cobaltstrike | bfb3c9fcad31b69e33f4167583c9caee3e23b5e21eba695ab417bc7f5cd71ac6

General

Target

bfb3c9fcad31b69e33f4167583c9caee3e23b5e21eba695ab417bc7f5cd71ac6.exe
Size

305KB
MD5

58a2143fe02f4c366f63b43fd5d37fc6
SHA1

86509cc545d83f329556fe2118ec1cc9ec3e7a58
SHA256

bfb3c9fcad31b69e33f4167583c9caee3e23b5e21eba695ab417bc7f5cd71ac6
SHA512

1a4ed646ad6f5ed0d0b251820e6e281bb66277fd783a929762ff4f12ce95266b154a7109bfaf8c3cb1a724506abb7e4f332f3fd8716d5797ec03d6c53877a848
SSDEEP

6144:5GSzsT72Y0SWzinYKTY1SQshfRPVQe1MZkIYSccr7wbstOQPECYeixlYGicA:5GqQ7SSxYsY1UMqMZJYSN7wbstOQ8fvK

Score

10^/10

cobaltstrike backdoor persistence trojan

Malware Config

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Executes dropped EXE 1 IoCs

Processes:

ivnium.exe

pid process

1356 ivnium.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

624 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

bfb3c9fcad31b69e33f4167583c9caee3e23b5e21eba695ab417bc7f5cd71ac6.exe

pid process

948 bfb3c9fcad31b69e33f4167583c9caee3e23b5e21eba695ab417bc7f5cd71ac6.exe

pid	process
624	cmd.exe

pid	process
948	bfb3c9fcad31b69e33f4167583c9caee3e23b5e21eba695ab417bc7f5cd71ac6.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ivnium.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\Currentversion\Run	ivnium.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\{7B4F18C8-4FEF-AD4D-3A07-B8B71A0C9BAA} = "C:\\Users\\Admin\\AppData\\Roaming\\Ynwe\\ivnium.exe"	ivnium.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

bfb3c9fcad31b69e33f4167583c9caee3e23b5e21eba695ab417bc7f5cd71ac6.exe

description pid process target process

PID 948 set thread context of 624 948 bfb3c9fcad31b69e33f4167583c9caee3e23b5e21eba695ab417bc7f5cd71ac6.exe cmd.exe

description	pid	process	target process
PID 948 set thread context of 624	948	bfb3c9fcad31b69e33f4167583c9caee3e23b5e21eba695ab417bc7f5cd71ac6.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

bfb3c9fcad31b69e33f4167583c9caee3e23b5e21eba695ab417bc7f5cd71ac6.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Privacy	bfb3c9fcad31b69e33f4167583c9caee3e23b5e21eba695ab417bc7f5cd71ac6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	bfb3c9fcad31b69e33f4167583c9caee3e23b5e21eba695ab417bc7f5cd71ac6.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

ivnium.exe

pid	process
1356	ivnium.exe
1356	ivnium.exe
1356	ivnium.exe
1356	ivnium.exe
1356	ivnium.exe
1356	ivnium.exe
1356	ivnium.exe
1356	ivnium.exe
1356	ivnium.exe
1356	ivnium.exe
1356	ivnium.exe
1356	ivnium.exe
1356	ivnium.exe
1356	ivnium.exe
1356	ivnium.exe
1356	ivnium.exe
1356	ivnium.exe
1356	ivnium.exe
1356	ivnium.exe
1356	ivnium.exe
1356	ivnium.exe
1356	ivnium.exe
1356	ivnium.exe
1356	ivnium.exe
1356	ivnium.exe
1356	ivnium.exe
1356	ivnium.exe
1356	ivnium.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

bfb3c9fcad31b69e33f4167583c9caee3e23b5e21eba695ab417bc7f5cd71ac6.exeivnium.exe

description	pid	process	target process
PID 948 wrote to memory of 1356	948	bfb3c9fcad31b69e33f4167583c9caee3e23b5e21eba695ab417bc7f5cd71ac6.exe	ivnium.exe
PID 948 wrote to memory of 1356	948	bfb3c9fcad31b69e33f4167583c9caee3e23b5e21eba695ab417bc7f5cd71ac6.exe	ivnium.exe
PID 948 wrote to memory of 1356	948	bfb3c9fcad31b69e33f4167583c9caee3e23b5e21eba695ab417bc7f5cd71ac6.exe	ivnium.exe
PID 948 wrote to memory of 1356	948	bfb3c9fcad31b69e33f4167583c9caee3e23b5e21eba695ab417bc7f5cd71ac6.exe	ivnium.exe
PID 1356 wrote to memory of 1104	1356	ivnium.exe	taskhost.exe
PID 1356 wrote to memory of 1104	1356	ivnium.exe	taskhost.exe
PID 1356 wrote to memory of 1104	1356	ivnium.exe	taskhost.exe
PID 1356 wrote to memory of 1104	1356	ivnium.exe	taskhost.exe
PID 1356 wrote to memory of 1104	1356	ivnium.exe	taskhost.exe
PID 1356 wrote to memory of 1184	1356	ivnium.exe	Dwm.exe
PID 1356 wrote to memory of 1184	1356	ivnium.exe	Dwm.exe
PID 1356 wrote to memory of 1184	1356	ivnium.exe	Dwm.exe
PID 1356 wrote to memory of 1184	1356	ivnium.exe	Dwm.exe
PID 1356 wrote to memory of 1184	1356	ivnium.exe	Dwm.exe
PID 1356 wrote to memory of 1216	1356	ivnium.exe	Explorer.EXE
PID 1356 wrote to memory of 1216	1356	ivnium.exe	Explorer.EXE
PID 1356 wrote to memory of 1216	1356	ivnium.exe	Explorer.EXE
PID 1356 wrote to memory of 1216	1356	ivnium.exe	Explorer.EXE
PID 1356 wrote to memory of 1216	1356	ivnium.exe	Explorer.EXE
PID 1356 wrote to memory of 948	1356	ivnium.exe	bfb3c9fcad31b69e33f4167583c9caee3e23b5e21eba695ab417bc7f5cd71ac6.exe
PID 1356 wrote to memory of 948	1356	ivnium.exe	bfb3c9fcad31b69e33f4167583c9caee3e23b5e21eba695ab417bc7f5cd71ac6.exe
PID 1356 wrote to memory of 948	1356	ivnium.exe	bfb3c9fcad31b69e33f4167583c9caee3e23b5e21eba695ab417bc7f5cd71ac6.exe
PID 1356 wrote to memory of 948	1356	ivnium.exe	bfb3c9fcad31b69e33f4167583c9caee3e23b5e21eba695ab417bc7f5cd71ac6.exe
PID 1356 wrote to memory of 948	1356	ivnium.exe	bfb3c9fcad31b69e33f4167583c9caee3e23b5e21eba695ab417bc7f5cd71ac6.exe
PID 948 wrote to memory of 624	948	bfb3c9fcad31b69e33f4167583c9caee3e23b5e21eba695ab417bc7f5cd71ac6.exe	cmd.exe
PID 948 wrote to memory of 624	948	bfb3c9fcad31b69e33f4167583c9caee3e23b5e21eba695ab417bc7f5cd71ac6.exe	cmd.exe
PID 948 wrote to memory of 624	948	bfb3c9fcad31b69e33f4167583c9caee3e23b5e21eba695ab417bc7f5cd71ac6.exe	cmd.exe
PID 948 wrote to memory of 624	948	bfb3c9fcad31b69e33f4167583c9caee3e23b5e21eba695ab417bc7f5cd71ac6.exe	cmd.exe
PID 948 wrote to memory of 624	948	bfb3c9fcad31b69e33f4167583c9caee3e23b5e21eba695ab417bc7f5cd71ac6.exe	cmd.exe
PID 948 wrote to memory of 624	948	bfb3c9fcad31b69e33f4167583c9caee3e23b5e21eba695ab417bc7f5cd71ac6.exe	cmd.exe
PID 948 wrote to memory of 624	948	bfb3c9fcad31b69e33f4167583c9caee3e23b5e21eba695ab417bc7f5cd71ac6.exe	cmd.exe
PID 948 wrote to memory of 624	948	bfb3c9fcad31b69e33f4167583c9caee3e23b5e21eba695ab417bc7f5cd71ac6.exe	cmd.exe
PID 948 wrote to memory of 624	948	bfb3c9fcad31b69e33f4167583c9caee3e23b5e21eba695ab417bc7f5cd71ac6.exe	cmd.exe
PID 1356 wrote to memory of 956	1356	ivnium.exe	DllHost.exe
PID 1356 wrote to memory of 956	1356	ivnium.exe	DllHost.exe
PID 1356 wrote to memory of 956	1356	ivnium.exe	DllHost.exe
PID 1356 wrote to memory of 956	1356	ivnium.exe	DllHost.exe
PID 1356 wrote to memory of 956	1356	ivnium.exe	DllHost.exe
PID 1356 wrote to memory of 760	1356	ivnium.exe	DllHost.exe
PID 1356 wrote to memory of 760	1356	ivnium.exe	DllHost.exe
PID 1356 wrote to memory of 760	1356	ivnium.exe	DllHost.exe
PID 1356 wrote to memory of 760	1356	ivnium.exe	DllHost.exe
PID 1356 wrote to memory of 760	1356	ivnium.exe	DllHost.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1104

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1216

C:\Users\Admin\AppData\Local\Temp\bfb3c9fcad31b69e33f4167583c9caee3e23b5e21eba695ab417bc7f5cd71ac6.exe
"C:\Users\Admin\AppData\Local\Temp\bfb3c9fcad31b69e33f4167583c9caee3e23b5e21eba695ab417bc7f5cd71ac6.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:948

C:\Users\Admin\AppData\Roaming\Ynwe\ivnium.exe
"C:\Users\Admin\AppData\Roaming\Ynwe\ivnium.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1356

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp1701da41.bat"
3⤵
- Deletes itself
PID:624

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1184

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:956

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:760

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp1701da41.bat
Filesize
307B

MD5
83c215e7377e7c476d615c9f0f64d43c

SHA1
aaa3a7b1563cab04ca36b471f19943e127a77809

SHA256
9695c5bf22ba55c386e2aaf90035cba30cdfb38590a0c5194cf834b3a6cce80e

SHA512
7a6f974df550ccd6d8a5f5e6a66df95477f359296e77b962e5c31dbeda8ba78308ab3136d74ab2d1303f3b0d08d711a72b23579a6901f5179aeb9cf7ac9a81a8

Download Submit
C:\Users\Admin\AppData\Roaming\Ynwe\ivnium.exe
Filesize
305KB

MD5
aba532ff5b52c356919b224ecac09100

SHA1
8ca1109b5d384db846a19a842a89a7f73d3cd2fd

SHA256
05a788793e53a37008dd63820a752fd3422b3db43d4d4c80fa91e9031eda4beb

SHA512
36aebfad4f0c44c5b7557d11e335e8f5e8020156f8a4e5198aabab57b44937536067940fdf48bceacf99c693197cfac8a3226da48010717e387389381231bf3c

Download Submit
C:\Users\Admin\AppData\Roaming\Ynwe\ivnium.exe
Filesize
305KB

MD5
aba532ff5b52c356919b224ecac09100

SHA1
8ca1109b5d384db846a19a842a89a7f73d3cd2fd

SHA256
05a788793e53a37008dd63820a752fd3422b3db43d4d4c80fa91e9031eda4beb

SHA512
36aebfad4f0c44c5b7557d11e335e8f5e8020156f8a4e5198aabab57b44937536067940fdf48bceacf99c693197cfac8a3226da48010717e387389381231bf3c

Download Submit
\Users\Admin\AppData\Roaming\Ynwe\ivnium.exe
Filesize
305KB

MD5
aba532ff5b52c356919b224ecac09100

SHA1
8ca1109b5d384db846a19a842a89a7f73d3cd2fd

SHA256
05a788793e53a37008dd63820a752fd3422b3db43d4d4c80fa91e9031eda4beb

SHA512
36aebfad4f0c44c5b7557d11e335e8f5e8020156f8a4e5198aabab57b44937536067940fdf48bceacf99c693197cfac8a3226da48010717e387389381231bf3c

Download Submit
memory/624-95-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/624-97-0x00000000000671E6-mapping.dmp

Download
memory/624-104-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/624-92-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/624-96-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/624-94-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/760-116-0x0000000003A50000-0x0000000003A94000-memory.dmp

Filesize
272KB

Download
memory/760-115-0x0000000003A50000-0x0000000003A94000-memory.dmp

Filesize
272KB

Download
memory/760-114-0x0000000003A50000-0x0000000003A94000-memory.dmp

Filesize
272KB

Download
memory/760-113-0x0000000003A50000-0x0000000003A94000-memory.dmp

Filesize
272KB

Download
memory/948-98-0x0000000000ED0000-0x0000000000F20000-memory.dmp

Filesize
320KB

Download
memory/948-59-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/948-55-0x0000000076171000-0x0000000076173000-memory.dmp

Filesize
8KB

Download
memory/948-56-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/948-57-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/948-54-0x0000000000ED0000-0x0000000000F20000-memory.dmp

Filesize
320KB

Download
memory/948-100-0x0000000000100000-0x0000000000144000-memory.dmp

Filesize
272KB

Download
memory/948-60-0x0000000000100000-0x0000000000150000-memory.dmp

Filesize
320KB

Download
memory/948-99-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/948-89-0x0000000000100000-0x0000000000144000-memory.dmp

Filesize
272KB

Download
memory/948-86-0x0000000000100000-0x0000000000144000-memory.dmp

Filesize
272KB

Download
memory/948-87-0x0000000000100000-0x0000000000144000-memory.dmp

Filesize
272KB

Download
memory/948-88-0x0000000000100000-0x0000000000144000-memory.dmp

Filesize
272KB

Download
memory/956-108-0x00000000000F0000-0x0000000000134000-memory.dmp

Filesize
272KB

Download
memory/956-107-0x00000000000F0000-0x0000000000134000-memory.dmp

Filesize
272KB

Download
memory/956-109-0x00000000000F0000-0x0000000000134000-memory.dmp

Filesize
272KB

Download
memory/956-110-0x00000000000F0000-0x0000000000134000-memory.dmp

Filesize
272KB

Download
memory/1104-68-0x0000000001E60000-0x0000000001EA4000-memory.dmp

Filesize
272KB

Download
memory/1104-71-0x0000000001E60000-0x0000000001EA4000-memory.dmp

Filesize
272KB

Download
memory/1104-66-0x0000000001E60000-0x0000000001EA4000-memory.dmp

Filesize
272KB

Download
memory/1104-69-0x0000000001E60000-0x0000000001EA4000-memory.dmp

Filesize
272KB

Download
memory/1104-70-0x0000000001E60000-0x0000000001EA4000-memory.dmp

Filesize
272KB

Download
memory/1184-74-0x00000000001A0000-0x00000000001E4000-memory.dmp

Filesize
272KB

Download
memory/1184-77-0x00000000001A0000-0x00000000001E4000-memory.dmp

Filesize
272KB

Download
memory/1184-76-0x00000000001A0000-0x00000000001E4000-memory.dmp

Filesize
272KB

Download
memory/1184-75-0x00000000001A0000-0x00000000001E4000-memory.dmp

Filesize
272KB

Download
memory/1216-83-0x0000000002B10000-0x0000000002B54000-memory.dmp

Filesize
272KB

Download
memory/1216-80-0x0000000002B10000-0x0000000002B54000-memory.dmp

Filesize
272KB

Download
memory/1216-81-0x0000000002B10000-0x0000000002B54000-memory.dmp

Filesize
272KB

Download
memory/1216-82-0x0000000002B10000-0x0000000002B54000-memory.dmp

Filesize
272KB

Download
memory/1356-101-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1356-63-0x0000000000DA0000-0x0000000000DF0000-memory.dmp

Filesize
320KB

Download
memory/1356-61-0x0000000000000000-mapping.dmp

Download
memory/1356-117-0x0000000000DA0000-0x0000000000DF0000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads