cobaltstrike | 9042c84e4d4137a7fee0e156dc27673c49e2f8bb80d69abd57b8a42c5fa217a0

General

Target

9042c84e4d4137a7fee0e156dc27673c49e2f8bb80d69abd57b8a42c5fa217a0.exe
Size

305KB
MD5

504a67c133b8d3aad09c4436fd4b6d88
SHA1

c1cde5a52ef0c948cfb215e2eb66f5f5ce8ef39b
SHA256

9042c84e4d4137a7fee0e156dc27673c49e2f8bb80d69abd57b8a42c5fa217a0
SHA512

401a30d940f331b746fb3d2bc8469075f52caaa512a7add3217e95bf7bca37f37612e1f8a6b9833a22227794bcd2638e7099c70300b4e69e18a0e296c72907b5
SSDEEP

6144:5GSzhT72Y0StzinYKTY1SQshfRPVQe1MZkIYSccr7wbstO1PECYeixlYGicM:5Gqd7SSEYsY1UMqMZJYSN7wbstO18fvO

Score

10^/10

cobaltstrike backdoor persistence trojan

Malware Config

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Executes dropped EXE 1 IoCs

Processes:

isacwa.exe

pid process

1264 isacwa.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

592 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

9042c84e4d4137a7fee0e156dc27673c49e2f8bb80d69abd57b8a42c5fa217a0.exe

pid process

608 9042c84e4d4137a7fee0e156dc27673c49e2f8bb80d69abd57b8a42c5fa217a0.exe

pid	process
592	cmd.exe

pid	process
608	9042c84e4d4137a7fee0e156dc27673c49e2f8bb80d69abd57b8a42c5fa217a0.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

isacwa.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\Currentversion\Run	isacwa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\{7BD94DA8-4FEF-AD4D-5225-887A4931AB67} = "C:\\Users\\Admin\\AppData\\Roaming\\Hizos\\isacwa.exe"	isacwa.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

9042c84e4d4137a7fee0e156dc27673c49e2f8bb80d69abd57b8a42c5fa217a0.exe

description pid process target process

PID 608 set thread context of 592 608 9042c84e4d4137a7fee0e156dc27673c49e2f8bb80d69abd57b8a42c5fa217a0.exe cmd.exe

description	pid	process	target process
PID 608 set thread context of 592	608	9042c84e4d4137a7fee0e156dc27673c49e2f8bb80d69abd57b8a42c5fa217a0.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

9042c84e4d4137a7fee0e156dc27673c49e2f8bb80d69abd57b8a42c5fa217a0.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Privacy	9042c84e4d4137a7fee0e156dc27673c49e2f8bb80d69abd57b8a42c5fa217a0.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	9042c84e4d4137a7fee0e156dc27673c49e2f8bb80d69abd57b8a42c5fa217a0.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

isacwa.exe

pid	process
1264	isacwa.exe
1264	isacwa.exe
1264	isacwa.exe
1264	isacwa.exe
1264	isacwa.exe
1264	isacwa.exe
1264	isacwa.exe
1264	isacwa.exe
1264	isacwa.exe
1264	isacwa.exe
1264	isacwa.exe
1264	isacwa.exe
1264	isacwa.exe
1264	isacwa.exe
1264	isacwa.exe
1264	isacwa.exe
1264	isacwa.exe
1264	isacwa.exe
1264	isacwa.exe
1264	isacwa.exe
1264	isacwa.exe
1264	isacwa.exe
1264	isacwa.exe
1264	isacwa.exe
1264	isacwa.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

9042c84e4d4137a7fee0e156dc27673c49e2f8bb80d69abd57b8a42c5fa217a0.exeisacwa.exe

description	pid	process	target process
PID 608 wrote to memory of 1264	608	9042c84e4d4137a7fee0e156dc27673c49e2f8bb80d69abd57b8a42c5fa217a0.exe	isacwa.exe
PID 608 wrote to memory of 1264	608	9042c84e4d4137a7fee0e156dc27673c49e2f8bb80d69abd57b8a42c5fa217a0.exe	isacwa.exe
PID 608 wrote to memory of 1264	608	9042c84e4d4137a7fee0e156dc27673c49e2f8bb80d69abd57b8a42c5fa217a0.exe	isacwa.exe
PID 608 wrote to memory of 1264	608	9042c84e4d4137a7fee0e156dc27673c49e2f8bb80d69abd57b8a42c5fa217a0.exe	isacwa.exe
PID 1264 wrote to memory of 1248	1264	isacwa.exe	taskhost.exe
PID 1264 wrote to memory of 1248	1264	isacwa.exe	taskhost.exe
PID 1264 wrote to memory of 1248	1264	isacwa.exe	taskhost.exe
PID 1264 wrote to memory of 1248	1264	isacwa.exe	taskhost.exe
PID 1264 wrote to memory of 1248	1264	isacwa.exe	taskhost.exe
PID 1264 wrote to memory of 1316	1264	isacwa.exe	Dwm.exe
PID 1264 wrote to memory of 1316	1264	isacwa.exe	Dwm.exe
PID 1264 wrote to memory of 1316	1264	isacwa.exe	Dwm.exe
PID 1264 wrote to memory of 1316	1264	isacwa.exe	Dwm.exe
PID 1264 wrote to memory of 1316	1264	isacwa.exe	Dwm.exe
PID 1264 wrote to memory of 1372	1264	isacwa.exe	Explorer.EXE
PID 1264 wrote to memory of 1372	1264	isacwa.exe	Explorer.EXE
PID 1264 wrote to memory of 1372	1264	isacwa.exe	Explorer.EXE
PID 1264 wrote to memory of 1372	1264	isacwa.exe	Explorer.EXE
PID 1264 wrote to memory of 1372	1264	isacwa.exe	Explorer.EXE
PID 1264 wrote to memory of 608	1264	isacwa.exe	9042c84e4d4137a7fee0e156dc27673c49e2f8bb80d69abd57b8a42c5fa217a0.exe
PID 1264 wrote to memory of 608	1264	isacwa.exe	9042c84e4d4137a7fee0e156dc27673c49e2f8bb80d69abd57b8a42c5fa217a0.exe
PID 1264 wrote to memory of 608	1264	isacwa.exe	9042c84e4d4137a7fee0e156dc27673c49e2f8bb80d69abd57b8a42c5fa217a0.exe
PID 1264 wrote to memory of 608	1264	isacwa.exe	9042c84e4d4137a7fee0e156dc27673c49e2f8bb80d69abd57b8a42c5fa217a0.exe
PID 1264 wrote to memory of 608	1264	isacwa.exe	9042c84e4d4137a7fee0e156dc27673c49e2f8bb80d69abd57b8a42c5fa217a0.exe
PID 608 wrote to memory of 592	608	9042c84e4d4137a7fee0e156dc27673c49e2f8bb80d69abd57b8a42c5fa217a0.exe	cmd.exe
PID 608 wrote to memory of 592	608	9042c84e4d4137a7fee0e156dc27673c49e2f8bb80d69abd57b8a42c5fa217a0.exe	cmd.exe
PID 608 wrote to memory of 592	608	9042c84e4d4137a7fee0e156dc27673c49e2f8bb80d69abd57b8a42c5fa217a0.exe	cmd.exe
PID 608 wrote to memory of 592	608	9042c84e4d4137a7fee0e156dc27673c49e2f8bb80d69abd57b8a42c5fa217a0.exe	cmd.exe
PID 608 wrote to memory of 592	608	9042c84e4d4137a7fee0e156dc27673c49e2f8bb80d69abd57b8a42c5fa217a0.exe	cmd.exe
PID 608 wrote to memory of 592	608	9042c84e4d4137a7fee0e156dc27673c49e2f8bb80d69abd57b8a42c5fa217a0.exe	cmd.exe
PID 608 wrote to memory of 592	608	9042c84e4d4137a7fee0e156dc27673c49e2f8bb80d69abd57b8a42c5fa217a0.exe	cmd.exe
PID 608 wrote to memory of 592	608	9042c84e4d4137a7fee0e156dc27673c49e2f8bb80d69abd57b8a42c5fa217a0.exe	cmd.exe
PID 608 wrote to memory of 592	608	9042c84e4d4137a7fee0e156dc27673c49e2f8bb80d69abd57b8a42c5fa217a0.exe	cmd.exe
PID 1264 wrote to memory of 524	1264	isacwa.exe	DllHost.exe
PID 1264 wrote to memory of 524	1264	isacwa.exe	DllHost.exe
PID 1264 wrote to memory of 524	1264	isacwa.exe	DllHost.exe
PID 1264 wrote to memory of 524	1264	isacwa.exe	DllHost.exe
PID 1264 wrote to memory of 524	1264	isacwa.exe	DllHost.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1372

C:\Users\Admin\AppData\Local\Temp\9042c84e4d4137a7fee0e156dc27673c49e2f8bb80d69abd57b8a42c5fa217a0.exe
"C:\Users\Admin\AppData\Local\Temp\9042c84e4d4137a7fee0e156dc27673c49e2f8bb80d69abd57b8a42c5fa217a0.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:608

C:\Users\Admin\AppData\Roaming\Hizos\isacwa.exe
"C:\Users\Admin\AppData\Roaming\Hizos\isacwa.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1264

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpde41c78a.bat"
3⤵
- Deletes itself
PID:592

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1316

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1248

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:524

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpde41c78a.bat
Filesize
307B

MD5
b50c86f18f319168da278213e573030c

SHA1
7b897bca6dd0ca6f4a3a9df9740b568436217b24

SHA256
3ba33622f2f5cfc0fab4cb7fba88ab38f799956b2878f88f5c7c6f4ae12c726e

SHA512
938c528fb48596a4244be987fdb03a8afdd10d1b1ec285147a6bb42e8aaf7d8718cc3db6f79d2e9507095aad55cb134a1e5c97bf8087a20cfcead66c1a8c5de0

Download Submit
C:\Users\Admin\AppData\Roaming\Hizos\isacwa.exe
Filesize
305KB

MD5
a58882eca3ba500c91e4042b3f22d215

SHA1
236e704bd3799ada1afdf886f21f92db9aab6be7

SHA256
3a118fbe265f07ee23a32f97f86e7231ee5450f23dc5fef326acbf6f10aa9ee8

SHA512
cbb47fca320cf393c9f5bc5735636a184a0d92b34b847675ed7dcf917312d90c5cade3e495d57dc357c0872844561d15f7ad4ba3b46aa42a866ed3cf2b8706a2

Download Submit
C:\Users\Admin\AppData\Roaming\Hizos\isacwa.exe
Filesize
305KB

MD5
a58882eca3ba500c91e4042b3f22d215

SHA1
236e704bd3799ada1afdf886f21f92db9aab6be7

SHA256
3a118fbe265f07ee23a32f97f86e7231ee5450f23dc5fef326acbf6f10aa9ee8

SHA512
cbb47fca320cf393c9f5bc5735636a184a0d92b34b847675ed7dcf917312d90c5cade3e495d57dc357c0872844561d15f7ad4ba3b46aa42a866ed3cf2b8706a2

Download Submit
\Users\Admin\AppData\Roaming\Hizos\isacwa.exe
Filesize
305KB

MD5
a58882eca3ba500c91e4042b3f22d215

SHA1
236e704bd3799ada1afdf886f21f92db9aab6be7

SHA256
3a118fbe265f07ee23a32f97f86e7231ee5450f23dc5fef326acbf6f10aa9ee8

SHA512
cbb47fca320cf393c9f5bc5735636a184a0d92b34b847675ed7dcf917312d90c5cade3e495d57dc357c0872844561d15f7ad4ba3b46aa42a866ed3cf2b8706a2

Download Submit
memory/524-110-0x0000000001C20000-0x0000000001C64000-memory.dmp

Filesize
272KB

Download
memory/524-109-0x0000000001C20000-0x0000000001C64000-memory.dmp

Filesize
272KB

Download
memory/524-111-0x0000000001C20000-0x0000000001C64000-memory.dmp

Filesize
272KB

Download
memory/524-112-0x0000000001C20000-0x0000000001C64000-memory.dmp

Filesize
272KB

Download
memory/592-97-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/592-105-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/592-94-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/592-96-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/592-98-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/592-99-0x00000000000671E6-mapping.dmp

Download
memory/608-101-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/608-91-0x0000000000090000-0x00000000000E0000-memory.dmp

Filesize
320KB

Download
memory/608-102-0x0000000000090000-0x00000000000D4000-memory.dmp

Filesize
272KB

Download
memory/608-62-0x0000000000090000-0x00000000000E0000-memory.dmp

Filesize
320KB

Download
memory/608-100-0x0000000000DC0000-0x0000000000E10000-memory.dmp

Filesize
320KB

Download
memory/608-57-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/608-56-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/608-55-0x0000000075811000-0x0000000075813000-memory.dmp

Filesize
8KB

Download
memory/608-54-0x0000000000DC0000-0x0000000000E10000-memory.dmp

Filesize
320KB

Download
memory/608-61-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/608-86-0x0000000000090000-0x00000000000D4000-memory.dmp

Filesize
272KB

Download
memory/608-87-0x0000000000090000-0x00000000000D4000-memory.dmp

Filesize
272KB

Download
memory/608-88-0x0000000000090000-0x00000000000D4000-memory.dmp

Filesize
272KB

Download
memory/608-89-0x0000000000090000-0x00000000000D4000-memory.dmp

Filesize
272KB

Download
memory/1248-66-0x0000000001BF0000-0x0000000001C34000-memory.dmp

Filesize
272KB

Download
memory/1248-68-0x0000000001BF0000-0x0000000001C34000-memory.dmp

Filesize
272KB

Download
memory/1248-70-0x0000000001BF0000-0x0000000001C34000-memory.dmp

Filesize
272KB

Download
memory/1248-69-0x0000000001BF0000-0x0000000001C34000-memory.dmp

Filesize
272KB

Download
memory/1248-71-0x0000000001BF0000-0x0000000001C34000-memory.dmp

Filesize
272KB

Download
memory/1264-90-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1264-59-0x0000000000000000-mapping.dmp

Download
memory/1264-63-0x0000000000CC0000-0x0000000000D10000-memory.dmp

Filesize
320KB

Download
memory/1264-106-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1316-74-0x0000000000230000-0x0000000000274000-memory.dmp

Filesize
272KB

Download
memory/1316-75-0x0000000000230000-0x0000000000274000-memory.dmp

Filesize
272KB

Download
memory/1316-76-0x0000000000230000-0x0000000000274000-memory.dmp

Filesize
272KB

Download
memory/1316-77-0x0000000000230000-0x0000000000274000-memory.dmp

Filesize
272KB

Download
memory/1372-80-0x0000000002700000-0x0000000002744000-memory.dmp

Filesize
272KB

Download
memory/1372-81-0x0000000002700000-0x0000000002744000-memory.dmp

Filesize
272KB

Download
memory/1372-82-0x0000000002700000-0x0000000002744000-memory.dmp

Filesize
272KB

Download
memory/1372-83-0x0000000002700000-0x0000000002744000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads