cobaltstrike | 96a14b9d739b4fd978c3149b5fe2a77143a66c0a0028870c72681848d8c34651

Analysis

max time kernel
152s
max time network
202s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
01/12/2022, 20:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

96a14b9d739b4fd978c3149b5fe2a77143a66c0a0028870c72681848d8c34651.exe
Size

307KB
MD5

4c460eee73242287483d95dba11b9aea
SHA1

8c92413171df477459d80021bb06d3c716d53bb9
SHA256

96a14b9d739b4fd978c3149b5fe2a77143a66c0a0028870c72681848d8c34651
SHA512

adacdf17ffaeda0ef4fbfa941dae44cd45f251e9897e8b9e9e5fa39d8451792f9c9edfabaf9432cba343266a8775c088b3c7de9d063a40130c7275c0e1d19c7a
SSDEEP

6144:mTfz/T72Y0SCzinYKTY1SQshfRPVQe1MZkIYSccr7wbstOYPECYeixlYGicA:mTrb7SStYsY1UMqMZJYSN7wbstOY8fvi

Score

10^/10

cobaltstrike backdoor persistence trojan

Malware Config

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Executes dropped EXE 1 IoCs

pid	Process
1472	zucuef.exe

Deletes itself 1 IoCs

pid	Process
1368	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
1956	96a14b9d739b4fd978c3149b5fe2a77143a66c0a0028870c72681848d8c34651.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\{A87A45C8-3774-AD4D-8524-3978BFBA1A65} = "C:\\Users\\Admin\\AppData\\Roaming\\Sebuqy\\zucuef.exe"	zucuef.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\Currentversion\Run	zucuef.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1956 set thread context of 1368	1956	96a14b9d739b4fd978c3149b5fe2a77143a66c0a0028870c72681848d8c34651.exe	29

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Privacy	96a14b9d739b4fd978c3149b5fe2a77143a66c0a0028870c72681848d8c34651.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	96a14b9d739b4fd978c3149b5fe2a77143a66c0a0028870c72681848d8c34651.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
1472	zucuef.exe
1472	zucuef.exe
1472	zucuef.exe
1472	zucuef.exe
1472	zucuef.exe
1472	zucuef.exe
1472	zucuef.exe
1472	zucuef.exe
1472	zucuef.exe
1472	zucuef.exe
1472	zucuef.exe
1472	zucuef.exe
1472	zucuef.exe
1472	zucuef.exe
1472	zucuef.exe
1472	zucuef.exe
1472	zucuef.exe
1472	zucuef.exe
1472	zucuef.exe
1472	zucuef.exe
1472	zucuef.exe
1472	zucuef.exe
1472	zucuef.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1956 wrote to memory of 1472	1956	96a14b9d739b4fd978c3149b5fe2a77143a66c0a0028870c72681848d8c34651.exe	28
PID 1956 wrote to memory of 1472	1956	96a14b9d739b4fd978c3149b5fe2a77143a66c0a0028870c72681848d8c34651.exe	28
PID 1956 wrote to memory of 1472	1956	96a14b9d739b4fd978c3149b5fe2a77143a66c0a0028870c72681848d8c34651.exe	28
PID 1956 wrote to memory of 1472	1956	96a14b9d739b4fd978c3149b5fe2a77143a66c0a0028870c72681848d8c34651.exe	28
PID 1472 wrote to memory of 1120	1472	zucuef.exe	17
PID 1472 wrote to memory of 1120	1472	zucuef.exe	17
PID 1472 wrote to memory of 1120	1472	zucuef.exe	17
PID 1472 wrote to memory of 1120	1472	zucuef.exe	17
PID 1472 wrote to memory of 1120	1472	zucuef.exe	17
PID 1472 wrote to memory of 1176	1472	zucuef.exe	16
PID 1472 wrote to memory of 1176	1472	zucuef.exe	16
PID 1472 wrote to memory of 1176	1472	zucuef.exe	16
PID 1472 wrote to memory of 1176	1472	zucuef.exe	16
PID 1472 wrote to memory of 1176	1472	zucuef.exe	16
PID 1472 wrote to memory of 1204	1472	zucuef.exe	15
PID 1472 wrote to memory of 1204	1472	zucuef.exe	15
PID 1472 wrote to memory of 1204	1472	zucuef.exe	15
PID 1472 wrote to memory of 1204	1472	zucuef.exe	15
PID 1472 wrote to memory of 1204	1472	zucuef.exe	15
PID 1472 wrote to memory of 1956	1472	zucuef.exe	18
PID 1472 wrote to memory of 1956	1472	zucuef.exe	18
PID 1472 wrote to memory of 1956	1472	zucuef.exe	18
PID 1472 wrote to memory of 1956	1472	zucuef.exe	18
PID 1472 wrote to memory of 1956	1472	zucuef.exe	18
PID 1956 wrote to memory of 1368	1956	96a14b9d739b4fd978c3149b5fe2a77143a66c0a0028870c72681848d8c34651.exe	29
PID 1956 wrote to memory of 1368	1956	96a14b9d739b4fd978c3149b5fe2a77143a66c0a0028870c72681848d8c34651.exe	29
PID 1956 wrote to memory of 1368	1956	96a14b9d739b4fd978c3149b5fe2a77143a66c0a0028870c72681848d8c34651.exe	29
PID 1956 wrote to memory of 1368	1956	96a14b9d739b4fd978c3149b5fe2a77143a66c0a0028870c72681848d8c34651.exe	29
PID 1956 wrote to memory of 1368	1956	96a14b9d739b4fd978c3149b5fe2a77143a66c0a0028870c72681848d8c34651.exe	29
PID 1956 wrote to memory of 1368	1956	96a14b9d739b4fd978c3149b5fe2a77143a66c0a0028870c72681848d8c34651.exe	29
PID 1956 wrote to memory of 1368	1956	96a14b9d739b4fd978c3149b5fe2a77143a66c0a0028870c72681848d8c34651.exe	29
PID 1956 wrote to memory of 1368	1956	96a14b9d739b4fd978c3149b5fe2a77143a66c0a0028870c72681848d8c34651.exe	29
PID 1956 wrote to memory of 1368	1956	96a14b9d739b4fd978c3149b5fe2a77143a66c0a0028870c72681848d8c34651.exe	29

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204
- C:\Users\Admin\AppData\Local\Temp\96a14b9d739b4fd978c3149b5fe2a77143a66c0a0028870c72681848d8c34651.exe
  "C:\Users\Admin\AppData\Local\Temp\96a14b9d739b4fd978c3149b5fe2a77143a66c0a0028870c72681848d8c34651.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory
  PID:1956
- - C:\Users\Admin\AppData\Roaming\Sebuqy\zucuef.exe
    "C:\Users\Admin\AppData\Roaming\Sebuqy\zucuef.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1472
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpca9f0363.bat"
    3⤵
    - Deletes itself
    PID:1368

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1176

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1120

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\jife.nys

Filesize
466B

MD5
3207e19c24a839c9ccdc2369c98136f3

SHA1
b5b441aa918cc7687bad971ee09ae1e49e394634

SHA256
b0f43a22f4a00a72713c97405b056d9d9e2f1c8ca666b958fa434795fe6344a4

SHA512
5e59e9e6c356229441b5b7af8058cc44d015c597ed383c7a0f28f97b789143fb70b1f13f6504d3ef904ebe061e74f24fe5ef74dc46f5ec2ca04d5245b36fc77b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpca9f0363.bat

Filesize
307B

MD5
eb9680e48ca8fbb0de3c728035566fda

SHA1
6ef187992c24a6f80ab1a3a26752a8c002ba6f8e

SHA256
3a27bdf2730769924db5ca52bf633769aba426034ff4c5d3c85f4df032688d90

SHA512
a8c07e9cfdf20b0387df08532e73ad76c691bffb9e1fd5cda8dfc32a6c489b69b0e49006f524895a996d5a83c5b4faae41cd8877060014a838aab389345e8748

Download Submit
C:\Users\Admin\AppData\Roaming\Sebuqy\zucuef.exe

Filesize
307KB

MD5
f6bfa373b896456ba08e5ac11ee8607a

SHA1
5cfe423c544356bb2ac0c8f0628e4dc5f0eb856b

SHA256
eaff81e8cfac4fefbd26b5480a342153bd34da62dee40429655727e1541b5ced

SHA512
0e2f3b42925d5086fcaa5d388bfdee2083e9848e6e49e4c1e8893421704fbe80a9be6bc948717d65c6cb39fd10fca441bbfc45be70a91c76c731a3b0ddbdb0a8

Download Submit
C:\Users\Admin\AppData\Roaming\Sebuqy\zucuef.exe

Filesize
307KB

MD5
f6bfa373b896456ba08e5ac11ee8607a

SHA1
5cfe423c544356bb2ac0c8f0628e4dc5f0eb856b

SHA256
eaff81e8cfac4fefbd26b5480a342153bd34da62dee40429655727e1541b5ced

SHA512
0e2f3b42925d5086fcaa5d388bfdee2083e9848e6e49e4c1e8893421704fbe80a9be6bc948717d65c6cb39fd10fca441bbfc45be70a91c76c731a3b0ddbdb0a8

Download Submit
\Users\Admin\AppData\Roaming\Sebuqy\zucuef.exe

Filesize
307KB

MD5
f6bfa373b896456ba08e5ac11ee8607a

SHA1
5cfe423c544356bb2ac0c8f0628e4dc5f0eb856b

SHA256
eaff81e8cfac4fefbd26b5480a342153bd34da62dee40429655727e1541b5ced

SHA512
0e2f3b42925d5086fcaa5d388bfdee2083e9848e6e49e4c1e8893421704fbe80a9be6bc948717d65c6cb39fd10fca441bbfc45be70a91c76c731a3b0ddbdb0a8

Download Submit
memory/1120-70-0x0000000001DC0000-0x0000000001E04000-memory.dmp

Filesize
272KB

Download
memory/1120-69-0x0000000001DC0000-0x0000000001E04000-memory.dmp

Filesize
272KB

Download
memory/1120-68-0x0000000001DC0000-0x0000000001E04000-memory.dmp

Filesize
272KB

Download
memory/1120-66-0x0000000001DC0000-0x0000000001E04000-memory.dmp

Filesize
272KB

Download
memory/1120-71-0x0000000001DC0000-0x0000000001E04000-memory.dmp

Filesize
272KB

Download
memory/1176-77-0x0000000001B00000-0x0000000001B44000-memory.dmp

Filesize
272KB

Download
memory/1176-74-0x0000000001B00000-0x0000000001B44000-memory.dmp

Filesize
272KB

Download
memory/1176-75-0x0000000001B00000-0x0000000001B44000-memory.dmp

Filesize
272KB

Download
memory/1176-76-0x0000000001B00000-0x0000000001B44000-memory.dmp

Filesize
272KB

Download
memory/1204-80-0x00000000025B0000-0x00000000025F4000-memory.dmp

Filesize
272KB

Download
memory/1204-82-0x00000000025B0000-0x00000000025F4000-memory.dmp

Filesize
272KB

Download
memory/1204-81-0x00000000025B0000-0x00000000025F4000-memory.dmp

Filesize
272KB

Download
memory/1204-83-0x00000000025B0000-0x00000000025F4000-memory.dmp

Filesize
272KB

Download
memory/1368-98-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1368-106-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1368-96-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1368-97-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1368-94-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1472-107-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1472-108-0x0000000000E00000-0x0000000000E50000-memory.dmp

Filesize
320KB

Download
memory/1472-63-0x0000000000E00000-0x0000000000E50000-memory.dmp

Filesize
320KB

Download
memory/1472-90-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1956-91-0x0000000000860000-0x00000000008B0000-memory.dmp

Filesize
320KB

Download
memory/1956-89-0x0000000000860000-0x00000000008A4000-memory.dmp

Filesize
272KB

Download
memory/1956-88-0x0000000000860000-0x00000000008A4000-memory.dmp

Filesize
272KB

Download
memory/1956-87-0x0000000000860000-0x00000000008A4000-memory.dmp

Filesize
272KB

Download
memory/1956-86-0x0000000000860000-0x00000000008A4000-memory.dmp

Filesize
272KB

Download
memory/1956-54-0x0000000001030000-0x0000000001080000-memory.dmp

Filesize
320KB

Download
memory/1956-100-0x0000000001030000-0x0000000001080000-memory.dmp

Filesize
320KB

Download
memory/1956-102-0x0000000000860000-0x00000000008A4000-memory.dmp

Filesize
272KB

Download
memory/1956-101-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1956-56-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1956-55-0x0000000075DA1000-0x0000000075DA3000-memory.dmp

Filesize
8KB

Download
memory/1956-57-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1956-58-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1956-60-0x0000000000860000-0x00000000008B0000-memory.dmp

Filesize
320KB

Download