cobaltstrike | cf799e2653967d10af88cb348e0b15acfe642002980b76b3740abec7d0f1a3aa

General

Target

cf799e2653967d10af88cb348e0b15acfe642002980b76b3740abec7d0f1a3aa.exe
Size

307KB
MD5

4d53cdb522a85911f08935285bd710cb
SHA1

197fa11e5641f902cc5a7e5e005c63ceddd26084
SHA256

cf799e2653967d10af88cb348e0b15acfe642002980b76b3740abec7d0f1a3aa
SHA512

44f6413de907370f510da78e4521cc3048f2ca468b3875e500179e95251c74672bd394e49f80660811276231a4c28e39f5e9c016c3f20aa49d5acb0097a46a18
SSDEEP

6144:2qzUT72Y0SdzinYKTY1SQshfRPVQe1MZkIYSccr7wbstOlPECYeixlYGiccj:2CI7SSUYsY1UMqMZJYSN7wbstOl8fve1

Score

10^/10

cobaltstrike backdoor persistence trojan

Malware Config

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Executes dropped EXE 1 IoCs

Processes:

pudaf.exe

pid process

976 pudaf.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1340 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

cf799e2653967d10af88cb348e0b15acfe642002980b76b3740abec7d0f1a3aa.exe

pid process

1376 cf799e2653967d10af88cb348e0b15acfe642002980b76b3740abec7d0f1a3aa.exe

pid	process
1340	cmd.exe

pid	process
1376	cf799e2653967d10af88cb348e0b15acfe642002980b76b3740abec7d0f1a3aa.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

pudaf.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\Currentversion\Run	pudaf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\{7B4F18C8-4FEF-AD4D-3A07-B8B71A0C9BAA} = "C:\\Users\\Admin\\AppData\\Roaming\\Myetjo\\pudaf.exe"	pudaf.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

cf799e2653967d10af88cb348e0b15acfe642002980b76b3740abec7d0f1a3aa.exe

description	pid	process	target process
PID 1376 set thread context of 1340	1376	cf799e2653967d10af88cb348e0b15acfe642002980b76b3740abec7d0f1a3aa.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

cf799e2653967d10af88cb348e0b15acfe642002980b76b3740abec7d0f1a3aa.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Privacy	cf799e2653967d10af88cb348e0b15acfe642002980b76b3740abec7d0f1a3aa.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	cf799e2653967d10af88cb348e0b15acfe642002980b76b3740abec7d0f1a3aa.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

pudaf.exe

pid	process
976	pudaf.exe
976	pudaf.exe
976	pudaf.exe
976	pudaf.exe
976	pudaf.exe
976	pudaf.exe
976	pudaf.exe
976	pudaf.exe
976	pudaf.exe
976	pudaf.exe
976	pudaf.exe
976	pudaf.exe
976	pudaf.exe
976	pudaf.exe
976	pudaf.exe
976	pudaf.exe
976	pudaf.exe
976	pudaf.exe
976	pudaf.exe
976	pudaf.exe
976	pudaf.exe
976	pudaf.exe
976	pudaf.exe
976	pudaf.exe
976	pudaf.exe
976	pudaf.exe
976	pudaf.exe
976	pudaf.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

cf799e2653967d10af88cb348e0b15acfe642002980b76b3740abec7d0f1a3aa.exepudaf.exe

description	pid	process	target process
PID 1376 wrote to memory of 976	1376	cf799e2653967d10af88cb348e0b15acfe642002980b76b3740abec7d0f1a3aa.exe	pudaf.exe
PID 1376 wrote to memory of 976	1376	cf799e2653967d10af88cb348e0b15acfe642002980b76b3740abec7d0f1a3aa.exe	pudaf.exe
PID 1376 wrote to memory of 976	1376	cf799e2653967d10af88cb348e0b15acfe642002980b76b3740abec7d0f1a3aa.exe	pudaf.exe
PID 1376 wrote to memory of 976	1376	cf799e2653967d10af88cb348e0b15acfe642002980b76b3740abec7d0f1a3aa.exe	pudaf.exe
PID 976 wrote to memory of 1192	976	pudaf.exe	taskhost.exe
PID 976 wrote to memory of 1192	976	pudaf.exe	taskhost.exe
PID 976 wrote to memory of 1192	976	pudaf.exe	taskhost.exe
PID 976 wrote to memory of 1192	976	pudaf.exe	taskhost.exe
PID 976 wrote to memory of 1192	976	pudaf.exe	taskhost.exe
PID 976 wrote to memory of 1220	976	pudaf.exe	Dwm.exe
PID 976 wrote to memory of 1220	976	pudaf.exe	Dwm.exe
PID 976 wrote to memory of 1220	976	pudaf.exe	Dwm.exe
PID 976 wrote to memory of 1220	976	pudaf.exe	Dwm.exe
PID 976 wrote to memory of 1220	976	pudaf.exe	Dwm.exe
PID 976 wrote to memory of 1284	976	pudaf.exe	Explorer.EXE
PID 976 wrote to memory of 1284	976	pudaf.exe	Explorer.EXE
PID 976 wrote to memory of 1284	976	pudaf.exe	Explorer.EXE
PID 976 wrote to memory of 1284	976	pudaf.exe	Explorer.EXE
PID 976 wrote to memory of 1284	976	pudaf.exe	Explorer.EXE
PID 976 wrote to memory of 1376	976	pudaf.exe	cf799e2653967d10af88cb348e0b15acfe642002980b76b3740abec7d0f1a3aa.exe
PID 976 wrote to memory of 1376	976	pudaf.exe	cf799e2653967d10af88cb348e0b15acfe642002980b76b3740abec7d0f1a3aa.exe
PID 976 wrote to memory of 1376	976	pudaf.exe	cf799e2653967d10af88cb348e0b15acfe642002980b76b3740abec7d0f1a3aa.exe
PID 976 wrote to memory of 1376	976	pudaf.exe	cf799e2653967d10af88cb348e0b15acfe642002980b76b3740abec7d0f1a3aa.exe
PID 976 wrote to memory of 1376	976	pudaf.exe	cf799e2653967d10af88cb348e0b15acfe642002980b76b3740abec7d0f1a3aa.exe
PID 1376 wrote to memory of 1340	1376	cf799e2653967d10af88cb348e0b15acfe642002980b76b3740abec7d0f1a3aa.exe	cmd.exe
PID 1376 wrote to memory of 1340	1376	cf799e2653967d10af88cb348e0b15acfe642002980b76b3740abec7d0f1a3aa.exe	cmd.exe
PID 1376 wrote to memory of 1340	1376	cf799e2653967d10af88cb348e0b15acfe642002980b76b3740abec7d0f1a3aa.exe	cmd.exe
PID 1376 wrote to memory of 1340	1376	cf799e2653967d10af88cb348e0b15acfe642002980b76b3740abec7d0f1a3aa.exe	cmd.exe
PID 1376 wrote to memory of 1340	1376	cf799e2653967d10af88cb348e0b15acfe642002980b76b3740abec7d0f1a3aa.exe	cmd.exe
PID 1376 wrote to memory of 1340	1376	cf799e2653967d10af88cb348e0b15acfe642002980b76b3740abec7d0f1a3aa.exe	cmd.exe
PID 1376 wrote to memory of 1340	1376	cf799e2653967d10af88cb348e0b15acfe642002980b76b3740abec7d0f1a3aa.exe	cmd.exe
PID 1376 wrote to memory of 1340	1376	cf799e2653967d10af88cb348e0b15acfe642002980b76b3740abec7d0f1a3aa.exe	cmd.exe
PID 1376 wrote to memory of 1340	1376	cf799e2653967d10af88cb348e0b15acfe642002980b76b3740abec7d0f1a3aa.exe	cmd.exe
PID 976 wrote to memory of 1176	976	pudaf.exe	DllHost.exe
PID 976 wrote to memory of 1176	976	pudaf.exe	DllHost.exe
PID 976 wrote to memory of 1176	976	pudaf.exe	DllHost.exe
PID 976 wrote to memory of 1176	976	pudaf.exe	DllHost.exe
PID 976 wrote to memory of 1176	976	pudaf.exe	DllHost.exe
PID 976 wrote to memory of 2020	976	pudaf.exe	DllHost.exe
PID 976 wrote to memory of 2020	976	pudaf.exe	DllHost.exe
PID 976 wrote to memory of 2020	976	pudaf.exe	DllHost.exe
PID 976 wrote to memory of 2020	976	pudaf.exe	DllHost.exe
PID 976 wrote to memory of 2020	976	pudaf.exe	DllHost.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1284

C:\Users\Admin\AppData\Local\Temp\cf799e2653967d10af88cb348e0b15acfe642002980b76b3740abec7d0f1a3aa.exe
"C:\Users\Admin\AppData\Local\Temp\cf799e2653967d10af88cb348e0b15acfe642002980b76b3740abec7d0f1a3aa.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1376

C:\Users\Admin\AppData\Roaming\Myetjo\pudaf.exe
"C:\Users\Admin\AppData\Roaming\Myetjo\pudaf.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:976

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpe6464799.bat"
3⤵
- Deletes itself
PID:1340

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1220

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1192

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1176

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2020

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpe6464799.bat
Filesize
307B

MD5
389eba9d828fb93786e3d7dba1093247

SHA1
5e3be6a526413291fed8d5885f962970e01d3e71

SHA256
3275ac189a3a8bed4f7eb500fecc086d9fd56dee1af774ffcdcc86acfd0394a8

SHA512
7e835e347aab793447177612631044d8a3575e7bf81984fad883c60048f926276c72f702a9a9e0746d0ac3e3d2c81fea74d5a53eb505b4f39cac4dee9a943b0e

Download Submit
C:\Users\Admin\AppData\Roaming\Myetjo\pudaf.exe
Filesize
307KB

MD5
3466596be809bf770c2c756d30dc6596

SHA1
cc36b2a3283ba63a5c7dff9dc4594f2a453d0247

SHA256
c6004b963fe714da7a77e2041b2b6c6502d9c994f706529e7e82cfbb19b54bf8

SHA512
940fc8dc6174681cfa99922fd38d09a7d7c98d8ddbd39c335f4cac00b48deb1e5ca3626865a86da0eeee763364760fa2348ceb32dff40d81b48164f1e768c5b0

Download Submit
C:\Users\Admin\AppData\Roaming\Myetjo\pudaf.exe
Filesize
307KB

MD5
3466596be809bf770c2c756d30dc6596

SHA1
cc36b2a3283ba63a5c7dff9dc4594f2a453d0247

SHA256
c6004b963fe714da7a77e2041b2b6c6502d9c994f706529e7e82cfbb19b54bf8

SHA512
940fc8dc6174681cfa99922fd38d09a7d7c98d8ddbd39c335f4cac00b48deb1e5ca3626865a86da0eeee763364760fa2348ceb32dff40d81b48164f1e768c5b0

Download Submit
\Users\Admin\AppData\Roaming\Myetjo\pudaf.exe
Filesize
307KB

MD5
3466596be809bf770c2c756d30dc6596

SHA1
cc36b2a3283ba63a5c7dff9dc4594f2a453d0247

SHA256
c6004b963fe714da7a77e2041b2b6c6502d9c994f706529e7e82cfbb19b54bf8

SHA512
940fc8dc6174681cfa99922fd38d09a7d7c98d8ddbd39c335f4cac00b48deb1e5ca3626865a86da0eeee763364760fa2348ceb32dff40d81b48164f1e768c5b0

Download Submit
memory/976-106-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/976-59-0x0000000000000000-mapping.dmp

Download
memory/976-63-0x00000000008F0000-0x0000000000940000-memory.dmp

Filesize
320KB

Download
memory/976-119-0x00000000008F0000-0x0000000000940000-memory.dmp

Filesize
320KB

Download
memory/976-90-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1176-110-0x0000000000710000-0x0000000000754000-memory.dmp

Filesize
272KB

Download
memory/1176-109-0x0000000000710000-0x0000000000754000-memory.dmp

Filesize
272KB

Download
memory/1176-112-0x0000000000710000-0x0000000000754000-memory.dmp

Filesize
272KB

Download
memory/1176-111-0x0000000000710000-0x0000000000754000-memory.dmp

Filesize
272KB

Download
memory/1192-69-0x0000000001C60000-0x0000000001CA4000-memory.dmp

Filesize
272KB

Download
memory/1192-70-0x0000000001C60000-0x0000000001CA4000-memory.dmp

Filesize
272KB

Download
memory/1192-71-0x0000000001C60000-0x0000000001CA4000-memory.dmp

Filesize
272KB

Download
memory/1192-68-0x0000000001C60000-0x0000000001CA4000-memory.dmp

Filesize
272KB

Download
memory/1192-66-0x0000000001C60000-0x0000000001CA4000-memory.dmp

Filesize
272KB

Download
memory/1220-74-0x00000000001D0000-0x0000000000214000-memory.dmp

Filesize
272KB

Download
memory/1220-75-0x00000000001D0000-0x0000000000214000-memory.dmp

Filesize
272KB

Download
memory/1220-76-0x00000000001D0000-0x0000000000214000-memory.dmp

Filesize
272KB

Download
memory/1220-77-0x00000000001D0000-0x0000000000214000-memory.dmp

Filesize
272KB

Download
memory/1284-82-0x0000000002C10000-0x0000000002C54000-memory.dmp

Filesize
272KB

Download
memory/1284-83-0x0000000002C10000-0x0000000002C54000-memory.dmp

Filesize
272KB

Download
memory/1284-81-0x0000000002C10000-0x0000000002C54000-memory.dmp

Filesize
272KB

Download
memory/1284-80-0x0000000002C10000-0x0000000002C54000-memory.dmp

Filesize
272KB

Download
memory/1340-97-0x0000000000190000-0x00000000001D4000-memory.dmp

Filesize
272KB

Download
memory/1340-105-0x0000000000190000-0x00000000001D4000-memory.dmp

Filesize
272KB

Download
memory/1340-99-0x00000000001A71E6-mapping.dmp

Download
memory/1340-98-0x0000000000190000-0x00000000001D4000-memory.dmp

Filesize
272KB

Download
memory/1340-94-0x0000000000190000-0x00000000001D4000-memory.dmp

Filesize
272KB

Download
memory/1340-96-0x0000000000190000-0x00000000001D4000-memory.dmp

Filesize
272KB

Download
memory/1376-86-0x00000000003E0000-0x0000000000424000-memory.dmp

Filesize
272KB

Download
memory/1376-61-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1376-89-0x00000000003E0000-0x0000000000424000-memory.dmp

Filesize
272KB

Download
memory/1376-101-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1376-102-0x00000000003E0000-0x0000000000424000-memory.dmp

Filesize
272KB

Download
memory/1376-100-0x0000000000200000-0x0000000000250000-memory.dmp

Filesize
320KB

Download
memory/1376-88-0x00000000003E0000-0x0000000000424000-memory.dmp

Filesize
272KB

Download
memory/1376-87-0x00000000003E0000-0x0000000000424000-memory.dmp

Filesize
272KB

Download
memory/1376-62-0x00000000003E0000-0x0000000000430000-memory.dmp

Filesize
320KB

Download
memory/1376-91-0x00000000003E0000-0x0000000000430000-memory.dmp

Filesize
320KB

Download
memory/1376-56-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1376-57-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1376-55-0x0000000075831000-0x0000000075833000-memory.dmp

Filesize
8KB

Download
memory/1376-54-0x0000000000200000-0x0000000000250000-memory.dmp

Filesize
320KB

Download
memory/2020-116-0x0000000003A50000-0x0000000003A94000-memory.dmp

Filesize
272KB

Download
memory/2020-117-0x0000000003A50000-0x0000000003A94000-memory.dmp

Filesize
272KB

Download
memory/2020-118-0x0000000003A50000-0x0000000003A94000-memory.dmp

Filesize
272KB

Download
memory/2020-115-0x0000000003A50000-0x0000000003A94000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads