cobaltstrike | 8c3d6b00f5bbb2fad314b78fd437dd3427ed83a7cbdff6394f46d9b0e344266d

Analysis

max time kernel
170s
max time network
174s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25/11/2022, 21:40

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8c3d6b00f5bbb2fad314b78fd437dd3427ed83a7cbdff6394f46d9b0e344266d.exe
Size

215KB
MD5

c8db1b52e171aa0364bb82bd6977ab3d
SHA1

d439a2954b7961d88e57a09ed7a0f986b04d2107
SHA256

8c3d6b00f5bbb2fad314b78fd437dd3427ed83a7cbdff6394f46d9b0e344266d
SHA512

7311dc574195d52e6d1c686405744a08cd47917fc4fb5a2b163918af353966f68319453e5c341078cc68c830b6bd26534a2fa532a7c8729070538579a40c286c
SSDEEP

1536:uvIC6+gLE5QLPoSVyRy7QVgfSyrMSglKcN5RkysdxEJPk7hy97Y6UESbMonA+:lC/gLTTyRy7LfS2glhRXJehyBJUEoJA+

Score

10^/10

cobaltstrike backdoor persistence trojan

Malware Config

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Executes dropped EXE 1 IoCs

pid	Process
2196	CacheMgr.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	8c3d6b00f5bbb2fad314b78fd437dd3427ed83a7cbdff6394f46d9b0e344266d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StubPath = "\"C:\\Setup\\CacheMgr.exe\" -as"	8c3d6b00f5bbb2fad314b78fd437dd3427ed83a7cbdff6394f46d9b0e344266d.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4296 wrote to memory of 5088	4296	8c3d6b00f5bbb2fad314b78fd437dd3427ed83a7cbdff6394f46d9b0e344266d.exe	82
PID 4296 wrote to memory of 5088	4296	8c3d6b00f5bbb2fad314b78fd437dd3427ed83a7cbdff6394f46d9b0e344266d.exe	82
PID 4296 wrote to memory of 5088	4296	8c3d6b00f5bbb2fad314b78fd437dd3427ed83a7cbdff6394f46d9b0e344266d.exe	82
PID 4296 wrote to memory of 5000	4296	8c3d6b00f5bbb2fad314b78fd437dd3427ed83a7cbdff6394f46d9b0e344266d.exe	84
PID 4296 wrote to memory of 5000	4296	8c3d6b00f5bbb2fad314b78fd437dd3427ed83a7cbdff6394f46d9b0e344266d.exe	84
PID 4296 wrote to memory of 5000	4296	8c3d6b00f5bbb2fad314b78fd437dd3427ed83a7cbdff6394f46d9b0e344266d.exe	84
PID 4296 wrote to memory of 2196	4296	8c3d6b00f5bbb2fad314b78fd437dd3427ed83a7cbdff6394f46d9b0e344266d.exe	86
PID 4296 wrote to memory of 2196	4296	8c3d6b00f5bbb2fad314b78fd437dd3427ed83a7cbdff6394f46d9b0e344266d.exe	86
PID 4296 wrote to memory of 2196	4296	8c3d6b00f5bbb2fad314b78fd437dd3427ed83a7cbdff6394f46d9b0e344266d.exe	86

C:\Users\Admin\AppData\Local\Temp\8c3d6b00f5bbb2fad314b78fd437dd3427ed83a7cbdff6394f46d9b0e344266d.exe
"C:\Users\Admin\AppData\Local\Temp\8c3d6b00f5bbb2fad314b78fd437dd3427ed83a7cbdff6394f46d9b0e344266d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4296
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /q /c md "C:\Setup"
  2⤵
  PID:5088
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /q /c copy "C:\Users\Admin\AppData\Local\Temp\8c3d6b00f5bbb2fad314b78fd437dd3427ed83a7cbdff6394f46d9b0e344266d.exe" "C:\Setup\CacheMgr.exe"
  2⤵
  PID:5000
- C:\Setup\CacheMgr.exe
  "C:\Setup\CacheMgr.exe" -as
  2⤵
  - Executes dropped EXE
  PID:2196

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Setup\CacheMgr.exe

Filesize
215KB

MD5
c8db1b52e171aa0364bb82bd6977ab3d

SHA1
d439a2954b7961d88e57a09ed7a0f986b04d2107

SHA256
8c3d6b00f5bbb2fad314b78fd437dd3427ed83a7cbdff6394f46d9b0e344266d

SHA512
7311dc574195d52e6d1c686405744a08cd47917fc4fb5a2b163918af353966f68319453e5c341078cc68c830b6bd26534a2fa532a7c8729070538579a40c286c

Download Submit
C:\Setup\CacheMgr.exe

Filesize
215KB

MD5
c8db1b52e171aa0364bb82bd6977ab3d

SHA1
d439a2954b7961d88e57a09ed7a0f986b04d2107

SHA256
8c3d6b00f5bbb2fad314b78fd437dd3427ed83a7cbdff6394f46d9b0e344266d

SHA512
7311dc574195d52e6d1c686405744a08cd47917fc4fb5a2b163918af353966f68319453e5c341078cc68c830b6bd26534a2fa532a7c8729070538579a40c286c

Download Submit
memory/2196-140-0x00000000001D0000-0x00000000001E6000-memory.dmp

Filesize
88KB

Download
memory/2196-141-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2196-142-0x00000000001D0000-0x00000000001E6000-memory.dmp

Filesize
88KB

Download
memory/4296-132-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4296-138-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4296-139-0x00000000001D0000-0x00000000001E6000-memory.dmp

Filesize
88KB

Download