cobaltstrike | 877050c00267419ddad96201ce36f818fe6b6f10352b96146c4f04efdb87d248

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
03-12-2022 02:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

877050c00267419ddad96201ce36f818fe6b6f10352b96146c4f04efdb87d248.exe
Size

307KB
MD5

3cf595ebfdf7daccaf739bfc7e00b74c
SHA1

1eaee033514ecd257a779b3a6b596ab56bc65e84
SHA256

877050c00267419ddad96201ce36f818fe6b6f10352b96146c4f04efdb87d248
SHA512

3d97db8099972d4c1032b3bced4ffd9eedcfb27dd5164b4c3e0ec3e6ec075b737acb21de4c577b76d83f31145f73edd2cbdd845c0e8416436ea56b3ea2687031
SSDEEP

6144:bqzWT72Y0S4zinYKTY1SQshfRPVQe1MZkIYSccr7wbstO+PECYeixlYGicOG:bCS7SSrYsY1UMqMZJYSN7wbstO+8fve2

Score

10^/10

cobaltstrike backdoor persistence trojan

Malware Config

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Executes dropped EXE 1 IoCs

pid	Process
1088	rasau.exe

Deletes itself 1 IoCs

pid	Process
536	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
1880	877050c00267419ddad96201ce36f818fe6b6f10352b96146c4f04efdb87d248.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\{CB118568-7F59-AD4D-CD9C-5E5DE9C17D40} = "C:\\Users\\Admin\\AppData\\Roaming\\Yjzoes\\rasau.exe"	rasau.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\Currentversion\Run	rasau.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1880 set thread context of 536	1880	877050c00267419ddad96201ce36f818fe6b6f10352b96146c4f04efdb87d248.exe	28

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Privacy	877050c00267419ddad96201ce36f818fe6b6f10352b96146c4f04efdb87d248.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	877050c00267419ddad96201ce36f818fe6b6f10352b96146c4f04efdb87d248.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
1088	rasau.exe
1088	rasau.exe
1088	rasau.exe
1088	rasau.exe
1088	rasau.exe
1088	rasau.exe
1088	rasau.exe
1088	rasau.exe
1088	rasau.exe
1088	rasau.exe
1088	rasau.exe
1088	rasau.exe
1088	rasau.exe
1088	rasau.exe
1088	rasau.exe
1088	rasau.exe
1088	rasau.exe
1088	rasau.exe
1088	rasau.exe
1088	rasau.exe
1088	rasau.exe
1088	rasau.exe
1088	rasau.exe
1088	rasau.exe
1088	rasau.exe
1088	rasau.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1880 wrote to memory of 1088	1880	877050c00267419ddad96201ce36f818fe6b6f10352b96146c4f04efdb87d248.exe	27
PID 1880 wrote to memory of 1088	1880	877050c00267419ddad96201ce36f818fe6b6f10352b96146c4f04efdb87d248.exe	27
PID 1880 wrote to memory of 1088	1880	877050c00267419ddad96201ce36f818fe6b6f10352b96146c4f04efdb87d248.exe	27
PID 1880 wrote to memory of 1088	1880	877050c00267419ddad96201ce36f818fe6b6f10352b96146c4f04efdb87d248.exe	27
PID 1088 wrote to memory of 1200	1088	rasau.exe	18
PID 1088 wrote to memory of 1200	1088	rasau.exe	18
PID 1088 wrote to memory of 1200	1088	rasau.exe	18
PID 1088 wrote to memory of 1200	1088	rasau.exe	18
PID 1088 wrote to memory of 1200	1088	rasau.exe	18
PID 1088 wrote to memory of 1304	1088	rasau.exe	11
PID 1088 wrote to memory of 1304	1088	rasau.exe	11
PID 1088 wrote to memory of 1304	1088	rasau.exe	11
PID 1088 wrote to memory of 1304	1088	rasau.exe	11
PID 1088 wrote to memory of 1304	1088	rasau.exe	11
PID 1088 wrote to memory of 1344	1088	rasau.exe	17
PID 1088 wrote to memory of 1344	1088	rasau.exe	17
PID 1088 wrote to memory of 1344	1088	rasau.exe	17
PID 1088 wrote to memory of 1344	1088	rasau.exe	17
PID 1088 wrote to memory of 1344	1088	rasau.exe	17
PID 1088 wrote to memory of 1880	1088	rasau.exe	26
PID 1088 wrote to memory of 1880	1088	rasau.exe	26
PID 1088 wrote to memory of 1880	1088	rasau.exe	26
PID 1088 wrote to memory of 1880	1088	rasau.exe	26
PID 1088 wrote to memory of 1880	1088	rasau.exe	26
PID 1880 wrote to memory of 536	1880	877050c00267419ddad96201ce36f818fe6b6f10352b96146c4f04efdb87d248.exe	28
PID 1880 wrote to memory of 536	1880	877050c00267419ddad96201ce36f818fe6b6f10352b96146c4f04efdb87d248.exe	28
PID 1880 wrote to memory of 536	1880	877050c00267419ddad96201ce36f818fe6b6f10352b96146c4f04efdb87d248.exe	28
PID 1880 wrote to memory of 536	1880	877050c00267419ddad96201ce36f818fe6b6f10352b96146c4f04efdb87d248.exe	28
PID 1880 wrote to memory of 536	1880	877050c00267419ddad96201ce36f818fe6b6f10352b96146c4f04efdb87d248.exe	28
PID 1880 wrote to memory of 536	1880	877050c00267419ddad96201ce36f818fe6b6f10352b96146c4f04efdb87d248.exe	28
PID 1880 wrote to memory of 536	1880	877050c00267419ddad96201ce36f818fe6b6f10352b96146c4f04efdb87d248.exe	28
PID 1880 wrote to memory of 536	1880	877050c00267419ddad96201ce36f818fe6b6f10352b96146c4f04efdb87d248.exe	28
PID 1880 wrote to memory of 536	1880	877050c00267419ddad96201ce36f818fe6b6f10352b96146c4f04efdb87d248.exe	28

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1304

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1344
- C:\Users\Admin\AppData\Local\Temp\877050c00267419ddad96201ce36f818fe6b6f10352b96146c4f04efdb87d248.exe
  "C:\Users\Admin\AppData\Local\Temp\877050c00267419ddad96201ce36f818fe6b6f10352b96146c4f04efdb87d248.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory
  PID:1880
- - C:\Users\Admin\AppData\Roaming\Yjzoes\rasau.exe
    "C:\Users\Admin\AppData\Roaming\Yjzoes\rasau.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1088
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp201850e6.bat"
    3⤵
    - Deletes itself
    PID:536

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1200

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp201850e6.bat

Filesize
307B

MD5
2cf3fb6c111adeec1f8e94f6d343bc76

SHA1
43e6ab7e8071f20ff6a96211856219a7f0c94a8e

SHA256
133b9162250caffec3f2e5c7de616eaf92905556502beff654dc0153f736111f

SHA512
1303af3b4db6d2695254124ac19b34b41c8322eb7b48265349cea89df71ed265f858f5c9157bec8115377d8fd7a9d79cdedebc9540556fe663fa4b28a612c166

Download Submit
C:\Users\Admin\AppData\Roaming\Yjzoes\rasau.exe

Filesize
307KB

MD5
30b13b8a01e9d73ee90f2ef97c01d0e0

SHA1
b6c2ab15a0b5692ecaa33cd88511a4697fa46577

SHA256
aa7cca140f36aaef7700faf9eb0d4abbf84055370c8b34c5e670434f479b5131

SHA512
98aef56f5733c9d2ccb15cb0a6132e23b97b1d6255b81d1bc6d400351a27a9919ece130932cb078d34feca85bcd5978212f28a13778d7026b5a1a26857637439

Download Submit
C:\Users\Admin\AppData\Roaming\Yjzoes\rasau.exe

Filesize
307KB

MD5
30b13b8a01e9d73ee90f2ef97c01d0e0

SHA1
b6c2ab15a0b5692ecaa33cd88511a4697fa46577

SHA256
aa7cca140f36aaef7700faf9eb0d4abbf84055370c8b34c5e670434f479b5131

SHA512
98aef56f5733c9d2ccb15cb0a6132e23b97b1d6255b81d1bc6d400351a27a9919ece130932cb078d34feca85bcd5978212f28a13778d7026b5a1a26857637439

Download Submit
\Users\Admin\AppData\Roaming\Yjzoes\rasau.exe

Filesize
307KB

MD5
30b13b8a01e9d73ee90f2ef97c01d0e0

SHA1
b6c2ab15a0b5692ecaa33cd88511a4697fa46577

SHA256
aa7cca140f36aaef7700faf9eb0d4abbf84055370c8b34c5e670434f479b5131

SHA512
98aef56f5733c9d2ccb15cb0a6132e23b97b1d6255b81d1bc6d400351a27a9919ece130932cb078d34feca85bcd5978212f28a13778d7026b5a1a26857637439

Download Submit
memory/536-96-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/536-103-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/536-92-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/536-95-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/536-94-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1088-106-0x0000000000A90000-0x0000000000AE0000-memory.dmp

Filesize
320KB

Download
memory/1088-104-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1088-63-0x0000000000A90000-0x0000000000AE0000-memory.dmp

Filesize
320KB

Download
memory/1088-105-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1200-71-0x0000000001DF0000-0x0000000001E34000-memory.dmp

Filesize
272KB

Download
memory/1200-70-0x0000000001DF0000-0x0000000001E34000-memory.dmp

Filesize
272KB

Download
memory/1200-68-0x0000000001DF0000-0x0000000001E34000-memory.dmp

Filesize
272KB

Download
memory/1200-69-0x0000000001DF0000-0x0000000001E34000-memory.dmp

Filesize
272KB

Download
memory/1200-66-0x0000000001DF0000-0x0000000001E34000-memory.dmp

Filesize
272KB

Download
memory/1304-75-0x00000000001A0000-0x00000000001E4000-memory.dmp

Filesize
272KB

Download
memory/1304-74-0x00000000001A0000-0x00000000001E4000-memory.dmp

Filesize
272KB

Download
memory/1304-76-0x00000000001A0000-0x00000000001E4000-memory.dmp

Filesize
272KB

Download
memory/1304-77-0x00000000001A0000-0x00000000001E4000-memory.dmp

Filesize
272KB

Download
memory/1344-82-0x0000000002740000-0x0000000002784000-memory.dmp

Filesize
272KB

Download
memory/1344-80-0x0000000002740000-0x0000000002784000-memory.dmp

Filesize
272KB

Download
memory/1344-83-0x0000000002740000-0x0000000002784000-memory.dmp

Filesize
272KB

Download
memory/1344-81-0x0000000002740000-0x0000000002784000-memory.dmp

Filesize
272KB

Download
memory/1880-86-0x0000000000410000-0x0000000000454000-memory.dmp

Filesize
272KB

Download
memory/1880-88-0x0000000000410000-0x0000000000454000-memory.dmp

Filesize
272KB

Download
memory/1880-54-0x00000000010D0000-0x0000000001120000-memory.dmp

Filesize
320KB

Download
memory/1880-87-0x0000000000410000-0x0000000000454000-memory.dmp

Filesize
272KB

Download
memory/1880-100-0x0000000000410000-0x0000000000454000-memory.dmp

Filesize
272KB

Download
memory/1880-99-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1880-98-0x00000000010D0000-0x0000000001120000-memory.dmp

Filesize
320KB

Download
memory/1880-56-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1880-55-0x0000000075D71000-0x0000000075D73000-memory.dmp

Filesize
8KB

Download
memory/1880-61-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1880-57-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1880-89-0x0000000000410000-0x0000000000454000-memory.dmp

Filesize
272KB

Download
memory/1880-62-0x0000000000410000-0x0000000000460000-memory.dmp

Filesize
320KB

Download