cobaltstrike | a8301f7da762a3574370e89584970392c1d9242ab40ab43ec092e24f7357df64

Analysis

max time kernel
186s
max time network
186s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
03/12/2022, 23:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a8301f7da762a3574370e89584970392c1d9242ab40ab43ec092e24f7357df64.exe
Size

315KB
MD5

fc0c329d5f7d709ac54bcabc29cb68a5
SHA1

d6d26ee2e3d43f6b38da33e284ec31810f9d26fa
SHA256

a8301f7da762a3574370e89584970392c1d9242ab40ab43ec092e24f7357df64
SHA512

2890b9b64c6b9bfa45ac65b47528e159dd901598f861615872f4aa9682adbe31dc8b4f0d5a867fb76c70cc1b32fe3432ff953dc1228179cb3d86fab8527dc0ac
SSDEEP

6144:Hq3gCcNoqWYHtSdYnI+tnYDcMbY4FmNzNwm+MhUaYxO1BcC1cgi:Hq3Gz1NlnI+1Kb5KzNVNlPcngi

Score

10^/10

cobaltstrike backdoor persistence trojan

Malware Config

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Executes dropped EXE 1 IoCs

pid	Process
584	xyirdy.exe

Deletes itself 1 IoCs

pid	Process
1576	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
1188	a8301f7da762a3574370e89584970392c1d9242ab40ab43ec092e24f7357df64.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\Currentversion\Run	xyirdy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\{7B2FDFC8-3774-AD4D-C411-AE4FF0968D52} = "C:\\Users\\Admin\\AppData\\Roaming\\Gyxa\\xyirdy.exe"	xyirdy.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1188 set thread context of 1576	1188	a8301f7da762a3574370e89584970392c1d9242ab40ab43ec092e24f7357df64.exe	29

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Privacy	a8301f7da762a3574370e89584970392c1d9242ab40ab43ec092e24f7357df64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	a8301f7da762a3574370e89584970392c1d9242ab40ab43ec092e24f7357df64.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
584	xyirdy.exe
584	xyirdy.exe
584	xyirdy.exe
584	xyirdy.exe
584	xyirdy.exe
584	xyirdy.exe
584	xyirdy.exe
584	xyirdy.exe
584	xyirdy.exe
584	xyirdy.exe
584	xyirdy.exe
584	xyirdy.exe
584	xyirdy.exe
584	xyirdy.exe
584	xyirdy.exe
584	xyirdy.exe
584	xyirdy.exe
584	xyirdy.exe
584	xyirdy.exe
584	xyirdy.exe
584	xyirdy.exe
584	xyirdy.exe
584	xyirdy.exe
584	xyirdy.exe
584	xyirdy.exe
584	xyirdy.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 1188 wrote to memory of 584	1188	a8301f7da762a3574370e89584970392c1d9242ab40ab43ec092e24f7357df64.exe	28
PID 1188 wrote to memory of 584	1188	a8301f7da762a3574370e89584970392c1d9242ab40ab43ec092e24f7357df64.exe	28
PID 1188 wrote to memory of 584	1188	a8301f7da762a3574370e89584970392c1d9242ab40ab43ec092e24f7357df64.exe	28
PID 1188 wrote to memory of 584	1188	a8301f7da762a3574370e89584970392c1d9242ab40ab43ec092e24f7357df64.exe	28
PID 584 wrote to memory of 1124	584	xyirdy.exe	18
PID 584 wrote to memory of 1124	584	xyirdy.exe	18
PID 584 wrote to memory of 1124	584	xyirdy.exe	18
PID 584 wrote to memory of 1124	584	xyirdy.exe	18
PID 584 wrote to memory of 1124	584	xyirdy.exe	18
PID 584 wrote to memory of 1208	584	xyirdy.exe	17
PID 584 wrote to memory of 1208	584	xyirdy.exe	17
PID 584 wrote to memory of 1208	584	xyirdy.exe	17
PID 584 wrote to memory of 1208	584	xyirdy.exe	17
PID 584 wrote to memory of 1208	584	xyirdy.exe	17
PID 584 wrote to memory of 1244	584	xyirdy.exe	16
PID 584 wrote to memory of 1244	584	xyirdy.exe	16
PID 584 wrote to memory of 1244	584	xyirdy.exe	16
PID 584 wrote to memory of 1244	584	xyirdy.exe	16
PID 584 wrote to memory of 1244	584	xyirdy.exe	16
PID 584 wrote to memory of 1188	584	xyirdy.exe	13
PID 584 wrote to memory of 1188	584	xyirdy.exe	13
PID 584 wrote to memory of 1188	584	xyirdy.exe	13
PID 584 wrote to memory of 1188	584	xyirdy.exe	13
PID 584 wrote to memory of 1188	584	xyirdy.exe	13
PID 1188 wrote to memory of 1576	1188	a8301f7da762a3574370e89584970392c1d9242ab40ab43ec092e24f7357df64.exe	29
PID 1188 wrote to memory of 1576	1188	a8301f7da762a3574370e89584970392c1d9242ab40ab43ec092e24f7357df64.exe	29
PID 1188 wrote to memory of 1576	1188	a8301f7da762a3574370e89584970392c1d9242ab40ab43ec092e24f7357df64.exe	29
PID 1188 wrote to memory of 1576	1188	a8301f7da762a3574370e89584970392c1d9242ab40ab43ec092e24f7357df64.exe	29
PID 1188 wrote to memory of 1576	1188	a8301f7da762a3574370e89584970392c1d9242ab40ab43ec092e24f7357df64.exe	29
PID 1188 wrote to memory of 1576	1188	a8301f7da762a3574370e89584970392c1d9242ab40ab43ec092e24f7357df64.exe	29
PID 1188 wrote to memory of 1576	1188	a8301f7da762a3574370e89584970392c1d9242ab40ab43ec092e24f7357df64.exe	29
PID 1188 wrote to memory of 1576	1188	a8301f7da762a3574370e89584970392c1d9242ab40ab43ec092e24f7357df64.exe	29
PID 1188 wrote to memory of 1576	1188	a8301f7da762a3574370e89584970392c1d9242ab40ab43ec092e24f7357df64.exe	29
PID 584 wrote to memory of 600	584	xyirdy.exe	30
PID 584 wrote to memory of 600	584	xyirdy.exe	30
PID 584 wrote to memory of 600	584	xyirdy.exe	30
PID 584 wrote to memory of 600	584	xyirdy.exe	30
PID 584 wrote to memory of 600	584	xyirdy.exe	30

C:\Users\Admin\AppData\Local\Temp\a8301f7da762a3574370e89584970392c1d9242ab40ab43ec092e24f7357df64.exe
"C:\Users\Admin\AppData\Local\Temp\a8301f7da762a3574370e89584970392c1d9242ab40ab43ec092e24f7357df64.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1188
- C:\Users\Admin\AppData\Roaming\Gyxa\xyirdy.exe
  "C:\Users\Admin\AppData\Roaming\Gyxa\xyirdy.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:584
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpca41ec31.bat"
  2⤵
  - Deletes itself
  PID:1576

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1244

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1208

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1124

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1610666947-6133363717995325851953933309-949269844-1792436431-2088822021-1699625263"
1⤵
PID:600

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\luwat.adu

Filesize
466B

MD5
4c68c25e2c8bf666dbd5b2d9490333d4

SHA1
71099b5c9b060ddbb6e4862047ffdf0bc0dcdced

SHA256
b193ed3c50bb3ba391cfefe0bc9ab61cb6bb42595f03aee33185894018d4991c

SHA512
bec876af82cf52937c6b72f8b5c11104a482ef14b705e65ea427f8dc92e49ca45152ae8d7bd7b98f9135ae8d8d1a6e452a418f4947e22783176e15b4a6b4e745

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpca41ec31.bat

Filesize
307B

MD5
85de81e089bfe40f15701356943aa67a

SHA1
4270fcf3e29e83a40f55ce435f0b899998d734cc

SHA256
fb3cba941cb2119e3dd7ef65c2b355c21b89af92e42a536789c24332d3f9b37b

SHA512
17f433f229c22bf54c4230022481c535c23e67bc4366f652ed072b3f8a57a02352307c818e3a9ee258f636b7c5c438193da8247e99accb5af1f01d0f9e86eb97

Download Submit
C:\Users\Admin\AppData\Roaming\Gyxa\xyirdy.exe

Filesize
315KB

MD5
e41ba673c863cf21849f0bf84e1e0f5e

SHA1
e0f18b5fa61014820d2bcb1246b8ceee5f3192e6

SHA256
5d96c2cc9c1712fd8f5520b667dd87e3a200bbca97508e6ae039547040d30abe

SHA512
21cdde8a97dcdca287c4e8a34ea1be8be757566c616969a2f2017dbe1805c4bdc99168510eb0842eac0825ddc2d3882f91b7322d34607bb9d0401f0b5c5b2f64

Download Submit
C:\Users\Admin\AppData\Roaming\Gyxa\xyirdy.exe

Filesize
315KB

MD5
e41ba673c863cf21849f0bf84e1e0f5e

SHA1
e0f18b5fa61014820d2bcb1246b8ceee5f3192e6

SHA256
5d96c2cc9c1712fd8f5520b667dd87e3a200bbca97508e6ae039547040d30abe

SHA512
21cdde8a97dcdca287c4e8a34ea1be8be757566c616969a2f2017dbe1805c4bdc99168510eb0842eac0825ddc2d3882f91b7322d34607bb9d0401f0b5c5b2f64

Download Submit
\Users\Admin\AppData\Roaming\Gyxa\xyirdy.exe

Filesize
315KB

MD5
e41ba673c863cf21849f0bf84e1e0f5e

SHA1
e0f18b5fa61014820d2bcb1246b8ceee5f3192e6

SHA256
5d96c2cc9c1712fd8f5520b667dd87e3a200bbca97508e6ae039547040d30abe

SHA512
21cdde8a97dcdca287c4e8a34ea1be8be757566c616969a2f2017dbe1805c4bdc99168510eb0842eac0825ddc2d3882f91b7322d34607bb9d0401f0b5c5b2f64

Download Submit
memory/584-115-0x0000000000BC0000-0x0000000000C1B000-memory.dmp

Filesize
364KB

Download
memory/584-112-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/584-90-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/584-63-0x0000000000BC0000-0x0000000000C1B000-memory.dmp

Filesize
364KB

Download
memory/600-110-0x0000000002010000-0x0000000002054000-memory.dmp

Filesize
272KB

Download
memory/600-109-0x0000000002010000-0x0000000002054000-memory.dmp

Filesize
272KB

Download
memory/600-108-0x0000000002010000-0x0000000002054000-memory.dmp

Filesize
272KB

Download
memory/600-111-0x0000000002010000-0x0000000002054000-memory.dmp

Filesize
272KB

Download
memory/1124-66-0x0000000001CC0000-0x0000000001D04000-memory.dmp

Filesize
272KB

Download
memory/1124-68-0x0000000001CC0000-0x0000000001D04000-memory.dmp

Filesize
272KB

Download
memory/1124-69-0x0000000001CC0000-0x0000000001D04000-memory.dmp

Filesize
272KB

Download
memory/1124-70-0x0000000001CC0000-0x0000000001D04000-memory.dmp

Filesize
272KB

Download
memory/1124-71-0x0000000001CC0000-0x0000000001D04000-memory.dmp

Filesize
272KB

Download
memory/1188-86-0x00000000004D0000-0x0000000000514000-memory.dmp

Filesize
272KB

Download
memory/1188-100-0x0000000000350000-0x00000000003AB000-memory.dmp

Filesize
364KB

Download
memory/1188-55-0x0000000075BE1000-0x0000000075BE3000-memory.dmp

Filesize
8KB

Download
memory/1188-56-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1188-57-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1188-54-0x0000000000350000-0x00000000003AB000-memory.dmp

Filesize
364KB

Download
memory/1188-87-0x00000000004D0000-0x0000000000514000-memory.dmp

Filesize
272KB

Download
memory/1188-88-0x00000000004D0000-0x0000000000514000-memory.dmp

Filesize
272KB

Download
memory/1188-89-0x00000000004D0000-0x0000000000514000-memory.dmp

Filesize
272KB

Download
memory/1188-61-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1188-91-0x00000000004D0000-0x0000000000514000-memory.dmp

Filesize
272KB

Download
memory/1188-62-0x0000000001F10000-0x0000000001F6B000-memory.dmp

Filesize
364KB

Download
memory/1188-102-0x00000000004D0000-0x0000000000514000-memory.dmp

Filesize
272KB

Download
memory/1188-101-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1208-74-0x00000000001A0000-0x00000000001E4000-memory.dmp

Filesize
272KB

Download
memory/1208-76-0x00000000001A0000-0x00000000001E4000-memory.dmp

Filesize
272KB

Download
memory/1208-77-0x00000000001A0000-0x00000000001E4000-memory.dmp

Filesize
272KB

Download
memory/1208-75-0x00000000001A0000-0x00000000001E4000-memory.dmp

Filesize
272KB

Download
memory/1244-80-0x0000000002B30000-0x0000000002B74000-memory.dmp

Filesize
272KB

Download
memory/1244-83-0x0000000002B30000-0x0000000002B74000-memory.dmp

Filesize
272KB

Download
memory/1244-82-0x0000000002B30000-0x0000000002B74000-memory.dmp

Filesize
272KB

Download
memory/1244-81-0x0000000002B30000-0x0000000002B74000-memory.dmp

Filesize
272KB

Download
memory/1576-105-0x00000000000C0000-0x0000000000104000-memory.dmp

Filesize
272KB

Download
memory/1576-94-0x00000000000C0000-0x0000000000104000-memory.dmp

Filesize
272KB

Download
memory/1576-98-0x00000000000C0000-0x0000000000104000-memory.dmp

Filesize
272KB

Download
memory/1576-96-0x00000000000C0000-0x0000000000104000-memory.dmp

Filesize
272KB

Download
memory/1576-97-0x00000000000C0000-0x0000000000104000-memory.dmp

Filesize
272KB

Download
memory/1576-114-0x00000000000C0000-0x0000000000104000-memory.dmp

Filesize
272KB

Download