cobaltstrike | c47a564084c6f2fbd4f0e5515c57d41502993dab36668ff44f23da16f8cffe8f

General

Target

c47a564084c6f2fbd4f0e5515c57d41502993dab36668ff44f23da16f8cffe8f.exe
Size

307KB
MD5

3796b7685a5bd4e11472c05cbf124466
SHA1

018c5f3f5a2469460eb346833998d34e393f43fe
SHA256

c47a564084c6f2fbd4f0e5515c57d41502993dab36668ff44f23da16f8cffe8f
SHA512

8ce1fc0438db46e426fa9c97376d598a5ecbab8c4733edc0114a9365c03bb0dba6d134063b501ca07d7bdc31c8672515a5f5e41a5f15d067eab8ebfa2303d6ce
SSDEEP

6144:RGXz+T72Y0SizinYKTY1SQshfRPVQe1MZkIYSccr7wbstOUPECYeixlYGicN:RGDq7SSNYsY1UMqMZJYSN7wbstOU8fvf

Score

10^/10

cobaltstrike backdoor persistence trojan

Malware Config

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Executes dropped EXE 1 IoCs

Processes:

olicak.exe

pid process

892 olicak.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1308 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

c47a564084c6f2fbd4f0e5515c57d41502993dab36668ff44f23da16f8cffe8f.exe

pid process

1460 c47a564084c6f2fbd4f0e5515c57d41502993dab36668ff44f23da16f8cffe8f.exe

pid	process
1308	cmd.exe

pid	process
1460	c47a564084c6f2fbd4f0e5515c57d41502993dab36668ff44f23da16f8cffe8f.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

olicak.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\Currentversion\Run	olicak.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\{A87A45C8-3774-AD4D-8524-3978BFBA1A65} = "C:\\Users\\Admin\\AppData\\Roaming\\Ymeb\\olicak.exe"	olicak.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

c47a564084c6f2fbd4f0e5515c57d41502993dab36668ff44f23da16f8cffe8f.exe

description	pid	process	target process
PID 1460 set thread context of 1308	1460	c47a564084c6f2fbd4f0e5515c57d41502993dab36668ff44f23da16f8cffe8f.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

c47a564084c6f2fbd4f0e5515c57d41502993dab36668ff44f23da16f8cffe8f.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Privacy	c47a564084c6f2fbd4f0e5515c57d41502993dab36668ff44f23da16f8cffe8f.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	c47a564084c6f2fbd4f0e5515c57d41502993dab36668ff44f23da16f8cffe8f.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

olicak.exe

pid	process
892	olicak.exe
892	olicak.exe
892	olicak.exe
892	olicak.exe
892	olicak.exe
892	olicak.exe
892	olicak.exe
892	olicak.exe
892	olicak.exe
892	olicak.exe
892	olicak.exe
892	olicak.exe
892	olicak.exe
892	olicak.exe
892	olicak.exe
892	olicak.exe
892	olicak.exe
892	olicak.exe
892	olicak.exe
892	olicak.exe
892	olicak.exe
892	olicak.exe
892	olicak.exe
892	olicak.exe
892	olicak.exe
892	olicak.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

c47a564084c6f2fbd4f0e5515c57d41502993dab36668ff44f23da16f8cffe8f.exeolicak.exe

description	pid	process	target process
PID 1460 wrote to memory of 892	1460	c47a564084c6f2fbd4f0e5515c57d41502993dab36668ff44f23da16f8cffe8f.exe	olicak.exe
PID 1460 wrote to memory of 892	1460	c47a564084c6f2fbd4f0e5515c57d41502993dab36668ff44f23da16f8cffe8f.exe	olicak.exe
PID 1460 wrote to memory of 892	1460	c47a564084c6f2fbd4f0e5515c57d41502993dab36668ff44f23da16f8cffe8f.exe	olicak.exe
PID 1460 wrote to memory of 892	1460	c47a564084c6f2fbd4f0e5515c57d41502993dab36668ff44f23da16f8cffe8f.exe	olicak.exe
PID 892 wrote to memory of 1108	892	olicak.exe	taskhost.exe
PID 892 wrote to memory of 1108	892	olicak.exe	taskhost.exe
PID 892 wrote to memory of 1108	892	olicak.exe	taskhost.exe
PID 892 wrote to memory of 1108	892	olicak.exe	taskhost.exe
PID 892 wrote to memory of 1108	892	olicak.exe	taskhost.exe
PID 892 wrote to memory of 1172	892	olicak.exe	Dwm.exe
PID 892 wrote to memory of 1172	892	olicak.exe	Dwm.exe
PID 892 wrote to memory of 1172	892	olicak.exe	Dwm.exe
PID 892 wrote to memory of 1172	892	olicak.exe	Dwm.exe
PID 892 wrote to memory of 1172	892	olicak.exe	Dwm.exe
PID 892 wrote to memory of 1208	892	olicak.exe	Explorer.EXE
PID 892 wrote to memory of 1208	892	olicak.exe	Explorer.EXE
PID 892 wrote to memory of 1208	892	olicak.exe	Explorer.EXE
PID 892 wrote to memory of 1208	892	olicak.exe	Explorer.EXE
PID 892 wrote to memory of 1208	892	olicak.exe	Explorer.EXE
PID 892 wrote to memory of 1460	892	olicak.exe	c47a564084c6f2fbd4f0e5515c57d41502993dab36668ff44f23da16f8cffe8f.exe
PID 892 wrote to memory of 1460	892	olicak.exe	c47a564084c6f2fbd4f0e5515c57d41502993dab36668ff44f23da16f8cffe8f.exe
PID 892 wrote to memory of 1460	892	olicak.exe	c47a564084c6f2fbd4f0e5515c57d41502993dab36668ff44f23da16f8cffe8f.exe
PID 892 wrote to memory of 1460	892	olicak.exe	c47a564084c6f2fbd4f0e5515c57d41502993dab36668ff44f23da16f8cffe8f.exe
PID 892 wrote to memory of 1460	892	olicak.exe	c47a564084c6f2fbd4f0e5515c57d41502993dab36668ff44f23da16f8cffe8f.exe
PID 1460 wrote to memory of 1308	1460	c47a564084c6f2fbd4f0e5515c57d41502993dab36668ff44f23da16f8cffe8f.exe	cmd.exe
PID 1460 wrote to memory of 1308	1460	c47a564084c6f2fbd4f0e5515c57d41502993dab36668ff44f23da16f8cffe8f.exe	cmd.exe
PID 1460 wrote to memory of 1308	1460	c47a564084c6f2fbd4f0e5515c57d41502993dab36668ff44f23da16f8cffe8f.exe	cmd.exe
PID 1460 wrote to memory of 1308	1460	c47a564084c6f2fbd4f0e5515c57d41502993dab36668ff44f23da16f8cffe8f.exe	cmd.exe
PID 1460 wrote to memory of 1308	1460	c47a564084c6f2fbd4f0e5515c57d41502993dab36668ff44f23da16f8cffe8f.exe	cmd.exe
PID 1460 wrote to memory of 1308	1460	c47a564084c6f2fbd4f0e5515c57d41502993dab36668ff44f23da16f8cffe8f.exe	cmd.exe
PID 1460 wrote to memory of 1308	1460	c47a564084c6f2fbd4f0e5515c57d41502993dab36668ff44f23da16f8cffe8f.exe	cmd.exe
PID 1460 wrote to memory of 1308	1460	c47a564084c6f2fbd4f0e5515c57d41502993dab36668ff44f23da16f8cffe8f.exe	cmd.exe
PID 1460 wrote to memory of 1308	1460	c47a564084c6f2fbd4f0e5515c57d41502993dab36668ff44f23da16f8cffe8f.exe	cmd.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1108

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1172

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1208

C:\Users\Admin\AppData\Local\Temp\c47a564084c6f2fbd4f0e5515c57d41502993dab36668ff44f23da16f8cffe8f.exe
"C:\Users\Admin\AppData\Local\Temp\c47a564084c6f2fbd4f0e5515c57d41502993dab36668ff44f23da16f8cffe8f.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1460

C:\Users\Admin\AppData\Roaming\Ymeb\olicak.exe
"C:\Users\Admin\AppData\Roaming\Ymeb\olicak.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:892

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpcbb28958.bat"
3⤵
- Deletes itself
PID:1308

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpcbb28958.bat
Filesize
307B

MD5
1cc453188b112e1e7d5b66e6e16ded66

SHA1
c6178c299a1a10d87d342e3666f8700399e056d2

SHA256
d5c02a7b0b076166e5f9af3d054be2aa3954148bf335fde76b0365bd09bea501

SHA512
b1d098d89fe828a05e2fabed46933ca2b5d65e1c093870a53431a51d7239f21cd3709b3d617c29e6fb09b644f10803847ec022661468136f333dc694b02b61a9

Download Submit
C:\Users\Admin\AppData\Roaming\Ymeb\olicak.exe
Filesize
307KB

MD5
d9b346e8c703a502bf21deb81b3e6ac4

SHA1
90db1a6ec0522f54082b09360a213e3ddd460993

SHA256
4d2a6a81f6b9fb289eab10be4088b62b613093245aac6972644bedcbc89a01e3

SHA512
a8e5d74d4abd4b28d4c96a9341b66b7b0665f46b77ce83fd1fea2d6a568080f772b29169bdd3a768aefb422605652ebd20832c14cea3491a03bd9222019454d8

Download Submit
C:\Users\Admin\AppData\Roaming\Ymeb\olicak.exe
Filesize
307KB

MD5
d9b346e8c703a502bf21deb81b3e6ac4

SHA1
90db1a6ec0522f54082b09360a213e3ddd460993

SHA256
4d2a6a81f6b9fb289eab10be4088b62b613093245aac6972644bedcbc89a01e3

SHA512
a8e5d74d4abd4b28d4c96a9341b66b7b0665f46b77ce83fd1fea2d6a568080f772b29169bdd3a768aefb422605652ebd20832c14cea3491a03bd9222019454d8

Download Submit
\Users\Admin\AppData\Roaming\Ymeb\olicak.exe
Filesize
307KB

MD5
d9b346e8c703a502bf21deb81b3e6ac4

SHA1
90db1a6ec0522f54082b09360a213e3ddd460993

SHA256
4d2a6a81f6b9fb289eab10be4088b62b613093245aac6972644bedcbc89a01e3

SHA512
a8e5d74d4abd4b28d4c96a9341b66b7b0665f46b77ce83fd1fea2d6a568080f772b29169bdd3a768aefb422605652ebd20832c14cea3491a03bd9222019454d8

Download Submit
memory/892-63-0x0000000001160000-0x00000000011B0000-memory.dmp

Filesize
320KB

Download
memory/892-107-0x0000000001160000-0x00000000011B0000-memory.dmp

Filesize
320KB

Download
memory/892-100-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/892-59-0x0000000000000000-mapping.dmp

Download
memory/892-90-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1108-68-0x0000000001D30000-0x0000000001D74000-memory.dmp

Filesize
272KB

Download
memory/1108-66-0x0000000001D30000-0x0000000001D74000-memory.dmp

Filesize
272KB

Download
memory/1108-69-0x0000000001D30000-0x0000000001D74000-memory.dmp

Filesize
272KB

Download
memory/1108-70-0x0000000001D30000-0x0000000001D74000-memory.dmp

Filesize
272KB

Download
memory/1108-71-0x0000000001D30000-0x0000000001D74000-memory.dmp

Filesize
272KB

Download
memory/1172-77-0x0000000001AC0000-0x0000000001B04000-memory.dmp

Filesize
272KB

Download
memory/1172-76-0x0000000001AC0000-0x0000000001B04000-memory.dmp

Filesize
272KB

Download
memory/1172-74-0x0000000001AC0000-0x0000000001B04000-memory.dmp

Filesize
272KB

Download
memory/1172-75-0x0000000001AC0000-0x0000000001B04000-memory.dmp

Filesize
272KB

Download
memory/1208-80-0x0000000002AB0000-0x0000000002AF4000-memory.dmp

Filesize
272KB

Download
memory/1208-81-0x0000000002AB0000-0x0000000002AF4000-memory.dmp

Filesize
272KB

Download
memory/1208-82-0x0000000002AB0000-0x0000000002AF4000-memory.dmp

Filesize
272KB

Download
memory/1208-83-0x0000000002AB0000-0x0000000002AF4000-memory.dmp

Filesize
272KB

Download
memory/1308-94-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1308-106-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1308-102-0x00000000000671E6-mapping.dmp

Download
memory/1308-98-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1308-97-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1308-96-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1460-91-0x00000000007C0000-0x0000000000804000-memory.dmp

Filesize
272KB

Download
memory/1460-56-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1460-61-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1460-89-0x00000000007C0000-0x0000000000804000-memory.dmp

Filesize
272KB

Download
memory/1460-88-0x00000000007C0000-0x0000000000804000-memory.dmp

Filesize
272KB

Download
memory/1460-87-0x00000000007C0000-0x0000000000804000-memory.dmp

Filesize
272KB

Download
memory/1460-99-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1460-62-0x0000000001160000-0x00000000011B0000-memory.dmp

Filesize
320KB

Download
memory/1460-101-0x00000000007C0000-0x0000000000804000-memory.dmp

Filesize
272KB

Download
memory/1460-86-0x00000000007C0000-0x0000000000804000-memory.dmp

Filesize
272KB

Download
memory/1460-103-0x00000000013A0000-0x00000000013F0000-memory.dmp

Filesize
320KB

Download
memory/1460-57-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1460-54-0x00000000013A0000-0x00000000013F0000-memory.dmp

Filesize
320KB

Download
memory/1460-55-0x0000000075D01000-0x0000000075D03000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads