cobaltstrike | cc9d45cb35fcece1306a6f81c535e34bf85a2da032beb823b533da20eefcc860

General

Target

cc9d45cb35fcece1306a6f81c535e34bf85a2da032beb823b533da20eefcc860.exe
Size

307KB
MD5

fa80e4685a9e30b4af16cc7579a7f9f3
SHA1

15ed4276a11085f93bff1be573f4256b70583098
SHA256

cc9d45cb35fcece1306a6f81c535e34bf85a2da032beb823b533da20eefcc860
SHA512

dfed166912107049fd3bc636f761be65d64405840daea8016dab4d27037b3e848de421eb382b011a6cb05423d483e8205efe27ab2b3fe5ab96f1114a9511f49e
SSDEEP

6144:2qzcT72Y0S5zinYKTY1SQshfRPVQe1MZkIYSccr7wbstOVPECYeixlYGiczyl:2Cg7SSAYsY1UMqMZJYSN7wbstOV8fveJ

Score

10^/10

cobaltstrike backdoor persistence trojan

Malware Config

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Executes dropped EXE 1 IoCs

Processes:

fois.exe

pid process

1488 fois.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

976 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

cc9d45cb35fcece1306a6f81c535e34bf85a2da032beb823b533da20eefcc860.exe

pid process

1416 cc9d45cb35fcece1306a6f81c535e34bf85a2da032beb823b533da20eefcc860.exe

pid	process
976	cmd.exe

pid	process
1416	cc9d45cb35fcece1306a6f81c535e34bf85a2da032beb823b533da20eefcc860.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

fois.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\Currentversion\Run	fois.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\{A87A45C8-3774-AD4D-8524-3978BFBA1A65} = "C:\\Users\\Admin\\AppData\\Roaming\\Ygiwy\\fois.exe"	fois.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

cc9d45cb35fcece1306a6f81c535e34bf85a2da032beb823b533da20eefcc860.exe

description pid process target process

PID 1416 set thread context of 976 1416 cc9d45cb35fcece1306a6f81c535e34bf85a2da032beb823b533da20eefcc860.exe cmd.exe

description	pid	process	target process
PID 1416 set thread context of 976	1416	cc9d45cb35fcece1306a6f81c535e34bf85a2da032beb823b533da20eefcc860.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

cc9d45cb35fcece1306a6f81c535e34bf85a2da032beb823b533da20eefcc860.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Privacy	cc9d45cb35fcece1306a6f81c535e34bf85a2da032beb823b533da20eefcc860.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	cc9d45cb35fcece1306a6f81c535e34bf85a2da032beb823b533da20eefcc860.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

fois.exe

pid	process
1488	fois.exe
1488	fois.exe
1488	fois.exe
1488	fois.exe
1488	fois.exe
1488	fois.exe
1488	fois.exe
1488	fois.exe
1488	fois.exe
1488	fois.exe
1488	fois.exe
1488	fois.exe
1488	fois.exe
1488	fois.exe
1488	fois.exe
1488	fois.exe
1488	fois.exe
1488	fois.exe
1488	fois.exe
1488	fois.exe
1488	fois.exe
1488	fois.exe
1488	fois.exe
1488	fois.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

cc9d45cb35fcece1306a6f81c535e34bf85a2da032beb823b533da20eefcc860.exefois.exe

description	pid	process	target process
PID 1416 wrote to memory of 1488	1416	cc9d45cb35fcece1306a6f81c535e34bf85a2da032beb823b533da20eefcc860.exe	fois.exe
PID 1416 wrote to memory of 1488	1416	cc9d45cb35fcece1306a6f81c535e34bf85a2da032beb823b533da20eefcc860.exe	fois.exe
PID 1416 wrote to memory of 1488	1416	cc9d45cb35fcece1306a6f81c535e34bf85a2da032beb823b533da20eefcc860.exe	fois.exe
PID 1416 wrote to memory of 1488	1416	cc9d45cb35fcece1306a6f81c535e34bf85a2da032beb823b533da20eefcc860.exe	fois.exe
PID 1488 wrote to memory of 1120	1488	fois.exe	taskhost.exe
PID 1488 wrote to memory of 1120	1488	fois.exe	taskhost.exe
PID 1488 wrote to memory of 1120	1488	fois.exe	taskhost.exe
PID 1488 wrote to memory of 1120	1488	fois.exe	taskhost.exe
PID 1488 wrote to memory of 1120	1488	fois.exe	taskhost.exe
PID 1488 wrote to memory of 1184	1488	fois.exe	Dwm.exe
PID 1488 wrote to memory of 1184	1488	fois.exe	Dwm.exe
PID 1488 wrote to memory of 1184	1488	fois.exe	Dwm.exe
PID 1488 wrote to memory of 1184	1488	fois.exe	Dwm.exe
PID 1488 wrote to memory of 1184	1488	fois.exe	Dwm.exe
PID 1488 wrote to memory of 1264	1488	fois.exe	Explorer.EXE
PID 1488 wrote to memory of 1264	1488	fois.exe	Explorer.EXE
PID 1488 wrote to memory of 1264	1488	fois.exe	Explorer.EXE
PID 1488 wrote to memory of 1264	1488	fois.exe	Explorer.EXE
PID 1488 wrote to memory of 1264	1488	fois.exe	Explorer.EXE
PID 1488 wrote to memory of 1416	1488	fois.exe	cc9d45cb35fcece1306a6f81c535e34bf85a2da032beb823b533da20eefcc860.exe
PID 1488 wrote to memory of 1416	1488	fois.exe	cc9d45cb35fcece1306a6f81c535e34bf85a2da032beb823b533da20eefcc860.exe
PID 1488 wrote to memory of 1416	1488	fois.exe	cc9d45cb35fcece1306a6f81c535e34bf85a2da032beb823b533da20eefcc860.exe
PID 1488 wrote to memory of 1416	1488	fois.exe	cc9d45cb35fcece1306a6f81c535e34bf85a2da032beb823b533da20eefcc860.exe
PID 1488 wrote to memory of 1416	1488	fois.exe	cc9d45cb35fcece1306a6f81c535e34bf85a2da032beb823b533da20eefcc860.exe
PID 1416 wrote to memory of 976	1416	cc9d45cb35fcece1306a6f81c535e34bf85a2da032beb823b533da20eefcc860.exe	cmd.exe
PID 1416 wrote to memory of 976	1416	cc9d45cb35fcece1306a6f81c535e34bf85a2da032beb823b533da20eefcc860.exe	cmd.exe
PID 1416 wrote to memory of 976	1416	cc9d45cb35fcece1306a6f81c535e34bf85a2da032beb823b533da20eefcc860.exe	cmd.exe
PID 1416 wrote to memory of 976	1416	cc9d45cb35fcece1306a6f81c535e34bf85a2da032beb823b533da20eefcc860.exe	cmd.exe
PID 1416 wrote to memory of 976	1416	cc9d45cb35fcece1306a6f81c535e34bf85a2da032beb823b533da20eefcc860.exe	cmd.exe
PID 1416 wrote to memory of 976	1416	cc9d45cb35fcece1306a6f81c535e34bf85a2da032beb823b533da20eefcc860.exe	cmd.exe
PID 1416 wrote to memory of 976	1416	cc9d45cb35fcece1306a6f81c535e34bf85a2da032beb823b533da20eefcc860.exe	cmd.exe
PID 1416 wrote to memory of 976	1416	cc9d45cb35fcece1306a6f81c535e34bf85a2da032beb823b533da20eefcc860.exe	cmd.exe
PID 1416 wrote to memory of 976	1416	cc9d45cb35fcece1306a6f81c535e34bf85a2da032beb823b533da20eefcc860.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1264

C:\Users\Admin\AppData\Local\Temp\cc9d45cb35fcece1306a6f81c535e34bf85a2da032beb823b533da20eefcc860.exe
"C:\Users\Admin\AppData\Local\Temp\cc9d45cb35fcece1306a6f81c535e34bf85a2da032beb823b533da20eefcc860.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1416

C:\Users\Admin\AppData\Roaming\Ygiwy\fois.exe
"C:\Users\Admin\AppData\Roaming\Ygiwy\fois.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1488

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpc0caec15.bat"
3⤵
- Deletes itself
PID:976

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1184

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1120

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\icof.axd
Filesize
466B

MD5
d4b3ee3cd0334cf96d16e2627913e697

SHA1
392b0c3344f87de8fc44b1b6e50a7ecee0658a6a

SHA256
caa1c1ddb0e253ae2484cf5ed3d8c0c1cace772b96e27d7103aa3e8cd065c488

SHA512
98af4c3353e2e2dfe4b0590cd0c988f71764831a590a88256df07478fc0d02f689a23fd6326817fd7282a6f34a93a2b8d5e81d01b1a4601d51e6a22a3996df65

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpc0caec15.bat
Filesize
307B

MD5
f1df76dca5181baee0265ffa64f6b580

SHA1
f5078ebb6c105ea2a2db3a21e8d9a1c11b0c981c

SHA256
fd99da38b824a79de8483b910708a317e245d6df631c88cd485e8b061edbf992

SHA512
82ae7d60bdc9535a7dfd87d3d63d031297f891adb9fc64080cab366602a32a4ba739ffb8c9f636430bc98e6e9cecfb2e227eb61d378b3f1a99aa60f74f37737d

Download Submit
C:\Users\Admin\AppData\Roaming\Ygiwy\fois.exe
Filesize
307KB

MD5
0f0dd999105fbf44edc505feecef58d5

SHA1
c21701f4c9e761674ca72518a8aa649068598532

SHA256
6ae3c057d7c432564fca2b250c87dfdb793674ef13851f7f672ae65c0e3dc8d2

SHA512
a0c6b2617efe8f9cce73aa4adcfe27676ed216a75df147c8be37545b8ea9099e65c1de851232f069942b3e24e280876cea6bf4b7dd3ebe88c5edd2d065ed4199

Download Submit
C:\Users\Admin\AppData\Roaming\Ygiwy\fois.exe
Filesize
307KB

MD5
0f0dd999105fbf44edc505feecef58d5

SHA1
c21701f4c9e761674ca72518a8aa649068598532

SHA256
6ae3c057d7c432564fca2b250c87dfdb793674ef13851f7f672ae65c0e3dc8d2

SHA512
a0c6b2617efe8f9cce73aa4adcfe27676ed216a75df147c8be37545b8ea9099e65c1de851232f069942b3e24e280876cea6bf4b7dd3ebe88c5edd2d065ed4199

Download Submit
\Users\Admin\AppData\Roaming\Ygiwy\fois.exe
Filesize
307KB

MD5
0f0dd999105fbf44edc505feecef58d5

SHA1
c21701f4c9e761674ca72518a8aa649068598532

SHA256
6ae3c057d7c432564fca2b250c87dfdb793674ef13851f7f672ae65c0e3dc8d2

SHA512
a0c6b2617efe8f9cce73aa4adcfe27676ed216a75df147c8be37545b8ea9099e65c1de851232f069942b3e24e280876cea6bf4b7dd3ebe88c5edd2d065ed4199

Download Submit
memory/976-96-0x00000000001D0000-0x0000000000214000-memory.dmp

Filesize
272KB

Download
memory/976-108-0x00000000001D0000-0x0000000000214000-memory.dmp

Filesize
272KB

Download
memory/976-101-0x00000000001E71E6-mapping.dmp

Download
memory/976-100-0x00000000001D0000-0x0000000000214000-memory.dmp

Filesize
272KB

Download
memory/976-99-0x00000000001D0000-0x0000000000214000-memory.dmp

Filesize
272KB

Download
memory/976-98-0x00000000001D0000-0x0000000000214000-memory.dmp

Filesize
272KB

Download
memory/1120-66-0x0000000001B40000-0x0000000001B84000-memory.dmp

Filesize
272KB

Download
memory/1120-68-0x0000000001B40000-0x0000000001B84000-memory.dmp

Filesize
272KB

Download
memory/1120-69-0x0000000001B40000-0x0000000001B84000-memory.dmp

Filesize
272KB

Download
memory/1120-70-0x0000000001B40000-0x0000000001B84000-memory.dmp

Filesize
272KB

Download
memory/1120-71-0x0000000001B40000-0x0000000001B84000-memory.dmp

Filesize
272KB

Download
memory/1184-74-0x0000000000130000-0x0000000000174000-memory.dmp

Filesize
272KB

Download
memory/1184-75-0x0000000000130000-0x0000000000174000-memory.dmp

Filesize
272KB

Download
memory/1184-76-0x0000000000130000-0x0000000000174000-memory.dmp

Filesize
272KB

Download
memory/1184-77-0x0000000000130000-0x0000000000174000-memory.dmp

Filesize
272KB

Download
memory/1264-80-0x0000000002A90000-0x0000000002AD4000-memory.dmp

Filesize
272KB

Download
memory/1264-81-0x0000000002A90000-0x0000000002AD4000-memory.dmp

Filesize
272KB

Download
memory/1264-82-0x0000000002A90000-0x0000000002AD4000-memory.dmp

Filesize
272KB

Download
memory/1264-83-0x0000000002A90000-0x0000000002AD4000-memory.dmp

Filesize
272KB

Download
memory/1416-58-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1416-102-0x00000000000C0000-0x0000000000110000-memory.dmp

Filesize
320KB

Download
memory/1416-88-0x0000000001CE0000-0x0000000001D24000-memory.dmp

Filesize
272KB

Download
memory/1416-89-0x0000000001CE0000-0x0000000001D24000-memory.dmp

Filesize
272KB

Download
memory/1416-55-0x0000000075F01000-0x0000000075F03000-memory.dmp

Filesize
8KB

Download
memory/1416-91-0x0000000001CE0000-0x0000000001D30000-memory.dmp

Filesize
320KB

Download
memory/1416-92-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1416-57-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1416-54-0x00000000000C0000-0x0000000000110000-memory.dmp

Filesize
320KB

Download
memory/1416-56-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1416-62-0x0000000001CE0000-0x0000000001D30000-memory.dmp

Filesize
320KB

Download
memory/1416-104-0x0000000001CE0000-0x0000000001D24000-memory.dmp

Filesize
272KB

Download
memory/1416-86-0x0000000001CE0000-0x0000000001D24000-memory.dmp

Filesize
272KB

Download
memory/1416-87-0x0000000001CE0000-0x0000000001D24000-memory.dmp

Filesize
272KB

Download
memory/1416-103-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1488-60-0x0000000000000000-mapping.dmp

Download
memory/1488-63-0x0000000000390000-0x00000000003E0000-memory.dmp

Filesize
320KB

Download
memory/1488-93-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1488-90-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1488-109-0x0000000000390000-0x00000000003E0000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads