cobaltstrike | a1bc525f00e7884a003fb73b72939af5895aa48dc83270ea5eb8bbf53b0de44e

General

Target

a1bc525f00e7884a003fb73b72939af5895aa48dc83270ea5eb8bbf53b0de44e.exe
Size

325KB
MD5

079521dc3fdb077435b56aa494de8cea
SHA1

558ad08678c53a065445d46e25514cffc6198ae4
SHA256

a1bc525f00e7884a003fb73b72939af5895aa48dc83270ea5eb8bbf53b0de44e
SHA512

8f72880023260ee07ecc4488551e57a0271aac5ae261c525639ac19917e796b845f1938044beb88a2507b358ecd0fc3622a4de4680707554709b1ba452afbf17
SSDEEP

3072:cv5hm7VmBP7PtReQJUhMLgEE5RXE54RA1V5aSPne+W5:y5wAJyQJKMLgEX4q1V5a4ne+W5

Score

10^/10

cobaltstrike backdoor persistence trojan

Malware Config

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Executes dropped EXE 1 IoCs

pid	Process
1252	CacheMgr.exe

Loads dropped DLL 1 IoCs

pid	Process
1424	a1bc525f00e7884a003fb73b72939af5895aa48dc83270ea5eb8bbf53b0de44e.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run	a1bc525f00e7884a003fb73b72939af5895aa48dc83270ea5eb8bbf53b0de44e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\StubPath = "\"C:\\ProgramData\\CacheMgr.exe\" -as"	a1bc525f00e7884a003fb73b72939af5895aa48dc83270ea5eb8bbf53b0de44e.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1424 wrote to memory of 1052	1424	a1bc525f00e7884a003fb73b72939af5895aa48dc83270ea5eb8bbf53b0de44e.exe	26
PID 1424 wrote to memory of 1052	1424	a1bc525f00e7884a003fb73b72939af5895aa48dc83270ea5eb8bbf53b0de44e.exe	26
PID 1424 wrote to memory of 1052	1424	a1bc525f00e7884a003fb73b72939af5895aa48dc83270ea5eb8bbf53b0de44e.exe	26
PID 1424 wrote to memory of 1052	1424	a1bc525f00e7884a003fb73b72939af5895aa48dc83270ea5eb8bbf53b0de44e.exe	26
PID 1424 wrote to memory of 1252	1424	a1bc525f00e7884a003fb73b72939af5895aa48dc83270ea5eb8bbf53b0de44e.exe	28
PID 1424 wrote to memory of 1252	1424	a1bc525f00e7884a003fb73b72939af5895aa48dc83270ea5eb8bbf53b0de44e.exe	28
PID 1424 wrote to memory of 1252	1424	a1bc525f00e7884a003fb73b72939af5895aa48dc83270ea5eb8bbf53b0de44e.exe	28
PID 1424 wrote to memory of 1252	1424	a1bc525f00e7884a003fb73b72939af5895aa48dc83270ea5eb8bbf53b0de44e.exe	28

C:\Users\Admin\AppData\Local\Temp\a1bc525f00e7884a003fb73b72939af5895aa48dc83270ea5eb8bbf53b0de44e.exe
"C:\Users\Admin\AppData\Local\Temp\a1bc525f00e7884a003fb73b72939af5895aa48dc83270ea5eb8bbf53b0de44e.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1424
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\a1bc525f00e7884a003fb73b72939af5895aa48dc83270ea5eb8bbf53b0de44e.exe" "C:\ProgramData\CacheMgr.exe"
  2⤵
  PID:1052
- C:\ProgramData\CacheMgr.exe
  "C:\ProgramData\CacheMgr.exe" -as
  2⤵
  - Executes dropped EXE
  PID:1252

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\CacheMgr.exe

Filesize
325KB

MD5
079521dc3fdb077435b56aa494de8cea

SHA1
558ad08678c53a065445d46e25514cffc6198ae4

SHA256
a1bc525f00e7884a003fb73b72939af5895aa48dc83270ea5eb8bbf53b0de44e

SHA512
8f72880023260ee07ecc4488551e57a0271aac5ae261c525639ac19917e796b845f1938044beb88a2507b358ecd0fc3622a4de4680707554709b1ba452afbf17

Download Submit
C:\ProgramData\CacheMgr.exe

Filesize
325KB

MD5
079521dc3fdb077435b56aa494de8cea

SHA1
558ad08678c53a065445d46e25514cffc6198ae4

SHA256
a1bc525f00e7884a003fb73b72939af5895aa48dc83270ea5eb8bbf53b0de44e

SHA512
8f72880023260ee07ecc4488551e57a0271aac5ae261c525639ac19917e796b845f1938044beb88a2507b358ecd0fc3622a4de4680707554709b1ba452afbf17

Download Submit
\ProgramData\CacheMgr.exe

Filesize
325KB

MD5
079521dc3fdb077435b56aa494de8cea

SHA1
558ad08678c53a065445d46e25514cffc6198ae4

SHA256
a1bc525f00e7884a003fb73b72939af5895aa48dc83270ea5eb8bbf53b0de44e

SHA512
8f72880023260ee07ecc4488551e57a0271aac5ae261c525639ac19917e796b845f1938044beb88a2507b358ecd0fc3622a4de4680707554709b1ba452afbf17

Download Submit
memory/1252-69-0x0000000000020000-0x0000000000036000-memory.dmp

Filesize
88KB

Download
memory/1252-68-0x0000000000610000-0x0000000000710000-memory.dmp

Filesize
1024KB

Download
memory/1252-70-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1252-71-0x0000000000610000-0x0000000000710000-memory.dmp

Filesize
1024KB

Download
memory/1252-72-0x0000000000020000-0x0000000000036000-memory.dmp

Filesize
88KB

Download
memory/1424-58-0x0000000000020000-0x0000000000036000-memory.dmp

Filesize
88KB

Download
memory/1424-57-0x0000000000660000-0x0000000000760000-memory.dmp

Filesize
1024KB

Download
memory/1424-66-0x0000000000020000-0x0000000000036000-memory.dmp

Filesize
88KB

Download
memory/1424-64-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1424-56-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1424-55-0x0000000076151000-0x0000000076153000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing