cobaltstrike | df9bb00f51f464c7e8b6a9c0603c44d099f4ec8112973be25e6137010416f63a

General

Target

df9bb00f51f464c7e8b6a9c0603c44d099f4ec8112973be25e6137010416f63a.exe
Size

307KB
MD5

131c0d733cab5949f531b08820c2a480
SHA1

63bbe529bd84f4581cf4ac15d1e68ac2b4827557
SHA256

df9bb00f51f464c7e8b6a9c0603c44d099f4ec8112973be25e6137010416f63a
SHA512

f2f518b7d695314f5cdcaecfe781af96647a93f51ba174286e948170ffe4e2fa4f37c374f1134431f11f42a6bdb500ebd38eaab95223747a597fb5995a32cc31
SSDEEP

6144:HkSz8T72Y0SLzinYKTY1SQshfRPVQe1MZkIYSccr7wbstOnPECYeixlYGicb:HkqA7SSiYsY1UMqMZJYSN7wbstOn8fvp

Score

10^/10

cobaltstrike backdoor persistence trojan

Malware Config

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Executes dropped EXE 1 IoCs

Processes:

ifdia.exe

pid process

1328 ifdia.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1124 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

df9bb00f51f464c7e8b6a9c0603c44d099f4ec8112973be25e6137010416f63a.exe

pid process

1716 df9bb00f51f464c7e8b6a9c0603c44d099f4ec8112973be25e6137010416f63a.exe

pid	process
1124	cmd.exe

pid	process
1716	df9bb00f51f464c7e8b6a9c0603c44d099f4ec8112973be25e6137010416f63a.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ifdia.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\Currentversion\Run	ifdia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\{7B2FDFC8-3774-AD4D-C411-AE4FF0968D52} = "C:\\Users\\Admin\\AppData\\Roaming\\Uvcuh\\ifdia.exe"	ifdia.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

df9bb00f51f464c7e8b6a9c0603c44d099f4ec8112973be25e6137010416f63a.exe

description	pid	process	target process
PID 1716 set thread context of 1124	1716	df9bb00f51f464c7e8b6a9c0603c44d099f4ec8112973be25e6137010416f63a.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

df9bb00f51f464c7e8b6a9c0603c44d099f4ec8112973be25e6137010416f63a.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Privacy	df9bb00f51f464c7e8b6a9c0603c44d099f4ec8112973be25e6137010416f63a.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	df9bb00f51f464c7e8b6a9c0603c44d099f4ec8112973be25e6137010416f63a.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

ifdia.exe

pid	process
1328	ifdia.exe
1328	ifdia.exe
1328	ifdia.exe
1328	ifdia.exe
1328	ifdia.exe
1328	ifdia.exe
1328	ifdia.exe
1328	ifdia.exe
1328	ifdia.exe
1328	ifdia.exe
1328	ifdia.exe
1328	ifdia.exe
1328	ifdia.exe
1328	ifdia.exe
1328	ifdia.exe
1328	ifdia.exe
1328	ifdia.exe
1328	ifdia.exe
1328	ifdia.exe
1328	ifdia.exe
1328	ifdia.exe
1328	ifdia.exe
1328	ifdia.exe
1328	ifdia.exe
1328	ifdia.exe
1328	ifdia.exe
1328	ifdia.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

df9bb00f51f464c7e8b6a9c0603c44d099f4ec8112973be25e6137010416f63a.exeifdia.exe

description	pid	process	target process
PID 1716 wrote to memory of 1328	1716	df9bb00f51f464c7e8b6a9c0603c44d099f4ec8112973be25e6137010416f63a.exe	ifdia.exe
PID 1716 wrote to memory of 1328	1716	df9bb00f51f464c7e8b6a9c0603c44d099f4ec8112973be25e6137010416f63a.exe	ifdia.exe
PID 1716 wrote to memory of 1328	1716	df9bb00f51f464c7e8b6a9c0603c44d099f4ec8112973be25e6137010416f63a.exe	ifdia.exe
PID 1716 wrote to memory of 1328	1716	df9bb00f51f464c7e8b6a9c0603c44d099f4ec8112973be25e6137010416f63a.exe	ifdia.exe
PID 1328 wrote to memory of 1108	1328	ifdia.exe	taskhost.exe
PID 1328 wrote to memory of 1108	1328	ifdia.exe	taskhost.exe
PID 1328 wrote to memory of 1108	1328	ifdia.exe	taskhost.exe
PID 1328 wrote to memory of 1108	1328	ifdia.exe	taskhost.exe
PID 1328 wrote to memory of 1108	1328	ifdia.exe	taskhost.exe
PID 1328 wrote to memory of 1188	1328	ifdia.exe	Dwm.exe
PID 1328 wrote to memory of 1188	1328	ifdia.exe	Dwm.exe
PID 1328 wrote to memory of 1188	1328	ifdia.exe	Dwm.exe
PID 1328 wrote to memory of 1188	1328	ifdia.exe	Dwm.exe
PID 1328 wrote to memory of 1188	1328	ifdia.exe	Dwm.exe
PID 1328 wrote to memory of 1248	1328	ifdia.exe	Explorer.EXE
PID 1328 wrote to memory of 1248	1328	ifdia.exe	Explorer.EXE
PID 1328 wrote to memory of 1248	1328	ifdia.exe	Explorer.EXE
PID 1328 wrote to memory of 1248	1328	ifdia.exe	Explorer.EXE
PID 1328 wrote to memory of 1248	1328	ifdia.exe	Explorer.EXE
PID 1328 wrote to memory of 1716	1328	ifdia.exe	df9bb00f51f464c7e8b6a9c0603c44d099f4ec8112973be25e6137010416f63a.exe
PID 1328 wrote to memory of 1716	1328	ifdia.exe	df9bb00f51f464c7e8b6a9c0603c44d099f4ec8112973be25e6137010416f63a.exe
PID 1328 wrote to memory of 1716	1328	ifdia.exe	df9bb00f51f464c7e8b6a9c0603c44d099f4ec8112973be25e6137010416f63a.exe
PID 1328 wrote to memory of 1716	1328	ifdia.exe	df9bb00f51f464c7e8b6a9c0603c44d099f4ec8112973be25e6137010416f63a.exe
PID 1328 wrote to memory of 1716	1328	ifdia.exe	df9bb00f51f464c7e8b6a9c0603c44d099f4ec8112973be25e6137010416f63a.exe
PID 1716 wrote to memory of 1124	1716	df9bb00f51f464c7e8b6a9c0603c44d099f4ec8112973be25e6137010416f63a.exe	cmd.exe
PID 1716 wrote to memory of 1124	1716	df9bb00f51f464c7e8b6a9c0603c44d099f4ec8112973be25e6137010416f63a.exe	cmd.exe
PID 1716 wrote to memory of 1124	1716	df9bb00f51f464c7e8b6a9c0603c44d099f4ec8112973be25e6137010416f63a.exe	cmd.exe
PID 1716 wrote to memory of 1124	1716	df9bb00f51f464c7e8b6a9c0603c44d099f4ec8112973be25e6137010416f63a.exe	cmd.exe
PID 1716 wrote to memory of 1124	1716	df9bb00f51f464c7e8b6a9c0603c44d099f4ec8112973be25e6137010416f63a.exe	cmd.exe
PID 1716 wrote to memory of 1124	1716	df9bb00f51f464c7e8b6a9c0603c44d099f4ec8112973be25e6137010416f63a.exe	cmd.exe
PID 1716 wrote to memory of 1124	1716	df9bb00f51f464c7e8b6a9c0603c44d099f4ec8112973be25e6137010416f63a.exe	cmd.exe
PID 1716 wrote to memory of 1124	1716	df9bb00f51f464c7e8b6a9c0603c44d099f4ec8112973be25e6137010416f63a.exe	cmd.exe
PID 1716 wrote to memory of 1124	1716	df9bb00f51f464c7e8b6a9c0603c44d099f4ec8112973be25e6137010416f63a.exe	cmd.exe
PID 1328 wrote to memory of 968	1328	ifdia.exe	conhost.exe
PID 1328 wrote to memory of 968	1328	ifdia.exe	conhost.exe
PID 1328 wrote to memory of 968	1328	ifdia.exe	conhost.exe
PID 1328 wrote to memory of 968	1328	ifdia.exe	conhost.exe
PID 1328 wrote to memory of 968	1328	ifdia.exe	conhost.exe
PID 1328 wrote to memory of 1612	1328	ifdia.exe	DllHost.exe
PID 1328 wrote to memory of 1612	1328	ifdia.exe	DllHost.exe
PID 1328 wrote to memory of 1612	1328	ifdia.exe	DllHost.exe
PID 1328 wrote to memory of 1612	1328	ifdia.exe	DllHost.exe
PID 1328 wrote to memory of 1612	1328	ifdia.exe	DllHost.exe
PID 1328 wrote to memory of 1972	1328	ifdia.exe	DllHost.exe
PID 1328 wrote to memory of 1972	1328	ifdia.exe	DllHost.exe
PID 1328 wrote to memory of 1972	1328	ifdia.exe	DllHost.exe
PID 1328 wrote to memory of 1972	1328	ifdia.exe	DllHost.exe
PID 1328 wrote to memory of 1972	1328	ifdia.exe	DllHost.exe

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1188

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1248

C:\Users\Admin\AppData\Local\Temp\df9bb00f51f464c7e8b6a9c0603c44d099f4ec8112973be25e6137010416f63a.exe
"C:\Users\Admin\AppData\Local\Temp\df9bb00f51f464c7e8b6a9c0603c44d099f4ec8112973be25e6137010416f63a.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1716

C:\Users\Admin\AppData\Roaming\Uvcuh\ifdia.exe
"C:\Users\Admin\AppData\Roaming\Uvcuh\ifdia.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1328

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp0660b6d6.bat"
3⤵
- Deletes itself
PID:1124

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1108

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1089500876-67305819-14830308-77233065217463389251422372266-945048585-1615838931"
1⤵
PID:968

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1612

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1972

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp0660b6d6.bat
Filesize
307B

MD5
e5fb1453be48997e41d55ebce89f8534

SHA1
d65c78c27b736f6be14ede53534f219b8c48fff2

SHA256
2d16776472fe38b6c8f77ee66d29694f207f64565371f5fb7f33de109c57c5e8

SHA512
4a90c819cab0c701a791f4cfdd5ed8f8c25ea95ce76962d81693a538fd2eaa3883a2b9bf6f4bffc662259da473ddbdd4e5ad071c867068be86d7a513d7f41da5

Download Submit
C:\Users\Admin\AppData\Roaming\Uvcuh\ifdia.exe
Filesize
307KB

MD5
50c08188f212e7c574ba3113cdb9a084

SHA1
7c4eb7996153f513038542114c029c08ce2b81ea

SHA256
9598aa375033e9c570ab7cb25ce6fe22a4c5803826f674ab596a8d31f5a7e715

SHA512
06feb5beb1083de40b61225f22f753b0c06acd41a7ef5b8d525ea69c4e3c58f5c8815c4a10b4ae96482308a0c0b7ae6aa21926d4b777245ffde7dfdc632cc74b

Download Submit
C:\Users\Admin\AppData\Roaming\Uvcuh\ifdia.exe
Filesize
307KB

MD5
50c08188f212e7c574ba3113cdb9a084

SHA1
7c4eb7996153f513038542114c029c08ce2b81ea

SHA256
9598aa375033e9c570ab7cb25ce6fe22a4c5803826f674ab596a8d31f5a7e715

SHA512
06feb5beb1083de40b61225f22f753b0c06acd41a7ef5b8d525ea69c4e3c58f5c8815c4a10b4ae96482308a0c0b7ae6aa21926d4b777245ffde7dfdc632cc74b

Download Submit
\Users\Admin\AppData\Roaming\Uvcuh\ifdia.exe
Filesize
307KB

MD5
50c08188f212e7c574ba3113cdb9a084

SHA1
7c4eb7996153f513038542114c029c08ce2b81ea

SHA256
9598aa375033e9c570ab7cb25ce6fe22a4c5803826f674ab596a8d31f5a7e715

SHA512
06feb5beb1083de40b61225f22f753b0c06acd41a7ef5b8d525ea69c4e3c58f5c8815c4a10b4ae96482308a0c0b7ae6aa21926d4b777245ffde7dfdc632cc74b

Download Submit
memory/968-113-0x0000000000120000-0x0000000000164000-memory.dmp

Filesize
272KB

Download
memory/968-111-0x0000000000120000-0x0000000000164000-memory.dmp

Filesize
272KB

Download
memory/968-112-0x0000000000120000-0x0000000000164000-memory.dmp

Filesize
272KB

Download
memory/968-110-0x0000000000120000-0x0000000000164000-memory.dmp

Filesize
272KB

Download
memory/1108-70-0x0000000001B40000-0x0000000001B84000-memory.dmp

Filesize
272KB

Download
memory/1108-71-0x0000000001B40000-0x0000000001B84000-memory.dmp

Filesize
272KB

Download
memory/1108-69-0x0000000001B40000-0x0000000001B84000-memory.dmp

Filesize
272KB

Download
memory/1108-66-0x0000000001B40000-0x0000000001B84000-memory.dmp

Filesize
272KB

Download
memory/1108-68-0x0000000001B40000-0x0000000001B84000-memory.dmp

Filesize
272KB

Download
memory/1124-115-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1124-107-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1124-97-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1124-102-0x00000000000671E6-mapping.dmp

Download
memory/1124-101-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1124-100-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1124-99-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1188-74-0x0000000001BC0000-0x0000000001C04000-memory.dmp

Filesize
272KB

Download
memory/1188-75-0x0000000001BC0000-0x0000000001C04000-memory.dmp

Filesize
272KB

Download
memory/1188-76-0x0000000001BC0000-0x0000000001C04000-memory.dmp

Filesize
272KB

Download
memory/1188-77-0x0000000001BC0000-0x0000000001C04000-memory.dmp

Filesize
272KB

Download
memory/1248-81-0x0000000002C20000-0x0000000002C64000-memory.dmp

Filesize
272KB

Download
memory/1248-80-0x0000000002C20000-0x0000000002C64000-memory.dmp

Filesize
272KB

Download
memory/1248-83-0x0000000002C20000-0x0000000002C64000-memory.dmp

Filesize
272KB

Download
memory/1248-82-0x0000000002C20000-0x0000000002C64000-memory.dmp

Filesize
272KB

Download
memory/1328-122-0x0000000001260000-0x00000000012B1000-memory.dmp

Filesize
324KB

Download
memory/1328-90-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1328-93-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1328-60-0x0000000000000000-mapping.dmp

Download
memory/1328-63-0x0000000001260000-0x00000000012B1000-memory.dmp

Filesize
324KB

Download
memory/1612-121-0x0000000000200000-0x0000000000244000-memory.dmp

Filesize
272KB

Download
memory/1612-120-0x0000000000200000-0x0000000000244000-memory.dmp

Filesize
272KB

Download
memory/1612-119-0x0000000000200000-0x0000000000244000-memory.dmp

Filesize
272KB

Download
memory/1612-118-0x0000000000200000-0x0000000000244000-memory.dmp

Filesize
272KB

Download
memory/1716-86-0x0000000000290000-0x00000000002D4000-memory.dmp

Filesize
272KB

Download
memory/1716-55-0x00000000760C1000-0x00000000760C3000-memory.dmp

Filesize
8KB

Download
memory/1716-104-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1716-105-0x0000000000290000-0x00000000002D4000-memory.dmp

Filesize
272KB

Download
memory/1716-54-0x0000000001180000-0x00000000011D1000-memory.dmp

Filesize
324KB

Download
memory/1716-87-0x0000000000290000-0x00000000002D4000-memory.dmp

Filesize
272KB

Download
memory/1716-58-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1716-56-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1716-57-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1716-103-0x0000000001180000-0x00000000011D1000-memory.dmp

Filesize
324KB

Download
memory/1716-62-0x0000000000290000-0x00000000002E1000-memory.dmp

Filesize
324KB

Download
memory/1716-94-0x0000000000290000-0x00000000002E1000-memory.dmp

Filesize
324KB

Download
memory/1716-92-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1716-91-0x0000000000290000-0x00000000002E1000-memory.dmp

Filesize
324KB

Download
memory/1716-89-0x0000000000290000-0x00000000002D4000-memory.dmp

Filesize
272KB

Download
memory/1716-88-0x0000000000290000-0x00000000002D4000-memory.dmp

Filesize
272KB

Download
memory/1972-125-0x0000000003A50000-0x0000000003A94000-memory.dmp

Filesize
272KB

Download
memory/1972-126-0x0000000003A50000-0x0000000003A94000-memory.dmp

Filesize
272KB

Download
memory/1972-127-0x0000000003A50000-0x0000000003A94000-memory.dmp

Filesize
272KB

Download
memory/1972-128-0x0000000003A50000-0x0000000003A94000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads