD5

0ae6801746fc951ea748bd6fcebd7ea4
SHA1

154145167949420056d7a1566740ff99b2765199
SHA256

cbae182671c1d12bb0f548ff686b68101704751a1b592a12482a3526ae043558
SHA512

6bc8f76711f0a0a85327a4b57a50cd2cdc47de0419d7bd4971a0db7fedcb572b8bb698620367ee331a38a37345ec261ea1956e66f406eb64f4544fcf87454572

Score

10^/10

cobaltstrike metasploit backdoor persistence trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Modifies boot configuration data using bcdedit 4 IoCs

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid process

308 bcdedit.exe
1960 bcdedit.exe
1940 bcdedit.exe
1556 bcdedit.exe

pid	process
308	bcdedit.exe
1960	bcdedit.exe
1940	bcdedit.exe
1556	bcdedit.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\SIAsvkREL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yzwQuAOjucJR.vbs"	rundll32.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

Processes:

whoami.exerundll32.exewhoami.exe

description	pid	process
Token: SeDebugPrivilege	1640	whoami.exe
Token: SeAssignPrimaryTokenPrivilege	1284	rundll32.exe
Token: SeAuditPrivilege	1284	rundll32.exe
Token: SeBackupPrivilege	1284	rundll32.exe
Token: SeChangeNotifyPrivilege	1284	rundll32.exe
Token: SeCreateGlobalPrivilege	1284	rundll32.exe
Token: SeCreatePagefilePrivilege	1284	rundll32.exe
Token: SeCreatePermanentPrivilege	1284	rundll32.exe
Token: 35	1284	rundll32.exe
Token: SeCreateTokenPrivilege	1284	rundll32.exe
Token: SeDebugPrivilege	1284	rundll32.exe
Token: SeEnableDelegationPrivilege	1284	rundll32.exe
Token: SeImpersonatePrivilege	1284	rundll32.exe
Token: SeIncBasePriorityPrivilege	1284	rundll32.exe
Token: SeIncreaseQuotaPrivilege	1284	rundll32.exe
Token: 33	1284	rundll32.exe
Token: SeLoadDriverPrivilege	1284	rundll32.exe
Token: SeLockMemoryPrivilege	1284	rundll32.exe
Token: SeMachineAccountPrivilege	1284	rundll32.exe
Token: SeManageVolumePrivilege	1284	rundll32.exe
Token: SeProfSingleProcessPrivilege	1284	rundll32.exe
Token: 32	1284	rundll32.exe
Token: SeRemoteShutdownPrivilege	1284	rundll32.exe
Token: SeRestorePrivilege	1284	rundll32.exe
Token: SeSecurityPrivilege	1284	rundll32.exe
Token: SeShutdownPrivilege	1284	rundll32.exe
Token: SeSyncAgentPrivilege	1284	rundll32.exe
Token: SeSystemEnvironmentPrivilege	1284	rundll32.exe
Token: SeSystemProfilePrivilege	1284	rundll32.exe
Token: SeSystemtimePrivilege	1284	rundll32.exe
Token: SeTakeOwnershipPrivilege	1284	rundll32.exe
Token: SeTcbPrivilege	1284	rundll32.exe
Token: 34	1284	rundll32.exe
Token: 31	1284	rundll32.exe
Token: SeUndockPrivilege	1284	rundll32.exe
Token: 0	1284	rundll32.exe
Token: SeDebugPrivilege	1768	whoami.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

rundll32.execmd.execmd.exe

description	pid	process	target process
PID 1284 wrote to memory of 1928	1284	rundll32.exe	cmd.exe
PID 1284 wrote to memory of 1928	1284	rundll32.exe	cmd.exe
PID 1284 wrote to memory of 1928	1284	rundll32.exe	cmd.exe
PID 1284 wrote to memory of 1928	1284	rundll32.exe	cmd.exe
PID 1928 wrote to memory of 1640	1928	cmd.exe	whoami.exe
PID 1928 wrote to memory of 1640	1928	cmd.exe	whoami.exe
PID 1928 wrote to memory of 1640	1928	cmd.exe	whoami.exe
PID 1928 wrote to memory of 1640	1928	cmd.exe	whoami.exe
PID 1520 wrote to memory of 1768	1520	cmd.exe	whoami.exe
PID 1520 wrote to memory of 1768	1520	cmd.exe	whoami.exe
PID 1520 wrote to memory of 1768	1520	cmd.exe	whoami.exe
PID 1520 wrote to memory of 1648	1520	cmd.exe	winlogon.exe
PID 1520 wrote to memory of 1648	1520	cmd.exe	winlogon.exe
PID 1520 wrote to memory of 1648	1520	cmd.exe	winlogon.exe
PID 1520 wrote to memory of 308	1520	cmd.exe	bcdedit.exe
PID 1520 wrote to memory of 308	1520	cmd.exe	bcdedit.exe
PID 1520 wrote to memory of 308	1520	cmd.exe	bcdedit.exe
PID 1520 wrote to memory of 1960	1520	cmd.exe	bcdedit.exe
PID 1520 wrote to memory of 1960	1520	cmd.exe	bcdedit.exe
PID 1520 wrote to memory of 1960	1520	cmd.exe	bcdedit.exe
PID 1520 wrote to memory of 1940	1520	cmd.exe	bcdedit.exe
PID 1520 wrote to memory of 1940	1520	cmd.exe	bcdedit.exe
PID 1520 wrote to memory of 1940	1520	cmd.exe	bcdedit.exe

C:\Users\Admin\AppData\Local\Temp\rundll32.exe
"C:\Users\Admin\AppData\Local\Temp\rundll32.exe"
1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1928

C:\Windows\SysWOW64\whoami.exe
whoami
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1520

C:\Windows\system32\whoami.exe
whoami
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1768

C:\Windows\system32\winlogon.exe
winlogon
3⤵
PID:1648

C:\Windows\system32\bcdedit.exe
bcdedit /enum
3⤵
- Modifies boot configuration data using bcdedit
PID:308

C:\Windows\system32\bcdedit.exe
bcdedit /set recoveryenabled no
3⤵
- Modifies boot configuration data using bcdedit
PID:1960

C:\Windows\system32\bcdedit.exe
bcdedit /enum
3⤵
- Modifies boot configuration data using bcdedit
PID:1940

C:\Windows\system32\bcdedit.exe
bcdedit /set recoveryenabled yes
3⤵
- Modifies boot configuration data using bcdedit
PID:1556

C:\Windows\system32\cmd.exe
cmd.exe /c echo srrfya > \\.\pipe\srrfya
1⤵
PID:1692

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/308-66-0x0000000000000000-mapping.dmp

Download
memory/1284-61-0x00000000003E0000-0x0000000000400000-memory.dmp

Filesize
128KB

Download
memory/1284-56-0x0000000000270000-0x00000000002A1000-memory.dmp

Filesize
196KB

Download
memory/1284-58-0x00000000023D0000-0x00000000024D0000-memory.dmp

Filesize
1024KB

Download
memory/1284-59-0x0000000000420000-0x000000000047F000-memory.dmp

Filesize
380KB

Download
memory/1284-60-0x0000000000574000-0x0000000000591000-memory.dmp

Filesize
116KB

Download
memory/1284-54-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download
memory/1284-55-0x0000000000240000-0x000000000026B000-memory.dmp

Filesize
172KB

Download
memory/1556-69-0x0000000000000000-mapping.dmp

Download
memory/1640-63-0x0000000000000000-mapping.dmp

Download
memory/1648-65-0x0000000000000000-mapping.dmp

Download
memory/1768-64-0x0000000000000000-mapping.dmp

Download
memory/1928-62-0x0000000000000000-mapping.dmp

Download
memory/1940-68-0x0000000000000000-mapping.dmp

Download
memory/1960-67-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads