cobaltstrike | 788612aab694fdcfc1fddf3da14b9fa1a2ff630f6f7c5faa67bc4a49ab19140b

General

Target

788612aab694fdcfc1fddf3da14b9fa1a2ff630f6f7c5faa67bc4a49ab19140b.exe
Size

307KB
MD5

ef8d96e256e8635f16ee27ba42fd0b2e
SHA1

ad6b06dae512d2dc6ceb461b9fdfa6784d2e3333
SHA256

788612aab694fdcfc1fddf3da14b9fa1a2ff630f6f7c5faa67bc4a49ab19140b
SHA512

e94777399c46d3ef73ca6a42711d456da374c8028668872f94835d5d2b092b4e2a896f9b64267c844c4a03834656f10f9085e5ede5e44f37084f29dcd7a651a2
SSDEEP

6144:2qzJT72Y0SXzinYKTY1SQshfRPVQe1MZkIYSccr7wbstOWQPECYeixlYGicfM:2CV7SSuYsY1UMqMZJYSN7wbstOWQ8fvi

Score

10^/10

cobaltstrike backdoor persistence trojan

Malware Config

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Executes dropped EXE 1 IoCs

Processes:

tyixja.exe

pid process

584 tyixja.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1200 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

788612aab694fdcfc1fddf3da14b9fa1a2ff630f6f7c5faa67bc4a49ab19140b.exe

pid process

528 788612aab694fdcfc1fddf3da14b9fa1a2ff630f6f7c5faa67bc4a49ab19140b.exe

pid	process
1200	cmd.exe

pid	process
528	788612aab694fdcfc1fddf3da14b9fa1a2ff630f6f7c5faa67bc4a49ab19140b.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tyixja.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\Currentversion\Run	tyixja.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\{E8A35E48-3774-AD4D-52EE-D422474DF73F} = "C:\\Users\\Admin\\AppData\\Roaming\\Juani\\tyixja.exe"	tyixja.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

788612aab694fdcfc1fddf3da14b9fa1a2ff630f6f7c5faa67bc4a49ab19140b.exe

description pid process target process

PID 528 set thread context of 1200 528 788612aab694fdcfc1fddf3da14b9fa1a2ff630f6f7c5faa67bc4a49ab19140b.exe cmd.exe

description	pid	process	target process
PID 528 set thread context of 1200	528	788612aab694fdcfc1fddf3da14b9fa1a2ff630f6f7c5faa67bc4a49ab19140b.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

788612aab694fdcfc1fddf3da14b9fa1a2ff630f6f7c5faa67bc4a49ab19140b.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Privacy	788612aab694fdcfc1fddf3da14b9fa1a2ff630f6f7c5faa67bc4a49ab19140b.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	788612aab694fdcfc1fddf3da14b9fa1a2ff630f6f7c5faa67bc4a49ab19140b.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

tyixja.exe

pid	process
584	tyixja.exe
584	tyixja.exe
584	tyixja.exe
584	tyixja.exe
584	tyixja.exe
584	tyixja.exe
584	tyixja.exe
584	tyixja.exe
584	tyixja.exe
584	tyixja.exe
584	tyixja.exe
584	tyixja.exe
584	tyixja.exe
584	tyixja.exe
584	tyixja.exe
584	tyixja.exe
584	tyixja.exe
584	tyixja.exe
584	tyixja.exe
584	tyixja.exe
584	tyixja.exe
584	tyixja.exe
584	tyixja.exe
584	tyixja.exe
584	tyixja.exe
584	tyixja.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

788612aab694fdcfc1fddf3da14b9fa1a2ff630f6f7c5faa67bc4a49ab19140b.exetyixja.exe

description	pid	process	target process
PID 528 wrote to memory of 584	528	788612aab694fdcfc1fddf3da14b9fa1a2ff630f6f7c5faa67bc4a49ab19140b.exe	tyixja.exe
PID 528 wrote to memory of 584	528	788612aab694fdcfc1fddf3da14b9fa1a2ff630f6f7c5faa67bc4a49ab19140b.exe	tyixja.exe
PID 528 wrote to memory of 584	528	788612aab694fdcfc1fddf3da14b9fa1a2ff630f6f7c5faa67bc4a49ab19140b.exe	tyixja.exe
PID 528 wrote to memory of 584	528	788612aab694fdcfc1fddf3da14b9fa1a2ff630f6f7c5faa67bc4a49ab19140b.exe	tyixja.exe
PID 584 wrote to memory of 1124	584	tyixja.exe	taskhost.exe
PID 584 wrote to memory of 1124	584	tyixja.exe	taskhost.exe
PID 584 wrote to memory of 1124	584	tyixja.exe	taskhost.exe
PID 584 wrote to memory of 1124	584	tyixja.exe	taskhost.exe
PID 584 wrote to memory of 1124	584	tyixja.exe	taskhost.exe
PID 584 wrote to memory of 1188	584	tyixja.exe	Dwm.exe
PID 584 wrote to memory of 1188	584	tyixja.exe	Dwm.exe
PID 584 wrote to memory of 1188	584	tyixja.exe	Dwm.exe
PID 584 wrote to memory of 1188	584	tyixja.exe	Dwm.exe
PID 584 wrote to memory of 1188	584	tyixja.exe	Dwm.exe
PID 584 wrote to memory of 1248	584	tyixja.exe	Explorer.EXE
PID 584 wrote to memory of 1248	584	tyixja.exe	Explorer.EXE
PID 584 wrote to memory of 1248	584	tyixja.exe	Explorer.EXE
PID 584 wrote to memory of 1248	584	tyixja.exe	Explorer.EXE
PID 584 wrote to memory of 1248	584	tyixja.exe	Explorer.EXE
PID 584 wrote to memory of 528	584	tyixja.exe	788612aab694fdcfc1fddf3da14b9fa1a2ff630f6f7c5faa67bc4a49ab19140b.exe
PID 584 wrote to memory of 528	584	tyixja.exe	788612aab694fdcfc1fddf3da14b9fa1a2ff630f6f7c5faa67bc4a49ab19140b.exe
PID 584 wrote to memory of 528	584	tyixja.exe	788612aab694fdcfc1fddf3da14b9fa1a2ff630f6f7c5faa67bc4a49ab19140b.exe
PID 584 wrote to memory of 528	584	tyixja.exe	788612aab694fdcfc1fddf3da14b9fa1a2ff630f6f7c5faa67bc4a49ab19140b.exe
PID 584 wrote to memory of 528	584	tyixja.exe	788612aab694fdcfc1fddf3da14b9fa1a2ff630f6f7c5faa67bc4a49ab19140b.exe
PID 528 wrote to memory of 1200	528	788612aab694fdcfc1fddf3da14b9fa1a2ff630f6f7c5faa67bc4a49ab19140b.exe	cmd.exe
PID 528 wrote to memory of 1200	528	788612aab694fdcfc1fddf3da14b9fa1a2ff630f6f7c5faa67bc4a49ab19140b.exe	cmd.exe
PID 528 wrote to memory of 1200	528	788612aab694fdcfc1fddf3da14b9fa1a2ff630f6f7c5faa67bc4a49ab19140b.exe	cmd.exe
PID 528 wrote to memory of 1200	528	788612aab694fdcfc1fddf3da14b9fa1a2ff630f6f7c5faa67bc4a49ab19140b.exe	cmd.exe
PID 528 wrote to memory of 1200	528	788612aab694fdcfc1fddf3da14b9fa1a2ff630f6f7c5faa67bc4a49ab19140b.exe	cmd.exe
PID 528 wrote to memory of 1200	528	788612aab694fdcfc1fddf3da14b9fa1a2ff630f6f7c5faa67bc4a49ab19140b.exe	cmd.exe
PID 528 wrote to memory of 1200	528	788612aab694fdcfc1fddf3da14b9fa1a2ff630f6f7c5faa67bc4a49ab19140b.exe	cmd.exe
PID 528 wrote to memory of 1200	528	788612aab694fdcfc1fddf3da14b9fa1a2ff630f6f7c5faa67bc4a49ab19140b.exe	cmd.exe
PID 528 wrote to memory of 1200	528	788612aab694fdcfc1fddf3da14b9fa1a2ff630f6f7c5faa67bc4a49ab19140b.exe	cmd.exe
PID 584 wrote to memory of 1972	584	tyixja.exe	conhost.exe
PID 584 wrote to memory of 1972	584	tyixja.exe	conhost.exe
PID 584 wrote to memory of 1972	584	tyixja.exe	conhost.exe
PID 584 wrote to memory of 1972	584	tyixja.exe	conhost.exe
PID 584 wrote to memory of 1972	584	tyixja.exe	conhost.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1124

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1248

C:\Users\Admin\AppData\Local\Temp\788612aab694fdcfc1fddf3da14b9fa1a2ff630f6f7c5faa67bc4a49ab19140b.exe
"C:\Users\Admin\AppData\Local\Temp\788612aab694fdcfc1fddf3da14b9fa1a2ff630f6f7c5faa67bc4a49ab19140b.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:528

C:\Users\Admin\AppData\Roaming\Juani\tyixja.exe
"C:\Users\Admin\AppData\Roaming\Juani\tyixja.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:584

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpb9a0a7f5.bat"
3⤵
- Deletes itself
PID:1200

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1188

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-134448324195451724-1829782836-846088612-1764322107-899481351-2091580157-884668070"
1⤵
PID:1972

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\ulagje.hep
Filesize
466B

MD5
edc292397c83bdd4a5722145dae08e5b

SHA1
e90ade45a7ebc99bbec6e19b8cdaa0273d7aa54f

SHA256
f9d4c8fff09afca35dc6cd0c2428083de4c17316acd438e856ca4323ad9d9122

SHA512
326d297f7edb9bf3c6fca84d72881918db6bc6310f9c0e46ac4c4ec020bd6db61a0fc73a11bed0a10ed0efd7e6cd0ece04df9ac6637ed241f652eb2eb4b98e5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpb9a0a7f5.bat
Filesize
307B

MD5
60668d78e3de49c6b4425528b9d28e2b

SHA1
0cf16a309bace401da075d9a0ab7b8fc3e227ea2

SHA256
37948a7cba011904fe8f42a57cda7453fd63a6aabd0c57d6cc66d40aa2a009e9

SHA512
056e66e90fa900d088f85331e13f13e01eb33900934d05964fb7e02351d10c10154d9170cc1a882b811b4fb3587ce3dcb37dcc69943e78a1cd7625f00b20154d

Download Submit
C:\Users\Admin\AppData\Roaming\Juani\tyixja.exe
Filesize
307KB

MD5
09ab9ab8c8bdb8176117c6289480c1ab

SHA1
d9bdee0bd2fd2160c87dd9a621ed2ad52fc600bd

SHA256
b8ca848e9be6fd37256970518ba6a02f9a08b7194a04becf16ad740d7de5326a

SHA512
1359f55e248369cfb5fdaac3b34b9313f5f4759f2a0870c395722b9f19ecad19092d562568b5d05f85800ba095e2a02c6903d640a93fddda54219af4f1c3d512

Download Submit
C:\Users\Admin\AppData\Roaming\Juani\tyixja.exe
Filesize
307KB

MD5
09ab9ab8c8bdb8176117c6289480c1ab

SHA1
d9bdee0bd2fd2160c87dd9a621ed2ad52fc600bd

SHA256
b8ca848e9be6fd37256970518ba6a02f9a08b7194a04becf16ad740d7de5326a

SHA512
1359f55e248369cfb5fdaac3b34b9313f5f4759f2a0870c395722b9f19ecad19092d562568b5d05f85800ba095e2a02c6903d640a93fddda54219af4f1c3d512

Download Submit
\Users\Admin\AppData\Roaming\Juani\tyixja.exe
Filesize
307KB

MD5
09ab9ab8c8bdb8176117c6289480c1ab

SHA1
d9bdee0bd2fd2160c87dd9a621ed2ad52fc600bd

SHA256
b8ca848e9be6fd37256970518ba6a02f9a08b7194a04becf16ad740d7de5326a

SHA512
1359f55e248369cfb5fdaac3b34b9313f5f4759f2a0870c395722b9f19ecad19092d562568b5d05f85800ba095e2a02c6903d640a93fddda54219af4f1c3d512

Download Submit
memory/528-86-0x0000000000180000-0x00000000001C4000-memory.dmp

Filesize
272KB

Download
memory/528-102-0x0000000000180000-0x00000000001C4000-memory.dmp

Filesize
272KB

Download
memory/528-61-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/528-62-0x0000000000180000-0x00000000001D0000-memory.dmp

Filesize
320KB

Download
memory/528-55-0x0000000075E81000-0x0000000075E83000-memory.dmp

Filesize
8KB

Download
memory/528-57-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/528-99-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/528-56-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/528-101-0x0000000000840000-0x0000000000890000-memory.dmp

Filesize
320KB

Download
memory/528-54-0x0000000000840000-0x0000000000890000-memory.dmp

Filesize
320KB

Download
memory/528-91-0x0000000000180000-0x00000000001D0000-memory.dmp

Filesize
320KB

Download
memory/528-87-0x0000000000180000-0x00000000001C4000-memory.dmp

Filesize
272KB

Download
memory/528-89-0x0000000000180000-0x00000000001C4000-memory.dmp

Filesize
272KB

Download
memory/528-88-0x0000000000180000-0x00000000001C4000-memory.dmp

Filesize
272KB

Download
memory/584-90-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/584-114-0x0000000000DF0000-0x0000000000E40000-memory.dmp

Filesize
320KB

Download
memory/584-59-0x0000000000000000-mapping.dmp

Download
memory/584-112-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/584-63-0x0000000000DF0000-0x0000000000E40000-memory.dmp

Filesize
320KB

Download
memory/1124-68-0x0000000001C00000-0x0000000001C44000-memory.dmp

Filesize
272KB

Download
memory/1124-69-0x0000000001C00000-0x0000000001C44000-memory.dmp

Filesize
272KB

Download
memory/1124-71-0x0000000001C00000-0x0000000001C44000-memory.dmp

Filesize
272KB

Download
memory/1124-70-0x0000000001C00000-0x0000000001C44000-memory.dmp

Filesize
272KB

Download
memory/1124-66-0x0000000001C00000-0x0000000001C44000-memory.dmp

Filesize
272KB

Download
memory/1188-77-0x00000000001B0000-0x00000000001F4000-memory.dmp

Filesize
272KB

Download
memory/1188-76-0x00000000001B0000-0x00000000001F4000-memory.dmp

Filesize
272KB

Download
memory/1188-75-0x00000000001B0000-0x00000000001F4000-memory.dmp

Filesize
272KB

Download
memory/1188-74-0x00000000001B0000-0x00000000001F4000-memory.dmp

Filesize
272KB

Download
memory/1200-98-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1200-100-0x00000000000671E6-mapping.dmp

Download
memory/1200-96-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1200-94-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1200-105-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1200-97-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1248-82-0x0000000002A20000-0x0000000002A64000-memory.dmp

Filesize
272KB

Download
memory/1248-83-0x0000000002A20000-0x0000000002A64000-memory.dmp

Filesize
272KB

Download
memory/1248-80-0x0000000002A20000-0x0000000002A64000-memory.dmp

Filesize
272KB

Download
memory/1248-81-0x0000000002A20000-0x0000000002A64000-memory.dmp

Filesize
272KB

Download
memory/1972-108-0x0000000001C00000-0x0000000001C44000-memory.dmp

Filesize
272KB

Download
memory/1972-111-0x0000000001C00000-0x0000000001C44000-memory.dmp

Filesize
272KB

Download
memory/1972-110-0x0000000001C00000-0x0000000001C44000-memory.dmp

Filesize
272KB

Download
memory/1972-109-0x0000000001C00000-0x0000000001C44000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads