cobaltstrike | c3881e0343e920ec7f8eeb86edaace066d20491353e55d77ea35dec327d54ec2

General

Target

c3881e0343e920ec7f8eeb86edaace066d20491353e55d77ea35dec327d54ec2.exe
Size

207KB
MD5

ce1b9487d9979fa105a6e89e9e367ec1
SHA1

35b44e1870f22e30732592551281b895495d0f40
SHA256

c3881e0343e920ec7f8eeb86edaace066d20491353e55d77ea35dec327d54ec2
SHA512

f78b4817669a6565b8056598693ec2b32535b0ac8423415bb259e43e6c44de6c76b0bb2d0cd2f498a5efae1c09a82e7516d9c1fe9cadc9c4f9e065c38778195e
SSDEEP

3072:DI/gLTIYyRy7LfS2glhRXJehyBJUEoJAcdehEFYw8o:UYLTI+Pi9JehNAcxso

Score

10^/10

cobaltstrike backdoor persistence trojan

Malware Config

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Executes dropped EXE 1 IoCs

Processes:

CacheMgr.exe

pid process

1608 CacheMgr.exe
Loads dropped DLL 1 IoCs

Processes:

c3881e0343e920ec7f8eeb86edaace066d20491353e55d77ea35dec327d54ec2.exe

pid process

1036 c3881e0343e920ec7f8eeb86edaace066d20491353e55d77ea35dec327d54ec2.exe

pid	process
1608	CacheMgr.exe

pid	process
1036	c3881e0343e920ec7f8eeb86edaace066d20491353e55d77ea35dec327d54ec2.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

c3881e0343e920ec7f8eeb86edaace066d20491353e55d77ea35dec327d54ec2.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	c3881e0343e920ec7f8eeb86edaace066d20491353e55d77ea35dec327d54ec2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\StubPath = "\"C:\\Setup\\CacheMgr.exe\" -as"	c3881e0343e920ec7f8eeb86edaace066d20491353e55d77ea35dec327d54ec2.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

c3881e0343e920ec7f8eeb86edaace066d20491353e55d77ea35dec327d54ec2.exe

description	pid	process	target process
PID 1036 wrote to memory of 968	1036	c3881e0343e920ec7f8eeb86edaace066d20491353e55d77ea35dec327d54ec2.exe	cmd.exe
PID 1036 wrote to memory of 968	1036	c3881e0343e920ec7f8eeb86edaace066d20491353e55d77ea35dec327d54ec2.exe	cmd.exe
PID 1036 wrote to memory of 968	1036	c3881e0343e920ec7f8eeb86edaace066d20491353e55d77ea35dec327d54ec2.exe	cmd.exe
PID 1036 wrote to memory of 968	1036	c3881e0343e920ec7f8eeb86edaace066d20491353e55d77ea35dec327d54ec2.exe	cmd.exe
PID 1036 wrote to memory of 892	1036	c3881e0343e920ec7f8eeb86edaace066d20491353e55d77ea35dec327d54ec2.exe	cmd.exe
PID 1036 wrote to memory of 892	1036	c3881e0343e920ec7f8eeb86edaace066d20491353e55d77ea35dec327d54ec2.exe	cmd.exe
PID 1036 wrote to memory of 892	1036	c3881e0343e920ec7f8eeb86edaace066d20491353e55d77ea35dec327d54ec2.exe	cmd.exe
PID 1036 wrote to memory of 892	1036	c3881e0343e920ec7f8eeb86edaace066d20491353e55d77ea35dec327d54ec2.exe	cmd.exe
PID 1036 wrote to memory of 1608	1036	c3881e0343e920ec7f8eeb86edaace066d20491353e55d77ea35dec327d54ec2.exe	CacheMgr.exe
PID 1036 wrote to memory of 1608	1036	c3881e0343e920ec7f8eeb86edaace066d20491353e55d77ea35dec327d54ec2.exe	CacheMgr.exe
PID 1036 wrote to memory of 1608	1036	c3881e0343e920ec7f8eeb86edaace066d20491353e55d77ea35dec327d54ec2.exe	CacheMgr.exe
PID 1036 wrote to memory of 1608	1036	c3881e0343e920ec7f8eeb86edaace066d20491353e55d77ea35dec327d54ec2.exe	CacheMgr.exe

C:\Users\Admin\AppData\Local\Temp\c3881e0343e920ec7f8eeb86edaace066d20491353e55d77ea35dec327d54ec2.exe
"C:\Users\Admin\AppData\Local\Temp\c3881e0343e920ec7f8eeb86edaace066d20491353e55d77ea35dec327d54ec2.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1036

C:\Windows\SysWOW64\cmd.exe
cmd.exe /q /c md "C:\Setup"
2⤵
PID:968

C:\Windows\SysWOW64\cmd.exe
cmd.exe /q /c copy "C:\Users\Admin\AppData\Local\Temp\c3881e0343e920ec7f8eeb86edaace066d20491353e55d77ea35dec327d54ec2.exe" "C:\Setup\CacheMgr.exe"
2⤵
PID:892

C:\Setup\CacheMgr.exe
"C:\Setup\CacheMgr.exe" -as
2⤵
- Executes dropped EXE
PID:1608

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Setup\CacheMgr.exe
Filesize
207KB

MD5
ce1b9487d9979fa105a6e89e9e367ec1

SHA1
35b44e1870f22e30732592551281b895495d0f40

SHA256
c3881e0343e920ec7f8eeb86edaace066d20491353e55d77ea35dec327d54ec2

SHA512
f78b4817669a6565b8056598693ec2b32535b0ac8423415bb259e43e6c44de6c76b0bb2d0cd2f498a5efae1c09a82e7516d9c1fe9cadc9c4f9e065c38778195e

Download Submit
C:\Setup\CacheMgr.exe
Filesize
207KB

MD5
ce1b9487d9979fa105a6e89e9e367ec1

SHA1
35b44e1870f22e30732592551281b895495d0f40

SHA256
c3881e0343e920ec7f8eeb86edaace066d20491353e55d77ea35dec327d54ec2

SHA512
f78b4817669a6565b8056598693ec2b32535b0ac8423415bb259e43e6c44de6c76b0bb2d0cd2f498a5efae1c09a82e7516d9c1fe9cadc9c4f9e065c38778195e

Download Submit
\Setup\CacheMgr.exe
Filesize
207KB

MD5
ce1b9487d9979fa105a6e89e9e367ec1

SHA1
35b44e1870f22e30732592551281b895495d0f40

SHA256
c3881e0343e920ec7f8eeb86edaace066d20491353e55d77ea35dec327d54ec2

SHA512
f78b4817669a6565b8056598693ec2b32535b0ac8423415bb259e43e6c44de6c76b0bb2d0cd2f498a5efae1c09a82e7516d9c1fe9cadc9c4f9e065c38778195e

Download Submit
memory/892-56-0x0000000000000000-mapping.dmp

Download
memory/968-55-0x0000000000000000-mapping.dmp

Download
memory/1036-54-0x0000000075BB1000-0x0000000075BB3000-memory.dmp

Filesize
8KB

Download
memory/1036-62-0x0000000000020000-0x0000000000036000-memory.dmp

Filesize
88KB

Download
memory/1036-60-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1608-59-0x0000000000000000-mapping.dmp

Download
memory/1608-64-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1608-65-0x0000000000020000-0x0000000000036000-memory.dmp

Filesize
88KB

Download
memory/1608-66-0x0000000000020000-0x0000000000036000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing