cobaltstrike | b6e994d66f575d161506593466427d6bf18a506be5e3764dcc2a33df058a8047

General

Target

b6e994d66f575d161506593466427d6bf18a506be5e3764dcc2a33df058a8047.exe
Size

305KB
MD5

3a91900872047bf75c3dc4a1a126e0c2
SHA1

8166fe5e7b44e191f6e69eb4d1441a22eedc8174
SHA256

b6e994d66f575d161506593466427d6bf18a506be5e3764dcc2a33df058a8047
SHA512

990fefb26137b562660e306fd36f1271e4ef26c042c553c86a5b421dcd0a5b1903b7e3b5742f007e8ab9ace2fd4117c46e8d1d3f0738e304d3cb42fdd35a1bf4
SSDEEP

6144:5GSzytT72Y0SWzinYKTY1SQshfRPVQe1MZkIYSccr7wbstOkPECYeixlYGicg:5Gqyh7SSxYsY1UMqMZJYSN7wbstOk8fa

Score

10^/10

cobaltstrike backdoor persistence trojan

Malware Config

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Executes dropped EXE 1 IoCs

Processes:

ewnau.exe

pid process

316 ewnau.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

968 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

b6e994d66f575d161506593466427d6bf18a506be5e3764dcc2a33df058a8047.exe

pid process

936 b6e994d66f575d161506593466427d6bf18a506be5e3764dcc2a33df058a8047.exe

pid	process
968	cmd.exe

pid	process
936	b6e994d66f575d161506593466427d6bf18a506be5e3764dcc2a33df058a8047.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ewnau.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\Currentversion\Run	ewnau.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\{7B2FDFC8-3774-AD4D-C411-AE4FF0968D52} = "C:\\Users\\Admin\\AppData\\Roaming\\Orud\\ewnau.exe"	ewnau.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

b6e994d66f575d161506593466427d6bf18a506be5e3764dcc2a33df058a8047.exe

description pid process target process

PID 936 set thread context of 968 936 b6e994d66f575d161506593466427d6bf18a506be5e3764dcc2a33df058a8047.exe cmd.exe

description	pid	process	target process
PID 936 set thread context of 968	936	b6e994d66f575d161506593466427d6bf18a506be5e3764dcc2a33df058a8047.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

b6e994d66f575d161506593466427d6bf18a506be5e3764dcc2a33df058a8047.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Privacy	b6e994d66f575d161506593466427d6bf18a506be5e3764dcc2a33df058a8047.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	b6e994d66f575d161506593466427d6bf18a506be5e3764dcc2a33df058a8047.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

ewnau.exe

pid	process
316	ewnau.exe
316	ewnau.exe
316	ewnau.exe
316	ewnau.exe
316	ewnau.exe
316	ewnau.exe
316	ewnau.exe
316	ewnau.exe
316	ewnau.exe
316	ewnau.exe
316	ewnau.exe
316	ewnau.exe
316	ewnau.exe
316	ewnau.exe
316	ewnau.exe
316	ewnau.exe
316	ewnau.exe
316	ewnau.exe
316	ewnau.exe
316	ewnau.exe
316	ewnau.exe
316	ewnau.exe
316	ewnau.exe
316	ewnau.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

b6e994d66f575d161506593466427d6bf18a506be5e3764dcc2a33df058a8047.exeewnau.exe

description	pid	process	target process
PID 936 wrote to memory of 316	936	b6e994d66f575d161506593466427d6bf18a506be5e3764dcc2a33df058a8047.exe	ewnau.exe
PID 936 wrote to memory of 316	936	b6e994d66f575d161506593466427d6bf18a506be5e3764dcc2a33df058a8047.exe	ewnau.exe
PID 936 wrote to memory of 316	936	b6e994d66f575d161506593466427d6bf18a506be5e3764dcc2a33df058a8047.exe	ewnau.exe
PID 936 wrote to memory of 316	936	b6e994d66f575d161506593466427d6bf18a506be5e3764dcc2a33df058a8047.exe	ewnau.exe
PID 316 wrote to memory of 1132	316	ewnau.exe	taskhost.exe
PID 316 wrote to memory of 1132	316	ewnau.exe	taskhost.exe
PID 316 wrote to memory of 1132	316	ewnau.exe	taskhost.exe
PID 316 wrote to memory of 1132	316	ewnau.exe	taskhost.exe
PID 316 wrote to memory of 1132	316	ewnau.exe	taskhost.exe
PID 316 wrote to memory of 1216	316	ewnau.exe	Dwm.exe
PID 316 wrote to memory of 1216	316	ewnau.exe	Dwm.exe
PID 316 wrote to memory of 1216	316	ewnau.exe	Dwm.exe
PID 316 wrote to memory of 1216	316	ewnau.exe	Dwm.exe
PID 316 wrote to memory of 1216	316	ewnau.exe	Dwm.exe
PID 316 wrote to memory of 1264	316	ewnau.exe	Explorer.EXE
PID 316 wrote to memory of 1264	316	ewnau.exe	Explorer.EXE
PID 316 wrote to memory of 1264	316	ewnau.exe	Explorer.EXE
PID 316 wrote to memory of 1264	316	ewnau.exe	Explorer.EXE
PID 316 wrote to memory of 1264	316	ewnau.exe	Explorer.EXE
PID 316 wrote to memory of 936	316	ewnau.exe	b6e994d66f575d161506593466427d6bf18a506be5e3764dcc2a33df058a8047.exe
PID 316 wrote to memory of 936	316	ewnau.exe	b6e994d66f575d161506593466427d6bf18a506be5e3764dcc2a33df058a8047.exe
PID 316 wrote to memory of 936	316	ewnau.exe	b6e994d66f575d161506593466427d6bf18a506be5e3764dcc2a33df058a8047.exe
PID 316 wrote to memory of 936	316	ewnau.exe	b6e994d66f575d161506593466427d6bf18a506be5e3764dcc2a33df058a8047.exe
PID 316 wrote to memory of 936	316	ewnau.exe	b6e994d66f575d161506593466427d6bf18a506be5e3764dcc2a33df058a8047.exe
PID 936 wrote to memory of 968	936	b6e994d66f575d161506593466427d6bf18a506be5e3764dcc2a33df058a8047.exe	cmd.exe
PID 936 wrote to memory of 968	936	b6e994d66f575d161506593466427d6bf18a506be5e3764dcc2a33df058a8047.exe	cmd.exe
PID 936 wrote to memory of 968	936	b6e994d66f575d161506593466427d6bf18a506be5e3764dcc2a33df058a8047.exe	cmd.exe
PID 936 wrote to memory of 968	936	b6e994d66f575d161506593466427d6bf18a506be5e3764dcc2a33df058a8047.exe	cmd.exe
PID 936 wrote to memory of 968	936	b6e994d66f575d161506593466427d6bf18a506be5e3764dcc2a33df058a8047.exe	cmd.exe
PID 936 wrote to memory of 968	936	b6e994d66f575d161506593466427d6bf18a506be5e3764dcc2a33df058a8047.exe	cmd.exe
PID 936 wrote to memory of 968	936	b6e994d66f575d161506593466427d6bf18a506be5e3764dcc2a33df058a8047.exe	cmd.exe
PID 936 wrote to memory of 968	936	b6e994d66f575d161506593466427d6bf18a506be5e3764dcc2a33df058a8047.exe	cmd.exe
PID 936 wrote to memory of 968	936	b6e994d66f575d161506593466427d6bf18a506be5e3764dcc2a33df058a8047.exe	cmd.exe
PID 316 wrote to memory of 1640	316	ewnau.exe	conhost.exe
PID 316 wrote to memory of 1640	316	ewnau.exe	conhost.exe
PID 316 wrote to memory of 1640	316	ewnau.exe	conhost.exe
PID 316 wrote to memory of 1640	316	ewnau.exe	conhost.exe
PID 316 wrote to memory of 1640	316	ewnau.exe	conhost.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1132

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1264

C:\Users\Admin\AppData\Local\Temp\b6e994d66f575d161506593466427d6bf18a506be5e3764dcc2a33df058a8047.exe
"C:\Users\Admin\AppData\Local\Temp\b6e994d66f575d161506593466427d6bf18a506be5e3764dcc2a33df058a8047.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:936

C:\Users\Admin\AppData\Roaming\Orud\ewnau.exe
"C:\Users\Admin\AppData\Roaming\Orud\ewnau.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:316

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpbb395afd.bat"
3⤵
- Deletes itself
PID:968

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1216

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-537842487-1844887415-172486131944867769-1084133278-228183289-807957984-130730387"
1⤵
PID:1640

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\egwi.yju
Filesize
466B

MD5
ae2942cb0c4f433028c7907b2400529d

SHA1
d39c4f19f66287b679e8b6112ad091535ef86fb5

SHA256
dc06615af07fbbaeef7a49f81893e1339b1e58d0afc1c233297ed139e7454a81

SHA512
0e850f5bf6e4dcde1df6caede77f22bd0041c6ed672af614702261cfae642fa111e62fd4137b9672e226cefd78a78a46ede92eae1f46c04cc4aef0388c8c6f74

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpbb395afd.bat
Filesize
307B

MD5
d98479dd32d3ffe306a26e81d66278d5

SHA1
7d2e13e74ac1f7af5bf258e3cfcab4d3f9e785ed

SHA256
a6a194a2e7f40185e46a4e647371406bf4fe9d32e37b84bcf82994e6b759ca74

SHA512
be1112d5d2c3c2f146ec7c7f146ba2cc0d387eb82743edbd55460fdbfb0c1ee47dd1a1f6bc479c191a93e9bf8af578ffe190c94208ad1b1c81ec1bdb67d95c31

Download Submit
C:\Users\Admin\AppData\Roaming\Orud\ewnau.exe
Filesize
305KB

MD5
f9dd6b2606f44bbab041e6ea7185e8ab

SHA1
af31156992668e5f04abb0b0525e2318939ca13b

SHA256
99957d3326006122c8ba6c71b6c7053264ec03059b097bd4e690f5b63dda6a5c

SHA512
af273f09be65ef4104b743dce5cde425b7dd75c375d3a03f2d8c34e9c245c7b54655f0ef3dd2953c972929d82cc1961921579e6158416231cba89839d244c689

Download Submit
C:\Users\Admin\AppData\Roaming\Orud\ewnau.exe
Filesize
305KB

MD5
f9dd6b2606f44bbab041e6ea7185e8ab

SHA1
af31156992668e5f04abb0b0525e2318939ca13b

SHA256
99957d3326006122c8ba6c71b6c7053264ec03059b097bd4e690f5b63dda6a5c

SHA512
af273f09be65ef4104b743dce5cde425b7dd75c375d3a03f2d8c34e9c245c7b54655f0ef3dd2953c972929d82cc1961921579e6158416231cba89839d244c689

Download Submit
\Users\Admin\AppData\Roaming\Orud\ewnau.exe
Filesize
305KB

MD5
f9dd6b2606f44bbab041e6ea7185e8ab

SHA1
af31156992668e5f04abb0b0525e2318939ca13b

SHA256
99957d3326006122c8ba6c71b6c7053264ec03059b097bd4e690f5b63dda6a5c

SHA512
af273f09be65ef4104b743dce5cde425b7dd75c375d3a03f2d8c34e9c245c7b54655f0ef3dd2953c972929d82cc1961921579e6158416231cba89839d244c689

Download Submit
memory/316-116-0x0000000000100000-0x0000000000150000-memory.dmp

Filesize
320KB

Download
memory/316-100-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/316-60-0x0000000000000000-mapping.dmp

Download
memory/316-90-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/316-63-0x0000000000100000-0x0000000000150000-memory.dmp

Filesize
320KB

Download
memory/936-101-0x00000000001C0000-0x0000000000210000-memory.dmp

Filesize
320KB

Download
memory/936-105-0x00000000001C0000-0x0000000000204000-memory.dmp

Filesize
272KB

Download
memory/936-55-0x0000000076941000-0x0000000076943000-memory.dmp

Filesize
8KB

Download
memory/936-57-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/936-56-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/936-104-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/936-103-0x0000000000EE0000-0x0000000000F30000-memory.dmp

Filesize
320KB

Download
memory/936-54-0x0000000000EE0000-0x0000000000F30000-memory.dmp

Filesize
320KB

Download
memory/936-58-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/936-92-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/936-91-0x00000000001C0000-0x0000000000210000-memory.dmp

Filesize
320KB

Download
memory/936-62-0x00000000001C0000-0x0000000000210000-memory.dmp

Filesize
320KB

Download
memory/936-89-0x00000000001C0000-0x0000000000204000-memory.dmp

Filesize
272KB

Download
memory/936-88-0x00000000001C0000-0x0000000000204000-memory.dmp

Filesize
272KB

Download
memory/936-86-0x00000000001C0000-0x0000000000204000-memory.dmp

Filesize
272KB

Download
memory/936-87-0x00000000001C0000-0x0000000000204000-memory.dmp

Filesize
272KB

Download
memory/968-97-0x0000000000190000-0x00000000001D4000-memory.dmp

Filesize
272KB

Download
memory/968-108-0x0000000000190000-0x00000000001D4000-memory.dmp

Filesize
272KB

Download
memory/968-102-0x00000000001A71E6-mapping.dmp

Download
memory/968-99-0x0000000000190000-0x00000000001D4000-memory.dmp

Filesize
272KB

Download
memory/968-98-0x0000000000190000-0x00000000001D4000-memory.dmp

Filesize
272KB

Download
memory/968-95-0x0000000000190000-0x00000000001D4000-memory.dmp

Filesize
272KB

Download
memory/1132-70-0x0000000001B90000-0x0000000001BD4000-memory.dmp

Filesize
272KB

Download
memory/1132-68-0x0000000001B90000-0x0000000001BD4000-memory.dmp

Filesize
272KB

Download
memory/1132-66-0x0000000001B90000-0x0000000001BD4000-memory.dmp

Filesize
272KB

Download
memory/1132-71-0x0000000001B90000-0x0000000001BD4000-memory.dmp

Filesize
272KB

Download
memory/1132-69-0x0000000001B90000-0x0000000001BD4000-memory.dmp

Filesize
272KB

Download
memory/1216-77-0x0000000001E00000-0x0000000001E44000-memory.dmp

Filesize
272KB

Download
memory/1216-76-0x0000000001E00000-0x0000000001E44000-memory.dmp

Filesize
272KB

Download
memory/1216-75-0x0000000001E00000-0x0000000001E44000-memory.dmp

Filesize
272KB

Download
memory/1216-74-0x0000000001E00000-0x0000000001E44000-memory.dmp

Filesize
272KB

Download
memory/1264-83-0x0000000002710000-0x0000000002754000-memory.dmp

Filesize
272KB

Download
memory/1264-82-0x0000000002710000-0x0000000002754000-memory.dmp

Filesize
272KB

Download
memory/1264-81-0x0000000002710000-0x0000000002754000-memory.dmp

Filesize
272KB

Download
memory/1264-80-0x0000000002710000-0x0000000002754000-memory.dmp

Filesize
272KB

Download
memory/1640-111-0x0000000001BD0000-0x0000000001C14000-memory.dmp

Filesize
272KB

Download
memory/1640-112-0x0000000001BD0000-0x0000000001C14000-memory.dmp

Filesize
272KB

Download
memory/1640-113-0x0000000001BD0000-0x0000000001C14000-memory.dmp

Filesize
272KB

Download
memory/1640-114-0x0000000001BD0000-0x0000000001C14000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads