cobaltstrike | c428ad6841f8f7887791a130ca090b6c42df8f2e6fbc3b5ec35ee1f497fd20b7

General

Target

c428ad6841f8f7887791a130ca090b6c42df8f2e6fbc3b5ec35ee1f497fd20b7.exe
Size

313KB
MD5

6a0f00c9e8eb7e2e0fbd485cbcc1c5cd
SHA1

0b29457146c889531209dbf6e1ae941757110455
SHA256

c428ad6841f8f7887791a130ca090b6c42df8f2e6fbc3b5ec35ee1f497fd20b7
SHA512

431a47e7284440a4e027d11e9d71325313025fbbf65c37e10103d2ab1c8b520c4523c2f54d53fd0f44e7a2c3cb8edefeeadfebf59aded862af2c5057acc5f930
SSDEEP

6144:SoKnaembZy9AGfeYc0gkF5Xf6QY/6cAuAQLh3++i2Wgwd:9KQA9b7XMD/naH

Score

10^/10

cobaltstrike backdoor persistence trojan

Malware Config

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Executes dropped EXE 1 IoCs

Processes:

ynry.exe

pid process

1472 ynry.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1704 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

c428ad6841f8f7887791a130ca090b6c42df8f2e6fbc3b5ec35ee1f497fd20b7.exe

pid process

964 c428ad6841f8f7887791a130ca090b6c42df8f2e6fbc3b5ec35ee1f497fd20b7.exe

pid	process
1704	cmd.exe

pid	process
964	c428ad6841f8f7887791a130ca090b6c42df8f2e6fbc3b5ec35ee1f497fd20b7.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ynry.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\Currentversion\Run	ynry.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\{A87A45C8-3774-AD4D-8524-3978BFBA1A65} = "C:\\Users\\Admin\\AppData\\Roaming\\Oqgyku\\ynry.exe"	ynry.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

c428ad6841f8f7887791a130ca090b6c42df8f2e6fbc3b5ec35ee1f497fd20b7.exe

description pid process target process

PID 964 set thread context of 1704 964 c428ad6841f8f7887791a130ca090b6c42df8f2e6fbc3b5ec35ee1f497fd20b7.exe cmd.exe

description	pid	process	target process
PID 964 set thread context of 1704	964	c428ad6841f8f7887791a130ca090b6c42df8f2e6fbc3b5ec35ee1f497fd20b7.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

c428ad6841f8f7887791a130ca090b6c42df8f2e6fbc3b5ec35ee1f497fd20b7.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Privacy	c428ad6841f8f7887791a130ca090b6c42df8f2e6fbc3b5ec35ee1f497fd20b7.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	c428ad6841f8f7887791a130ca090b6c42df8f2e6fbc3b5ec35ee1f497fd20b7.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

ynry.exe

pid	process
1472	ynry.exe
1472	ynry.exe
1472	ynry.exe
1472	ynry.exe
1472	ynry.exe
1472	ynry.exe
1472	ynry.exe
1472	ynry.exe
1472	ynry.exe
1472	ynry.exe
1472	ynry.exe
1472	ynry.exe
1472	ynry.exe
1472	ynry.exe
1472	ynry.exe
1472	ynry.exe
1472	ynry.exe
1472	ynry.exe
1472	ynry.exe
1472	ynry.exe
1472	ynry.exe
1472	ynry.exe
1472	ynry.exe
1472	ynry.exe
1472	ynry.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

c428ad6841f8f7887791a130ca090b6c42df8f2e6fbc3b5ec35ee1f497fd20b7.exeynry.exe

description	pid	process	target process
PID 964 wrote to memory of 1472	964	c428ad6841f8f7887791a130ca090b6c42df8f2e6fbc3b5ec35ee1f497fd20b7.exe	ynry.exe
PID 964 wrote to memory of 1472	964	c428ad6841f8f7887791a130ca090b6c42df8f2e6fbc3b5ec35ee1f497fd20b7.exe	ynry.exe
PID 964 wrote to memory of 1472	964	c428ad6841f8f7887791a130ca090b6c42df8f2e6fbc3b5ec35ee1f497fd20b7.exe	ynry.exe
PID 964 wrote to memory of 1472	964	c428ad6841f8f7887791a130ca090b6c42df8f2e6fbc3b5ec35ee1f497fd20b7.exe	ynry.exe
PID 1472 wrote to memory of 1120	1472	ynry.exe	taskhost.exe
PID 1472 wrote to memory of 1120	1472	ynry.exe	taskhost.exe
PID 1472 wrote to memory of 1120	1472	ynry.exe	taskhost.exe
PID 1472 wrote to memory of 1120	1472	ynry.exe	taskhost.exe
PID 1472 wrote to memory of 1120	1472	ynry.exe	taskhost.exe
PID 1472 wrote to memory of 1176	1472	ynry.exe	Dwm.exe
PID 1472 wrote to memory of 1176	1472	ynry.exe	Dwm.exe
PID 1472 wrote to memory of 1176	1472	ynry.exe	Dwm.exe
PID 1472 wrote to memory of 1176	1472	ynry.exe	Dwm.exe
PID 1472 wrote to memory of 1176	1472	ynry.exe	Dwm.exe
PID 1472 wrote to memory of 1204	1472	ynry.exe	Explorer.EXE
PID 1472 wrote to memory of 1204	1472	ynry.exe	Explorer.EXE
PID 1472 wrote to memory of 1204	1472	ynry.exe	Explorer.EXE
PID 1472 wrote to memory of 1204	1472	ynry.exe	Explorer.EXE
PID 1472 wrote to memory of 1204	1472	ynry.exe	Explorer.EXE
PID 1472 wrote to memory of 964	1472	ynry.exe	c428ad6841f8f7887791a130ca090b6c42df8f2e6fbc3b5ec35ee1f497fd20b7.exe
PID 1472 wrote to memory of 964	1472	ynry.exe	c428ad6841f8f7887791a130ca090b6c42df8f2e6fbc3b5ec35ee1f497fd20b7.exe
PID 1472 wrote to memory of 964	1472	ynry.exe	c428ad6841f8f7887791a130ca090b6c42df8f2e6fbc3b5ec35ee1f497fd20b7.exe
PID 1472 wrote to memory of 964	1472	ynry.exe	c428ad6841f8f7887791a130ca090b6c42df8f2e6fbc3b5ec35ee1f497fd20b7.exe
PID 1472 wrote to memory of 964	1472	ynry.exe	c428ad6841f8f7887791a130ca090b6c42df8f2e6fbc3b5ec35ee1f497fd20b7.exe
PID 964 wrote to memory of 1704	964	c428ad6841f8f7887791a130ca090b6c42df8f2e6fbc3b5ec35ee1f497fd20b7.exe	cmd.exe
PID 964 wrote to memory of 1704	964	c428ad6841f8f7887791a130ca090b6c42df8f2e6fbc3b5ec35ee1f497fd20b7.exe	cmd.exe
PID 964 wrote to memory of 1704	964	c428ad6841f8f7887791a130ca090b6c42df8f2e6fbc3b5ec35ee1f497fd20b7.exe	cmd.exe
PID 964 wrote to memory of 1704	964	c428ad6841f8f7887791a130ca090b6c42df8f2e6fbc3b5ec35ee1f497fd20b7.exe	cmd.exe
PID 964 wrote to memory of 1704	964	c428ad6841f8f7887791a130ca090b6c42df8f2e6fbc3b5ec35ee1f497fd20b7.exe	cmd.exe
PID 964 wrote to memory of 1704	964	c428ad6841f8f7887791a130ca090b6c42df8f2e6fbc3b5ec35ee1f497fd20b7.exe	cmd.exe
PID 964 wrote to memory of 1704	964	c428ad6841f8f7887791a130ca090b6c42df8f2e6fbc3b5ec35ee1f497fd20b7.exe	cmd.exe
PID 964 wrote to memory of 1704	964	c428ad6841f8f7887791a130ca090b6c42df8f2e6fbc3b5ec35ee1f497fd20b7.exe	cmd.exe
PID 964 wrote to memory of 1704	964	c428ad6841f8f7887791a130ca090b6c42df8f2e6fbc3b5ec35ee1f497fd20b7.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204

C:\Users\Admin\AppData\Local\Temp\c428ad6841f8f7887791a130ca090b6c42df8f2e6fbc3b5ec35ee1f497fd20b7.exe
"C:\Users\Admin\AppData\Local\Temp\c428ad6841f8f7887791a130ca090b6c42df8f2e6fbc3b5ec35ee1f497fd20b7.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:964

C:\Users\Admin\AppData\Roaming\Oqgyku\ynry.exe
"C:\Users\Admin\AppData\Roaming\Oqgyku\ynry.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1472

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp591a0cde.bat"
3⤵
- Deletes itself
PID:1704

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1176

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1120

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp591a0cde.bat
Filesize
307B

MD5
64abe02b43c414791cb2abda2783620c

SHA1
2d550e518c6541a07500bbcb222813fdd1f3aeb9

SHA256
459d8011f35ff588c1b29fe0dba9af5bcebf3a90d4bd6a6613de70609e47fa67

SHA512
0f1f20ef2ddf3e3b05efdd3aa218a8c325756099b9924304a93046e334816d41278d8a335bcaec582f1f337ba701e4745f0494bffef816e4ad8af052f50996eb

Download Submit
C:\Users\Admin\AppData\Roaming\Oqgyku\ynry.exe
Filesize
313KB

MD5
1ef2636bf43f2e308d5c5dd32e0296a3

SHA1
bcefa3e2dcaa40482723e6a815ff0857dd0a7cbf

SHA256
750c619a91107b63c076108ba6cc9895b07a2d94c32bcc58a91226bc29285f1c

SHA512
aafd90b6ef94e6d2feb29bcbeacd14311846cf069afd37a8dcda676e173908e2ac111d47907ee9fd3e1674e8afac10d8ea443ca72f6e496361acd8a45bc03164

Download Submit
C:\Users\Admin\AppData\Roaming\Oqgyku\ynry.exe
Filesize
313KB

MD5
1ef2636bf43f2e308d5c5dd32e0296a3

SHA1
bcefa3e2dcaa40482723e6a815ff0857dd0a7cbf

SHA256
750c619a91107b63c076108ba6cc9895b07a2d94c32bcc58a91226bc29285f1c

SHA512
aafd90b6ef94e6d2feb29bcbeacd14311846cf069afd37a8dcda676e173908e2ac111d47907ee9fd3e1674e8afac10d8ea443ca72f6e496361acd8a45bc03164

Download Submit
\Users\Admin\AppData\Roaming\Oqgyku\ynry.exe
Filesize
313KB

MD5
1ef2636bf43f2e308d5c5dd32e0296a3

SHA1
bcefa3e2dcaa40482723e6a815ff0857dd0a7cbf

SHA256
750c619a91107b63c076108ba6cc9895b07a2d94c32bcc58a91226bc29285f1c

SHA512
aafd90b6ef94e6d2feb29bcbeacd14311846cf069afd37a8dcda676e173908e2ac111d47907ee9fd3e1674e8afac10d8ea443ca72f6e496361acd8a45bc03164

Download Submit
memory/964-55-0x0000000075DA1000-0x0000000075DA3000-memory.dmp

Filesize
8KB

Download
memory/964-101-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/964-60-0x0000000001D00000-0x0000000001D5A000-memory.dmp

Filesize
360KB

Download
memory/964-57-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/964-56-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/964-102-0x0000000001D00000-0x0000000001D44000-memory.dmp

Filesize
272KB

Download
memory/964-59-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/964-88-0x0000000001D00000-0x0000000001D44000-memory.dmp

Filesize
272KB

Download
memory/964-86-0x0000000001D00000-0x0000000001D44000-memory.dmp

Filesize
272KB

Download
memory/964-87-0x0000000001D00000-0x0000000001D44000-memory.dmp

Filesize
272KB

Download
memory/964-89-0x0000000001D00000-0x0000000001D44000-memory.dmp

Filesize
272KB

Download
memory/964-91-0x0000000001D00000-0x0000000001D5A000-memory.dmp

Filesize
360KB

Download
memory/964-100-0x00000000008A0000-0x00000000008FA000-memory.dmp

Filesize
360KB

Download
memory/964-54-0x00000000008A0000-0x00000000008FA000-memory.dmp

Filesize
360KB

Download
memory/1120-68-0x0000000001DC0000-0x0000000001E04000-memory.dmp

Filesize
272KB

Download
memory/1120-71-0x0000000001DC0000-0x0000000001E04000-memory.dmp

Filesize
272KB

Download
memory/1120-70-0x0000000001DC0000-0x0000000001E04000-memory.dmp

Filesize
272KB

Download
memory/1120-69-0x0000000001DC0000-0x0000000001E04000-memory.dmp

Filesize
272KB

Download
memory/1120-66-0x0000000001DC0000-0x0000000001E04000-memory.dmp

Filesize
272KB

Download
memory/1176-76-0x0000000001B00000-0x0000000001B44000-memory.dmp

Filesize
272KB

Download
memory/1176-75-0x0000000001B00000-0x0000000001B44000-memory.dmp

Filesize
272KB

Download
memory/1176-74-0x0000000001B00000-0x0000000001B44000-memory.dmp

Filesize
272KB

Download
memory/1176-77-0x0000000001B00000-0x0000000001B44000-memory.dmp

Filesize
272KB

Download
memory/1204-81-0x00000000025B0000-0x00000000025F4000-memory.dmp

Filesize
272KB

Download
memory/1204-80-0x00000000025B0000-0x00000000025F4000-memory.dmp

Filesize
272KB

Download
memory/1204-83-0x00000000025B0000-0x00000000025F4000-memory.dmp

Filesize
272KB

Download
memory/1204-82-0x00000000025B0000-0x00000000025F4000-memory.dmp

Filesize
272KB

Download
memory/1472-107-0x0000000000C00000-0x0000000000C5A000-memory.dmp

Filesize
360KB

Download
memory/1472-90-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1472-106-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1472-61-0x0000000000000000-mapping.dmp

Download
memory/1472-63-0x0000000000C00000-0x0000000000C5A000-memory.dmp

Filesize
360KB

Download
memory/1704-97-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1704-99-0x00000000000671E6-mapping.dmp

Download
memory/1704-98-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1704-105-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1704-96-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1704-94-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads