cobaltstrike | 94257457675302e788a4d7f9524ece51548630bf28221c4406c07057ba1d67f0

General

Target

94257457675302e788a4d7f9524ece51548630bf28221c4406c07057ba1d67f0.exe
Size

307KB
MD5

b476f73104bbe66c730e4b1052ee1acd
SHA1

5eaaadeeb1e70bf2d2be365e39adb2e6cbd55ea8
SHA256

94257457675302e788a4d7f9524ece51548630bf28221c4406c07057ba1d67f0
SHA512

fdc343c7ad32d86583e5116fa5a20cc33d7c0d84df9ef1d0583c7ce4ec2539d4242ed241a02e28f1e7e6a49d2683a412ea4ad38ed03828dd98397ac6bb1e221b
SSDEEP

6144:2qz+T72Y0SnzinYKTY1SQshfRPVQe1MZkIYSccr7wbstO/PECYeixlYGicwP:2Cq7SSeYsY1UMqMZJYSN7wbstO/8fveR

Score

10^/10

cobaltstrike backdoor persistence trojan

Malware Config

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Executes dropped EXE 1 IoCs

Processes:

uhwi.exe

pid process

828 uhwi.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1724 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

94257457675302e788a4d7f9524ece51548630bf28221c4406c07057ba1d67f0.exe

pid process

1552 94257457675302e788a4d7f9524ece51548630bf28221c4406c07057ba1d67f0.exe

pid	process
1724	cmd.exe

pid	process
1552	94257457675302e788a4d7f9524ece51548630bf28221c4406c07057ba1d67f0.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

uhwi.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\Currentversion\Run	uhwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\{A87A45C8-3774-AD4D-8524-3978BFBA1A65} = "C:\\Users\\Admin\\AppData\\Roaming\\Vaud\\uhwi.exe"	uhwi.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

94257457675302e788a4d7f9524ece51548630bf28221c4406c07057ba1d67f0.exe

description	pid	process	target process
PID 1552 set thread context of 1724	1552	94257457675302e788a4d7f9524ece51548630bf28221c4406c07057ba1d67f0.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

94257457675302e788a4d7f9524ece51548630bf28221c4406c07057ba1d67f0.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	94257457675302e788a4d7f9524ece51548630bf28221c4406c07057ba1d67f0.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Privacy	94257457675302e788a4d7f9524ece51548630bf28221c4406c07057ba1d67f0.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

uhwi.exe

pid	process
828	uhwi.exe
828	uhwi.exe
828	uhwi.exe
828	uhwi.exe
828	uhwi.exe
828	uhwi.exe
828	uhwi.exe
828	uhwi.exe
828	uhwi.exe
828	uhwi.exe
828	uhwi.exe
828	uhwi.exe
828	uhwi.exe
828	uhwi.exe
828	uhwi.exe
828	uhwi.exe
828	uhwi.exe
828	uhwi.exe
828	uhwi.exe
828	uhwi.exe
828	uhwi.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

94257457675302e788a4d7f9524ece51548630bf28221c4406c07057ba1d67f0.exeuhwi.exe

description	pid	process	target process
PID 1552 wrote to memory of 828	1552	94257457675302e788a4d7f9524ece51548630bf28221c4406c07057ba1d67f0.exe	uhwi.exe
PID 1552 wrote to memory of 828	1552	94257457675302e788a4d7f9524ece51548630bf28221c4406c07057ba1d67f0.exe	uhwi.exe
PID 1552 wrote to memory of 828	1552	94257457675302e788a4d7f9524ece51548630bf28221c4406c07057ba1d67f0.exe	uhwi.exe
PID 1552 wrote to memory of 828	1552	94257457675302e788a4d7f9524ece51548630bf28221c4406c07057ba1d67f0.exe	uhwi.exe
PID 828 wrote to memory of 1140	828	uhwi.exe	taskhost.exe
PID 828 wrote to memory of 1140	828	uhwi.exe	taskhost.exe
PID 828 wrote to memory of 1140	828	uhwi.exe	taskhost.exe
PID 828 wrote to memory of 1140	828	uhwi.exe	taskhost.exe
PID 828 wrote to memory of 1140	828	uhwi.exe	taskhost.exe
PID 828 wrote to memory of 1228	828	uhwi.exe	Dwm.exe
PID 828 wrote to memory of 1228	828	uhwi.exe	Dwm.exe
PID 828 wrote to memory of 1228	828	uhwi.exe	Dwm.exe
PID 828 wrote to memory of 1228	828	uhwi.exe	Dwm.exe
PID 828 wrote to memory of 1228	828	uhwi.exe	Dwm.exe
PID 828 wrote to memory of 1284	828	uhwi.exe	Explorer.EXE
PID 828 wrote to memory of 1284	828	uhwi.exe	Explorer.EXE
PID 828 wrote to memory of 1284	828	uhwi.exe	Explorer.EXE
PID 828 wrote to memory of 1284	828	uhwi.exe	Explorer.EXE
PID 828 wrote to memory of 1284	828	uhwi.exe	Explorer.EXE
PID 828 wrote to memory of 1552	828	uhwi.exe	94257457675302e788a4d7f9524ece51548630bf28221c4406c07057ba1d67f0.exe
PID 828 wrote to memory of 1552	828	uhwi.exe	94257457675302e788a4d7f9524ece51548630bf28221c4406c07057ba1d67f0.exe
PID 828 wrote to memory of 1552	828	uhwi.exe	94257457675302e788a4d7f9524ece51548630bf28221c4406c07057ba1d67f0.exe
PID 828 wrote to memory of 1552	828	uhwi.exe	94257457675302e788a4d7f9524ece51548630bf28221c4406c07057ba1d67f0.exe
PID 828 wrote to memory of 1552	828	uhwi.exe	94257457675302e788a4d7f9524ece51548630bf28221c4406c07057ba1d67f0.exe
PID 1552 wrote to memory of 1724	1552	94257457675302e788a4d7f9524ece51548630bf28221c4406c07057ba1d67f0.exe	cmd.exe
PID 1552 wrote to memory of 1724	1552	94257457675302e788a4d7f9524ece51548630bf28221c4406c07057ba1d67f0.exe	cmd.exe
PID 1552 wrote to memory of 1724	1552	94257457675302e788a4d7f9524ece51548630bf28221c4406c07057ba1d67f0.exe	cmd.exe
PID 1552 wrote to memory of 1724	1552	94257457675302e788a4d7f9524ece51548630bf28221c4406c07057ba1d67f0.exe	cmd.exe
PID 1552 wrote to memory of 1724	1552	94257457675302e788a4d7f9524ece51548630bf28221c4406c07057ba1d67f0.exe	cmd.exe
PID 1552 wrote to memory of 1724	1552	94257457675302e788a4d7f9524ece51548630bf28221c4406c07057ba1d67f0.exe	cmd.exe
PID 1552 wrote to memory of 1724	1552	94257457675302e788a4d7f9524ece51548630bf28221c4406c07057ba1d67f0.exe	cmd.exe
PID 1552 wrote to memory of 1724	1552	94257457675302e788a4d7f9524ece51548630bf28221c4406c07057ba1d67f0.exe	cmd.exe
PID 1552 wrote to memory of 1724	1552	94257457675302e788a4d7f9524ece51548630bf28221c4406c07057ba1d67f0.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1284

C:\Users\Admin\AppData\Local\Temp\94257457675302e788a4d7f9524ece51548630bf28221c4406c07057ba1d67f0.exe
"C:\Users\Admin\AppData\Local\Temp\94257457675302e788a4d7f9524ece51548630bf28221c4406c07057ba1d67f0.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1552

C:\Users\Admin\AppData\Roaming\Vaud\uhwi.exe
"C:\Users\Admin\AppData\Roaming\Vaud\uhwi.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:828

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp8a8e69ff.bat"
3⤵
- Deletes itself
PID:1724

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1228

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1140

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp8a8e69ff.bat
Filesize
307B

MD5
60cdd7d463708487f56a484f5711d983

SHA1
7de74adb3d60e016ac47589c5159af3d90155ba6

SHA256
1e4909bad1a8e37eac604c65109a4ddd489328b431e2474a09080b2f4a9301c4

SHA512
e64a9c0a41fc16128ab7123e58f0017e516c4a6c814afa18de43a5eee403236fc63e4079b32597ba20cd26b2b07f0344e47213e39cf1918e2d44e29825c0d505

Download Submit
C:\Users\Admin\AppData\Roaming\Vaud\uhwi.exe
Filesize
307KB

MD5
ece49826c62210a73091bc79fda4e362

SHA1
c2594ed4a0f67b7c22fee462f51024526f9cbdbc

SHA256
456eb67ccc21b775b221900791f05b2209fdc4a39698eb857206e5641b89477c

SHA512
762fb924fad974a87192fcaf8f95ef67c5426d98bfe306675b4ed5bf13b7eb409024dcfb142f9e27e3aa8bce25be9557cb05b239d484e1cb5cd46313eaf0f4bb

Download Submit
C:\Users\Admin\AppData\Roaming\Vaud\uhwi.exe
Filesize
307KB

MD5
ece49826c62210a73091bc79fda4e362

SHA1
c2594ed4a0f67b7c22fee462f51024526f9cbdbc

SHA256
456eb67ccc21b775b221900791f05b2209fdc4a39698eb857206e5641b89477c

SHA512
762fb924fad974a87192fcaf8f95ef67c5426d98bfe306675b4ed5bf13b7eb409024dcfb142f9e27e3aa8bce25be9557cb05b239d484e1cb5cd46313eaf0f4bb

Download Submit
\Users\Admin\AppData\Roaming\Vaud\uhwi.exe
Filesize
307KB

MD5
ece49826c62210a73091bc79fda4e362

SHA1
c2594ed4a0f67b7c22fee462f51024526f9cbdbc

SHA256
456eb67ccc21b775b221900791f05b2209fdc4a39698eb857206e5641b89477c

SHA512
762fb924fad974a87192fcaf8f95ef67c5426d98bfe306675b4ed5bf13b7eb409024dcfb142f9e27e3aa8bce25be9557cb05b239d484e1cb5cd46313eaf0f4bb

Download Submit
memory/828-106-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/828-90-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/828-63-0x0000000000800000-0x0000000000850000-memory.dmp

Filesize
320KB

Download
memory/828-61-0x0000000000000000-mapping.dmp

Download
memory/1140-68-0x0000000001D30000-0x0000000001D74000-memory.dmp

Filesize
272KB

Download
memory/1140-66-0x0000000001D30000-0x0000000001D74000-memory.dmp

Filesize
272KB

Download
memory/1140-69-0x0000000001D30000-0x0000000001D74000-memory.dmp

Filesize
272KB

Download
memory/1140-70-0x0000000001D30000-0x0000000001D74000-memory.dmp

Filesize
272KB

Download
memory/1140-71-0x0000000001D30000-0x0000000001D74000-memory.dmp

Filesize
272KB

Download
memory/1228-76-0x0000000001CD0000-0x0000000001D14000-memory.dmp

Filesize
272KB

Download
memory/1228-77-0x0000000001CD0000-0x0000000001D14000-memory.dmp

Filesize
272KB

Download
memory/1228-75-0x0000000001CD0000-0x0000000001D14000-memory.dmp

Filesize
272KB

Download
memory/1228-74-0x0000000001CD0000-0x0000000001D14000-memory.dmp

Filesize
272KB

Download
memory/1284-80-0x0000000002A70000-0x0000000002AB4000-memory.dmp

Filesize
272KB

Download
memory/1284-83-0x0000000002A70000-0x0000000002AB4000-memory.dmp

Filesize
272KB

Download
memory/1284-81-0x0000000002A70000-0x0000000002AB4000-memory.dmp

Filesize
272KB

Download
memory/1284-82-0x0000000002A70000-0x0000000002AB4000-memory.dmp

Filesize
272KB

Download
memory/1552-57-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1552-60-0x0000000000240000-0x0000000000290000-memory.dmp

Filesize
320KB

Download
memory/1552-58-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1552-86-0x0000000000240000-0x0000000000284000-memory.dmp

Filesize
272KB

Download
memory/1552-87-0x0000000000240000-0x0000000000284000-memory.dmp

Filesize
272KB

Download
memory/1552-88-0x0000000000240000-0x0000000000284000-memory.dmp

Filesize
272KB

Download
memory/1552-89-0x0000000000240000-0x0000000000284000-memory.dmp

Filesize
272KB

Download
memory/1552-100-0x0000000001320000-0x0000000001370000-memory.dmp

Filesize
320KB

Download
memory/1552-91-0x0000000000240000-0x0000000000290000-memory.dmp

Filesize
320KB

Download
memory/1552-54-0x0000000001320000-0x0000000001370000-memory.dmp

Filesize
320KB

Download
memory/1552-55-0x0000000074DA1000-0x0000000074DA3000-memory.dmp

Filesize
8KB

Download
memory/1552-56-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1552-102-0x0000000000240000-0x0000000000284000-memory.dmp

Filesize
272KB

Download
memory/1552-101-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1724-94-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1724-99-0x00000000000671E6-mapping.dmp

Download
memory/1724-98-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1724-96-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1724-105-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1724-97-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads