cobaltstrike | ce5a6f9a6913997c111d7d6296cb2ac0caaad7096668c324e23e4cfcf9f5abdb

General

Target

ce5a6f9a6913997c111d7d6296cb2ac0caaad7096668c324e23e4cfcf9f5abdb.exe
Size

307KB
MD5

af661dfd5095dfd231321be716aa1c4a
SHA1

83b80aefbb41470c5f018c31f6c1d3229ad0a8d9
SHA256

ce5a6f9a6913997c111d7d6296cb2ac0caaad7096668c324e23e4cfcf9f5abdb
SHA512

c915c559384ba3736cf25cd93bbbceac5218e58d18734a1136d59768a44cc88bc5efc80a6bef6e4f31da62f5ab9d9985db402b8529e33405e91068c1c08bb99e
SSDEEP

6144:HkSzMT72Y0SuzinYKTY1SQshfRPVQe1MZkIYSccr7wbstOgPECYeixlYGicB:Hkqw7SS5YsY1UMqMZJYSN7wbstOg8fvX

Score

10^/10

cobaltstrike backdoor persistence trojan

Malware Config

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Executes dropped EXE 1 IoCs

Processes:

erake.exe

pid process

772 erake.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

868 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

ce5a6f9a6913997c111d7d6296cb2ac0caaad7096668c324e23e4cfcf9f5abdb.exe

pid process

968 ce5a6f9a6913997c111d7d6296cb2ac0caaad7096668c324e23e4cfcf9f5abdb.exe

pid	process
868	cmd.exe

pid	process
968	ce5a6f9a6913997c111d7d6296cb2ac0caaad7096668c324e23e4cfcf9f5abdb.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

erake.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\Currentversion\Run	erake.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\{A87A45C8-3774-AD4D-8524-3978BFBA1A65} = "C:\\Users\\Admin\\AppData\\Roaming\\Uwpeij\\erake.exe"	erake.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

ce5a6f9a6913997c111d7d6296cb2ac0caaad7096668c324e23e4cfcf9f5abdb.exe

description pid process target process

PID 968 set thread context of 868 968 ce5a6f9a6913997c111d7d6296cb2ac0caaad7096668c324e23e4cfcf9f5abdb.exe cmd.exe

description	pid	process	target process
PID 968 set thread context of 868	968	ce5a6f9a6913997c111d7d6296cb2ac0caaad7096668c324e23e4cfcf9f5abdb.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

ce5a6f9a6913997c111d7d6296cb2ac0caaad7096668c324e23e4cfcf9f5abdb.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Privacy	ce5a6f9a6913997c111d7d6296cb2ac0caaad7096668c324e23e4cfcf9f5abdb.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	ce5a6f9a6913997c111d7d6296cb2ac0caaad7096668c324e23e4cfcf9f5abdb.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

erake.exe

pid	process
772	erake.exe
772	erake.exe
772	erake.exe
772	erake.exe
772	erake.exe
772	erake.exe
772	erake.exe
772	erake.exe
772	erake.exe
772	erake.exe
772	erake.exe
772	erake.exe
772	erake.exe
772	erake.exe
772	erake.exe
772	erake.exe
772	erake.exe
772	erake.exe
772	erake.exe
772	erake.exe
772	erake.exe
772	erake.exe
772	erake.exe
772	erake.exe
772	erake.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

ce5a6f9a6913997c111d7d6296cb2ac0caaad7096668c324e23e4cfcf9f5abdb.exeerake.exe

description	pid	process	target process
PID 968 wrote to memory of 772	968	ce5a6f9a6913997c111d7d6296cb2ac0caaad7096668c324e23e4cfcf9f5abdb.exe	erake.exe
PID 968 wrote to memory of 772	968	ce5a6f9a6913997c111d7d6296cb2ac0caaad7096668c324e23e4cfcf9f5abdb.exe	erake.exe
PID 968 wrote to memory of 772	968	ce5a6f9a6913997c111d7d6296cb2ac0caaad7096668c324e23e4cfcf9f5abdb.exe	erake.exe
PID 968 wrote to memory of 772	968	ce5a6f9a6913997c111d7d6296cb2ac0caaad7096668c324e23e4cfcf9f5abdb.exe	erake.exe
PID 772 wrote to memory of 1140	772	erake.exe	taskhost.exe
PID 772 wrote to memory of 1140	772	erake.exe	taskhost.exe
PID 772 wrote to memory of 1140	772	erake.exe	taskhost.exe
PID 772 wrote to memory of 1140	772	erake.exe	taskhost.exe
PID 772 wrote to memory of 1140	772	erake.exe	taskhost.exe
PID 772 wrote to memory of 1256	772	erake.exe	Dwm.exe
PID 772 wrote to memory of 1256	772	erake.exe	Dwm.exe
PID 772 wrote to memory of 1256	772	erake.exe	Dwm.exe
PID 772 wrote to memory of 1256	772	erake.exe	Dwm.exe
PID 772 wrote to memory of 1256	772	erake.exe	Dwm.exe
PID 772 wrote to memory of 1312	772	erake.exe	Explorer.EXE
PID 772 wrote to memory of 1312	772	erake.exe	Explorer.EXE
PID 772 wrote to memory of 1312	772	erake.exe	Explorer.EXE
PID 772 wrote to memory of 1312	772	erake.exe	Explorer.EXE
PID 772 wrote to memory of 1312	772	erake.exe	Explorer.EXE
PID 772 wrote to memory of 968	772	erake.exe	ce5a6f9a6913997c111d7d6296cb2ac0caaad7096668c324e23e4cfcf9f5abdb.exe
PID 772 wrote to memory of 968	772	erake.exe	ce5a6f9a6913997c111d7d6296cb2ac0caaad7096668c324e23e4cfcf9f5abdb.exe
PID 772 wrote to memory of 968	772	erake.exe	ce5a6f9a6913997c111d7d6296cb2ac0caaad7096668c324e23e4cfcf9f5abdb.exe
PID 772 wrote to memory of 968	772	erake.exe	ce5a6f9a6913997c111d7d6296cb2ac0caaad7096668c324e23e4cfcf9f5abdb.exe
PID 772 wrote to memory of 968	772	erake.exe	ce5a6f9a6913997c111d7d6296cb2ac0caaad7096668c324e23e4cfcf9f5abdb.exe
PID 968 wrote to memory of 868	968	ce5a6f9a6913997c111d7d6296cb2ac0caaad7096668c324e23e4cfcf9f5abdb.exe	cmd.exe
PID 968 wrote to memory of 868	968	ce5a6f9a6913997c111d7d6296cb2ac0caaad7096668c324e23e4cfcf9f5abdb.exe	cmd.exe
PID 968 wrote to memory of 868	968	ce5a6f9a6913997c111d7d6296cb2ac0caaad7096668c324e23e4cfcf9f5abdb.exe	cmd.exe
PID 968 wrote to memory of 868	968	ce5a6f9a6913997c111d7d6296cb2ac0caaad7096668c324e23e4cfcf9f5abdb.exe	cmd.exe
PID 968 wrote to memory of 868	968	ce5a6f9a6913997c111d7d6296cb2ac0caaad7096668c324e23e4cfcf9f5abdb.exe	cmd.exe
PID 968 wrote to memory of 868	968	ce5a6f9a6913997c111d7d6296cb2ac0caaad7096668c324e23e4cfcf9f5abdb.exe	cmd.exe
PID 968 wrote to memory of 868	968	ce5a6f9a6913997c111d7d6296cb2ac0caaad7096668c324e23e4cfcf9f5abdb.exe	cmd.exe
PID 968 wrote to memory of 868	968	ce5a6f9a6913997c111d7d6296cb2ac0caaad7096668c324e23e4cfcf9f5abdb.exe	cmd.exe
PID 968 wrote to memory of 868	968	ce5a6f9a6913997c111d7d6296cb2ac0caaad7096668c324e23e4cfcf9f5abdb.exe	cmd.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1140

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1256

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1312

C:\Users\Admin\AppData\Local\Temp\ce5a6f9a6913997c111d7d6296cb2ac0caaad7096668c324e23e4cfcf9f5abdb.exe
"C:\Users\Admin\AppData\Local\Temp\ce5a6f9a6913997c111d7d6296cb2ac0caaad7096668c324e23e4cfcf9f5abdb.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:968

C:\Users\Admin\AppData\Roaming\Uwpeij\erake.exe
"C:\Users\Admin\AppData\Roaming\Uwpeij\erake.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:772

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpab810908.bat"
3⤵
- Deletes itself
PID:868

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\oklyuc.hai
Filesize
466B

MD5
9eb7473d89e0399fa9c0b5717c3f2a17

SHA1
5b83006f9bde31ce1424adcb70ed9343dcf97e7f

SHA256
740ba0bd9fb263020bc59724505d669c857d480073f78a44876492cb47ce16f6

SHA512
5e9d6073756817beb42e1b1c7191569255178018c9e422b0788c414bd6b0ce9e88c03c194d5fb2694337f9f5a741b38a059a03d5f0570004943732687d77a575

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpab810908.bat
Filesize
307B

MD5
c38f844b3cbbca6e43b4bd94f7c87825

SHA1
13cd8966dd0ab631f41a8ebe57f4b827ba86ab92

SHA256
05fb191e665e0dbb0723599aa2c0b4dfb1bd2f2c2e379e222880baef2204015a

SHA512
1840af1d04ff579d51b574722ce7c49f720dcb61305fff33f412e1b491beddc381b3a2b5adfc0a89f7bb7acb558b5c3f123c1ff9163bea3e4a1fe525fd254714

Download Submit
C:\Users\Admin\AppData\Roaming\Uwpeij\erake.exe
Filesize
307KB

MD5
0f1b78ae2c0b38eb8124e00cd1706bae

SHA1
77c1ee668dce05460badb3cae79813a09e53b7e6

SHA256
150faf240d91a5364042d11a0fb94109d0075da5a766190cbac984a4e9793ca6

SHA512
6252df7ddc4222f32ef0d0f6399cfcb62d1a6854a836e2f89f31fbe5bbc19db8de81f813ada902aeb5865e9f633acebe6d59245a051d29d350a7264b0f526b0a

Download Submit
C:\Users\Admin\AppData\Roaming\Uwpeij\erake.exe
Filesize
307KB

MD5
0f1b78ae2c0b38eb8124e00cd1706bae

SHA1
77c1ee668dce05460badb3cae79813a09e53b7e6

SHA256
150faf240d91a5364042d11a0fb94109d0075da5a766190cbac984a4e9793ca6

SHA512
6252df7ddc4222f32ef0d0f6399cfcb62d1a6854a836e2f89f31fbe5bbc19db8de81f813ada902aeb5865e9f633acebe6d59245a051d29d350a7264b0f526b0a

Download Submit
\Users\Admin\AppData\Roaming\Uwpeij\erake.exe
Filesize
307KB

MD5
0f1b78ae2c0b38eb8124e00cd1706bae

SHA1
77c1ee668dce05460badb3cae79813a09e53b7e6

SHA256
150faf240d91a5364042d11a0fb94109d0075da5a766190cbac984a4e9793ca6

SHA512
6252df7ddc4222f32ef0d0f6399cfcb62d1a6854a836e2f89f31fbe5bbc19db8de81f813ada902aeb5865e9f633acebe6d59245a051d29d350a7264b0f526b0a

Download Submit
memory/772-108-0x0000000000A50000-0x0000000000AA1000-memory.dmp

Filesize
324KB

Download
memory/772-93-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/772-59-0x0000000000000000-mapping.dmp

Download
memory/772-76-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/772-63-0x0000000000A50000-0x0000000000AA1000-memory.dmp

Filesize
324KB

Download
memory/868-102-0x00000000000671E6-mapping.dmp

Download
memory/868-101-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/868-99-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/868-100-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/868-97-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/868-107-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/968-92-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/968-103-0x0000000000FB0000-0x0000000001001000-memory.dmp

Filesize
324KB

Download
memory/968-55-0x0000000075F21000-0x0000000075F23000-memory.dmp

Filesize
8KB

Download
memory/968-56-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/968-57-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/968-61-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/968-62-0x00000000001E0000-0x0000000000231000-memory.dmp

Filesize
324KB

Download
memory/968-54-0x0000000000FB0000-0x0000000001001000-memory.dmp

Filesize
324KB

Download
memory/968-94-0x0000000000150000-0x0000000000194000-memory.dmp

Filesize
272KB

Download
memory/968-87-0x0000000000150000-0x0000000000194000-memory.dmp

Filesize
272KB

Download
memory/968-88-0x0000000000150000-0x0000000000194000-memory.dmp

Filesize
272KB

Download
memory/968-89-0x0000000000150000-0x0000000000194000-memory.dmp

Filesize
272KB

Download
memory/968-90-0x0000000000150000-0x0000000000194000-memory.dmp

Filesize
272KB

Download
memory/968-91-0x0000000000150000-0x0000000000194000-memory.dmp

Filesize
272KB

Download
memory/1140-68-0x0000000001EC0000-0x0000000001F04000-memory.dmp

Filesize
272KB

Download
memory/1140-71-0x0000000001EC0000-0x0000000001F04000-memory.dmp

Filesize
272KB

Download
memory/1140-70-0x0000000001EC0000-0x0000000001F04000-memory.dmp

Filesize
272KB

Download
memory/1140-69-0x0000000001EC0000-0x0000000001F04000-memory.dmp

Filesize
272KB

Download
memory/1140-66-0x0000000001EC0000-0x0000000001F04000-memory.dmp

Filesize
272KB

Download
memory/1256-74-0x0000000001BB0000-0x0000000001BF4000-memory.dmp

Filesize
272KB

Download
memory/1256-78-0x0000000001BB0000-0x0000000001BF4000-memory.dmp

Filesize
272KB

Download
memory/1256-77-0x0000000001BB0000-0x0000000001BF4000-memory.dmp

Filesize
272KB

Download
memory/1256-75-0x0000000001BB0000-0x0000000001BF4000-memory.dmp

Filesize
272KB

Download
memory/1312-84-0x0000000002B20000-0x0000000002B64000-memory.dmp

Filesize
272KB

Download
memory/1312-83-0x0000000002B20000-0x0000000002B64000-memory.dmp

Filesize
272KB

Download
memory/1312-82-0x0000000002B20000-0x0000000002B64000-memory.dmp

Filesize
272KB

Download
memory/1312-81-0x0000000002B20000-0x0000000002B64000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads