cobaltstrike | b454d38095c759da1ab2f89b5fe17955c53b5ae02dccad8852cc035f35c42b77

General

Target

b454d38095c759da1ab2f89b5fe17955c53b5ae02dccad8852cc035f35c42b77.exe
Size

312KB
MD5

918b36ccf7ad9279a730de0605c1090f
SHA1

9279497f46447f186c829e44f6e806b2a83058a1
SHA256

b454d38095c759da1ab2f89b5fe17955c53b5ae02dccad8852cc035f35c42b77
SHA512

2c71f4e74e67d435069ebf543d2230b02e4103ecbe4d0f588793f0d14d1a94db344db49853f60d67e6e2ef8f8d9354dbbd5654cb3eb0da65c13130e6760f852e
SSDEEP

6144:xWI+jNXUeLFTiCRTy7wzFzRODpyUOr2//m2TnLo0Dzs:EIQU2iCvxzKy1rc/msa

Score

10^/10

cobaltstrike backdoor persistence trojan

Malware Config

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Executes dropped EXE 1 IoCs

Processes:

otidaq.exe

pid process

268 otidaq.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1352 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

b454d38095c759da1ab2f89b5fe17955c53b5ae02dccad8852cc035f35c42b77.exe

pid process

1220 b454d38095c759da1ab2f89b5fe17955c53b5ae02dccad8852cc035f35c42b77.exe

pid	process
1352	cmd.exe

pid	process
1220	b454d38095c759da1ab2f89b5fe17955c53b5ae02dccad8852cc035f35c42b77.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

otidaq.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\Currentversion\Run	otidaq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\{7B2FDFC8-3774-AD4D-C411-AE4FF0968D52} = "C:\\Users\\Admin\\AppData\\Roaming\\Xoiko\\otidaq.exe"	otidaq.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

b454d38095c759da1ab2f89b5fe17955c53b5ae02dccad8852cc035f35c42b77.exe

description	pid	process	target process
PID 1220 set thread context of 1352	1220	b454d38095c759da1ab2f89b5fe17955c53b5ae02dccad8852cc035f35c42b77.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

b454d38095c759da1ab2f89b5fe17955c53b5ae02dccad8852cc035f35c42b77.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Privacy	b454d38095c759da1ab2f89b5fe17955c53b5ae02dccad8852cc035f35c42b77.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	b454d38095c759da1ab2f89b5fe17955c53b5ae02dccad8852cc035f35c42b77.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

otidaq.exe

pid	process
268	otidaq.exe
268	otidaq.exe
268	otidaq.exe
268	otidaq.exe
268	otidaq.exe
268	otidaq.exe
268	otidaq.exe
268	otidaq.exe
268	otidaq.exe
268	otidaq.exe
268	otidaq.exe
268	otidaq.exe
268	otidaq.exe
268	otidaq.exe
268	otidaq.exe
268	otidaq.exe
268	otidaq.exe
268	otidaq.exe
268	otidaq.exe
268	otidaq.exe
268	otidaq.exe
268	otidaq.exe
268	otidaq.exe
268	otidaq.exe
268	otidaq.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

b454d38095c759da1ab2f89b5fe17955c53b5ae02dccad8852cc035f35c42b77.exeotidaq.exe

description	pid	process	target process
PID 1220 wrote to memory of 268	1220	b454d38095c759da1ab2f89b5fe17955c53b5ae02dccad8852cc035f35c42b77.exe	otidaq.exe
PID 1220 wrote to memory of 268	1220	b454d38095c759da1ab2f89b5fe17955c53b5ae02dccad8852cc035f35c42b77.exe	otidaq.exe
PID 1220 wrote to memory of 268	1220	b454d38095c759da1ab2f89b5fe17955c53b5ae02dccad8852cc035f35c42b77.exe	otidaq.exe
PID 1220 wrote to memory of 268	1220	b454d38095c759da1ab2f89b5fe17955c53b5ae02dccad8852cc035f35c42b77.exe	otidaq.exe
PID 268 wrote to memory of 1140	268	otidaq.exe	taskhost.exe
PID 268 wrote to memory of 1140	268	otidaq.exe	taskhost.exe
PID 268 wrote to memory of 1140	268	otidaq.exe	taskhost.exe
PID 268 wrote to memory of 1140	268	otidaq.exe	taskhost.exe
PID 268 wrote to memory of 1140	268	otidaq.exe	taskhost.exe
PID 268 wrote to memory of 1240	268	otidaq.exe	Dwm.exe
PID 268 wrote to memory of 1240	268	otidaq.exe	Dwm.exe
PID 268 wrote to memory of 1240	268	otidaq.exe	Dwm.exe
PID 268 wrote to memory of 1240	268	otidaq.exe	Dwm.exe
PID 268 wrote to memory of 1240	268	otidaq.exe	Dwm.exe
PID 268 wrote to memory of 1272	268	otidaq.exe	Explorer.EXE
PID 268 wrote to memory of 1272	268	otidaq.exe	Explorer.EXE
PID 268 wrote to memory of 1272	268	otidaq.exe	Explorer.EXE
PID 268 wrote to memory of 1272	268	otidaq.exe	Explorer.EXE
PID 268 wrote to memory of 1272	268	otidaq.exe	Explorer.EXE
PID 268 wrote to memory of 1220	268	otidaq.exe	b454d38095c759da1ab2f89b5fe17955c53b5ae02dccad8852cc035f35c42b77.exe
PID 268 wrote to memory of 1220	268	otidaq.exe	b454d38095c759da1ab2f89b5fe17955c53b5ae02dccad8852cc035f35c42b77.exe
PID 268 wrote to memory of 1220	268	otidaq.exe	b454d38095c759da1ab2f89b5fe17955c53b5ae02dccad8852cc035f35c42b77.exe
PID 268 wrote to memory of 1220	268	otidaq.exe	b454d38095c759da1ab2f89b5fe17955c53b5ae02dccad8852cc035f35c42b77.exe
PID 268 wrote to memory of 1220	268	otidaq.exe	b454d38095c759da1ab2f89b5fe17955c53b5ae02dccad8852cc035f35c42b77.exe
PID 1220 wrote to memory of 1352	1220	b454d38095c759da1ab2f89b5fe17955c53b5ae02dccad8852cc035f35c42b77.exe	cmd.exe
PID 1220 wrote to memory of 1352	1220	b454d38095c759da1ab2f89b5fe17955c53b5ae02dccad8852cc035f35c42b77.exe	cmd.exe
PID 1220 wrote to memory of 1352	1220	b454d38095c759da1ab2f89b5fe17955c53b5ae02dccad8852cc035f35c42b77.exe	cmd.exe
PID 1220 wrote to memory of 1352	1220	b454d38095c759da1ab2f89b5fe17955c53b5ae02dccad8852cc035f35c42b77.exe	cmd.exe
PID 1220 wrote to memory of 1352	1220	b454d38095c759da1ab2f89b5fe17955c53b5ae02dccad8852cc035f35c42b77.exe	cmd.exe
PID 1220 wrote to memory of 1352	1220	b454d38095c759da1ab2f89b5fe17955c53b5ae02dccad8852cc035f35c42b77.exe	cmd.exe
PID 1220 wrote to memory of 1352	1220	b454d38095c759da1ab2f89b5fe17955c53b5ae02dccad8852cc035f35c42b77.exe	cmd.exe
PID 1220 wrote to memory of 1352	1220	b454d38095c759da1ab2f89b5fe17955c53b5ae02dccad8852cc035f35c42b77.exe	cmd.exe
PID 1220 wrote to memory of 1352	1220	b454d38095c759da1ab2f89b5fe17955c53b5ae02dccad8852cc035f35c42b77.exe	cmd.exe
PID 268 wrote to memory of 1736	268	otidaq.exe	DllHost.exe
PID 268 wrote to memory of 1736	268	otidaq.exe	DllHost.exe
PID 268 wrote to memory of 1736	268	otidaq.exe	DllHost.exe
PID 268 wrote to memory of 1736	268	otidaq.exe	DllHost.exe
PID 268 wrote to memory of 1736	268	otidaq.exe	DllHost.exe
PID 268 wrote to memory of 1448	268	otidaq.exe	DllHost.exe
PID 268 wrote to memory of 1448	268	otidaq.exe	DllHost.exe
PID 268 wrote to memory of 1448	268	otidaq.exe	DllHost.exe
PID 268 wrote to memory of 1448	268	otidaq.exe	DllHost.exe
PID 268 wrote to memory of 1448	268	otidaq.exe	DllHost.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1272

C:\Users\Admin\AppData\Local\Temp\b454d38095c759da1ab2f89b5fe17955c53b5ae02dccad8852cc035f35c42b77.exe
"C:\Users\Admin\AppData\Local\Temp\b454d38095c759da1ab2f89b5fe17955c53b5ae02dccad8852cc035f35c42b77.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1220

C:\Users\Admin\AppData\Roaming\Xoiko\otidaq.exe
"C:\Users\Admin\AppData\Roaming\Xoiko\otidaq.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:268

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpb27f7cfa.bat"
3⤵
- Deletes itself
PID:1352

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1240

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1140

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1736

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1448

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpb27f7cfa.bat
Filesize
307B

MD5
ee400e5a2d79366f9ee73ff260efeb8d

SHA1
d253d0a883632bca12bf5ad588c14a768c0ee461

SHA256
fb4f6e0f0bde8a70cc65010272c8991c71f8c8987c81b9ce5470bfb94669d5fa

SHA512
caf36ba7f6a0d9c00dd47226defd199dab7b71cd4d54e9578730d8f3c8793433af4a1e33d84bc49df458b6c4a3ac7604c5e5fdf77934d7d9f5ff57faeaaeddfd

Download Submit
C:\Users\Admin\AppData\Roaming\Xoiko\otidaq.exe
Filesize
312KB

MD5
e169b13e0008f0af658db3d1b803a548

SHA1
7a8e0298efd3013003ff0f79d1c31650d94fcc22

SHA256
adc3b77219be969f66a3a402d3bd43db235a1af7c5c2b7cc6d049f26e9316dcd

SHA512
35619a89d4f00ea9fa7017fdd9a432b1a5e8e34a056816638d98c09756dee26df1fce579140da9b7020140ee4ba56d5e10c7acfa5fee487325d9665fd8059583

Download Submit
C:\Users\Admin\AppData\Roaming\Xoiko\otidaq.exe
Filesize
312KB

MD5
e169b13e0008f0af658db3d1b803a548

SHA1
7a8e0298efd3013003ff0f79d1c31650d94fcc22

SHA256
adc3b77219be969f66a3a402d3bd43db235a1af7c5c2b7cc6d049f26e9316dcd

SHA512
35619a89d4f00ea9fa7017fdd9a432b1a5e8e34a056816638d98c09756dee26df1fce579140da9b7020140ee4ba56d5e10c7acfa5fee487325d9665fd8059583

Download Submit
\Users\Admin\AppData\Roaming\Xoiko\otidaq.exe
Filesize
312KB

MD5
e169b13e0008f0af658db3d1b803a548

SHA1
7a8e0298efd3013003ff0f79d1c31650d94fcc22

SHA256
adc3b77219be969f66a3a402d3bd43db235a1af7c5c2b7cc6d049f26e9316dcd

SHA512
35619a89d4f00ea9fa7017fdd9a432b1a5e8e34a056816638d98c09756dee26df1fce579140da9b7020140ee4ba56d5e10c7acfa5fee487325d9665fd8059583

Download Submit
memory/268-60-0x0000000000000000-mapping.dmp

Download
memory/268-106-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/268-64-0x0000000000250000-0x00000000002A1000-memory.dmp

Filesize
324KB

Download
memory/268-119-0x0000000000250000-0x00000000002A1000-memory.dmp

Filesize
324KB

Download
memory/268-68-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1140-72-0x0000000001C10000-0x0000000001C54000-memory.dmp

Filesize
272KB

Download
memory/1140-70-0x0000000001C10000-0x0000000001C54000-memory.dmp

Filesize
272KB

Download
memory/1140-71-0x0000000001C10000-0x0000000001C54000-memory.dmp

Filesize
272KB

Download
memory/1140-66-0x0000000001C10000-0x0000000001C54000-memory.dmp

Filesize
272KB

Download
memory/1140-69-0x0000000001C10000-0x0000000001C54000-memory.dmp

Filesize
272KB

Download
memory/1220-101-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1220-55-0x0000000075A91000-0x0000000075A93000-memory.dmp

Filesize
8KB

Download
memory/1220-58-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1220-100-0x0000000001310000-0x0000000001361000-memory.dmp

Filesize
324KB

Download
memory/1220-102-0x00000000002B0000-0x00000000002F4000-memory.dmp

Filesize
272KB

Download
memory/1220-57-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1220-56-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1220-63-0x00000000002B0000-0x0000000000301000-memory.dmp

Filesize
324KB

Download
memory/1220-54-0x0000000001310000-0x0000000001361000-memory.dmp

Filesize
324KB

Download
memory/1220-91-0x00000000002B0000-0x0000000000301000-memory.dmp

Filesize
324KB

Download
memory/1220-90-0x00000000002B0000-0x00000000002F4000-memory.dmp

Filesize
272KB

Download
memory/1220-87-0x00000000002B0000-0x00000000002F4000-memory.dmp

Filesize
272KB

Download
memory/1220-88-0x00000000002B0000-0x00000000002F4000-memory.dmp

Filesize
272KB

Download
memory/1220-89-0x00000000002B0000-0x00000000002F4000-memory.dmp

Filesize
272KB

Download
memory/1240-78-0x00000000019C0000-0x0000000001A04000-memory.dmp

Filesize
272KB

Download
memory/1240-77-0x00000000019C0000-0x0000000001A04000-memory.dmp

Filesize
272KB

Download
memory/1240-76-0x00000000019C0000-0x0000000001A04000-memory.dmp

Filesize
272KB

Download
memory/1240-75-0x00000000019C0000-0x0000000001A04000-memory.dmp

Filesize
272KB

Download
memory/1272-84-0x0000000002B10000-0x0000000002B54000-memory.dmp

Filesize
272KB

Download
memory/1272-83-0x0000000002B10000-0x0000000002B54000-memory.dmp

Filesize
272KB

Download
memory/1272-82-0x0000000002B10000-0x0000000002B54000-memory.dmp

Filesize
272KB

Download
memory/1272-81-0x0000000002B10000-0x0000000002B54000-memory.dmp

Filesize
272KB

Download
memory/1352-96-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1352-99-0x00000000000671E6-mapping.dmp

Download
memory/1352-98-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1352-105-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1352-97-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1352-94-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1448-116-0x0000000003C80000-0x0000000003CC4000-memory.dmp

Filesize
272KB

Download
memory/1448-115-0x0000000003C80000-0x0000000003CC4000-memory.dmp

Filesize
272KB

Download
memory/1448-117-0x0000000003C80000-0x0000000003CC4000-memory.dmp

Filesize
272KB

Download
memory/1448-118-0x0000000003C80000-0x0000000003CC4000-memory.dmp

Filesize
272KB

Download
memory/1736-111-0x0000000000210000-0x0000000000254000-memory.dmp

Filesize
272KB

Download
memory/1736-112-0x0000000000210000-0x0000000000254000-memory.dmp

Filesize
272KB

Download
memory/1736-110-0x0000000000210000-0x0000000000254000-memory.dmp

Filesize
272KB

Download
memory/1736-109-0x0000000000210000-0x0000000000254000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads