cobaltstrike | a62fa1e40096a202f5b2c0413d9039001269a00f6f66b81ccfaec7926667bda3

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29-11-2022 03:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a62fa1e40096a202f5b2c0413d9039001269a00f6f66b81ccfaec7926667bda3.exe
Size

307KB
MD5

e38ad6ff85b84bcbe2985145adcd588d
SHA1

834d822a79e7403fed613506c73f8537760ab6d5
SHA256

a62fa1e40096a202f5b2c0413d9039001269a00f6f66b81ccfaec7926667bda3
SHA512

57bf6d672f2bbdb334b9102b5203c847f7f0be823d7c7c711f37100e1b0d0219baca028afec1a429aa7e01fa3de9feb593befd41e08a5fa54ef18d76320a45a9
SSDEEP

6144:mTfzqT72Y0SEuzinYKTY1SQshfRPVQe1MZkIYSccr7wbstOHPECYeixlYGicc:mTre7SSE5YsY1UMqMZJYSN7wbstOH8f+

Score

10^/10

cobaltstrike backdoor persistence trojan

Malware Config

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Executes dropped EXE 1 IoCs

Processes:

tyjy.exe

pid process

2036 tyjy.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1316 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

a62fa1e40096a202f5b2c0413d9039001269a00f6f66b81ccfaec7926667bda3.exe

pid process

1756 a62fa1e40096a202f5b2c0413d9039001269a00f6f66b81ccfaec7926667bda3.exe

pid	process
1316	cmd.exe

pid	process
1756	a62fa1e40096a202f5b2c0413d9039001269a00f6f66b81ccfaec7926667bda3.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tyjy.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\Currentversion\Run	tyjy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\{7BD94DA8-4FEF-AD4D-5225-887A4931AB67} = "C:\\Users\\Admin\\AppData\\Roaming\\Uzut\\tyjy.exe"	tyjy.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

a62fa1e40096a202f5b2c0413d9039001269a00f6f66b81ccfaec7926667bda3.exe

description	pid	process	target process
PID 1756 set thread context of 1316	1756	a62fa1e40096a202f5b2c0413d9039001269a00f6f66b81ccfaec7926667bda3.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

a62fa1e40096a202f5b2c0413d9039001269a00f6f66b81ccfaec7926667bda3.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	a62fa1e40096a202f5b2c0413d9039001269a00f6f66b81ccfaec7926667bda3.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Privacy	a62fa1e40096a202f5b2c0413d9039001269a00f6f66b81ccfaec7926667bda3.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

tyjy.exe

pid	process
2036	tyjy.exe
2036	tyjy.exe
2036	tyjy.exe
2036	tyjy.exe
2036	tyjy.exe
2036	tyjy.exe
2036	tyjy.exe
2036	tyjy.exe
2036	tyjy.exe
2036	tyjy.exe
2036	tyjy.exe
2036	tyjy.exe
2036	tyjy.exe
2036	tyjy.exe
2036	tyjy.exe
2036	tyjy.exe
2036	tyjy.exe
2036	tyjy.exe
2036	tyjy.exe
2036	tyjy.exe
2036	tyjy.exe
2036	tyjy.exe
2036	tyjy.exe
2036	tyjy.exe
2036	tyjy.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

a62fa1e40096a202f5b2c0413d9039001269a00f6f66b81ccfaec7926667bda3.exetyjy.exe

description	pid	process	target process
PID 1756 wrote to memory of 2036	1756	a62fa1e40096a202f5b2c0413d9039001269a00f6f66b81ccfaec7926667bda3.exe	tyjy.exe
PID 1756 wrote to memory of 2036	1756	a62fa1e40096a202f5b2c0413d9039001269a00f6f66b81ccfaec7926667bda3.exe	tyjy.exe
PID 1756 wrote to memory of 2036	1756	a62fa1e40096a202f5b2c0413d9039001269a00f6f66b81ccfaec7926667bda3.exe	tyjy.exe
PID 1756 wrote to memory of 2036	1756	a62fa1e40096a202f5b2c0413d9039001269a00f6f66b81ccfaec7926667bda3.exe	tyjy.exe
PID 2036 wrote to memory of 1224	2036	tyjy.exe	taskhost.exe
PID 2036 wrote to memory of 1224	2036	tyjy.exe	taskhost.exe
PID 2036 wrote to memory of 1224	2036	tyjy.exe	taskhost.exe
PID 2036 wrote to memory of 1224	2036	tyjy.exe	taskhost.exe
PID 2036 wrote to memory of 1224	2036	tyjy.exe	taskhost.exe
PID 2036 wrote to memory of 1340	2036	tyjy.exe	Dwm.exe
PID 2036 wrote to memory of 1340	2036	tyjy.exe	Dwm.exe
PID 2036 wrote to memory of 1340	2036	tyjy.exe	Dwm.exe
PID 2036 wrote to memory of 1340	2036	tyjy.exe	Dwm.exe
PID 2036 wrote to memory of 1340	2036	tyjy.exe	Dwm.exe
PID 2036 wrote to memory of 1396	2036	tyjy.exe	Explorer.EXE
PID 2036 wrote to memory of 1396	2036	tyjy.exe	Explorer.EXE
PID 2036 wrote to memory of 1396	2036	tyjy.exe	Explorer.EXE
PID 2036 wrote to memory of 1396	2036	tyjy.exe	Explorer.EXE
PID 2036 wrote to memory of 1396	2036	tyjy.exe	Explorer.EXE
PID 2036 wrote to memory of 1756	2036	tyjy.exe	a62fa1e40096a202f5b2c0413d9039001269a00f6f66b81ccfaec7926667bda3.exe
PID 2036 wrote to memory of 1756	2036	tyjy.exe	a62fa1e40096a202f5b2c0413d9039001269a00f6f66b81ccfaec7926667bda3.exe
PID 2036 wrote to memory of 1756	2036	tyjy.exe	a62fa1e40096a202f5b2c0413d9039001269a00f6f66b81ccfaec7926667bda3.exe
PID 2036 wrote to memory of 1756	2036	tyjy.exe	a62fa1e40096a202f5b2c0413d9039001269a00f6f66b81ccfaec7926667bda3.exe
PID 2036 wrote to memory of 1756	2036	tyjy.exe	a62fa1e40096a202f5b2c0413d9039001269a00f6f66b81ccfaec7926667bda3.exe
PID 1756 wrote to memory of 1316	1756	a62fa1e40096a202f5b2c0413d9039001269a00f6f66b81ccfaec7926667bda3.exe	cmd.exe
PID 1756 wrote to memory of 1316	1756	a62fa1e40096a202f5b2c0413d9039001269a00f6f66b81ccfaec7926667bda3.exe	cmd.exe
PID 1756 wrote to memory of 1316	1756	a62fa1e40096a202f5b2c0413d9039001269a00f6f66b81ccfaec7926667bda3.exe	cmd.exe
PID 1756 wrote to memory of 1316	1756	a62fa1e40096a202f5b2c0413d9039001269a00f6f66b81ccfaec7926667bda3.exe	cmd.exe
PID 1756 wrote to memory of 1316	1756	a62fa1e40096a202f5b2c0413d9039001269a00f6f66b81ccfaec7926667bda3.exe	cmd.exe
PID 1756 wrote to memory of 1316	1756	a62fa1e40096a202f5b2c0413d9039001269a00f6f66b81ccfaec7926667bda3.exe	cmd.exe
PID 1756 wrote to memory of 1316	1756	a62fa1e40096a202f5b2c0413d9039001269a00f6f66b81ccfaec7926667bda3.exe	cmd.exe
PID 1756 wrote to memory of 1316	1756	a62fa1e40096a202f5b2c0413d9039001269a00f6f66b81ccfaec7926667bda3.exe	cmd.exe
PID 1756 wrote to memory of 1316	1756	a62fa1e40096a202f5b2c0413d9039001269a00f6f66b81ccfaec7926667bda3.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1396
- C:\Users\Admin\AppData\Local\Temp\a62fa1e40096a202f5b2c0413d9039001269a00f6f66b81ccfaec7926667bda3.exe
  "C:\Users\Admin\AppData\Local\Temp\a62fa1e40096a202f5b2c0413d9039001269a00f6f66b81ccfaec7926667bda3.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory
  PID:1756
- - C:\Users\Admin\AppData\Roaming\Uzut\tyjy.exe
    "C:\Users\Admin\AppData\Roaming\Uzut\tyjy.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2036
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp03a4bc6c.bat"
    3⤵
    - Deletes itself
    PID:1316

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1340

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1224

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\odci.bei

Filesize
466B

MD5
0a9cd4a017eec3ac955ae0c872308bf6

SHA1
6e036760bf0a86bb944ab0e09c708c94494d2bb0

SHA256
246bf2f74a63e5978662467489a3702ac19b3c2231825a6564750721a3811205

SHA512
2e00b8f47493065c661de62aaf9535749c34d6ba7e63a4131e5a77c94cfe06673246b6d0932d91b83df34f3be6bb7cc39d392f9a0d3734ee30c03babdaf62c65

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp03a4bc6c.bat

Filesize
307B

MD5
f6ed0d9eeb9cec0b2fd44075bb3a7f0c

SHA1
b3b85dcefa1073d4b9a7571b86d352624a2a6091

SHA256
c993ec457b04eead39cd1c800eb8f71b122bc04d36680eb0aa1d5e21a10300fe

SHA512
f975c2becd724bbbe45928c5b522327d470888db675402cf72a85aa7097ba94435c65f0fced566746b08d864b7e51a3b62d22fb98ef812c592ec52630a322d0a

Download Submit
C:\Users\Admin\AppData\Roaming\Uzut\tyjy.exe

Filesize
307KB

MD5
835f13ab78f3c295b17ada79e72ebde2

SHA1
3ebffe3fb4e0ef69d3c2bb1f7319ffce61d186f0

SHA256
35fcb69c0092833f5dada1d02033226fb1d18caf437aa346163c7e4e715202cb

SHA512
0e5587c37db9d92f258a18225e15a3afe80ecc9d6c74556f3f52ba75401c0e824d53fc6d1420736b9c9de6987930b92c64aefef09d7b41acbdf6c8429a03d15e

Download Submit
C:\Users\Admin\AppData\Roaming\Uzut\tyjy.exe

Filesize
307KB

MD5
835f13ab78f3c295b17ada79e72ebde2

SHA1
3ebffe3fb4e0ef69d3c2bb1f7319ffce61d186f0

SHA256
35fcb69c0092833f5dada1d02033226fb1d18caf437aa346163c7e4e715202cb

SHA512
0e5587c37db9d92f258a18225e15a3afe80ecc9d6c74556f3f52ba75401c0e824d53fc6d1420736b9c9de6987930b92c64aefef09d7b41acbdf6c8429a03d15e

Download Submit
\Users\Admin\AppData\Roaming\Uzut\tyjy.exe

Filesize
307KB

MD5
835f13ab78f3c295b17ada79e72ebde2

SHA1
3ebffe3fb4e0ef69d3c2bb1f7319ffce61d186f0

SHA256
35fcb69c0092833f5dada1d02033226fb1d18caf437aa346163c7e4e715202cb

SHA512
0e5587c37db9d92f258a18225e15a3afe80ecc9d6c74556f3f52ba75401c0e824d53fc6d1420736b9c9de6987930b92c64aefef09d7b41acbdf6c8429a03d15e

Download Submit
memory/1224-71-0x0000000001E50000-0x0000000001E94000-memory.dmp

Filesize
272KB

Download
memory/1224-69-0x0000000001E50000-0x0000000001E94000-memory.dmp

Filesize
272KB

Download
memory/1224-70-0x0000000001E50000-0x0000000001E94000-memory.dmp

Filesize
272KB

Download
memory/1224-68-0x0000000001E50000-0x0000000001E94000-memory.dmp

Filesize
272KB

Download
memory/1224-66-0x0000000001E50000-0x0000000001E94000-memory.dmp

Filesize
272KB

Download
memory/1316-98-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1316-94-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1316-109-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1316-107-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1316-102-0x00000000000671E6-mapping.dmp

Download
memory/1316-96-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1316-97-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1340-75-0x0000000001D80000-0x0000000001DC4000-memory.dmp

Filesize
272KB

Download
memory/1340-76-0x0000000001D80000-0x0000000001DC4000-memory.dmp

Filesize
272KB

Download
memory/1340-77-0x0000000001D80000-0x0000000001DC4000-memory.dmp

Filesize
272KB

Download
memory/1340-74-0x0000000001D80000-0x0000000001DC4000-memory.dmp

Filesize
272KB

Download
memory/1396-80-0x00000000026C0000-0x0000000002704000-memory.dmp

Filesize
272KB

Download
memory/1396-81-0x00000000026C0000-0x0000000002704000-memory.dmp

Filesize
272KB

Download
memory/1396-82-0x00000000026C0000-0x0000000002704000-memory.dmp

Filesize
272KB

Download
memory/1396-83-0x00000000026C0000-0x0000000002704000-memory.dmp

Filesize
272KB

Download
memory/1756-89-0x00000000001D0000-0x0000000000214000-memory.dmp

Filesize
272KB

Download
memory/1756-99-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1756-62-0x00000000001D0000-0x0000000000220000-memory.dmp

Filesize
320KB

Download
memory/1756-55-0x0000000076871000-0x0000000076873000-memory.dmp

Filesize
8KB

Download
memory/1756-91-0x00000000001D0000-0x0000000000220000-memory.dmp

Filesize
320KB

Download
memory/1756-87-0x00000000001D0000-0x0000000000214000-memory.dmp

Filesize
272KB

Download
memory/1756-86-0x00000000001D0000-0x0000000000214000-memory.dmp

Filesize
272KB

Download
memory/1756-56-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1756-54-0x0000000000CF0000-0x0000000000D40000-memory.dmp

Filesize
320KB

Download
memory/1756-88-0x00000000001D0000-0x0000000000214000-memory.dmp

Filesize
272KB

Download
memory/1756-57-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1756-101-0x00000000001D0000-0x0000000000220000-memory.dmp

Filesize
320KB

Download
memory/1756-58-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1756-103-0x0000000000CF0000-0x0000000000D40000-memory.dmp

Filesize
320KB

Download
memory/1756-104-0x00000000001D0000-0x0000000000214000-memory.dmp

Filesize
272KB

Download
memory/2036-100-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/2036-60-0x0000000000000000-mapping.dmp

Download
memory/2036-90-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/2036-63-0x0000000000EB0000-0x0000000000F00000-memory.dmp

Filesize
320KB

Download
memory/2036-110-0x0000000000EB0000-0x0000000000F00000-memory.dmp

Filesize
320KB

Download