cobaltstrike | bb10b6fa2c0ea28096e9c2a9cbd95e393514faa9d743dd908d801336fad6dbb6

General

Target

bb10b6fa2c0ea28096e9c2a9cbd95e393514faa9d743dd908d801336fad6dbb6.exe
Size

307KB
MD5

47d8ca10e1cc66584cbf1763c05ddf56
SHA1

0dbecf4a2eb2db2924c5ca0bac68d8bd62571d9e
SHA256

bb10b6fa2c0ea28096e9c2a9cbd95e393514faa9d743dd908d801336fad6dbb6
SHA512

9c63b7d624572e1595a805e62d32c7439c006679394012e712709f47ebc855b04c730d98b168cb0e501e8939368f137ad470c2a82df889704a1321c7afaf54de
SSDEEP

6144:mTfzqT72Y0SkzinYKTY1SQshfRPVQe1MZkIYSccr7wbstOhwPECYeixlYGicYl:mTre7SS3YsY1UMqMZJYSN7wbstOq8fv2

Score

10^/10

cobaltstrike backdoor persistence trojan

Malware Config

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Executes dropped EXE 1 IoCs

Processes:

ishauk.exe

pid process

904 ishauk.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

772 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

bb10b6fa2c0ea28096e9c2a9cbd95e393514faa9d743dd908d801336fad6dbb6.exe

pid process

1476 bb10b6fa2c0ea28096e9c2a9cbd95e393514faa9d743dd908d801336fad6dbb6.exe

pid	process
772	cmd.exe

pid	process
1476	bb10b6fa2c0ea28096e9c2a9cbd95e393514faa9d743dd908d801336fad6dbb6.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ishauk.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\Currentversion\Run	ishauk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\{E8A35E48-3774-AD4D-52EE-D422474DF73F} = "C:\\Users\\Admin\\AppData\\Roaming\\Bofe\\ishauk.exe"	ishauk.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

bb10b6fa2c0ea28096e9c2a9cbd95e393514faa9d743dd908d801336fad6dbb6.exe

description pid process target process

PID 1476 set thread context of 772 1476 bb10b6fa2c0ea28096e9c2a9cbd95e393514faa9d743dd908d801336fad6dbb6.exe cmd.exe

description	pid	process	target process
PID 1476 set thread context of 772	1476	bb10b6fa2c0ea28096e9c2a9cbd95e393514faa9d743dd908d801336fad6dbb6.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

bb10b6fa2c0ea28096e9c2a9cbd95e393514faa9d743dd908d801336fad6dbb6.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Privacy	bb10b6fa2c0ea28096e9c2a9cbd95e393514faa9d743dd908d801336fad6dbb6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	bb10b6fa2c0ea28096e9c2a9cbd95e393514faa9d743dd908d801336fad6dbb6.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

ishauk.exe

pid	process
904	ishauk.exe
904	ishauk.exe
904	ishauk.exe
904	ishauk.exe
904	ishauk.exe
904	ishauk.exe
904	ishauk.exe
904	ishauk.exe
904	ishauk.exe
904	ishauk.exe
904	ishauk.exe
904	ishauk.exe
904	ishauk.exe
904	ishauk.exe
904	ishauk.exe
904	ishauk.exe
904	ishauk.exe
904	ishauk.exe
904	ishauk.exe
904	ishauk.exe
904	ishauk.exe
904	ishauk.exe
904	ishauk.exe
904	ishauk.exe
904	ishauk.exe
904	ishauk.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

bb10b6fa2c0ea28096e9c2a9cbd95e393514faa9d743dd908d801336fad6dbb6.exeishauk.exe

description	pid	process	target process
PID 1476 wrote to memory of 904	1476	bb10b6fa2c0ea28096e9c2a9cbd95e393514faa9d743dd908d801336fad6dbb6.exe	ishauk.exe
PID 1476 wrote to memory of 904	1476	bb10b6fa2c0ea28096e9c2a9cbd95e393514faa9d743dd908d801336fad6dbb6.exe	ishauk.exe
PID 1476 wrote to memory of 904	1476	bb10b6fa2c0ea28096e9c2a9cbd95e393514faa9d743dd908d801336fad6dbb6.exe	ishauk.exe
PID 1476 wrote to memory of 904	1476	bb10b6fa2c0ea28096e9c2a9cbd95e393514faa9d743dd908d801336fad6dbb6.exe	ishauk.exe
PID 904 wrote to memory of 1132	904	ishauk.exe	taskhost.exe
PID 904 wrote to memory of 1132	904	ishauk.exe	taskhost.exe
PID 904 wrote to memory of 1132	904	ishauk.exe	taskhost.exe
PID 904 wrote to memory of 1132	904	ishauk.exe	taskhost.exe
PID 904 wrote to memory of 1132	904	ishauk.exe	taskhost.exe
PID 904 wrote to memory of 1192	904	ishauk.exe	Dwm.exe
PID 904 wrote to memory of 1192	904	ishauk.exe	Dwm.exe
PID 904 wrote to memory of 1192	904	ishauk.exe	Dwm.exe
PID 904 wrote to memory of 1192	904	ishauk.exe	Dwm.exe
PID 904 wrote to memory of 1192	904	ishauk.exe	Dwm.exe
PID 904 wrote to memory of 1260	904	ishauk.exe	Explorer.EXE
PID 904 wrote to memory of 1260	904	ishauk.exe	Explorer.EXE
PID 904 wrote to memory of 1260	904	ishauk.exe	Explorer.EXE
PID 904 wrote to memory of 1260	904	ishauk.exe	Explorer.EXE
PID 904 wrote to memory of 1260	904	ishauk.exe	Explorer.EXE
PID 904 wrote to memory of 1476	904	ishauk.exe	bb10b6fa2c0ea28096e9c2a9cbd95e393514faa9d743dd908d801336fad6dbb6.exe
PID 904 wrote to memory of 1476	904	ishauk.exe	bb10b6fa2c0ea28096e9c2a9cbd95e393514faa9d743dd908d801336fad6dbb6.exe
PID 904 wrote to memory of 1476	904	ishauk.exe	bb10b6fa2c0ea28096e9c2a9cbd95e393514faa9d743dd908d801336fad6dbb6.exe
PID 904 wrote to memory of 1476	904	ishauk.exe	bb10b6fa2c0ea28096e9c2a9cbd95e393514faa9d743dd908d801336fad6dbb6.exe
PID 904 wrote to memory of 1476	904	ishauk.exe	bb10b6fa2c0ea28096e9c2a9cbd95e393514faa9d743dd908d801336fad6dbb6.exe
PID 1476 wrote to memory of 772	1476	bb10b6fa2c0ea28096e9c2a9cbd95e393514faa9d743dd908d801336fad6dbb6.exe	cmd.exe
PID 1476 wrote to memory of 772	1476	bb10b6fa2c0ea28096e9c2a9cbd95e393514faa9d743dd908d801336fad6dbb6.exe	cmd.exe
PID 1476 wrote to memory of 772	1476	bb10b6fa2c0ea28096e9c2a9cbd95e393514faa9d743dd908d801336fad6dbb6.exe	cmd.exe
PID 1476 wrote to memory of 772	1476	bb10b6fa2c0ea28096e9c2a9cbd95e393514faa9d743dd908d801336fad6dbb6.exe	cmd.exe
PID 1476 wrote to memory of 772	1476	bb10b6fa2c0ea28096e9c2a9cbd95e393514faa9d743dd908d801336fad6dbb6.exe	cmd.exe
PID 1476 wrote to memory of 772	1476	bb10b6fa2c0ea28096e9c2a9cbd95e393514faa9d743dd908d801336fad6dbb6.exe	cmd.exe
PID 1476 wrote to memory of 772	1476	bb10b6fa2c0ea28096e9c2a9cbd95e393514faa9d743dd908d801336fad6dbb6.exe	cmd.exe
PID 1476 wrote to memory of 772	1476	bb10b6fa2c0ea28096e9c2a9cbd95e393514faa9d743dd908d801336fad6dbb6.exe	cmd.exe
PID 1476 wrote to memory of 772	1476	bb10b6fa2c0ea28096e9c2a9cbd95e393514faa9d743dd908d801336fad6dbb6.exe	cmd.exe
PID 904 wrote to memory of 1952	904	ishauk.exe	conhost.exe
PID 904 wrote to memory of 1952	904	ishauk.exe	conhost.exe
PID 904 wrote to memory of 1952	904	ishauk.exe	conhost.exe
PID 904 wrote to memory of 1952	904	ishauk.exe	conhost.exe
PID 904 wrote to memory of 1952	904	ishauk.exe	conhost.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1260

C:\Users\Admin\AppData\Local\Temp\bb10b6fa2c0ea28096e9c2a9cbd95e393514faa9d743dd908d801336fad6dbb6.exe
"C:\Users\Admin\AppData\Local\Temp\bb10b6fa2c0ea28096e9c2a9cbd95e393514faa9d743dd908d801336fad6dbb6.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1476

C:\Users\Admin\AppData\Roaming\Bofe\ishauk.exe
"C:\Users\Admin\AppData\Roaming\Bofe\ishauk.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:904

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp9ef09ff8.bat"
3⤵
- Deletes itself
PID:772

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1192

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1132

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "18384591207301281711714364056707320209-470974169-638785921831421913-903701249"
1⤵
PID:1952

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\kyevu.liy
Filesize
466B

MD5
5bc64b4ed16ab6425c1cd36e75e1589c

SHA1
7213eae36dacd605da817c1b8139962468a38b0c

SHA256
891341ea058a6054b96640df9d253187160490844803c20e20d95b83a7819b3c

SHA512
d898d2f28338ebb191be110a0dde61296b05a284007dee7df55074f47cce9cd846f9c8c77cfbbd6ff68acef708ec14a1f72cc8524cd2137027644ded0248f4f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9ef09ff8.bat
Filesize
307B

MD5
d572ed2d0717f6a418ee06ffa092b446

SHA1
ec5cb1b5c2ba35d977e7af546cff4bbaa027834f

SHA256
8ba23a0cd525d1bd6df9edf4c6e39da0dc8be140bae5f5c62775c3dc4ac621a9

SHA512
c752d8480d177e0cc124f5c04e2e52cd0660908575aa9d0dd0b1b554bd7e4b9595ff2118bf24df0230f33802ba3de9356149157f1b8cdc9ef26319874f0ddd23

Download Submit
C:\Users\Admin\AppData\Roaming\Bofe\ishauk.exe
Filesize
307KB

MD5
55d4bd34bc1df6cb528be542e461baba

SHA1
c2c77130c37f26fa71851aa743084d02773d00e3

SHA256
220fd0c25130b342108ce7d5a74fbefd13ebe65d3a18f4f659e5014260ceab9a

SHA512
53da9c358d7d944d9829cfaf88b693e6b729aa8bfd561777fdcefabd7b8f36a12b8e568c57a67ae0497b89fc14d9c18737faa3b427a918a95b8e2e4c7d7177a3

Download Submit
C:\Users\Admin\AppData\Roaming\Bofe\ishauk.exe
Filesize
307KB

MD5
55d4bd34bc1df6cb528be542e461baba

SHA1
c2c77130c37f26fa71851aa743084d02773d00e3

SHA256
220fd0c25130b342108ce7d5a74fbefd13ebe65d3a18f4f659e5014260ceab9a

SHA512
53da9c358d7d944d9829cfaf88b693e6b729aa8bfd561777fdcefabd7b8f36a12b8e568c57a67ae0497b89fc14d9c18737faa3b427a918a95b8e2e4c7d7177a3

Download Submit
\Users\Admin\AppData\Roaming\Bofe\ishauk.exe
Filesize
307KB

MD5
55d4bd34bc1df6cb528be542e461baba

SHA1
c2c77130c37f26fa71851aa743084d02773d00e3

SHA256
220fd0c25130b342108ce7d5a74fbefd13ebe65d3a18f4f659e5014260ceab9a

SHA512
53da9c358d7d944d9829cfaf88b693e6b729aa8bfd561777fdcefabd7b8f36a12b8e568c57a67ae0497b89fc14d9c18737faa3b427a918a95b8e2e4c7d7177a3

Download Submit
memory/772-113-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/772-115-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/772-102-0x00000000000671E6-mapping.dmp

Download
memory/772-101-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/772-100-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/772-99-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/772-97-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/904-60-0x0000000000000000-mapping.dmp

Download
memory/904-90-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/904-63-0x0000000000A50000-0x0000000000AA0000-memory.dmp

Filesize
320KB

Download
memory/904-116-0x0000000000A50000-0x0000000000AA0000-memory.dmp

Filesize
320KB

Download
memory/904-93-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1132-68-0x0000000001FF0000-0x0000000002034000-memory.dmp

Filesize
272KB

Download
memory/1132-66-0x0000000001FF0000-0x0000000002034000-memory.dmp

Filesize
272KB

Download
memory/1132-69-0x0000000001FF0000-0x0000000002034000-memory.dmp

Filesize
272KB

Download
memory/1132-70-0x0000000001FF0000-0x0000000002034000-memory.dmp

Filesize
272KB

Download
memory/1132-71-0x0000000001FF0000-0x0000000002034000-memory.dmp

Filesize
272KB

Download
memory/1192-74-0x0000000001AC0000-0x0000000001B04000-memory.dmp

Filesize
272KB

Download
memory/1192-77-0x0000000001AC0000-0x0000000001B04000-memory.dmp

Filesize
272KB

Download
memory/1192-76-0x0000000001AC0000-0x0000000001B04000-memory.dmp

Filesize
272KB

Download
memory/1192-75-0x0000000001AC0000-0x0000000001B04000-memory.dmp

Filesize
272KB

Download
memory/1260-80-0x00000000029F0000-0x0000000002A34000-memory.dmp

Filesize
272KB

Download
memory/1260-81-0x00000000029F0000-0x0000000002A34000-memory.dmp

Filesize
272KB

Download
memory/1260-82-0x00000000029F0000-0x0000000002A34000-memory.dmp

Filesize
272KB

Download
memory/1260-83-0x00000000029F0000-0x0000000002A34000-memory.dmp

Filesize
272KB

Download
memory/1476-87-0x0000000000560000-0x00000000005A4000-memory.dmp

Filesize
272KB

Download
memory/1476-86-0x0000000000560000-0x00000000005A4000-memory.dmp

Filesize
272KB

Download
memory/1476-94-0x0000000000560000-0x00000000005B0000-memory.dmp

Filesize
320KB

Download
memory/1476-91-0x0000000000560000-0x00000000005B0000-memory.dmp

Filesize
320KB

Download
memory/1476-89-0x0000000000560000-0x00000000005A4000-memory.dmp

Filesize
272KB

Download
memory/1476-88-0x0000000000560000-0x00000000005A4000-memory.dmp

Filesize
272KB

Download
memory/1476-54-0x0000000000970000-0x00000000009C0000-memory.dmp

Filesize
320KB

Download
memory/1476-103-0x0000000000970000-0x00000000009C0000-memory.dmp

Filesize
320KB

Download
memory/1476-104-0x0000000000560000-0x00000000005A4000-memory.dmp

Filesize
272KB

Download
memory/1476-92-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1476-55-0x0000000075491000-0x0000000075493000-memory.dmp

Filesize
8KB

Download
memory/1476-57-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1476-56-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1476-59-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1476-62-0x0000000000560000-0x00000000005B0000-memory.dmp

Filesize
320KB

Download
memory/1952-110-0x00000000001A0000-0x00000000001E4000-memory.dmp

Filesize
272KB

Download
memory/1952-109-0x00000000001A0000-0x00000000001E4000-memory.dmp

Filesize
272KB

Download
memory/1952-108-0x00000000001A0000-0x00000000001E4000-memory.dmp

Filesize
272KB

Download
memory/1952-107-0x00000000001A0000-0x00000000001E4000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads