cobaltstrike | a75dd473dd226db1dca1b97f814aa1085936fb33ccc983fe359cc645a1ccf559

General

Target

a75dd473dd226db1dca1b97f814aa1085936fb33ccc983fe359cc645a1ccf559.exe
Size

307KB
MD5

72d1a9a47b4d88869387dadf34a56b7f
SHA1

61eb36e4c7bb300ccb044003bb66244548393d96
SHA256

a75dd473dd226db1dca1b97f814aa1085936fb33ccc983fe359cc645a1ccf559
SHA512

c47521211fd560478708b4790094608823eaac18e2185a6fd2745dc18000ba0381052c364de32785584f995ee328d1d31c79997daf4c7a93cf19a9f56e333c6c
SSDEEP

6144:K0vzyT72Y0SPzinYKTY1SQshfRPVQe1MZkIYSccr7wbstO7PECYeixlYGicZ:K0bW7SSWYsY1UMqMZJYSN7wbstO78fvP

Score

10^/10

cobaltstrike backdoor persistence trojan

Malware Config

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Executes dropped EXE 1 IoCs

Processes:

uvpu.exe

pid process

944 uvpu.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1704 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

a75dd473dd226db1dca1b97f814aa1085936fb33ccc983fe359cc645a1ccf559.exe

pid process

1520 a75dd473dd226db1dca1b97f814aa1085936fb33ccc983fe359cc645a1ccf559.exe

pid	process
1704	cmd.exe

pid	process
1520	a75dd473dd226db1dca1b97f814aa1085936fb33ccc983fe359cc645a1ccf559.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

uvpu.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\Currentversion\Run	uvpu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\{7B4F18C8-4FEF-AD4D-3A07-B8B71A0C9BAA} = "C:\\Users\\Admin\\AppData\\Roaming\\Miviz\\uvpu.exe"	uvpu.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

a75dd473dd226db1dca1b97f814aa1085936fb33ccc983fe359cc645a1ccf559.exe

description	pid	process	target process
PID 1520 set thread context of 1704	1520	a75dd473dd226db1dca1b97f814aa1085936fb33ccc983fe359cc645a1ccf559.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

a75dd473dd226db1dca1b97f814aa1085936fb33ccc983fe359cc645a1ccf559.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Privacy	a75dd473dd226db1dca1b97f814aa1085936fb33ccc983fe359cc645a1ccf559.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	a75dd473dd226db1dca1b97f814aa1085936fb33ccc983fe359cc645a1ccf559.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

uvpu.exe

pid	process
944	uvpu.exe
944	uvpu.exe
944	uvpu.exe
944	uvpu.exe
944	uvpu.exe
944	uvpu.exe
944	uvpu.exe
944	uvpu.exe
944	uvpu.exe
944	uvpu.exe
944	uvpu.exe
944	uvpu.exe
944	uvpu.exe
944	uvpu.exe
944	uvpu.exe
944	uvpu.exe
944	uvpu.exe
944	uvpu.exe
944	uvpu.exe
944	uvpu.exe
944	uvpu.exe
944	uvpu.exe
944	uvpu.exe
944	uvpu.exe
944	uvpu.exe
944	uvpu.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

a75dd473dd226db1dca1b97f814aa1085936fb33ccc983fe359cc645a1ccf559.exeuvpu.exe

description	pid	process	target process
PID 1520 wrote to memory of 944	1520	a75dd473dd226db1dca1b97f814aa1085936fb33ccc983fe359cc645a1ccf559.exe	uvpu.exe
PID 1520 wrote to memory of 944	1520	a75dd473dd226db1dca1b97f814aa1085936fb33ccc983fe359cc645a1ccf559.exe	uvpu.exe
PID 1520 wrote to memory of 944	1520	a75dd473dd226db1dca1b97f814aa1085936fb33ccc983fe359cc645a1ccf559.exe	uvpu.exe
PID 1520 wrote to memory of 944	1520	a75dd473dd226db1dca1b97f814aa1085936fb33ccc983fe359cc645a1ccf559.exe	uvpu.exe
PID 944 wrote to memory of 1260	944	uvpu.exe	taskhost.exe
PID 944 wrote to memory of 1260	944	uvpu.exe	taskhost.exe
PID 944 wrote to memory of 1260	944	uvpu.exe	taskhost.exe
PID 944 wrote to memory of 1260	944	uvpu.exe	taskhost.exe
PID 944 wrote to memory of 1260	944	uvpu.exe	taskhost.exe
PID 944 wrote to memory of 1336	944	uvpu.exe	Dwm.exe
PID 944 wrote to memory of 1336	944	uvpu.exe	Dwm.exe
PID 944 wrote to memory of 1336	944	uvpu.exe	Dwm.exe
PID 944 wrote to memory of 1336	944	uvpu.exe	Dwm.exe
PID 944 wrote to memory of 1336	944	uvpu.exe	Dwm.exe
PID 944 wrote to memory of 1412	944	uvpu.exe	Explorer.EXE
PID 944 wrote to memory of 1412	944	uvpu.exe	Explorer.EXE
PID 944 wrote to memory of 1412	944	uvpu.exe	Explorer.EXE
PID 944 wrote to memory of 1412	944	uvpu.exe	Explorer.EXE
PID 944 wrote to memory of 1412	944	uvpu.exe	Explorer.EXE
PID 944 wrote to memory of 1520	944	uvpu.exe	a75dd473dd226db1dca1b97f814aa1085936fb33ccc983fe359cc645a1ccf559.exe
PID 944 wrote to memory of 1520	944	uvpu.exe	a75dd473dd226db1dca1b97f814aa1085936fb33ccc983fe359cc645a1ccf559.exe
PID 944 wrote to memory of 1520	944	uvpu.exe	a75dd473dd226db1dca1b97f814aa1085936fb33ccc983fe359cc645a1ccf559.exe
PID 944 wrote to memory of 1520	944	uvpu.exe	a75dd473dd226db1dca1b97f814aa1085936fb33ccc983fe359cc645a1ccf559.exe
PID 944 wrote to memory of 1520	944	uvpu.exe	a75dd473dd226db1dca1b97f814aa1085936fb33ccc983fe359cc645a1ccf559.exe
PID 1520 wrote to memory of 1704	1520	a75dd473dd226db1dca1b97f814aa1085936fb33ccc983fe359cc645a1ccf559.exe	cmd.exe
PID 1520 wrote to memory of 1704	1520	a75dd473dd226db1dca1b97f814aa1085936fb33ccc983fe359cc645a1ccf559.exe	cmd.exe
PID 1520 wrote to memory of 1704	1520	a75dd473dd226db1dca1b97f814aa1085936fb33ccc983fe359cc645a1ccf559.exe	cmd.exe
PID 1520 wrote to memory of 1704	1520	a75dd473dd226db1dca1b97f814aa1085936fb33ccc983fe359cc645a1ccf559.exe	cmd.exe
PID 1520 wrote to memory of 1704	1520	a75dd473dd226db1dca1b97f814aa1085936fb33ccc983fe359cc645a1ccf559.exe	cmd.exe
PID 1520 wrote to memory of 1704	1520	a75dd473dd226db1dca1b97f814aa1085936fb33ccc983fe359cc645a1ccf559.exe	cmd.exe
PID 1520 wrote to memory of 1704	1520	a75dd473dd226db1dca1b97f814aa1085936fb33ccc983fe359cc645a1ccf559.exe	cmd.exe
PID 1520 wrote to memory of 1704	1520	a75dd473dd226db1dca1b97f814aa1085936fb33ccc983fe359cc645a1ccf559.exe	cmd.exe
PID 1520 wrote to memory of 1704	1520	a75dd473dd226db1dca1b97f814aa1085936fb33ccc983fe359cc645a1ccf559.exe	cmd.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1260

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1412

C:\Users\Admin\AppData\Local\Temp\a75dd473dd226db1dca1b97f814aa1085936fb33ccc983fe359cc645a1ccf559.exe
"C:\Users\Admin\AppData\Local\Temp\a75dd473dd226db1dca1b97f814aa1085936fb33ccc983fe359cc645a1ccf559.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1520

C:\Users\Admin\AppData\Roaming\Miviz\uvpu.exe
"C:\Users\Admin\AppData\Roaming\Miviz\uvpu.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:944

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpa6b4ac22.bat"
3⤵
- Deletes itself
PID:1704

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1336

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpa6b4ac22.bat
Filesize
307B

MD5
9c7239f55c8effb40723eb2062799578

SHA1
d8993284ea4657c1a145a5482684874713413862

SHA256
6b82c8acf89ff34ce51ea9bb38e8be07c65b022a3c3b5de46705861dd9e3214e

SHA512
cce226fcf157f7b40073f5690ee06de7dc193ce62c80ae95b47e55a8d3d41602b4aa743a4917e9a0450d5a24cb43c11793f944f0e0d5ee86ba5962eef001a9e9

Download Submit
C:\Users\Admin\AppData\Roaming\Miviz\uvpu.exe
Filesize
307KB

MD5
6d3fe38971edc88041a8f99094d7dabd

SHA1
ccbd6b34c25055d924cde9624f0633a8b0cb3d3b

SHA256
fcf338364a9be5256b50ab9145cd5a4a30eb96f09132c4eb5fb87122124d15e4

SHA512
a7ea697d401a165f95610f55fd990684c2770e00a2fc4b9d5a32c9fa458a8cb9473ac410cc3efb7bd0016ee3c1162d941d8029ce3957b0904d7f256fa01286ef

Download Submit
C:\Users\Admin\AppData\Roaming\Miviz\uvpu.exe
Filesize
307KB

MD5
6d3fe38971edc88041a8f99094d7dabd

SHA1
ccbd6b34c25055d924cde9624f0633a8b0cb3d3b

SHA256
fcf338364a9be5256b50ab9145cd5a4a30eb96f09132c4eb5fb87122124d15e4

SHA512
a7ea697d401a165f95610f55fd990684c2770e00a2fc4b9d5a32c9fa458a8cb9473ac410cc3efb7bd0016ee3c1162d941d8029ce3957b0904d7f256fa01286ef

Download Submit
\Users\Admin\AppData\Roaming\Miviz\uvpu.exe
Filesize
307KB

MD5
6d3fe38971edc88041a8f99094d7dabd

SHA1
ccbd6b34c25055d924cde9624f0633a8b0cb3d3b

SHA256
fcf338364a9be5256b50ab9145cd5a4a30eb96f09132c4eb5fb87122124d15e4

SHA512
a7ea697d401a165f95610f55fd990684c2770e00a2fc4b9d5a32c9fa458a8cb9473ac410cc3efb7bd0016ee3c1162d941d8029ce3957b0904d7f256fa01286ef

Download Submit
memory/944-63-0x00000000009B0000-0x0000000000A00000-memory.dmp

Filesize
320KB

Download
memory/944-106-0x00000000009B0000-0x0000000000A00000-memory.dmp

Filesize
320KB

Download
memory/944-105-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/944-104-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/944-59-0x0000000000000000-mapping.dmp

Download
memory/1260-68-0x0000000001DF0000-0x0000000001E34000-memory.dmp

Filesize
272KB

Download
memory/1260-66-0x0000000001DF0000-0x0000000001E34000-memory.dmp

Filesize
272KB

Download
memory/1260-69-0x0000000001DF0000-0x0000000001E34000-memory.dmp

Filesize
272KB

Download
memory/1260-70-0x0000000001DF0000-0x0000000001E34000-memory.dmp

Filesize
272KB

Download
memory/1260-71-0x0000000001DF0000-0x0000000001E34000-memory.dmp

Filesize
272KB

Download
memory/1336-77-0x00000000019C0000-0x0000000001A04000-memory.dmp

Filesize
272KB

Download
memory/1336-76-0x00000000019C0000-0x0000000001A04000-memory.dmp

Filesize
272KB

Download
memory/1336-74-0x00000000019C0000-0x0000000001A04000-memory.dmp

Filesize
272KB

Download
memory/1336-75-0x00000000019C0000-0x0000000001A04000-memory.dmp

Filesize
272KB

Download
memory/1412-80-0x0000000002660000-0x00000000026A4000-memory.dmp

Filesize
272KB

Download
memory/1412-82-0x0000000002660000-0x00000000026A4000-memory.dmp

Filesize
272KB

Download
memory/1412-83-0x0000000002660000-0x00000000026A4000-memory.dmp

Filesize
272KB

Download
memory/1412-81-0x0000000002660000-0x00000000026A4000-memory.dmp

Filesize
272KB

Download
memory/1520-99-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1520-100-0x00000000002E0000-0x0000000000324000-memory.dmp

Filesize
272KB

Download
memory/1520-86-0x00000000002E0000-0x0000000000324000-memory.dmp

Filesize
272KB

Download
memory/1520-87-0x00000000002E0000-0x0000000000324000-memory.dmp

Filesize
272KB

Download
memory/1520-88-0x00000000002E0000-0x0000000000324000-memory.dmp

Filesize
272KB

Download
memory/1520-89-0x00000000002E0000-0x0000000000324000-memory.dmp

Filesize
272KB

Download
memory/1520-55-0x0000000075ED1000-0x0000000075ED3000-memory.dmp

Filesize
8KB

Download
memory/1520-57-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1520-56-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1520-61-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1520-54-0x0000000001090000-0x00000000010E0000-memory.dmp

Filesize
320KB

Download
memory/1520-98-0x0000000001090000-0x00000000010E0000-memory.dmp

Filesize
320KB

Download
memory/1520-62-0x00000000002E0000-0x0000000000330000-memory.dmp

Filesize
320KB

Download
memory/1704-97-0x00000000000E71E6-mapping.dmp

Download
memory/1704-95-0x00000000000D0000-0x0000000000114000-memory.dmp

Filesize
272KB

Download
memory/1704-103-0x00000000000D0000-0x0000000000114000-memory.dmp

Filesize
272KB

Download
memory/1704-96-0x00000000000D0000-0x0000000000114000-memory.dmp

Filesize
272KB

Download
memory/1704-94-0x00000000000D0000-0x0000000000114000-memory.dmp

Filesize
272KB

Download
memory/1704-92-0x00000000000D0000-0x0000000000114000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads