cobaltstrike | b850b1ba787fb7fb607b3840f4acfec560a736aaf00aa5c07a6a8b0536e6c465

General

Target

b850b1ba787fb7fb607b3840f4acfec560a736aaf00aa5c07a6a8b0536e6c465.exe
Size

311KB
MD5

7257b78c20538fb81e0c610a58cf54bb
SHA1

a1641167c827ca8f59fe22d169125726d283cfc4
SHA256

b850b1ba787fb7fb607b3840f4acfec560a736aaf00aa5c07a6a8b0536e6c465
SHA512

10265701daace520e079e7083c1e6749702a24530f3d83ca0c62cb01124a55d8eb0e6f992b192982b741e399e6ff65358238aeed23e7680d2df5b225f2345d6e
SSDEEP

6144:nS/3wVyBPl40pPzMHLdL1hALe+2NirdrQdZxwUKD0j:nm3myb4wzMdoLT2NKc7w6

Score

10^/10

cobaltstrike backdoor persistence trojan

Malware Config

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Executes dropped EXE 1 IoCs

Processes:

reipal.exe

pid process

1012 reipal.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1348 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

b850b1ba787fb7fb607b3840f4acfec560a736aaf00aa5c07a6a8b0536e6c465.exe

pid process

2028 b850b1ba787fb7fb607b3840f4acfec560a736aaf00aa5c07a6a8b0536e6c465.exe

pid	process
1348	cmd.exe

pid	process
2028	b850b1ba787fb7fb607b3840f4acfec560a736aaf00aa5c07a6a8b0536e6c465.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reipal.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\{A87A45C8-3774-AD4D-8524-3978BFBA1A65} = "C:\\Users\\Admin\\AppData\\Roaming\\Paojun\\reipal.exe"	reipal.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\Currentversion\Run	reipal.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

b850b1ba787fb7fb607b3840f4acfec560a736aaf00aa5c07a6a8b0536e6c465.exe

description	pid	process	target process
PID 2028 set thread context of 1348	2028	b850b1ba787fb7fb607b3840f4acfec560a736aaf00aa5c07a6a8b0536e6c465.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

b850b1ba787fb7fb607b3840f4acfec560a736aaf00aa5c07a6a8b0536e6c465.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Privacy	b850b1ba787fb7fb607b3840f4acfec560a736aaf00aa5c07a6a8b0536e6c465.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	b850b1ba787fb7fb607b3840f4acfec560a736aaf00aa5c07a6a8b0536e6c465.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

reipal.exe

pid	process
1012	reipal.exe
1012	reipal.exe
1012	reipal.exe
1012	reipal.exe
1012	reipal.exe
1012	reipal.exe
1012	reipal.exe
1012	reipal.exe
1012	reipal.exe
1012	reipal.exe
1012	reipal.exe
1012	reipal.exe
1012	reipal.exe
1012	reipal.exe
1012	reipal.exe
1012	reipal.exe
1012	reipal.exe
1012	reipal.exe
1012	reipal.exe
1012	reipal.exe
1012	reipal.exe
1012	reipal.exe
1012	reipal.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

b850b1ba787fb7fb607b3840f4acfec560a736aaf00aa5c07a6a8b0536e6c465.exereipal.exe

description	pid	process	target process
PID 2028 wrote to memory of 1012	2028	b850b1ba787fb7fb607b3840f4acfec560a736aaf00aa5c07a6a8b0536e6c465.exe	reipal.exe
PID 2028 wrote to memory of 1012	2028	b850b1ba787fb7fb607b3840f4acfec560a736aaf00aa5c07a6a8b0536e6c465.exe	reipal.exe
PID 2028 wrote to memory of 1012	2028	b850b1ba787fb7fb607b3840f4acfec560a736aaf00aa5c07a6a8b0536e6c465.exe	reipal.exe
PID 2028 wrote to memory of 1012	2028	b850b1ba787fb7fb607b3840f4acfec560a736aaf00aa5c07a6a8b0536e6c465.exe	reipal.exe
PID 1012 wrote to memory of 1140	1012	reipal.exe	taskhost.exe
PID 1012 wrote to memory of 1140	1012	reipal.exe	taskhost.exe
PID 1012 wrote to memory of 1140	1012	reipal.exe	taskhost.exe
PID 1012 wrote to memory of 1140	1012	reipal.exe	taskhost.exe
PID 1012 wrote to memory of 1140	1012	reipal.exe	taskhost.exe
PID 1012 wrote to memory of 1248	1012	reipal.exe	Dwm.exe
PID 1012 wrote to memory of 1248	1012	reipal.exe	Dwm.exe
PID 1012 wrote to memory of 1248	1012	reipal.exe	Dwm.exe
PID 1012 wrote to memory of 1248	1012	reipal.exe	Dwm.exe
PID 1012 wrote to memory of 1248	1012	reipal.exe	Dwm.exe
PID 1012 wrote to memory of 1284	1012	reipal.exe	Explorer.EXE
PID 1012 wrote to memory of 1284	1012	reipal.exe	Explorer.EXE
PID 1012 wrote to memory of 1284	1012	reipal.exe	Explorer.EXE
PID 1012 wrote to memory of 1284	1012	reipal.exe	Explorer.EXE
PID 1012 wrote to memory of 1284	1012	reipal.exe	Explorer.EXE
PID 1012 wrote to memory of 2028	1012	reipal.exe	b850b1ba787fb7fb607b3840f4acfec560a736aaf00aa5c07a6a8b0536e6c465.exe
PID 1012 wrote to memory of 2028	1012	reipal.exe	b850b1ba787fb7fb607b3840f4acfec560a736aaf00aa5c07a6a8b0536e6c465.exe
PID 1012 wrote to memory of 2028	1012	reipal.exe	b850b1ba787fb7fb607b3840f4acfec560a736aaf00aa5c07a6a8b0536e6c465.exe
PID 1012 wrote to memory of 2028	1012	reipal.exe	b850b1ba787fb7fb607b3840f4acfec560a736aaf00aa5c07a6a8b0536e6c465.exe
PID 1012 wrote to memory of 2028	1012	reipal.exe	b850b1ba787fb7fb607b3840f4acfec560a736aaf00aa5c07a6a8b0536e6c465.exe
PID 2028 wrote to memory of 1348	2028	b850b1ba787fb7fb607b3840f4acfec560a736aaf00aa5c07a6a8b0536e6c465.exe	cmd.exe
PID 2028 wrote to memory of 1348	2028	b850b1ba787fb7fb607b3840f4acfec560a736aaf00aa5c07a6a8b0536e6c465.exe	cmd.exe
PID 2028 wrote to memory of 1348	2028	b850b1ba787fb7fb607b3840f4acfec560a736aaf00aa5c07a6a8b0536e6c465.exe	cmd.exe
PID 2028 wrote to memory of 1348	2028	b850b1ba787fb7fb607b3840f4acfec560a736aaf00aa5c07a6a8b0536e6c465.exe	cmd.exe
PID 2028 wrote to memory of 1348	2028	b850b1ba787fb7fb607b3840f4acfec560a736aaf00aa5c07a6a8b0536e6c465.exe	cmd.exe
PID 2028 wrote to memory of 1348	2028	b850b1ba787fb7fb607b3840f4acfec560a736aaf00aa5c07a6a8b0536e6c465.exe	cmd.exe
PID 2028 wrote to memory of 1348	2028	b850b1ba787fb7fb607b3840f4acfec560a736aaf00aa5c07a6a8b0536e6c465.exe	cmd.exe
PID 2028 wrote to memory of 1348	2028	b850b1ba787fb7fb607b3840f4acfec560a736aaf00aa5c07a6a8b0536e6c465.exe	cmd.exe
PID 2028 wrote to memory of 1348	2028	b850b1ba787fb7fb607b3840f4acfec560a736aaf00aa5c07a6a8b0536e6c465.exe	cmd.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1140

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1284

C:\Users\Admin\AppData\Local\Temp\b850b1ba787fb7fb607b3840f4acfec560a736aaf00aa5c07a6a8b0536e6c465.exe
"C:\Users\Admin\AppData\Local\Temp\b850b1ba787fb7fb607b3840f4acfec560a736aaf00aa5c07a6a8b0536e6c465.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2028

C:\Users\Admin\AppData\Roaming\Paojun\reipal.exe
"C:\Users\Admin\AppData\Roaming\Paojun\reipal.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1012

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp8f1af447.bat"
3⤵
- Deletes itself
PID:1348

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1248

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\ajgio.kae
Filesize
466B

MD5
38dcc51ac7f6d029d7773d4940914e89

SHA1
b55492b2ab669cadb97fd5399feead58362fbd0a

SHA256
1d1d4ea1a3bdfe4085e54d143434115ffb9b011bfa3126b31b001d6c3bc2baec

SHA512
e2391ef36523603e499cfa63a85619d1b984bad0996bb52209a083850bc035f99ff1a662c66983d352bb19a80efb353df52fe495f61e6f6dfeda44df76fd7bc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8f1af447.bat
Filesize
307B

MD5
3a4f8811b7d2e9072948c0533de7cbba

SHA1
338081e8f91307d8646a8fa6000d98ee0728e512

SHA256
237e91adda91b3938afddaf670607cea3c6cb64c9b17625e6fa5882e2ed86840

SHA512
2fa02d11aee0829a16faead85e84889d73f9773954944e5c13d9836e123159a11781e9ca7ced9e1eca403825e293faaa393cf03434f7494c042b4ed76e3c185a

Download Submit
C:\Users\Admin\AppData\Roaming\Paojun\reipal.exe
Filesize
311KB

MD5
fb68e681e604c5ba55b8b2f74a19bb24

SHA1
56789f4cc6faa3b8ee6819bcc33117b062e8a649

SHA256
0fe56eb278f5e40e1968612c0e7c08f3f70f2019d8afc1cef647c97ec6f7a7e2

SHA512
aea56c4db3ae0045555db3bf1b80160da16316e388e2a24607009876adae3912ca61dbbdb57f1809d4fb2ad405c34c60b332032f04e5a31193fc356c87365fdf

Download Submit
C:\Users\Admin\AppData\Roaming\Paojun\reipal.exe
Filesize
311KB

MD5
fb68e681e604c5ba55b8b2f74a19bb24

SHA1
56789f4cc6faa3b8ee6819bcc33117b062e8a649

SHA256
0fe56eb278f5e40e1968612c0e7c08f3f70f2019d8afc1cef647c97ec6f7a7e2

SHA512
aea56c4db3ae0045555db3bf1b80160da16316e388e2a24607009876adae3912ca61dbbdb57f1809d4fb2ad405c34c60b332032f04e5a31193fc356c87365fdf

Download Submit
\Users\Admin\AppData\Roaming\Paojun\reipal.exe
Filesize
311KB

MD5
fb68e681e604c5ba55b8b2f74a19bb24

SHA1
56789f4cc6faa3b8ee6819bcc33117b062e8a649

SHA256
0fe56eb278f5e40e1968612c0e7c08f3f70f2019d8afc1cef647c97ec6f7a7e2

SHA512
aea56c4db3ae0045555db3bf1b80160da16316e388e2a24607009876adae3912ca61dbbdb57f1809d4fb2ad405c34c60b332032f04e5a31193fc356c87365fdf

Download Submit
memory/1012-90-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1012-109-0x0000000000A50000-0x0000000000AA9000-memory.dmp

Filesize
356KB

Download
memory/1012-92-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1012-59-0x0000000000000000-mapping.dmp

Download
memory/1012-63-0x0000000000A50000-0x0000000000AA9000-memory.dmp

Filesize
356KB

Download
memory/1140-68-0x0000000001D50000-0x0000000001D94000-memory.dmp

Filesize
272KB

Download
memory/1140-66-0x0000000001D50000-0x0000000001D94000-memory.dmp

Filesize
272KB

Download
memory/1140-69-0x0000000001D50000-0x0000000001D94000-memory.dmp

Filesize
272KB

Download
memory/1140-70-0x0000000001D50000-0x0000000001D94000-memory.dmp

Filesize
272KB

Download
memory/1140-71-0x0000000001D50000-0x0000000001D94000-memory.dmp

Filesize
272KB

Download
memory/1248-76-0x0000000000120000-0x0000000000164000-memory.dmp

Filesize
272KB

Download
memory/1248-74-0x0000000000120000-0x0000000000164000-memory.dmp

Filesize
272KB

Download
memory/1248-75-0x0000000000120000-0x0000000000164000-memory.dmp

Filesize
272KB

Download
memory/1248-77-0x0000000000120000-0x0000000000164000-memory.dmp

Filesize
272KB

Download
memory/1284-82-0x0000000002BA0000-0x0000000002BE4000-memory.dmp

Filesize
272KB

Download
memory/1284-81-0x0000000002BA0000-0x0000000002BE4000-memory.dmp

Filesize
272KB

Download
memory/1284-83-0x0000000002BA0000-0x0000000002BE4000-memory.dmp

Filesize
272KB

Download
memory/1284-80-0x0000000002BA0000-0x0000000002BE4000-memory.dmp

Filesize
272KB

Download
memory/1348-96-0x00000000000B0000-0x00000000000F4000-memory.dmp

Filesize
272KB

Download
memory/1348-108-0x00000000000B0000-0x00000000000F4000-memory.dmp

Filesize
272KB

Download
memory/1348-101-0x00000000000C71E6-mapping.dmp

Download
memory/1348-100-0x00000000000B0000-0x00000000000F4000-memory.dmp

Filesize
272KB

Download
memory/1348-98-0x00000000000B0000-0x00000000000F4000-memory.dmp

Filesize
272KB

Download
memory/1348-99-0x00000000000B0000-0x00000000000F4000-memory.dmp

Filesize
272KB

Download
memory/2028-88-0x00000000002C0000-0x0000000000304000-memory.dmp

Filesize
272KB

Download
memory/2028-86-0x00000000002C0000-0x0000000000304000-memory.dmp

Filesize
272KB

Download
memory/2028-93-0x00000000002C0000-0x0000000000319000-memory.dmp

Filesize
356KB

Download
memory/2028-91-0x00000000002C0000-0x0000000000319000-memory.dmp

Filesize
356KB

Download
memory/2028-62-0x00000000002C0000-0x0000000000319000-memory.dmp

Filesize
356KB

Download
memory/2028-89-0x00000000002C0000-0x0000000000304000-memory.dmp

Filesize
272KB

Download
memory/2028-87-0x00000000002C0000-0x0000000000304000-memory.dmp

Filesize
272KB

Download
memory/2028-61-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/2028-103-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/2028-102-0x00000000009E0000-0x0000000000A39000-memory.dmp

Filesize
356KB

Download
memory/2028-104-0x00000000002C0000-0x0000000000304000-memory.dmp

Filesize
272KB

Download
memory/2028-57-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/2028-56-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/2028-54-0x00000000009E0000-0x0000000000A39000-memory.dmp

Filesize
356KB

Download
memory/2028-55-0x00000000760B1000-0x00000000760B3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads