cobaltstrike | b931edb967de6bef9fbd8095f8d14f07fcf61aa8234992fbd1162f5238eece21

Analysis

Target

b931edb967de6bef9fbd8095f8d14f07fcf61aa8234992fbd1162f5238eece21.exe
Size

731KB
MD5

067242b22f1d94603af1172447a7623a
SHA1

838f20f8e64bb28f384cfa0491297d0a524d3eb3
SHA256

b931edb967de6bef9fbd8095f8d14f07fcf61aa8234992fbd1162f5238eece21
SHA512

68445291ad3a2d39467c505dfbb65d06a0d5cdf6da7ed440b9b5263f0173ad030797f187627d9cb50a15787746dd7190288e463e1e00cf41d8e91e4549e4892c

Score

10^/10

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

3308 reg.exe

pid	process
3308	reg.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

b931edb967de6bef9fbd8095f8d14f07fcf61aa8234992fbd1162f5238eece21.execmd.exe

description	pid	process	target process
PID 1824 wrote to memory of 884	1824	b931edb967de6bef9fbd8095f8d14f07fcf61aa8234992fbd1162f5238eece21.exe	cmd.exe
PID 1824 wrote to memory of 884	1824	b931edb967de6bef9fbd8095f8d14f07fcf61aa8234992fbd1162f5238eece21.exe	cmd.exe
PID 1824 wrote to memory of 884	1824	b931edb967de6bef9fbd8095f8d14f07fcf61aa8234992fbd1162f5238eece21.exe	cmd.exe
PID 884 wrote to memory of 3308	884	cmd.exe	reg.exe
PID 884 wrote to memory of 3308	884	cmd.exe	reg.exe
PID 884 wrote to memory of 3308	884	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\b931edb967de6bef9fbd8095f8d14f07fcf61aa8234992fbd1162f5238eece21.exe
"C:\Users\Admin\AppData\Local\Temp\b931edb967de6bef9fbd8095f8d14f07fcf61aa8234992fbd1162f5238eece21.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1824

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c echo uNmYoWHHyAxswpC=2110 & reg add HKCU\SOFTWARE\AUzAefSwXJMOr /v HYYCFCRzHLpdjAm /t REG_DWORD /d 9932 & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:884

C:\Windows\SysWOW64\reg.exe
reg add HKCU\SOFTWARE\AUzAefSwXJMOr /v HYYCFCRzHLpdjAm /t REG_DWORD /d 9932
3⤵
- Modifies registry key
PID:3308

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

memory/884-130-0x0000000000000000-mapping.dmp

Download
memory/1824-132-0x0000000000710000-0x0000000000743000-memory.dmp

Filesize
204KB

Download
memory/1824-133-0x0000000000FB0000-0x0000000000FED000-memory.dmp

Filesize
244KB

Download
memory/1824-134-0x0000000000FB0000-0x0000000000FED000-memory.dmp

Filesize
244KB

Download
memory/3308-131-0x0000000000000000-mapping.dmp

Download