cobaltstrike | bf271c7f79b2cf0421293dddd7203731a777993836a33049be022442113949df

General

Target

bf271c7f79b2cf0421293dddd7203731a777993836a33049be022442113949df.exe
Size

307KB
MD5

a1e70a0976f138b0921423530aedf190
SHA1

c92178348e4afcf021b4e845d060e3a89f9bfc29
SHA256

bf271c7f79b2cf0421293dddd7203731a777993836a33049be022442113949df
SHA512

ed89183d1f504a931f46d115d5d33aa119e436a9ede5b8b317b07307c27f6feb4929b57b18911949c59d674d3e8a79e17c35a413f003abae786f85e19f30d5b8
SSDEEP

6144:K0vzRT72Y0SszinYKTY1SQshfRPVQe1MZkIYSccr7wbstOOPECYeixlYGicB:K0bt7SSPYsY1UMqMZJYSN7wbstOO8fvf

Score

10^/10

cobaltstrike backdoor persistence trojan

Malware Config

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Executes dropped EXE 1 IoCs

Processes:

azba.exe

pid process

1136 azba.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1116 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

bf271c7f79b2cf0421293dddd7203731a777993836a33049be022442113949df.exe

pid process

1248 bf271c7f79b2cf0421293dddd7203731a777993836a33049be022442113949df.exe

pid	process
1116	cmd.exe

pid	process
1248	bf271c7f79b2cf0421293dddd7203731a777993836a33049be022442113949df.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

azba.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\Currentversion\Run	azba.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\{91C05068-4FEF-AD4D-7F1F-8FEC7D0BACF1} = "C:\\Users\\Admin\\AppData\\Roaming\\Yjtuus\\azba.exe"	azba.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

bf271c7f79b2cf0421293dddd7203731a777993836a33049be022442113949df.exe

description	pid	process	target process
PID 1248 set thread context of 1116	1248	bf271c7f79b2cf0421293dddd7203731a777993836a33049be022442113949df.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

bf271c7f79b2cf0421293dddd7203731a777993836a33049be022442113949df.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Privacy	bf271c7f79b2cf0421293dddd7203731a777993836a33049be022442113949df.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	bf271c7f79b2cf0421293dddd7203731a777993836a33049be022442113949df.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

azba.exe

pid	process
1136	azba.exe
1136	azba.exe
1136	azba.exe
1136	azba.exe
1136	azba.exe
1136	azba.exe
1136	azba.exe
1136	azba.exe
1136	azba.exe
1136	azba.exe
1136	azba.exe
1136	azba.exe
1136	azba.exe
1136	azba.exe
1136	azba.exe
1136	azba.exe
1136	azba.exe
1136	azba.exe
1136	azba.exe
1136	azba.exe
1136	azba.exe
1136	azba.exe
1136	azba.exe
1136	azba.exe
1136	azba.exe
1136	azba.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

bf271c7f79b2cf0421293dddd7203731a777993836a33049be022442113949df.exeazba.exe

description	pid	process	target process
PID 1248 wrote to memory of 1136	1248	bf271c7f79b2cf0421293dddd7203731a777993836a33049be022442113949df.exe	azba.exe
PID 1248 wrote to memory of 1136	1248	bf271c7f79b2cf0421293dddd7203731a777993836a33049be022442113949df.exe	azba.exe
PID 1248 wrote to memory of 1136	1248	bf271c7f79b2cf0421293dddd7203731a777993836a33049be022442113949df.exe	azba.exe
PID 1248 wrote to memory of 1136	1248	bf271c7f79b2cf0421293dddd7203731a777993836a33049be022442113949df.exe	azba.exe
PID 1136 wrote to memory of 1300	1136	azba.exe	taskhost.exe
PID 1136 wrote to memory of 1300	1136	azba.exe	taskhost.exe
PID 1136 wrote to memory of 1300	1136	azba.exe	taskhost.exe
PID 1136 wrote to memory of 1300	1136	azba.exe	taskhost.exe
PID 1136 wrote to memory of 1300	1136	azba.exe	taskhost.exe
PID 1136 wrote to memory of 1404	1136	azba.exe	Dwm.exe
PID 1136 wrote to memory of 1404	1136	azba.exe	Dwm.exe
PID 1136 wrote to memory of 1404	1136	azba.exe	Dwm.exe
PID 1136 wrote to memory of 1404	1136	azba.exe	Dwm.exe
PID 1136 wrote to memory of 1404	1136	azba.exe	Dwm.exe
PID 1136 wrote to memory of 1444	1136	azba.exe	Explorer.EXE
PID 1136 wrote to memory of 1444	1136	azba.exe	Explorer.EXE
PID 1136 wrote to memory of 1444	1136	azba.exe	Explorer.EXE
PID 1136 wrote to memory of 1444	1136	azba.exe	Explorer.EXE
PID 1136 wrote to memory of 1444	1136	azba.exe	Explorer.EXE
PID 1136 wrote to memory of 1248	1136	azba.exe	bf271c7f79b2cf0421293dddd7203731a777993836a33049be022442113949df.exe
PID 1136 wrote to memory of 1248	1136	azba.exe	bf271c7f79b2cf0421293dddd7203731a777993836a33049be022442113949df.exe
PID 1136 wrote to memory of 1248	1136	azba.exe	bf271c7f79b2cf0421293dddd7203731a777993836a33049be022442113949df.exe
PID 1136 wrote to memory of 1248	1136	azba.exe	bf271c7f79b2cf0421293dddd7203731a777993836a33049be022442113949df.exe
PID 1136 wrote to memory of 1248	1136	azba.exe	bf271c7f79b2cf0421293dddd7203731a777993836a33049be022442113949df.exe
PID 1248 wrote to memory of 1116	1248	bf271c7f79b2cf0421293dddd7203731a777993836a33049be022442113949df.exe	cmd.exe
PID 1248 wrote to memory of 1116	1248	bf271c7f79b2cf0421293dddd7203731a777993836a33049be022442113949df.exe	cmd.exe
PID 1248 wrote to memory of 1116	1248	bf271c7f79b2cf0421293dddd7203731a777993836a33049be022442113949df.exe	cmd.exe
PID 1248 wrote to memory of 1116	1248	bf271c7f79b2cf0421293dddd7203731a777993836a33049be022442113949df.exe	cmd.exe
PID 1248 wrote to memory of 1116	1248	bf271c7f79b2cf0421293dddd7203731a777993836a33049be022442113949df.exe	cmd.exe
PID 1248 wrote to memory of 1116	1248	bf271c7f79b2cf0421293dddd7203731a777993836a33049be022442113949df.exe	cmd.exe
PID 1248 wrote to memory of 1116	1248	bf271c7f79b2cf0421293dddd7203731a777993836a33049be022442113949df.exe	cmd.exe
PID 1248 wrote to memory of 1116	1248	bf271c7f79b2cf0421293dddd7203731a777993836a33049be022442113949df.exe	cmd.exe
PID 1248 wrote to memory of 1116	1248	bf271c7f79b2cf0421293dddd7203731a777993836a33049be022442113949df.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1444

C:\Users\Admin\AppData\Local\Temp\bf271c7f79b2cf0421293dddd7203731a777993836a33049be022442113949df.exe
"C:\Users\Admin\AppData\Local\Temp\bf271c7f79b2cf0421293dddd7203731a777993836a33049be022442113949df.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1248

C:\Users\Admin\AppData\Roaming\Yjtuus\azba.exe
"C:\Users\Admin\AppData\Roaming\Yjtuus\azba.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1136

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpc550bc3b.bat"
3⤵
- Deletes itself
PID:1116

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1404

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1300

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpc550bc3b.bat
Filesize
307B

MD5
47de72b0c793c1055e497b33e48f500e

SHA1
9c9a62476f2ab9b658734a96fafb3250f957ea70

SHA256
561ed49cf5b65415de0960f872554a4e28f76a0fdd3f2da37421c60331a102a7

SHA512
e11d64afcfd307d91783518f38142c73f678e6e87695e090eb3d9e2630ab40e0627aab7fe65a0c9a6118bc08b4b5aac61b63213a76b145972887edd970c0333b

Download Submit
C:\Users\Admin\AppData\Roaming\Yjtuus\azba.exe
Filesize
307KB

MD5
f6fdf0f59a6e5eb7f3b9dcbfeeebc59e

SHA1
36f75d02fd88b732b392b8a9baed71b7a99109de

SHA256
19da945801e2f3c945bf46d4d2377961ad0c37ff756d26e8c1caa7c9e25e0bd5

SHA512
7ee8e512bfef5613faf17e83a4bf71e00c7d1febdee38f27166b3d4408b07a9941d87e5e29a190a48404d4340c3be8db25392e83b436d8ae2014e969a3a7c34c

Download Submit
C:\Users\Admin\AppData\Roaming\Yjtuus\azba.exe
Filesize
307KB

MD5
f6fdf0f59a6e5eb7f3b9dcbfeeebc59e

SHA1
36f75d02fd88b732b392b8a9baed71b7a99109de

SHA256
19da945801e2f3c945bf46d4d2377961ad0c37ff756d26e8c1caa7c9e25e0bd5

SHA512
7ee8e512bfef5613faf17e83a4bf71e00c7d1febdee38f27166b3d4408b07a9941d87e5e29a190a48404d4340c3be8db25392e83b436d8ae2014e969a3a7c34c

Download Submit
\Users\Admin\AppData\Roaming\Yjtuus\azba.exe
Filesize
307KB

MD5
f6fdf0f59a6e5eb7f3b9dcbfeeebc59e

SHA1
36f75d02fd88b732b392b8a9baed71b7a99109de

SHA256
19da945801e2f3c945bf46d4d2377961ad0c37ff756d26e8c1caa7c9e25e0bd5

SHA512
7ee8e512bfef5613faf17e83a4bf71e00c7d1febdee38f27166b3d4408b07a9941d87e5e29a190a48404d4340c3be8db25392e83b436d8ae2014e969a3a7c34c

Download Submit
memory/1116-96-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1116-93-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1116-105-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1116-99-0x00000000000671E6-mapping.dmp

Download
memory/1116-97-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1116-95-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1136-106-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1136-90-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1136-107-0x00000000002D0000-0x0000000000320000-memory.dmp

Filesize
320KB

Download
memory/1136-59-0x0000000000000000-mapping.dmp

Download
memory/1136-63-0x00000000002D0000-0x0000000000320000-memory.dmp

Filesize
320KB

Download
memory/1248-62-0x0000000000430000-0x0000000000480000-memory.dmp

Filesize
320KB

Download
memory/1248-98-0x0000000000430000-0x0000000000480000-memory.dmp

Filesize
320KB

Download
memory/1248-55-0x0000000075351000-0x0000000075353000-memory.dmp

Filesize
8KB

Download
memory/1248-102-0x0000000000430000-0x0000000000474000-memory.dmp

Filesize
272KB

Download
memory/1248-101-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1248-100-0x0000000001080000-0x00000000010D0000-memory.dmp

Filesize
320KB

Download
memory/1248-61-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1248-86-0x0000000000430000-0x0000000000474000-memory.dmp

Filesize
272KB

Download
memory/1248-57-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1248-56-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1248-87-0x0000000000430000-0x0000000000474000-memory.dmp

Filesize
272KB

Download
memory/1248-88-0x0000000000430000-0x0000000000474000-memory.dmp

Filesize
272KB

Download
memory/1248-89-0x0000000000430000-0x0000000000474000-memory.dmp

Filesize
272KB

Download
memory/1248-54-0x0000000001080000-0x00000000010D0000-memory.dmp

Filesize
320KB

Download
memory/1300-68-0x0000000000190000-0x00000000001D4000-memory.dmp

Filesize
272KB

Download
memory/1300-71-0x0000000000190000-0x00000000001D4000-memory.dmp

Filesize
272KB

Download
memory/1300-70-0x0000000000190000-0x00000000001D4000-memory.dmp

Filesize
272KB

Download
memory/1300-66-0x0000000000190000-0x00000000001D4000-memory.dmp

Filesize
272KB

Download
memory/1300-69-0x0000000000190000-0x00000000001D4000-memory.dmp

Filesize
272KB

Download
memory/1404-74-0x0000000000120000-0x0000000000164000-memory.dmp

Filesize
272KB

Download
memory/1404-77-0x0000000000120000-0x0000000000164000-memory.dmp

Filesize
272KB

Download
memory/1404-76-0x0000000000120000-0x0000000000164000-memory.dmp

Filesize
272KB

Download
memory/1404-75-0x0000000000120000-0x0000000000164000-memory.dmp

Filesize
272KB

Download
memory/1444-81-0x0000000002530000-0x0000000002574000-memory.dmp

Filesize
272KB

Download
memory/1444-80-0x0000000002530000-0x0000000002574000-memory.dmp

Filesize
272KB

Download
memory/1444-83-0x0000000002530000-0x0000000002574000-memory.dmp

Filesize
272KB

Download
memory/1444-82-0x0000000002530000-0x0000000002574000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads