cobaltstrike | c1a1e4619dda48fced7b552c57dfc255b63aa08edf4ae4813368192ce465c816

General

Target

c1a1e4619dda48fced7b552c57dfc255b63aa08edf4ae4813368192ce465c816.exe
Size

315KB
MD5

90ec4b922195c30feb3f8897bc7933ba
SHA1

940c762796222f2b523e817170c994983188cb52
SHA256

c1a1e4619dda48fced7b552c57dfc255b63aa08edf4ae4813368192ce465c816
SHA512

0ac000a4314978023158d081e4bf232216a45e24d74acb17344c9c08c3f58ebc897420ad6b0bd86386f072de55e73a403c6fbb64a1949b9f5a43a4b8e903b01b
SSDEEP

6144:Hq3gCProqWYHtSVYnI+tnYDcMbY4FmNzNwm+MhUa4xO1BcC1cT:Hq3hz1NFnI+1Kb5KzNVNFPcnT

Score

10^/10

cobaltstrike backdoor persistence trojan

Malware Config

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Executes dropped EXE 1 IoCs

Processes:

ajol.exe

pid process

1284 ajol.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1716 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

c1a1e4619dda48fced7b552c57dfc255b63aa08edf4ae4813368192ce465c816.exe

pid process

1348 c1a1e4619dda48fced7b552c57dfc255b63aa08edf4ae4813368192ce465c816.exe

pid	process
1716	cmd.exe

pid	process
1348	c1a1e4619dda48fced7b552c57dfc255b63aa08edf4ae4813368192ce465c816.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ajol.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\Currentversion\Run	ajol.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\{91C05068-4FEF-AD4D-7F1F-8FEC7D0BACF1} = "C:\\Users\\Admin\\AppData\\Roaming\\Aqgoe\\ajol.exe"	ajol.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

c1a1e4619dda48fced7b552c57dfc255b63aa08edf4ae4813368192ce465c816.exe

description	pid	process	target process
PID 1348 set thread context of 1716	1348	c1a1e4619dda48fced7b552c57dfc255b63aa08edf4ae4813368192ce465c816.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

c1a1e4619dda48fced7b552c57dfc255b63aa08edf4ae4813368192ce465c816.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Privacy	c1a1e4619dda48fced7b552c57dfc255b63aa08edf4ae4813368192ce465c816.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	c1a1e4619dda48fced7b552c57dfc255b63aa08edf4ae4813368192ce465c816.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

ajol.exe

pid	process
1284	ajol.exe
1284	ajol.exe
1284	ajol.exe
1284	ajol.exe
1284	ajol.exe
1284	ajol.exe
1284	ajol.exe
1284	ajol.exe
1284	ajol.exe
1284	ajol.exe
1284	ajol.exe
1284	ajol.exe
1284	ajol.exe
1284	ajol.exe
1284	ajol.exe
1284	ajol.exe
1284	ajol.exe
1284	ajol.exe
1284	ajol.exe
1284	ajol.exe
1284	ajol.exe
1284	ajol.exe
1284	ajol.exe
1284	ajol.exe
1284	ajol.exe
1284	ajol.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

c1a1e4619dda48fced7b552c57dfc255b63aa08edf4ae4813368192ce465c816.exeajol.exe

description	pid	process	target process
PID 1348 wrote to memory of 1284	1348	c1a1e4619dda48fced7b552c57dfc255b63aa08edf4ae4813368192ce465c816.exe	ajol.exe
PID 1348 wrote to memory of 1284	1348	c1a1e4619dda48fced7b552c57dfc255b63aa08edf4ae4813368192ce465c816.exe	ajol.exe
PID 1348 wrote to memory of 1284	1348	c1a1e4619dda48fced7b552c57dfc255b63aa08edf4ae4813368192ce465c816.exe	ajol.exe
PID 1348 wrote to memory of 1284	1348	c1a1e4619dda48fced7b552c57dfc255b63aa08edf4ae4813368192ce465c816.exe	ajol.exe
PID 1284 wrote to memory of 1104	1284	ajol.exe	taskhost.exe
PID 1284 wrote to memory of 1104	1284	ajol.exe	taskhost.exe
PID 1284 wrote to memory of 1104	1284	ajol.exe	taskhost.exe
PID 1284 wrote to memory of 1104	1284	ajol.exe	taskhost.exe
PID 1284 wrote to memory of 1104	1284	ajol.exe	taskhost.exe
PID 1284 wrote to memory of 1164	1284	ajol.exe	Dwm.exe
PID 1284 wrote to memory of 1164	1284	ajol.exe	Dwm.exe
PID 1284 wrote to memory of 1164	1284	ajol.exe	Dwm.exe
PID 1284 wrote to memory of 1164	1284	ajol.exe	Dwm.exe
PID 1284 wrote to memory of 1164	1284	ajol.exe	Dwm.exe
PID 1284 wrote to memory of 1188	1284	ajol.exe	Explorer.EXE
PID 1284 wrote to memory of 1188	1284	ajol.exe	Explorer.EXE
PID 1284 wrote to memory of 1188	1284	ajol.exe	Explorer.EXE
PID 1284 wrote to memory of 1188	1284	ajol.exe	Explorer.EXE
PID 1284 wrote to memory of 1188	1284	ajol.exe	Explorer.EXE
PID 1284 wrote to memory of 1348	1284	ajol.exe	c1a1e4619dda48fced7b552c57dfc255b63aa08edf4ae4813368192ce465c816.exe
PID 1284 wrote to memory of 1348	1284	ajol.exe	c1a1e4619dda48fced7b552c57dfc255b63aa08edf4ae4813368192ce465c816.exe
PID 1284 wrote to memory of 1348	1284	ajol.exe	c1a1e4619dda48fced7b552c57dfc255b63aa08edf4ae4813368192ce465c816.exe
PID 1284 wrote to memory of 1348	1284	ajol.exe	c1a1e4619dda48fced7b552c57dfc255b63aa08edf4ae4813368192ce465c816.exe
PID 1284 wrote to memory of 1348	1284	ajol.exe	c1a1e4619dda48fced7b552c57dfc255b63aa08edf4ae4813368192ce465c816.exe
PID 1348 wrote to memory of 1716	1348	c1a1e4619dda48fced7b552c57dfc255b63aa08edf4ae4813368192ce465c816.exe	cmd.exe
PID 1348 wrote to memory of 1716	1348	c1a1e4619dda48fced7b552c57dfc255b63aa08edf4ae4813368192ce465c816.exe	cmd.exe
PID 1348 wrote to memory of 1716	1348	c1a1e4619dda48fced7b552c57dfc255b63aa08edf4ae4813368192ce465c816.exe	cmd.exe
PID 1348 wrote to memory of 1716	1348	c1a1e4619dda48fced7b552c57dfc255b63aa08edf4ae4813368192ce465c816.exe	cmd.exe
PID 1348 wrote to memory of 1716	1348	c1a1e4619dda48fced7b552c57dfc255b63aa08edf4ae4813368192ce465c816.exe	cmd.exe
PID 1348 wrote to memory of 1716	1348	c1a1e4619dda48fced7b552c57dfc255b63aa08edf4ae4813368192ce465c816.exe	cmd.exe
PID 1348 wrote to memory of 1716	1348	c1a1e4619dda48fced7b552c57dfc255b63aa08edf4ae4813368192ce465c816.exe	cmd.exe
PID 1348 wrote to memory of 1716	1348	c1a1e4619dda48fced7b552c57dfc255b63aa08edf4ae4813368192ce465c816.exe	cmd.exe
PID 1348 wrote to memory of 1716	1348	c1a1e4619dda48fced7b552c57dfc255b63aa08edf4ae4813368192ce465c816.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1188

C:\Users\Admin\AppData\Local\Temp\c1a1e4619dda48fced7b552c57dfc255b63aa08edf4ae4813368192ce465c816.exe
"C:\Users\Admin\AppData\Local\Temp\c1a1e4619dda48fced7b552c57dfc255b63aa08edf4ae4813368192ce465c816.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1348

C:\Users\Admin\AppData\Roaming\Aqgoe\ajol.exe
"C:\Users\Admin\AppData\Roaming\Aqgoe\ajol.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1284

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpef366fdf.bat"
3⤵
- Deletes itself
PID:1716

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1164

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1104

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpef366fdf.bat
Filesize
307B

MD5
2291fada36f8ac2aaa6f691823fd563b

SHA1
dff8d5b912c740fad4fa7fea5dcaa2ae5b6b74a4

SHA256
a88048312555120352c08e9532b05c57f225ff698a1159dc43147782ff254940

SHA512
2f87102686cea222f2e73c52a4909672700236c999c798905e22b0767fc5e6e1d36696468665c9a8890a0cac0bf6117a083371b89271244773b033be760c978b

Download Submit
C:\Users\Admin\AppData\Roaming\Aqgoe\ajol.exe
Filesize
315KB

MD5
3746db717c160cc56f541a71cb48e413

SHA1
d92ff23d9edbb2c960bed2ddefdb113acc3ba0cc

SHA256
d4ab1273073951d6ca2f4e3a1411d220b40eefef4795a2bd85d9e6d1c4489b31

SHA512
35360e09de26216e7927b01911dd7f52e7d12a5bcdfcd1d3311a26228fb888a55fec83be357489bcbcd5fe8c94faba5799b48499cb6d8cd4eb331c6d13990589

Download Submit
C:\Users\Admin\AppData\Roaming\Aqgoe\ajol.exe
Filesize
315KB

MD5
3746db717c160cc56f541a71cb48e413

SHA1
d92ff23d9edbb2c960bed2ddefdb113acc3ba0cc

SHA256
d4ab1273073951d6ca2f4e3a1411d220b40eefef4795a2bd85d9e6d1c4489b31

SHA512
35360e09de26216e7927b01911dd7f52e7d12a5bcdfcd1d3311a26228fb888a55fec83be357489bcbcd5fe8c94faba5799b48499cb6d8cd4eb331c6d13990589

Download Submit
\Users\Admin\AppData\Roaming\Aqgoe\ajol.exe
Filesize
315KB

MD5
3746db717c160cc56f541a71cb48e413

SHA1
d92ff23d9edbb2c960bed2ddefdb113acc3ba0cc

SHA256
d4ab1273073951d6ca2f4e3a1411d220b40eefef4795a2bd85d9e6d1c4489b31

SHA512
35360e09de26216e7927b01911dd7f52e7d12a5bcdfcd1d3311a26228fb888a55fec83be357489bcbcd5fe8c94faba5799b48499cb6d8cd4eb331c6d13990589

Download Submit
memory/1104-70-0x0000000001BB0000-0x0000000001BF4000-memory.dmp

Filesize
272KB

Download
memory/1104-71-0x0000000001BB0000-0x0000000001BF4000-memory.dmp

Filesize
272KB

Download
memory/1104-69-0x0000000001BB0000-0x0000000001BF4000-memory.dmp

Filesize
272KB

Download
memory/1104-66-0x0000000001BB0000-0x0000000001BF4000-memory.dmp

Filesize
272KB

Download
memory/1104-68-0x0000000001BB0000-0x0000000001BF4000-memory.dmp

Filesize
272KB

Download
memory/1164-75-0x0000000001BF0000-0x0000000001C34000-memory.dmp

Filesize
272KB

Download
memory/1164-76-0x0000000001BF0000-0x0000000001C34000-memory.dmp

Filesize
272KB

Download
memory/1164-74-0x0000000001BF0000-0x0000000001C34000-memory.dmp

Filesize
272KB

Download
memory/1164-77-0x0000000001BF0000-0x0000000001C34000-memory.dmp

Filesize
272KB

Download
memory/1188-80-0x0000000002C80000-0x0000000002CC4000-memory.dmp

Filesize
272KB

Download
memory/1188-82-0x0000000002C80000-0x0000000002CC4000-memory.dmp

Filesize
272KB

Download
memory/1188-81-0x0000000002C80000-0x0000000002CC4000-memory.dmp

Filesize
272KB

Download
memory/1188-83-0x0000000002C80000-0x0000000002CC4000-memory.dmp

Filesize
272KB

Download
memory/1284-63-0x0000000000810000-0x000000000086B000-memory.dmp

Filesize
364KB

Download
memory/1284-106-0x0000000000810000-0x000000000086B000-memory.dmp

Filesize
364KB

Download
memory/1284-59-0x0000000000000000-mapping.dmp

Download
memory/1284-105-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1284-104-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1348-54-0x00000000003C0000-0x000000000041B000-memory.dmp

Filesize
364KB

Download
memory/1348-55-0x0000000074F41000-0x0000000074F43000-memory.dmp

Filesize
8KB

Download
memory/1348-88-0x0000000000100000-0x0000000000144000-memory.dmp

Filesize
272KB

Download
memory/1348-89-0x0000000000100000-0x0000000000144000-memory.dmp

Filesize
272KB

Download
memory/1348-86-0x0000000000100000-0x0000000000144000-memory.dmp

Filesize
272KB

Download
memory/1348-62-0x0000000000100000-0x000000000015B000-memory.dmp

Filesize
364KB

Download
memory/1348-61-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1348-56-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1348-57-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1348-87-0x0000000000100000-0x0000000000144000-memory.dmp

Filesize
272KB

Download
memory/1348-99-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1348-100-0x0000000000100000-0x0000000000144000-memory.dmp

Filesize
272KB

Download
memory/1348-98-0x00000000003C0000-0x000000000041B000-memory.dmp

Filesize
364KB

Download
memory/1716-94-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1716-103-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1716-97-0x00000000000671E6-mapping.dmp

Download
memory/1716-96-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1716-95-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1716-92-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads