cobaltstrike | affe8c1a8fb87dfb8500ffa0e69262a88eb2fd9632f01276c16f5038bf326329

General

Target

affe8c1a8fb87dfb8500ffa0e69262a88eb2fd9632f01276c16f5038bf326329.exe
Size

312KB
MD5

afe5710285ce157eca219dddd24f2c24
SHA1

78cbab36a2a0b4b55b40758b1dec794cdfb332b7
SHA256

affe8c1a8fb87dfb8500ffa0e69262a88eb2fd9632f01276c16f5038bf326329
SHA512

863a2ce35bea3cd8640d9d24bc0cf63d9e6726ad8482f504eaf1a3b797cb8a0e3f077786e3102d3259717f0cefdd3c9b5c78bd190fe84a4e6dbfa3d8a9401850
SSDEEP

6144:I+1VyBvdl40pPzMHLdL1hALe+2NirdrQdZpwUKD0+W:IEyl4wzMdoLT2NKc7wQ

Score

10^/10

cobaltstrike backdoor persistence trojan

Malware Config

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Executes dropped EXE 1 IoCs

Processes:

tyorq.exe

pid process

2020 tyorq.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1492 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

affe8c1a8fb87dfb8500ffa0e69262a88eb2fd9632f01276c16f5038bf326329.exe

pid process

1260 affe8c1a8fb87dfb8500ffa0e69262a88eb2fd9632f01276c16f5038bf326329.exe

pid	process
1492	cmd.exe

pid	process
1260	affe8c1a8fb87dfb8500ffa0e69262a88eb2fd9632f01276c16f5038bf326329.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tyorq.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\Currentversion\Run	tyorq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\{A87A45C8-3774-AD4D-8524-3978BFBA1A65} = "C:\\Users\\Admin\\AppData\\Roaming\\Iqufa\\tyorq.exe"	tyorq.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

affe8c1a8fb87dfb8500ffa0e69262a88eb2fd9632f01276c16f5038bf326329.exe

description	pid	process	target process
PID 1260 set thread context of 1492	1260	affe8c1a8fb87dfb8500ffa0e69262a88eb2fd9632f01276c16f5038bf326329.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

affe8c1a8fb87dfb8500ffa0e69262a88eb2fd9632f01276c16f5038bf326329.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Privacy	affe8c1a8fb87dfb8500ffa0e69262a88eb2fd9632f01276c16f5038bf326329.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	affe8c1a8fb87dfb8500ffa0e69262a88eb2fd9632f01276c16f5038bf326329.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

tyorq.exe

pid	process
2020	tyorq.exe
2020	tyorq.exe
2020	tyorq.exe
2020	tyorq.exe
2020	tyorq.exe
2020	tyorq.exe
2020	tyorq.exe
2020	tyorq.exe
2020	tyorq.exe
2020	tyorq.exe
2020	tyorq.exe
2020	tyorq.exe
2020	tyorq.exe
2020	tyorq.exe
2020	tyorq.exe
2020	tyorq.exe
2020	tyorq.exe
2020	tyorq.exe
2020	tyorq.exe
2020	tyorq.exe
2020	tyorq.exe
2020	tyorq.exe
2020	tyorq.exe
2020	tyorq.exe
2020	tyorq.exe
2020	tyorq.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

affe8c1a8fb87dfb8500ffa0e69262a88eb2fd9632f01276c16f5038bf326329.exetyorq.exe

description	pid	process	target process
PID 1260 wrote to memory of 2020	1260	affe8c1a8fb87dfb8500ffa0e69262a88eb2fd9632f01276c16f5038bf326329.exe	tyorq.exe
PID 1260 wrote to memory of 2020	1260	affe8c1a8fb87dfb8500ffa0e69262a88eb2fd9632f01276c16f5038bf326329.exe	tyorq.exe
PID 1260 wrote to memory of 2020	1260	affe8c1a8fb87dfb8500ffa0e69262a88eb2fd9632f01276c16f5038bf326329.exe	tyorq.exe
PID 1260 wrote to memory of 2020	1260	affe8c1a8fb87dfb8500ffa0e69262a88eb2fd9632f01276c16f5038bf326329.exe	tyorq.exe
PID 2020 wrote to memory of 1128	2020	tyorq.exe	taskhost.exe
PID 2020 wrote to memory of 1128	2020	tyorq.exe	taskhost.exe
PID 2020 wrote to memory of 1128	2020	tyorq.exe	taskhost.exe
PID 2020 wrote to memory of 1128	2020	tyorq.exe	taskhost.exe
PID 2020 wrote to memory of 1128	2020	tyorq.exe	taskhost.exe
PID 2020 wrote to memory of 1192	2020	tyorq.exe	Dwm.exe
PID 2020 wrote to memory of 1192	2020	tyorq.exe	Dwm.exe
PID 2020 wrote to memory of 1192	2020	tyorq.exe	Dwm.exe
PID 2020 wrote to memory of 1192	2020	tyorq.exe	Dwm.exe
PID 2020 wrote to memory of 1192	2020	tyorq.exe	Dwm.exe
PID 2020 wrote to memory of 1244	2020	tyorq.exe	Explorer.EXE
PID 2020 wrote to memory of 1244	2020	tyorq.exe	Explorer.EXE
PID 2020 wrote to memory of 1244	2020	tyorq.exe	Explorer.EXE
PID 2020 wrote to memory of 1244	2020	tyorq.exe	Explorer.EXE
PID 2020 wrote to memory of 1244	2020	tyorq.exe	Explorer.EXE
PID 2020 wrote to memory of 1260	2020	tyorq.exe	affe8c1a8fb87dfb8500ffa0e69262a88eb2fd9632f01276c16f5038bf326329.exe
PID 2020 wrote to memory of 1260	2020	tyorq.exe	affe8c1a8fb87dfb8500ffa0e69262a88eb2fd9632f01276c16f5038bf326329.exe
PID 2020 wrote to memory of 1260	2020	tyorq.exe	affe8c1a8fb87dfb8500ffa0e69262a88eb2fd9632f01276c16f5038bf326329.exe
PID 2020 wrote to memory of 1260	2020	tyorq.exe	affe8c1a8fb87dfb8500ffa0e69262a88eb2fd9632f01276c16f5038bf326329.exe
PID 2020 wrote to memory of 1260	2020	tyorq.exe	affe8c1a8fb87dfb8500ffa0e69262a88eb2fd9632f01276c16f5038bf326329.exe
PID 1260 wrote to memory of 1492	1260	affe8c1a8fb87dfb8500ffa0e69262a88eb2fd9632f01276c16f5038bf326329.exe	cmd.exe
PID 1260 wrote to memory of 1492	1260	affe8c1a8fb87dfb8500ffa0e69262a88eb2fd9632f01276c16f5038bf326329.exe	cmd.exe
PID 1260 wrote to memory of 1492	1260	affe8c1a8fb87dfb8500ffa0e69262a88eb2fd9632f01276c16f5038bf326329.exe	cmd.exe
PID 1260 wrote to memory of 1492	1260	affe8c1a8fb87dfb8500ffa0e69262a88eb2fd9632f01276c16f5038bf326329.exe	cmd.exe
PID 1260 wrote to memory of 1492	1260	affe8c1a8fb87dfb8500ffa0e69262a88eb2fd9632f01276c16f5038bf326329.exe	cmd.exe
PID 1260 wrote to memory of 1492	1260	affe8c1a8fb87dfb8500ffa0e69262a88eb2fd9632f01276c16f5038bf326329.exe	cmd.exe
PID 1260 wrote to memory of 1492	1260	affe8c1a8fb87dfb8500ffa0e69262a88eb2fd9632f01276c16f5038bf326329.exe	cmd.exe
PID 1260 wrote to memory of 1492	1260	affe8c1a8fb87dfb8500ffa0e69262a88eb2fd9632f01276c16f5038bf326329.exe	cmd.exe
PID 1260 wrote to memory of 1492	1260	affe8c1a8fb87dfb8500ffa0e69262a88eb2fd9632f01276c16f5038bf326329.exe	cmd.exe
PID 2020 wrote to memory of 956	2020	tyorq.exe	conhost.exe
PID 2020 wrote to memory of 956	2020	tyorq.exe	conhost.exe
PID 2020 wrote to memory of 956	2020	tyorq.exe	conhost.exe
PID 2020 wrote to memory of 956	2020	tyorq.exe	conhost.exe
PID 2020 wrote to memory of 956	2020	tyorq.exe	conhost.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1244

C:\Users\Admin\AppData\Local\Temp\affe8c1a8fb87dfb8500ffa0e69262a88eb2fd9632f01276c16f5038bf326329.exe
"C:\Users\Admin\AppData\Local\Temp\affe8c1a8fb87dfb8500ffa0e69262a88eb2fd9632f01276c16f5038bf326329.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1260

C:\Users\Admin\AppData\Roaming\Iqufa\tyorq.exe
"C:\Users\Admin\AppData\Roaming\Iqufa\tyorq.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpa305f9a3.bat"
3⤵
- Deletes itself
PID:1492

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1192

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1128

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-522998858-2100644627-1192300921-364256560-1724140054-1091759942-13410084001638321678"
1⤵
PID:956

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\bute.fea
Filesize
466B

MD5
4946c391a60fa5455c304676f6239a85

SHA1
c168572bbfe1b79d431d98bfb76c0c823de4b95e

SHA256
42d8a9f8e1a931308c2e8cc0d49a600916acacc0ca636d60fece1d51300ad2e0

SHA512
ad209b1ac513f791b06bbb88a91f3a54426d19cc018c232894b2e65a6e00c7afacd314c80811237b3bb911abb96ec5c07a09a48c21836b059503d78d8c0bc0b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpa305f9a3.bat
Filesize
307B

MD5
79d1c7b4cb57fe946749c22557c8f2c1

SHA1
e393d43cbdd0a8a7d05ae2975ac2cb43e84272b0

SHA256
e2f6b7cd8a9433cc9287dab6bd46077cddd666fe5fd48e255d2adfafa07022f1

SHA512
ac7f995a21efc53a8eca9f1d85d3244df542ca42d0c4bd9cac19e2d19b59fd377e38e9fb312674813378ea038a6148839365e51158a8f1a279cbdbe38849cec3

Download Submit
C:\Users\Admin\AppData\Roaming\Iqufa\tyorq.exe
Filesize
312KB

MD5
2961ce9d64793341406b68f9658607a6

SHA1
d047b81824f01e284b6fdadbe58b2f3ecc8cc683

SHA256
2a352cb792ddd790bb866d4b0cdbde87484a0c61b86839580993076abe311b23

SHA512
50b8a46974f3e1eb9335f201ded8f3becfe67da1a2ee89ce33951128af69a4f49653bb4d4df5890cd5d793d5da8ef2460c55d0a35bfa466e24e0f410c91a2644

Download Submit
C:\Users\Admin\AppData\Roaming\Iqufa\tyorq.exe
Filesize
312KB

MD5
2961ce9d64793341406b68f9658607a6

SHA1
d047b81824f01e284b6fdadbe58b2f3ecc8cc683

SHA256
2a352cb792ddd790bb866d4b0cdbde87484a0c61b86839580993076abe311b23

SHA512
50b8a46974f3e1eb9335f201ded8f3becfe67da1a2ee89ce33951128af69a4f49653bb4d4df5890cd5d793d5da8ef2460c55d0a35bfa466e24e0f410c91a2644

Download Submit
\Users\Admin\AppData\Roaming\Iqufa\tyorq.exe
Filesize
312KB

MD5
2961ce9d64793341406b68f9658607a6

SHA1
d047b81824f01e284b6fdadbe58b2f3ecc8cc683

SHA256
2a352cb792ddd790bb866d4b0cdbde87484a0c61b86839580993076abe311b23

SHA512
50b8a46974f3e1eb9335f201ded8f3becfe67da1a2ee89ce33951128af69a4f49653bb4d4df5890cd5d793d5da8ef2460c55d0a35bfa466e24e0f410c91a2644

Download Submit
memory/956-109-0x0000000001B60000-0x0000000001BA4000-memory.dmp

Filesize
272KB

Download
memory/956-108-0x0000000001B60000-0x0000000001BA4000-memory.dmp

Filesize
272KB

Download
memory/956-110-0x0000000001B60000-0x0000000001BA4000-memory.dmp

Filesize
272KB

Download
memory/956-111-0x0000000001B60000-0x0000000001BA4000-memory.dmp

Filesize
272KB

Download
memory/1128-66-0x0000000001E70000-0x0000000001EB4000-memory.dmp

Filesize
272KB

Download
memory/1128-68-0x0000000001E70000-0x0000000001EB4000-memory.dmp

Filesize
272KB

Download
memory/1128-69-0x0000000001E70000-0x0000000001EB4000-memory.dmp

Filesize
272KB

Download
memory/1128-70-0x0000000001E70000-0x0000000001EB4000-memory.dmp

Filesize
272KB

Download
memory/1128-71-0x0000000001E70000-0x0000000001EB4000-memory.dmp

Filesize
272KB

Download
memory/1192-76-0x0000000001C50000-0x0000000001C94000-memory.dmp

Filesize
272KB

Download
memory/1192-77-0x0000000001C50000-0x0000000001C94000-memory.dmp

Filesize
272KB

Download
memory/1192-74-0x0000000001C50000-0x0000000001C94000-memory.dmp

Filesize
272KB

Download
memory/1192-75-0x0000000001C50000-0x0000000001C94000-memory.dmp

Filesize
272KB

Download
memory/1244-82-0x0000000002610000-0x0000000002654000-memory.dmp

Filesize
272KB

Download
memory/1244-83-0x0000000002610000-0x0000000002654000-memory.dmp

Filesize
272KB

Download
memory/1244-84-0x0000000002610000-0x0000000002654000-memory.dmp

Filesize
272KB

Download
memory/1244-81-0x0000000002610000-0x0000000002654000-memory.dmp

Filesize
272KB

Download
memory/1260-102-0x0000000000F60000-0x0000000000FB9000-memory.dmp

Filesize
356KB

Download
memory/1260-62-0x00000000008A0000-0x00000000008F9000-memory.dmp

Filesize
356KB

Download
memory/1260-55-0x0000000075C41000-0x0000000075C43000-memory.dmp

Filesize
8KB

Download
memory/1260-87-0x0000000000200000-0x0000000000244000-memory.dmp

Filesize
272KB

Download
memory/1260-88-0x0000000000200000-0x0000000000244000-memory.dmp

Filesize
272KB

Download
memory/1260-89-0x0000000000200000-0x0000000000244000-memory.dmp

Filesize
272KB

Download
memory/1260-90-0x0000000000200000-0x0000000000244000-memory.dmp

Filesize
272KB

Download
memory/1260-91-0x0000000000200000-0x0000000000244000-memory.dmp

Filesize
272KB

Download
memory/1260-92-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1260-56-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1260-57-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1260-58-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1260-54-0x0000000000F60000-0x0000000000FB9000-memory.dmp

Filesize
356KB

Download
memory/1492-100-0x00000000000C0000-0x0000000000104000-memory.dmp

Filesize
272KB

Download
memory/1492-101-0x00000000000D71E6-mapping.dmp

Download
memory/1492-99-0x00000000000C0000-0x0000000000104000-memory.dmp

Filesize
272KB

Download
memory/1492-105-0x00000000000C0000-0x0000000000104000-memory.dmp

Filesize
272KB

Download
memory/1492-98-0x00000000000C0000-0x0000000000104000-memory.dmp

Filesize
272KB

Download
memory/1492-96-0x00000000000C0000-0x0000000000104000-memory.dmp

Filesize
272KB

Download
memory/2020-63-0x0000000000F20000-0x0000000000F79000-memory.dmp

Filesize
356KB

Download
memory/2020-60-0x0000000000000000-mapping.dmp

Download
memory/2020-93-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/2020-79-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/2020-113-0x0000000000F20000-0x0000000000F79000-memory.dmp

Filesize
356KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads