cobaltstrike | 5ce6b3c1198cffce13064a60f9e2a9ff391d50462934312fb81b721be0633e09

Analysis

max time kernel
150s
max time network
175s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29-11-2022 22:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5ce6b3c1198cffce13064a60f9e2a9ff391d50462934312fb81b721be0633e09.exe
Size

115KB
MD5

b63c8475e11d103700fbe99c039631c4
SHA1

29fe04808da5222c07bcf3b0a942ae0cfff20ce7
SHA256

5ce6b3c1198cffce13064a60f9e2a9ff391d50462934312fb81b721be0633e09
SHA512

d6ca54a09efbe3a0b1e189e58ddb31cd1b1ca40cc59d40c49d2839d0f013a761799fc67d9107c9521b0e2c65dbb73dd1868241576a17b69d05cbe78f8db11cf4
SSDEEP

1536:1++fq6M5b9NqTxV67wAInyAeG+90MHJaOsp1gMIEELZ2G6CNgRtOOOOOOOOEQ6:1++VMoTxyi9e7O1IXLoSWRq

Score

10^/10

cobaltstrike backdoor persistence trojan

Malware Config

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Executes dropped EXE 1 IoCs

Processes:

CacheMgr.exe

pid process

4196 CacheMgr.exe

pid	process
4196	CacheMgr.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5ce6b3c1198cffce13064a60f9e2a9ff391d50462934312fb81b721be0633e09.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	5ce6b3c1198cffce13064a60f9e2a9ff391d50462934312fb81b721be0633e09.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StubPath = "\"C:\\Users\\Admin\\AppData\\Roaming\\CacheMgr.exe\" -as"	5ce6b3c1198cffce13064a60f9e2a9ff391d50462934312fb81b721be0633e09.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

5ce6b3c1198cffce13064a60f9e2a9ff391d50462934312fb81b721be0633e09.exe

description	pid	process	target process
PID 3868 wrote to memory of 1960	3868	5ce6b3c1198cffce13064a60f9e2a9ff391d50462934312fb81b721be0633e09.exe	cmd.exe
PID 3868 wrote to memory of 1960	3868	5ce6b3c1198cffce13064a60f9e2a9ff391d50462934312fb81b721be0633e09.exe	cmd.exe
PID 3868 wrote to memory of 1960	3868	5ce6b3c1198cffce13064a60f9e2a9ff391d50462934312fb81b721be0633e09.exe	cmd.exe
PID 3868 wrote to memory of 4196	3868	5ce6b3c1198cffce13064a60f9e2a9ff391d50462934312fb81b721be0633e09.exe	CacheMgr.exe
PID 3868 wrote to memory of 4196	3868	5ce6b3c1198cffce13064a60f9e2a9ff391d50462934312fb81b721be0633e09.exe	CacheMgr.exe
PID 3868 wrote to memory of 4196	3868	5ce6b3c1198cffce13064a60f9e2a9ff391d50462934312fb81b721be0633e09.exe	CacheMgr.exe

C:\Users\Admin\AppData\Local\Temp\5ce6b3c1198cffce13064a60f9e2a9ff391d50462934312fb81b721be0633e09.exe
"C:\Users\Admin\AppData\Local\Temp\5ce6b3c1198cffce13064a60f9e2a9ff391d50462934312fb81b721be0633e09.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3868

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\5ce6b3c1198cffce13064a60f9e2a9ff391d50462934312fb81b721be0633e09.exe" "C:\Users\Admin\AppData\Roaming\CacheMgr.exe"
2⤵
PID:1960

C:\Users\Admin\AppData\Roaming\CacheMgr.exe
"C:\Users\Admin\AppData\Roaming\CacheMgr.exe" -as
2⤵
- Executes dropped EXE
PID:4196

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\CacheMgr.exe
Filesize
115KB

MD5
b63c8475e11d103700fbe99c039631c4

SHA1
29fe04808da5222c07bcf3b0a942ae0cfff20ce7

SHA256
5ce6b3c1198cffce13064a60f9e2a9ff391d50462934312fb81b721be0633e09

SHA512
d6ca54a09efbe3a0b1e189e58ddb31cd1b1ca40cc59d40c49d2839d0f013a761799fc67d9107c9521b0e2c65dbb73dd1868241576a17b69d05cbe78f8db11cf4

Download Submit
C:\Users\Admin\AppData\Roaming\CacheMgr.exe
Filesize
115KB

MD5
b63c8475e11d103700fbe99c039631c4

SHA1
29fe04808da5222c07bcf3b0a942ae0cfff20ce7

SHA256
5ce6b3c1198cffce13064a60f9e2a9ff391d50462934312fb81b721be0633e09

SHA512
d6ca54a09efbe3a0b1e189e58ddb31cd1b1ca40cc59d40c49d2839d0f013a761799fc67d9107c9521b0e2c65dbb73dd1868241576a17b69d05cbe78f8db11cf4

Download Submit
memory/1960-133-0x0000000000000000-mapping.dmp

Download
memory/3868-136-0x0000000000480000-0x0000000000495000-memory.dmp

Filesize
84KB

Download
memory/3868-135-0x0000000000980000-0x0000000000A80000-memory.dmp

Filesize
1024KB

Download
memory/3868-134-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3868-141-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3868-142-0x0000000000480000-0x0000000000495000-memory.dmp

Filesize
84KB

Download
memory/4196-137-0x0000000000000000-mapping.dmp

Download
memory/4196-143-0x0000000000590000-0x00000000005A5000-memory.dmp

Filesize
84KB

Download
memory/4196-144-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4196-145-0x00000000008C0000-0x00000000009C0000-memory.dmp

Filesize
1024KB

Download
memory/4196-146-0x0000000000590000-0x00000000005A5000-memory.dmp

Filesize
84KB

Download
memory/4196-147-0x00000000008C0000-0x00000000009C0000-memory.dmp

Filesize
1024KB

Download