cobaltstrike | 89f7a6380da128ef25af7a3cd5d9b0240b96c2afefddee9d7c183de8146ca7db

General

Target

89f7a6380da128ef25af7a3cd5d9b0240b96c2afefddee9d7c183de8146ca7db.exe
Size

312KB
MD5

c05cb0dd31005612e83654b475b82b6a
SHA1

3ef53ec1547cd65dfda193a930a48ceab980a28c
SHA256

89f7a6380da128ef25af7a3cd5d9b0240b96c2afefddee9d7c183de8146ca7db
SHA512

673f121b6a80b7d61b160abfb68ab55d6457f37f19d022626ca184bb87c78b98f7fa85f98d016c516dbb1b3d21e61c9116d3f45af43c0b692020db2fe36f34f0
SSDEEP

6144:xWI+jNXUeSFTCCRTy7wzFzRODpyUOr2//W2TnLo0DUb:EIQU1CCvxzKy1rc/Wsc

Score

10^/10

cobaltstrike backdoor persistence trojan

Malware Config

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Executes dropped EXE 1 IoCs

Processes:

huuso.exe

pid process

1756 huuso.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

556 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

89f7a6380da128ef25af7a3cd5d9b0240b96c2afefddee9d7c183de8146ca7db.exe

pid process

1976 89f7a6380da128ef25af7a3cd5d9b0240b96c2afefddee9d7c183de8146ca7db.exe

pid	process
556	cmd.exe

pid	process
1976	89f7a6380da128ef25af7a3cd5d9b0240b96c2afefddee9d7c183de8146ca7db.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

huuso.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\Currentversion\Run	huuso.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\{7BD94DA8-4FEF-AD4D-5225-887A4931AB67} = "C:\\Users\\Admin\\AppData\\Roaming\\Huen\\huuso.exe"	huuso.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

89f7a6380da128ef25af7a3cd5d9b0240b96c2afefddee9d7c183de8146ca7db.exe

description pid process target process

PID 1976 set thread context of 556 1976 89f7a6380da128ef25af7a3cd5d9b0240b96c2afefddee9d7c183de8146ca7db.exe cmd.exe

description	pid	process	target process
PID 1976 set thread context of 556	1976	89f7a6380da128ef25af7a3cd5d9b0240b96c2afefddee9d7c183de8146ca7db.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

89f7a6380da128ef25af7a3cd5d9b0240b96c2afefddee9d7c183de8146ca7db.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Privacy	89f7a6380da128ef25af7a3cd5d9b0240b96c2afefddee9d7c183de8146ca7db.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	89f7a6380da128ef25af7a3cd5d9b0240b96c2afefddee9d7c183de8146ca7db.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

huuso.exe

pid	process
1756	huuso.exe
1756	huuso.exe
1756	huuso.exe
1756	huuso.exe
1756	huuso.exe
1756	huuso.exe
1756	huuso.exe
1756	huuso.exe
1756	huuso.exe
1756	huuso.exe
1756	huuso.exe
1756	huuso.exe
1756	huuso.exe
1756	huuso.exe
1756	huuso.exe
1756	huuso.exe
1756	huuso.exe
1756	huuso.exe
1756	huuso.exe
1756	huuso.exe
1756	huuso.exe
1756	huuso.exe
1756	huuso.exe
1756	huuso.exe
1756	huuso.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

89f7a6380da128ef25af7a3cd5d9b0240b96c2afefddee9d7c183de8146ca7db.exehuuso.exe

description	pid	process	target process
PID 1976 wrote to memory of 1756	1976	89f7a6380da128ef25af7a3cd5d9b0240b96c2afefddee9d7c183de8146ca7db.exe	huuso.exe
PID 1976 wrote to memory of 1756	1976	89f7a6380da128ef25af7a3cd5d9b0240b96c2afefddee9d7c183de8146ca7db.exe	huuso.exe
PID 1976 wrote to memory of 1756	1976	89f7a6380da128ef25af7a3cd5d9b0240b96c2afefddee9d7c183de8146ca7db.exe	huuso.exe
PID 1976 wrote to memory of 1756	1976	89f7a6380da128ef25af7a3cd5d9b0240b96c2afefddee9d7c183de8146ca7db.exe	huuso.exe
PID 1756 wrote to memory of 1124	1756	huuso.exe	taskhost.exe
PID 1756 wrote to memory of 1124	1756	huuso.exe	taskhost.exe
PID 1756 wrote to memory of 1124	1756	huuso.exe	taskhost.exe
PID 1756 wrote to memory of 1124	1756	huuso.exe	taskhost.exe
PID 1756 wrote to memory of 1124	1756	huuso.exe	taskhost.exe
PID 1756 wrote to memory of 1232	1756	huuso.exe	Dwm.exe
PID 1756 wrote to memory of 1232	1756	huuso.exe	Dwm.exe
PID 1756 wrote to memory of 1232	1756	huuso.exe	Dwm.exe
PID 1756 wrote to memory of 1232	1756	huuso.exe	Dwm.exe
PID 1756 wrote to memory of 1232	1756	huuso.exe	Dwm.exe
PID 1756 wrote to memory of 1288	1756	huuso.exe	Explorer.EXE
PID 1756 wrote to memory of 1288	1756	huuso.exe	Explorer.EXE
PID 1756 wrote to memory of 1288	1756	huuso.exe	Explorer.EXE
PID 1756 wrote to memory of 1288	1756	huuso.exe	Explorer.EXE
PID 1756 wrote to memory of 1288	1756	huuso.exe	Explorer.EXE
PID 1756 wrote to memory of 1976	1756	huuso.exe	89f7a6380da128ef25af7a3cd5d9b0240b96c2afefddee9d7c183de8146ca7db.exe
PID 1756 wrote to memory of 1976	1756	huuso.exe	89f7a6380da128ef25af7a3cd5d9b0240b96c2afefddee9d7c183de8146ca7db.exe
PID 1756 wrote to memory of 1976	1756	huuso.exe	89f7a6380da128ef25af7a3cd5d9b0240b96c2afefddee9d7c183de8146ca7db.exe
PID 1756 wrote to memory of 1976	1756	huuso.exe	89f7a6380da128ef25af7a3cd5d9b0240b96c2afefddee9d7c183de8146ca7db.exe
PID 1756 wrote to memory of 1976	1756	huuso.exe	89f7a6380da128ef25af7a3cd5d9b0240b96c2afefddee9d7c183de8146ca7db.exe
PID 1976 wrote to memory of 556	1976	89f7a6380da128ef25af7a3cd5d9b0240b96c2afefddee9d7c183de8146ca7db.exe	cmd.exe
PID 1976 wrote to memory of 556	1976	89f7a6380da128ef25af7a3cd5d9b0240b96c2afefddee9d7c183de8146ca7db.exe	cmd.exe
PID 1976 wrote to memory of 556	1976	89f7a6380da128ef25af7a3cd5d9b0240b96c2afefddee9d7c183de8146ca7db.exe	cmd.exe
PID 1976 wrote to memory of 556	1976	89f7a6380da128ef25af7a3cd5d9b0240b96c2afefddee9d7c183de8146ca7db.exe	cmd.exe
PID 1976 wrote to memory of 556	1976	89f7a6380da128ef25af7a3cd5d9b0240b96c2afefddee9d7c183de8146ca7db.exe	cmd.exe
PID 1976 wrote to memory of 556	1976	89f7a6380da128ef25af7a3cd5d9b0240b96c2afefddee9d7c183de8146ca7db.exe	cmd.exe
PID 1976 wrote to memory of 556	1976	89f7a6380da128ef25af7a3cd5d9b0240b96c2afefddee9d7c183de8146ca7db.exe	cmd.exe
PID 1976 wrote to memory of 556	1976	89f7a6380da128ef25af7a3cd5d9b0240b96c2afefddee9d7c183de8146ca7db.exe	cmd.exe
PID 1976 wrote to memory of 556	1976	89f7a6380da128ef25af7a3cd5d9b0240b96c2afefddee9d7c183de8146ca7db.exe	cmd.exe

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1232

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1288

C:\Users\Admin\AppData\Local\Temp\89f7a6380da128ef25af7a3cd5d9b0240b96c2afefddee9d7c183de8146ca7db.exe
"C:\Users\Admin\AppData\Local\Temp\89f7a6380da128ef25af7a3cd5d9b0240b96c2afefddee9d7c183de8146ca7db.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1976

C:\Users\Admin\AppData\Roaming\Huen\huuso.exe
"C:\Users\Admin\AppData\Roaming\Huen\huuso.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1756

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpef963d9e.bat"
3⤵
- Deletes itself
PID:556

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1124

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\ofsoin.ihu
Filesize
466B

MD5
b719b35e5bd106cabe941668f84b1564

SHA1
56940bc5e4afb77588741c7e2bb6561fdb39493b

SHA256
9156b246ea74475911a42647d5e7b50250aff8524ebc25ad15347d078f6e8f7b

SHA512
e13e74dcbdedd2100d9d2183895805118594c5500fa95a7c341a4a731d63993548a9af11f3a8294c7afa6a010bdbaedda0cd9b488b4fa4e276a2e38cb53dcd0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpef963d9e.bat
Filesize
307B

MD5
52fe7d910fc68ca328c641649dbb80b1

SHA1
22d21ff3405f2ca9e658e873c7f8b58551697bd0

SHA256
3f73fee8783f80c32909c2245fec458b8d92b935b1f1f1d30c52d276c9158824

SHA512
3133a1f3da580fa050262a3dfeafb7ee9e69f7deb574171a737f2a4b375b5354751646a4e073961359dca0564f23d7579c4a5d8b5268424777712ff2b65e8af0

Download Submit
C:\Users\Admin\AppData\Roaming\Huen\huuso.exe
Filesize
312KB

MD5
f0a7827756730c2f99923eb1bb2608e1

SHA1
8daf59584eb87ccb27235f893e67429b7b8e711c

SHA256
dbfc73cecb65134f97869d2ac52b1a03639901743bc173e4dc756a3dfa3cf006

SHA512
37d3a51e2a8d479c8f609dc75417031007c1d4ca078a4c08c5d7e05ead95f8cacde08bbc802ddf52e2261e53c4f0cc020df0b3fdc6ad8bca62c6881b25981e9d

Download Submit
C:\Users\Admin\AppData\Roaming\Huen\huuso.exe
Filesize
312KB

MD5
f0a7827756730c2f99923eb1bb2608e1

SHA1
8daf59584eb87ccb27235f893e67429b7b8e711c

SHA256
dbfc73cecb65134f97869d2ac52b1a03639901743bc173e4dc756a3dfa3cf006

SHA512
37d3a51e2a8d479c8f609dc75417031007c1d4ca078a4c08c5d7e05ead95f8cacde08bbc802ddf52e2261e53c4f0cc020df0b3fdc6ad8bca62c6881b25981e9d

Download Submit
\Users\Admin\AppData\Roaming\Huen\huuso.exe
Filesize
312KB

MD5
f0a7827756730c2f99923eb1bb2608e1

SHA1
8daf59584eb87ccb27235f893e67429b7b8e711c

SHA256
dbfc73cecb65134f97869d2ac52b1a03639901743bc173e4dc756a3dfa3cf006

SHA512
37d3a51e2a8d479c8f609dc75417031007c1d4ca078a4c08c5d7e05ead95f8cacde08bbc802ddf52e2261e53c4f0cc020df0b3fdc6ad8bca62c6881b25981e9d

Download Submit
memory/556-101-0x00000000000671E6-mapping.dmp

Download
memory/556-96-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/556-100-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/556-98-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/556-99-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/556-107-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1124-68-0x0000000000370000-0x00000000003B4000-memory.dmp

Filesize
272KB

Download
memory/1124-66-0x0000000000370000-0x00000000003B4000-memory.dmp

Filesize
272KB

Download
memory/1124-69-0x0000000000370000-0x00000000003B4000-memory.dmp

Filesize
272KB

Download
memory/1124-70-0x0000000000370000-0x00000000003B4000-memory.dmp

Filesize
272KB

Download
memory/1124-71-0x0000000000370000-0x00000000003B4000-memory.dmp

Filesize
272KB

Download
memory/1232-74-0x0000000001BF0000-0x0000000001C34000-memory.dmp

Filesize
272KB

Download
memory/1232-75-0x0000000001BF0000-0x0000000001C34000-memory.dmp

Filesize
272KB

Download
memory/1232-76-0x0000000001BF0000-0x0000000001C34000-memory.dmp

Filesize
272KB

Download
memory/1232-77-0x0000000001BF0000-0x0000000001C34000-memory.dmp

Filesize
272KB

Download
memory/1288-80-0x00000000025D0000-0x0000000002614000-memory.dmp

Filesize
272KB

Download
memory/1288-84-0x00000000025D0000-0x0000000002614000-memory.dmp

Filesize
272KB

Download
memory/1288-83-0x00000000025D0000-0x0000000002614000-memory.dmp

Filesize
272KB

Download
memory/1288-81-0x00000000025D0000-0x0000000002614000-memory.dmp

Filesize
272KB

Download
memory/1756-59-0x0000000000000000-mapping.dmp

Download
memory/1756-93-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1756-108-0x0000000000050000-0x00000000000A1000-memory.dmp

Filesize
324KB

Download
memory/1756-82-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1756-64-0x0000000000050000-0x00000000000A1000-memory.dmp

Filesize
324KB

Download
memory/1976-91-0x0000000000220000-0x0000000000271000-memory.dmp

Filesize
324KB

Download
memory/1976-89-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/1976-87-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/1976-54-0x0000000075CF1000-0x0000000075CF3000-memory.dmp

Filesize
8KB

Download
memory/1976-90-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/1976-63-0x0000000000220000-0x0000000000271000-memory.dmp

Filesize
324KB

Download
memory/1976-62-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1976-92-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1976-102-0x0000000001280000-0x00000000012D1000-memory.dmp

Filesize
324KB

Download
memory/1976-103-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/1976-56-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1976-57-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1976-55-0x0000000001280000-0x00000000012D1000-memory.dmp

Filesize
324KB

Download
memory/1976-88-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads