cobaltstrike | cba4dc3944d8b66096c2793cd22c3ead4948491a5305ff854119e3a3f210df66

General

Target

cba4dc3944d8b66096c2793cd22c3ead4948491a5305ff854119e3a3f210df66.exe
Size

305KB
MD5

c70406bfb78cd8d79f8d413b56889865
SHA1

05f979194b6209dfcd82fe736ea0c1d1d3c28255
SHA256

cba4dc3944d8b66096c2793cd22c3ead4948491a5305ff854119e3a3f210df66
SHA512

6b762d5109da4e3a26ee7a58f89a330a0711d9c859c3ca729646fba8a05c8161544bb56bcdcc168f0741ef09587efea151116bef36011b692c6eae778c177da3
SSDEEP

6144:5GSz+T72Y0STzinYKTY1SQshfRPVQe1MZkIYSccr7wbstOrPECYeixlYGicM:5Gqq7SS6YsY1UMqMZJYSN7wbstOr8fvW

Score

10^/10

cobaltstrike backdoor persistence trojan

Malware Config

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Executes dropped EXE 1 IoCs

Processes:

jycoix.exe

pid process

1756 jycoix.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1572 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

cba4dc3944d8b66096c2793cd22c3ead4948491a5305ff854119e3a3f210df66.exe

pid process

1048 cba4dc3944d8b66096c2793cd22c3ead4948491a5305ff854119e3a3f210df66.exe

pid	process
1572	cmd.exe

pid	process
1048	cba4dc3944d8b66096c2793cd22c3ead4948491a5305ff854119e3a3f210df66.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

jycoix.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\Currentversion\Run	jycoix.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\{7B4F18C8-4FEF-AD4D-3A07-B8B71A0C9BAA} = "C:\\Users\\Admin\\AppData\\Roaming\\Rykou\\jycoix.exe"	jycoix.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

cba4dc3944d8b66096c2793cd22c3ead4948491a5305ff854119e3a3f210df66.exe

description	pid	process	target process
PID 1048 set thread context of 1572	1048	cba4dc3944d8b66096c2793cd22c3ead4948491a5305ff854119e3a3f210df66.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

cba4dc3944d8b66096c2793cd22c3ead4948491a5305ff854119e3a3f210df66.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Privacy	cba4dc3944d8b66096c2793cd22c3ead4948491a5305ff854119e3a3f210df66.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	cba4dc3944d8b66096c2793cd22c3ead4948491a5305ff854119e3a3f210df66.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

jycoix.exe

pid	process
1756	jycoix.exe
1756	jycoix.exe
1756	jycoix.exe
1756	jycoix.exe
1756	jycoix.exe
1756	jycoix.exe
1756	jycoix.exe
1756	jycoix.exe
1756	jycoix.exe
1756	jycoix.exe
1756	jycoix.exe
1756	jycoix.exe
1756	jycoix.exe
1756	jycoix.exe
1756	jycoix.exe
1756	jycoix.exe
1756	jycoix.exe
1756	jycoix.exe
1756	jycoix.exe
1756	jycoix.exe
1756	jycoix.exe
1756	jycoix.exe
1756	jycoix.exe
1756	jycoix.exe
1756	jycoix.exe
1756	jycoix.exe
1756	jycoix.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

cba4dc3944d8b66096c2793cd22c3ead4948491a5305ff854119e3a3f210df66.exejycoix.exe

description	pid	process	target process
PID 1048 wrote to memory of 1756	1048	cba4dc3944d8b66096c2793cd22c3ead4948491a5305ff854119e3a3f210df66.exe	jycoix.exe
PID 1048 wrote to memory of 1756	1048	cba4dc3944d8b66096c2793cd22c3ead4948491a5305ff854119e3a3f210df66.exe	jycoix.exe
PID 1048 wrote to memory of 1756	1048	cba4dc3944d8b66096c2793cd22c3ead4948491a5305ff854119e3a3f210df66.exe	jycoix.exe
PID 1048 wrote to memory of 1756	1048	cba4dc3944d8b66096c2793cd22c3ead4948491a5305ff854119e3a3f210df66.exe	jycoix.exe
PID 1756 wrote to memory of 1104	1756	jycoix.exe	taskhost.exe
PID 1756 wrote to memory of 1104	1756	jycoix.exe	taskhost.exe
PID 1756 wrote to memory of 1104	1756	jycoix.exe	taskhost.exe
PID 1756 wrote to memory of 1104	1756	jycoix.exe	taskhost.exe
PID 1756 wrote to memory of 1104	1756	jycoix.exe	taskhost.exe
PID 1756 wrote to memory of 1184	1756	jycoix.exe	Dwm.exe
PID 1756 wrote to memory of 1184	1756	jycoix.exe	Dwm.exe
PID 1756 wrote to memory of 1184	1756	jycoix.exe	Dwm.exe
PID 1756 wrote to memory of 1184	1756	jycoix.exe	Dwm.exe
PID 1756 wrote to memory of 1184	1756	jycoix.exe	Dwm.exe
PID 1756 wrote to memory of 1216	1756	jycoix.exe	Explorer.EXE
PID 1756 wrote to memory of 1216	1756	jycoix.exe	Explorer.EXE
PID 1756 wrote to memory of 1216	1756	jycoix.exe	Explorer.EXE
PID 1756 wrote to memory of 1216	1756	jycoix.exe	Explorer.EXE
PID 1756 wrote to memory of 1216	1756	jycoix.exe	Explorer.EXE
PID 1756 wrote to memory of 1048	1756	jycoix.exe	cba4dc3944d8b66096c2793cd22c3ead4948491a5305ff854119e3a3f210df66.exe
PID 1756 wrote to memory of 1048	1756	jycoix.exe	cba4dc3944d8b66096c2793cd22c3ead4948491a5305ff854119e3a3f210df66.exe
PID 1756 wrote to memory of 1048	1756	jycoix.exe	cba4dc3944d8b66096c2793cd22c3ead4948491a5305ff854119e3a3f210df66.exe
PID 1756 wrote to memory of 1048	1756	jycoix.exe	cba4dc3944d8b66096c2793cd22c3ead4948491a5305ff854119e3a3f210df66.exe
PID 1756 wrote to memory of 1048	1756	jycoix.exe	cba4dc3944d8b66096c2793cd22c3ead4948491a5305ff854119e3a3f210df66.exe
PID 1048 wrote to memory of 1572	1048	cba4dc3944d8b66096c2793cd22c3ead4948491a5305ff854119e3a3f210df66.exe	cmd.exe
PID 1048 wrote to memory of 1572	1048	cba4dc3944d8b66096c2793cd22c3ead4948491a5305ff854119e3a3f210df66.exe	cmd.exe
PID 1048 wrote to memory of 1572	1048	cba4dc3944d8b66096c2793cd22c3ead4948491a5305ff854119e3a3f210df66.exe	cmd.exe
PID 1048 wrote to memory of 1572	1048	cba4dc3944d8b66096c2793cd22c3ead4948491a5305ff854119e3a3f210df66.exe	cmd.exe
PID 1048 wrote to memory of 1572	1048	cba4dc3944d8b66096c2793cd22c3ead4948491a5305ff854119e3a3f210df66.exe	cmd.exe
PID 1048 wrote to memory of 1572	1048	cba4dc3944d8b66096c2793cd22c3ead4948491a5305ff854119e3a3f210df66.exe	cmd.exe
PID 1048 wrote to memory of 1572	1048	cba4dc3944d8b66096c2793cd22c3ead4948491a5305ff854119e3a3f210df66.exe	cmd.exe
PID 1048 wrote to memory of 1572	1048	cba4dc3944d8b66096c2793cd22c3ead4948491a5305ff854119e3a3f210df66.exe	cmd.exe
PID 1048 wrote to memory of 1572	1048	cba4dc3944d8b66096c2793cd22c3ead4948491a5305ff854119e3a3f210df66.exe	cmd.exe
PID 1756 wrote to memory of 1260	1756	jycoix.exe	DllHost.exe
PID 1756 wrote to memory of 1260	1756	jycoix.exe	DllHost.exe
PID 1756 wrote to memory of 1260	1756	jycoix.exe	DllHost.exe
PID 1756 wrote to memory of 1260	1756	jycoix.exe	DllHost.exe
PID 1756 wrote to memory of 1260	1756	jycoix.exe	DllHost.exe
PID 1756 wrote to memory of 576	1756	jycoix.exe	DllHost.exe
PID 1756 wrote to memory of 576	1756	jycoix.exe	DllHost.exe
PID 1756 wrote to memory of 576	1756	jycoix.exe	DllHost.exe
PID 1756 wrote to memory of 576	1756	jycoix.exe	DllHost.exe
PID 1756 wrote to memory of 576	1756	jycoix.exe	DllHost.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1104

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1184

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1216

C:\Users\Admin\AppData\Local\Temp\cba4dc3944d8b66096c2793cd22c3ead4948491a5305ff854119e3a3f210df66.exe
"C:\Users\Admin\AppData\Local\Temp\cba4dc3944d8b66096c2793cd22c3ead4948491a5305ff854119e3a3f210df66.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1048

C:\Users\Admin\AppData\Roaming\Rykou\jycoix.exe
"C:\Users\Admin\AppData\Roaming\Rykou\jycoix.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1756

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp62f19663.bat"
3⤵
- Deletes itself
PID:1572

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1260

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:576

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\hagoz.ozf
Filesize
466B

MD5
e6782e099b368f87c6286c25b12c48cc

SHA1
3c902f16a225bc25c61d329c436c5c94e91dcb0e

SHA256
2924b898c3904fe8f3fe451812e2585f19d409d4843ff54d8965ba74e33ef28e

SHA512
7b91fe6f6dcda553513c83e055bc1f38483b8f4269f19b3e0a80af1d8c825472faa92c9bb0ea092af9aac54427ec29a7e280c849e4c453b478834b57e6edceb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp62f19663.bat
Filesize
307B

MD5
4383ce9949f1231986d90dcdfb4dfde3

SHA1
2f42664b276352c791ad864d706d1d500a29ffe5

SHA256
77d3017e36ec3c772be3aaa47f65eec249b417b7f8460863822f17c4fb49b100

SHA512
a29bc78c13b0d5eefec676430bd84e186226a7443c104ea789d761e832d3d721072c0436ebf61e1fd972e5bfa7d057df523a5a939ac0f7aceac3e195125b94a3

Download Submit
C:\Users\Admin\AppData\Roaming\Rykou\jycoix.exe
Filesize
305KB

MD5
1593883f5ddba7c66d24bfab76793e54

SHA1
f00cb4099e929679be057fde5b16dc23ea1792e9

SHA256
3e57ea9c131cc5277a62caf97fa0468bfa2f89267b2fd84913c39b2952dc8c42

SHA512
ffe2aefd1b442255aa9a3465c959ae584d793e7cd8e38ef2b01ad69b6f48e4e8031d94e1da1d0b6291114696c1d854662071cbaed7374912d70e9efdeb8bb3eb

Download Submit
C:\Users\Admin\AppData\Roaming\Rykou\jycoix.exe
Filesize
305KB

MD5
1593883f5ddba7c66d24bfab76793e54

SHA1
f00cb4099e929679be057fde5b16dc23ea1792e9

SHA256
3e57ea9c131cc5277a62caf97fa0468bfa2f89267b2fd84913c39b2952dc8c42

SHA512
ffe2aefd1b442255aa9a3465c959ae584d793e7cd8e38ef2b01ad69b6f48e4e8031d94e1da1d0b6291114696c1d854662071cbaed7374912d70e9efdeb8bb3eb

Download Submit
\Users\Admin\AppData\Roaming\Rykou\jycoix.exe
Filesize
305KB

MD5
1593883f5ddba7c66d24bfab76793e54

SHA1
f00cb4099e929679be057fde5b16dc23ea1792e9

SHA256
3e57ea9c131cc5277a62caf97fa0468bfa2f89267b2fd84913c39b2952dc8c42

SHA512
ffe2aefd1b442255aa9a3465c959ae584d793e7cd8e38ef2b01ad69b6f48e4e8031d94e1da1d0b6291114696c1d854662071cbaed7374912d70e9efdeb8bb3eb

Download Submit
memory/576-120-0x0000000003A50000-0x0000000003A94000-memory.dmp

Filesize
272KB

Download
memory/576-119-0x0000000003A50000-0x0000000003A94000-memory.dmp

Filesize
272KB

Download
memory/576-118-0x0000000003A50000-0x0000000003A94000-memory.dmp

Filesize
272KB

Download
memory/576-117-0x0000000003A50000-0x0000000003A94000-memory.dmp

Filesize
272KB

Download
memory/1048-104-0x0000000001F00000-0x0000000001F50000-memory.dmp

Filesize
320KB

Download
memory/1048-87-0x0000000001F00000-0x0000000001F44000-memory.dmp

Filesize
272KB

Download
memory/1048-101-0x0000000000820000-0x0000000000870000-memory.dmp

Filesize
320KB

Download
memory/1048-103-0x0000000001F00000-0x0000000001F44000-memory.dmp

Filesize
272KB

Download
memory/1048-54-0x0000000000820000-0x0000000000870000-memory.dmp

Filesize
320KB

Download
memory/1048-91-0x0000000001F00000-0x0000000001F50000-memory.dmp

Filesize
320KB

Download
memory/1048-62-0x0000000001F00000-0x0000000001F50000-memory.dmp

Filesize
320KB

Download
memory/1048-89-0x0000000001F00000-0x0000000001F44000-memory.dmp

Filesize
272KB

Download
memory/1048-88-0x0000000001F00000-0x0000000001F44000-memory.dmp

Filesize
272KB

Download
memory/1048-99-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1048-86-0x0000000001F00000-0x0000000001F44000-memory.dmp

Filesize
272KB

Download
memory/1048-55-0x0000000076171000-0x0000000076173000-memory.dmp

Filesize
8KB

Download
memory/1048-56-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1048-57-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1048-61-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1104-71-0x0000000001E60000-0x0000000001EA4000-memory.dmp

Filesize
272KB

Download
memory/1104-70-0x0000000001E60000-0x0000000001EA4000-memory.dmp

Filesize
272KB

Download
memory/1104-69-0x0000000001E60000-0x0000000001EA4000-memory.dmp

Filesize
272KB

Download
memory/1104-68-0x0000000001E60000-0x0000000001EA4000-memory.dmp

Filesize
272KB

Download
memory/1104-66-0x0000000001E60000-0x0000000001EA4000-memory.dmp

Filesize
272KB

Download
memory/1184-74-0x00000000001A0000-0x00000000001E4000-memory.dmp

Filesize
272KB

Download
memory/1184-77-0x00000000001A0000-0x00000000001E4000-memory.dmp

Filesize
272KB

Download
memory/1184-76-0x00000000001A0000-0x00000000001E4000-memory.dmp

Filesize
272KB

Download
memory/1184-75-0x00000000001A0000-0x00000000001E4000-memory.dmp

Filesize
272KB

Download
memory/1216-80-0x0000000002B10000-0x0000000002B54000-memory.dmp

Filesize
272KB

Download
memory/1216-83-0x0000000002B10000-0x0000000002B54000-memory.dmp

Filesize
272KB

Download
memory/1216-81-0x0000000002B10000-0x0000000002B54000-memory.dmp

Filesize
272KB

Download
memory/1216-82-0x0000000002B10000-0x0000000002B54000-memory.dmp

Filesize
272KB

Download
memory/1260-111-0x0000000002460000-0x00000000024A4000-memory.dmp

Filesize
272KB

Download
memory/1260-112-0x0000000002460000-0x00000000024A4000-memory.dmp

Filesize
272KB

Download
memory/1260-114-0x0000000002460000-0x00000000024A4000-memory.dmp

Filesize
272KB

Download
memory/1260-113-0x0000000002460000-0x00000000024A4000-memory.dmp

Filesize
272KB

Download
memory/1572-108-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1572-98-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1572-96-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1572-97-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1572-100-0x00000000000671E6-mapping.dmp

Download
memory/1572-94-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1756-90-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1756-102-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1756-59-0x0000000000000000-mapping.dmp

Download
memory/1756-63-0x0000000000A60000-0x0000000000AB0000-memory.dmp

Filesize
320KB

Download
memory/1756-121-0x0000000000A60000-0x0000000000AB0000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads