cobaltstrike | 915d48833809b413355935bb252abeda7b7bf4e589f9021719ffcb539100c36f

General

Target

915d48833809b413355935bb252abeda7b7bf4e589f9021719ffcb539100c36f.exe
Size

315KB
MD5

9b56ade373a6f238e5d053aee56b35a4
SHA1

aafb4c9a53caf8e390167b82e5770151a1f436fb
SHA256

915d48833809b413355935bb252abeda7b7bf4e589f9021719ffcb539100c36f
SHA512

ac9b938601e22924ec04d9aefda1b67f16886dca4aa6501e847689c480e699794398ee82f5abf545836f10e6bfa49eac817d5b033865af8867f44527fbbcec66
SSDEEP

6144:Hq3gCk4oqWYHtSuYnI+tnYDcMbY4FmNzNwm+MhUaNxO1BcC1cH:Hq3bz1NsnI+1Kb5KzNVNqPcnH

Score

10^/10

cobaltstrike backdoor persistence trojan

Malware Config

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Executes dropped EXE 1 IoCs

Processes:

taaxp.exe

pid process

964 taaxp.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1864 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

915d48833809b413355935bb252abeda7b7bf4e589f9021719ffcb539100c36f.exe

pid process

1636 915d48833809b413355935bb252abeda7b7bf4e589f9021719ffcb539100c36f.exe

pid	process
1864	cmd.exe

pid	process
1636	915d48833809b413355935bb252abeda7b7bf4e589f9021719ffcb539100c36f.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

taaxp.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\Currentversion\Run	taaxp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\{A87A45C8-3774-AD4D-8524-3978BFBA1A65} = "C:\\Users\\Admin\\AppData\\Roaming\\Moyr\\taaxp.exe"	taaxp.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

915d48833809b413355935bb252abeda7b7bf4e589f9021719ffcb539100c36f.exe

description	pid	process	target process
PID 1636 set thread context of 1864	1636	915d48833809b413355935bb252abeda7b7bf4e589f9021719ffcb539100c36f.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

915d48833809b413355935bb252abeda7b7bf4e589f9021719ffcb539100c36f.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Privacy	915d48833809b413355935bb252abeda7b7bf4e589f9021719ffcb539100c36f.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	915d48833809b413355935bb252abeda7b7bf4e589f9021719ffcb539100c36f.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

taaxp.exe

pid	process
964	taaxp.exe
964	taaxp.exe
964	taaxp.exe
964	taaxp.exe
964	taaxp.exe
964	taaxp.exe
964	taaxp.exe
964	taaxp.exe
964	taaxp.exe
964	taaxp.exe
964	taaxp.exe
964	taaxp.exe
964	taaxp.exe
964	taaxp.exe
964	taaxp.exe
964	taaxp.exe
964	taaxp.exe
964	taaxp.exe
964	taaxp.exe
964	taaxp.exe
964	taaxp.exe
964	taaxp.exe
964	taaxp.exe
964	taaxp.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

915d48833809b413355935bb252abeda7b7bf4e589f9021719ffcb539100c36f.exetaaxp.exe

description	pid	process	target process
PID 1636 wrote to memory of 964	1636	915d48833809b413355935bb252abeda7b7bf4e589f9021719ffcb539100c36f.exe	taaxp.exe
PID 1636 wrote to memory of 964	1636	915d48833809b413355935bb252abeda7b7bf4e589f9021719ffcb539100c36f.exe	taaxp.exe
PID 1636 wrote to memory of 964	1636	915d48833809b413355935bb252abeda7b7bf4e589f9021719ffcb539100c36f.exe	taaxp.exe
PID 1636 wrote to memory of 964	1636	915d48833809b413355935bb252abeda7b7bf4e589f9021719ffcb539100c36f.exe	taaxp.exe
PID 964 wrote to memory of 1120	964	taaxp.exe	taskhost.exe
PID 964 wrote to memory of 1120	964	taaxp.exe	taskhost.exe
PID 964 wrote to memory of 1120	964	taaxp.exe	taskhost.exe
PID 964 wrote to memory of 1120	964	taaxp.exe	taskhost.exe
PID 964 wrote to memory of 1120	964	taaxp.exe	taskhost.exe
PID 964 wrote to memory of 1200	964	taaxp.exe	Dwm.exe
PID 964 wrote to memory of 1200	964	taaxp.exe	Dwm.exe
PID 964 wrote to memory of 1200	964	taaxp.exe	Dwm.exe
PID 964 wrote to memory of 1200	964	taaxp.exe	Dwm.exe
PID 964 wrote to memory of 1200	964	taaxp.exe	Dwm.exe
PID 964 wrote to memory of 1244	964	taaxp.exe	Explorer.EXE
PID 964 wrote to memory of 1244	964	taaxp.exe	Explorer.EXE
PID 964 wrote to memory of 1244	964	taaxp.exe	Explorer.EXE
PID 964 wrote to memory of 1244	964	taaxp.exe	Explorer.EXE
PID 964 wrote to memory of 1244	964	taaxp.exe	Explorer.EXE
PID 964 wrote to memory of 1636	964	taaxp.exe	915d48833809b413355935bb252abeda7b7bf4e589f9021719ffcb539100c36f.exe
PID 964 wrote to memory of 1636	964	taaxp.exe	915d48833809b413355935bb252abeda7b7bf4e589f9021719ffcb539100c36f.exe
PID 964 wrote to memory of 1636	964	taaxp.exe	915d48833809b413355935bb252abeda7b7bf4e589f9021719ffcb539100c36f.exe
PID 964 wrote to memory of 1636	964	taaxp.exe	915d48833809b413355935bb252abeda7b7bf4e589f9021719ffcb539100c36f.exe
PID 964 wrote to memory of 1636	964	taaxp.exe	915d48833809b413355935bb252abeda7b7bf4e589f9021719ffcb539100c36f.exe
PID 1636 wrote to memory of 1864	1636	915d48833809b413355935bb252abeda7b7bf4e589f9021719ffcb539100c36f.exe	cmd.exe
PID 1636 wrote to memory of 1864	1636	915d48833809b413355935bb252abeda7b7bf4e589f9021719ffcb539100c36f.exe	cmd.exe
PID 1636 wrote to memory of 1864	1636	915d48833809b413355935bb252abeda7b7bf4e589f9021719ffcb539100c36f.exe	cmd.exe
PID 1636 wrote to memory of 1864	1636	915d48833809b413355935bb252abeda7b7bf4e589f9021719ffcb539100c36f.exe	cmd.exe
PID 1636 wrote to memory of 1864	1636	915d48833809b413355935bb252abeda7b7bf4e589f9021719ffcb539100c36f.exe	cmd.exe
PID 1636 wrote to memory of 1864	1636	915d48833809b413355935bb252abeda7b7bf4e589f9021719ffcb539100c36f.exe	cmd.exe
PID 1636 wrote to memory of 1864	1636	915d48833809b413355935bb252abeda7b7bf4e589f9021719ffcb539100c36f.exe	cmd.exe
PID 1636 wrote to memory of 1864	1636	915d48833809b413355935bb252abeda7b7bf4e589f9021719ffcb539100c36f.exe	cmd.exe
PID 1636 wrote to memory of 1864	1636	915d48833809b413355935bb252abeda7b7bf4e589f9021719ffcb539100c36f.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\915d48833809b413355935bb252abeda7b7bf4e589f9021719ffcb539100c36f.exe
"C:\Users\Admin\AppData\Local\Temp\915d48833809b413355935bb252abeda7b7bf4e589f9021719ffcb539100c36f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1636

C:\Users\Admin\AppData\Roaming\Moyr\taaxp.exe
"C:\Users\Admin\AppData\Roaming\Moyr\taaxp.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:964

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp54d4d87c.bat"
2⤵
- Deletes itself
PID:1864

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1244

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1200

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1120

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp54d4d87c.bat
Filesize
307B

MD5
8e487a25d9d295efd8bf0b940b40685c

SHA1
3a6414e10e5c587d18e9f33de79dbc39d607f789

SHA256
5331df23ed7b04a35db429a01d6cb576285a0da3d931548ded3fcd274a7da5a8

SHA512
ba791cac412d9c687807208951a357e2dbb17a6a393e3eb17ed085ffb7f5d4f1461b143ccb4a51634a3f9b4174456bad32b68c62149357410615359483d37849

Download Submit
C:\Users\Admin\AppData\Roaming\Moyr\taaxp.exe
Filesize
315KB

MD5
b3f31c288987d40890842d06bb7ccf0d

SHA1
9b2bb01cc515d72cbd3136e361c8d3cc62d448ea

SHA256
6e57f5193e548ac877da78eff89360998ef5e8013e65170419a5f94bd9a8c970

SHA512
6dca26851228601ebb96fcb17414367b559416d216650f53201a92067987e2bd535770691e1c8bbe385181aae69b82af473e030ac3262bae3792086ca6b48606

Download Submit
C:\Users\Admin\AppData\Roaming\Moyr\taaxp.exe
Filesize
315KB

MD5
b3f31c288987d40890842d06bb7ccf0d

SHA1
9b2bb01cc515d72cbd3136e361c8d3cc62d448ea

SHA256
6e57f5193e548ac877da78eff89360998ef5e8013e65170419a5f94bd9a8c970

SHA512
6dca26851228601ebb96fcb17414367b559416d216650f53201a92067987e2bd535770691e1c8bbe385181aae69b82af473e030ac3262bae3792086ca6b48606

Download Submit
\Users\Admin\AppData\Roaming\Moyr\taaxp.exe
Filesize
315KB

MD5
b3f31c288987d40890842d06bb7ccf0d

SHA1
9b2bb01cc515d72cbd3136e361c8d3cc62d448ea

SHA256
6e57f5193e548ac877da78eff89360998ef5e8013e65170419a5f94bd9a8c970

SHA512
6dca26851228601ebb96fcb17414367b559416d216650f53201a92067987e2bd535770691e1c8bbe385181aae69b82af473e030ac3262bae3792086ca6b48606

Download Submit
memory/964-63-0x0000000000B90000-0x0000000000BEB000-memory.dmp

Filesize
364KB

Download
memory/964-108-0x0000000000B90000-0x0000000000BEB000-memory.dmp

Filesize
364KB

Download
memory/964-107-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/964-90-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/964-60-0x0000000000000000-mapping.dmp

Download
memory/1120-68-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/1120-66-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/1120-69-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/1120-70-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/1120-71-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/1200-75-0x0000000001D70000-0x0000000001DB4000-memory.dmp

Filesize
272KB

Download
memory/1200-76-0x0000000001D70000-0x0000000001DB4000-memory.dmp

Filesize
272KB

Download
memory/1200-74-0x0000000001D70000-0x0000000001DB4000-memory.dmp

Filesize
272KB

Download
memory/1200-77-0x0000000001D70000-0x0000000001DB4000-memory.dmp

Filesize
272KB

Download
memory/1244-80-0x0000000002140000-0x0000000002184000-memory.dmp

Filesize
272KB

Download
memory/1244-82-0x0000000002140000-0x0000000002184000-memory.dmp

Filesize
272KB

Download
memory/1244-83-0x0000000002140000-0x0000000002184000-memory.dmp

Filesize
272KB

Download
memory/1244-81-0x0000000002140000-0x0000000002184000-memory.dmp

Filesize
272KB

Download
memory/1636-102-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1636-103-0x0000000000150000-0x0000000000194000-memory.dmp

Filesize
272KB

Download
memory/1636-86-0x0000000000150000-0x0000000000194000-memory.dmp

Filesize
272KB

Download
memory/1636-87-0x0000000000150000-0x0000000000194000-memory.dmp

Filesize
272KB

Download
memory/1636-88-0x0000000000150000-0x0000000000194000-memory.dmp

Filesize
272KB

Download
memory/1636-89-0x0000000000150000-0x0000000000194000-memory.dmp

Filesize
272KB

Download
memory/1636-91-0x0000000000150000-0x0000000000194000-memory.dmp

Filesize
272KB

Download
memory/1636-58-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1636-92-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1636-55-0x00000000757B1000-0x00000000757B3000-memory.dmp

Filesize
8KB

Download
memory/1636-56-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1636-57-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1636-54-0x0000000000F30000-0x0000000000F8B000-memory.dmp

Filesize
364KB

Download
memory/1636-62-0x00000000008E0000-0x000000000093B000-memory.dmp

Filesize
364KB

Download
memory/1636-101-0x0000000000F30000-0x0000000000F8B000-memory.dmp

Filesize
364KB

Download
memory/1864-100-0x00000000000671E6-mapping.dmp

Download
memory/1864-99-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1864-98-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1864-106-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1864-97-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1864-95-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads