cobaltstrike | 2e72d1e69119c7e762f9809d3d1e6c3ad5e1266274d1cc9005942c1fb5871e48

General

Target

2e72d1e69119c7e762f9809d3d1e6c3ad5e1266274d1cc9005942c1fb5871e48.exe
Size

622KB
MD5

fcbe5dc9130908099b88a2f098c2063c
SHA1

d0d73c0ad73b36513874d2caa646de75d31b3564
SHA256

2e72d1e69119c7e762f9809d3d1e6c3ad5e1266274d1cc9005942c1fb5871e48
SHA512

2850b22081a11cde2b4a550a39c33438b0cdc8aa11d23b0c06b3bb718c65fdaa2ee27f1065f3684a13c30935882a4ccd96e30c615f9beab7cf27ad5584da170f
SSDEEP

12288:iMmloWGY0oMDjraKQ8LfSAV3uT/TnhbrVB9Qg695sIFFAR4fD9pER:iHF0oMDHaP8OAduT/T5rVGHsaAmf6

Score

10^/10

cobaltstrike backdoor trojan

Malware Config

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Modifies Internet Explorer settings 1 TTPs 32 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000043e2eb2e51ccf149ab640c8bdb0d790600000000020000000000106600000001000020000000b274ecd0654c595e8288f1ec1f909d79b7e0e4ef7b09519d2e96773b06385a06000000000e80000000020000200000000a599487418f0e072408c265023ece9570955d9eb0090aa9a31b94c6879f47ba200000008a41bfde7171d2eb9c0b408d0209ad4c7fd1bf3510752edd44029e35f0b2ee2940000000dbd02cae7908b87411fe3fda4357acf32672e465dde0b425af34ab86cc6ea8138b59673c7c7068dc8ea346cec97c269e06c329a45fe8616db57f74fb442234e7	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0195ebf8103d901	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000043e2eb2e51ccf149ab640c8bdb0d7906000000000200000000001066000000010000200000001315f0c6ab8f1954475abb5f6fda3db1f7c9dccba3814be141531eeb2177c570000000000e80000000020000200000009e7c2e65712bc112f0bd525c8ef1fef6cebc8e903b7d19b5de620743e5c5889b20000000fa998e2b9ec2100f269bb7ea719cb1217d420cc3f8f9033fde4506ad0f85bc0240000000c7c91228c5048c1d5c42222cd20e79eff543d3b097c513ae0bbf4fc24ad2c5b092c81d1313e05235a4db25951ec77775b57f638af4558eeb7d8977928ff3f69b	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0da43bf8103d901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{DD4D7F92-6F74-11ED-A0EE-C65219BF0A09} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{EA7635A0-6F74-11ED-A0EE-C65219BF0A09} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

2e72d1e69119c7e762f9809d3d1e6c3ad5e1266274d1cc9005942c1fb5871e48.exe

pid	process
4972	2e72d1e69119c7e762f9809d3d1e6c3ad5e1266274d1cc9005942c1fb5871e48.exe
4972	2e72d1e69119c7e762f9809d3d1e6c3ad5e1266274d1cc9005942c1fb5871e48.exe
4972	2e72d1e69119c7e762f9809d3d1e6c3ad5e1266274d1cc9005942c1fb5871e48.exe
4972	2e72d1e69119c7e762f9809d3d1e6c3ad5e1266274d1cc9005942c1fb5871e48.exe
4972	2e72d1e69119c7e762f9809d3d1e6c3ad5e1266274d1cc9005942c1fb5871e48.exe
4972	2e72d1e69119c7e762f9809d3d1e6c3ad5e1266274d1cc9005942c1fb5871e48.exe
4972	2e72d1e69119c7e762f9809d3d1e6c3ad5e1266274d1cc9005942c1fb5871e48.exe
4972	2e72d1e69119c7e762f9809d3d1e6c3ad5e1266274d1cc9005942c1fb5871e48.exe
4972	2e72d1e69119c7e762f9809d3d1e6c3ad5e1266274d1cc9005942c1fb5871e48.exe
4972	2e72d1e69119c7e762f9809d3d1e6c3ad5e1266274d1cc9005942c1fb5871e48.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exeiexplore.exe

pid process

1180 iexplore.exe
4264 iexplore.exe
Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

iexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXE

pid process

1180 iexplore.exe
1180 iexplore.exe
4916 IEXPLORE.EXE
4916 IEXPLORE.EXE
4264 iexplore.exe
4264 iexplore.exe
4560 IEXPLORE.EXE
4560 IEXPLORE.EXE

pid	process
1180	iexplore.exe
4264	iexplore.exe

pid	process
1180	iexplore.exe
1180	iexplore.exe
4916	IEXPLORE.EXE
4916	IEXPLORE.EXE
4264	iexplore.exe
4264	iexplore.exe
4560	IEXPLORE.EXE
4560	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

iexplore.exeiexplore.exe

description	pid	process	target process
PID 1180 wrote to memory of 4916	1180	iexplore.exe	IEXPLORE.EXE
PID 1180 wrote to memory of 4916	1180	iexplore.exe	IEXPLORE.EXE
PID 1180 wrote to memory of 4916	1180	iexplore.exe	IEXPLORE.EXE
PID 4264 wrote to memory of 4560	4264	iexplore.exe	IEXPLORE.EXE
PID 4264 wrote to memory of 4560	4264	iexplore.exe	IEXPLORE.EXE
PID 4264 wrote to memory of 4560	4264	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\2e72d1e69119c7e762f9809d3d1e6c3ad5e1266274d1cc9005942c1fb5871e48.exe
"C:\Users\Admin\AppData\Local\Temp\2e72d1e69119c7e762f9809d3d1e6c3ad5e1266274d1cc9005942c1fb5871e48.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4972

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
PID:4420

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1180

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1180 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4916

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4264

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4264 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4560

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{DD4D7F92-6F74-11ED-A0EE-C65219BF0A09}.dat
Filesize
5KB

MD5
6aff790c65679a032c595805f27dbc9f

SHA1
6f734bf919cf653d5d07042f49374cb79f38ee6b

SHA256
4bc9f0b3ff2f2749bcda847b116be00d3ace0e71277fd7073cd0b0a8a866ee65

SHA512
bf3699023a8193d74ccc2797fb9b77c420b3bc47f94a6e17363521097a34f6144135b7e1c0a784bb37917a33fde9db9d1972288e06c37f8e7a6b9cd735cdf80b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{DD4D7F94-6F74-11ED-A0EE-C65219BF0A09}.dat
Filesize
4KB

MD5
6cf7140b92e36187a4ae18a5480c519d

SHA1
109d97b2d79c50dee3f0cd740daa1c0b5f32f7b6

SHA256
40ae7fca02da14e7c2673ac80a63b1965cd3086381f7d521bc57261bf0ce1801

SHA512
fa3f00d4b06b965b70b1d3c2603e35e0a36c2eeb1b519aeff84fe68cb8753bb857bea072dbd5eb7c4aa925e1d686be450b0f1a0dfb76c1b47e1b6236a5f593b4

Download Submit
memory/4972-132-0x0000000002620000-0x0000000002647000-memory.dmp

Filesize
156KB

Download
memory/4972-133-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/4972-135-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/4972-136-0x0000000002620000-0x0000000002647000-memory.dmp

Filesize
156KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads