cobaltstrike | c5bb04b0b246c3a99df4521fd23a40af492c26c798184bbcebf43d7ff7795d45

Analysis

max time kernel
152s
max time network
170s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
03/12/2022, 13:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c5bb04b0b246c3a99df4521fd23a40af492c26c798184bbcebf43d7ff7795d45.exe
Size

307KB
MD5

c9c4c19db4bb017de7ce370354892ff4
SHA1

58aa9c297eb24425544014e1404d6b565fe7bad2
SHA256

c5bb04b0b246c3a99df4521fd23a40af492c26c798184bbcebf43d7ff7795d45
SHA512

c34da5ee4af81fc4ab2b1ca7bc02f54c51b6efea109c0484721f32d9be0b6c636508f86e59c6dbe6c6bca0c408e3264d6f8aeca85ebde0060183a2bce6199e0b
SSDEEP

6144:HkSz5T72Y0SKzinYKTY1SQshfRPVQe1MZkIYSccr7wbstOAPECYeixlYGic5:Hkql7SSlYsY1UMqMZJYSN7wbstOA8fvP

Score

10^/10

cobaltstrike backdoor persistence trojan

Malware Config

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Executes dropped EXE 1 IoCs

pid	Process
2036	ofiw.exe

Deletes itself 1 IoCs

pid	Process
544	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
1224	c5bb04b0b246c3a99df4521fd23a40af492c26c798184bbcebf43d7ff7795d45.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\Currentversion\Run	ofiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\{A87A45C8-3774-AD4D-8524-3978BFBA1A65} = "C:\\Users\\Admin\\AppData\\Roaming\\Ofij\\ofiw.exe"	ofiw.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1224 set thread context of 544	1224	c5bb04b0b246c3a99df4521fd23a40af492c26c798184bbcebf43d7ff7795d45.exe	29

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Privacy	c5bb04b0b246c3a99df4521fd23a40af492c26c798184bbcebf43d7ff7795d45.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	c5bb04b0b246c3a99df4521fd23a40af492c26c798184bbcebf43d7ff7795d45.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2036	ofiw.exe
2036	ofiw.exe
2036	ofiw.exe
2036	ofiw.exe
2036	ofiw.exe
2036	ofiw.exe
2036	ofiw.exe
2036	ofiw.exe
2036	ofiw.exe
2036	ofiw.exe
2036	ofiw.exe
2036	ofiw.exe
2036	ofiw.exe
2036	ofiw.exe
2036	ofiw.exe
2036	ofiw.exe
2036	ofiw.exe
2036	ofiw.exe
2036	ofiw.exe
2036	ofiw.exe
2036	ofiw.exe
2036	ofiw.exe
2036	ofiw.exe
2036	ofiw.exe
2036	ofiw.exe
2036	ofiw.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1224 wrote to memory of 2036	1224	c5bb04b0b246c3a99df4521fd23a40af492c26c798184bbcebf43d7ff7795d45.exe	28
PID 1224 wrote to memory of 2036	1224	c5bb04b0b246c3a99df4521fd23a40af492c26c798184bbcebf43d7ff7795d45.exe	28
PID 1224 wrote to memory of 2036	1224	c5bb04b0b246c3a99df4521fd23a40af492c26c798184bbcebf43d7ff7795d45.exe	28
PID 1224 wrote to memory of 2036	1224	c5bb04b0b246c3a99df4521fd23a40af492c26c798184bbcebf43d7ff7795d45.exe	28
PID 2036 wrote to memory of 1128	2036	ofiw.exe	19
PID 2036 wrote to memory of 1128	2036	ofiw.exe	19
PID 2036 wrote to memory of 1128	2036	ofiw.exe	19
PID 2036 wrote to memory of 1128	2036	ofiw.exe	19
PID 2036 wrote to memory of 1128	2036	ofiw.exe	19
PID 2036 wrote to memory of 1192	2036	ofiw.exe	18
PID 2036 wrote to memory of 1192	2036	ofiw.exe	18
PID 2036 wrote to memory of 1192	2036	ofiw.exe	18
PID 2036 wrote to memory of 1192	2036	ofiw.exe	18
PID 2036 wrote to memory of 1192	2036	ofiw.exe	18
PID 2036 wrote to memory of 1244	2036	ofiw.exe	17
PID 2036 wrote to memory of 1244	2036	ofiw.exe	17
PID 2036 wrote to memory of 1244	2036	ofiw.exe	17
PID 2036 wrote to memory of 1244	2036	ofiw.exe	17
PID 2036 wrote to memory of 1244	2036	ofiw.exe	17
PID 2036 wrote to memory of 1224	2036	ofiw.exe	27
PID 2036 wrote to memory of 1224	2036	ofiw.exe	27
PID 2036 wrote to memory of 1224	2036	ofiw.exe	27
PID 2036 wrote to memory of 1224	2036	ofiw.exe	27
PID 2036 wrote to memory of 1224	2036	ofiw.exe	27
PID 1224 wrote to memory of 544	1224	c5bb04b0b246c3a99df4521fd23a40af492c26c798184bbcebf43d7ff7795d45.exe	29
PID 1224 wrote to memory of 544	1224	c5bb04b0b246c3a99df4521fd23a40af492c26c798184bbcebf43d7ff7795d45.exe	29
PID 1224 wrote to memory of 544	1224	c5bb04b0b246c3a99df4521fd23a40af492c26c798184bbcebf43d7ff7795d45.exe	29
PID 1224 wrote to memory of 544	1224	c5bb04b0b246c3a99df4521fd23a40af492c26c798184bbcebf43d7ff7795d45.exe	29
PID 1224 wrote to memory of 544	1224	c5bb04b0b246c3a99df4521fd23a40af492c26c798184bbcebf43d7ff7795d45.exe	29
PID 1224 wrote to memory of 544	1224	c5bb04b0b246c3a99df4521fd23a40af492c26c798184bbcebf43d7ff7795d45.exe	29
PID 1224 wrote to memory of 544	1224	c5bb04b0b246c3a99df4521fd23a40af492c26c798184bbcebf43d7ff7795d45.exe	29
PID 1224 wrote to memory of 544	1224	c5bb04b0b246c3a99df4521fd23a40af492c26c798184bbcebf43d7ff7795d45.exe	29
PID 1224 wrote to memory of 544	1224	c5bb04b0b246c3a99df4521fd23a40af492c26c798184bbcebf43d7ff7795d45.exe	29

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1244
- C:\Users\Admin\AppData\Local\Temp\c5bb04b0b246c3a99df4521fd23a40af492c26c798184bbcebf43d7ff7795d45.exe
  "C:\Users\Admin\AppData\Local\Temp\c5bb04b0b246c3a99df4521fd23a40af492c26c798184bbcebf43d7ff7795d45.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory
  PID:1224
- - C:\Users\Admin\AppData\Roaming\Ofij\ofiw.exe
    "C:\Users\Admin\AppData\Roaming\Ofij\ofiw.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2036
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpaaec6852.bat"
    3⤵
    - Deletes itself
    PID:544

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1192

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1128

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\cuegeq.pyu

Filesize
466B

MD5
07b2d45b79235bf620436f160620afcd

SHA1
ab2e802148c65a388c0f0a0f2f63655ca08b645e

SHA256
9dca910e3d3926ff1f7dff61e73d37520c87d4910c2f74cbc7437d33b285d831

SHA512
b004a6e8aa925c7480245b38a93393f6fc8161bbaee679399f146f7e54daaec7ebcbd3d2177d96fbf0cc2d8e4bcfcdaba07162348903b485fb07f0d2cbcea906

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaaec6852.bat

Filesize
307B

MD5
376550e285fa32f532bea99433b19690

SHA1
358fecf71de1a381be130aa4e88e4a15b68211b1

SHA256
5717ba641b23f23e772312c8cc36d6c20e846da65573209dec7f3b09f218abba

SHA512
5e4722aee4f578902305a4e92f9b516f8b37edd92f88518d481b9697a447246057f97255eca5a54b4a5476060750abf85b5dce629bacf2f5ba1dca8b9155ac3c

Download Submit
C:\Users\Admin\AppData\Roaming\Ofij\ofiw.exe

Filesize
307KB

MD5
900faaacab6efffb736e8ff196e236fc

SHA1
f0dd546cc3ad5254122b0ac4d61fda795dc88d17

SHA256
f50bd68d7e2902e33bb660097fd842f474629140b29821e32f83c4426ea27b9d

SHA512
49a2b9803fe5b1878cf58f37607269b7666cc1d2301852a7ac8f4146e56db6edcdbf858a8437577ede6b99212b1124643cdd317bd0cb2ea25b16c6d5105e8f19

Download Submit
C:\Users\Admin\AppData\Roaming\Ofij\ofiw.exe

Filesize
307KB

MD5
900faaacab6efffb736e8ff196e236fc

SHA1
f0dd546cc3ad5254122b0ac4d61fda795dc88d17

SHA256
f50bd68d7e2902e33bb660097fd842f474629140b29821e32f83c4426ea27b9d

SHA512
49a2b9803fe5b1878cf58f37607269b7666cc1d2301852a7ac8f4146e56db6edcdbf858a8437577ede6b99212b1124643cdd317bd0cb2ea25b16c6d5105e8f19

Download Submit
\Users\Admin\AppData\Roaming\Ofij\ofiw.exe

Filesize
307KB

MD5
900faaacab6efffb736e8ff196e236fc

SHA1
f0dd546cc3ad5254122b0ac4d61fda795dc88d17

SHA256
f50bd68d7e2902e33bb660097fd842f474629140b29821e32f83c4426ea27b9d

SHA512
49a2b9803fe5b1878cf58f37607269b7666cc1d2301852a7ac8f4146e56db6edcdbf858a8437577ede6b99212b1124643cdd317bd0cb2ea25b16c6d5105e8f19

Download Submit
memory/544-97-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/544-108-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/544-99-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/544-101-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/544-100-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1128-66-0x0000000001E70000-0x0000000001EB4000-memory.dmp

Filesize
272KB

Download
memory/1128-68-0x0000000001E70000-0x0000000001EB4000-memory.dmp

Filesize
272KB

Download
memory/1128-69-0x0000000001E70000-0x0000000001EB4000-memory.dmp

Filesize
272KB

Download
memory/1128-70-0x0000000001E70000-0x0000000001EB4000-memory.dmp

Filesize
272KB

Download
memory/1128-71-0x0000000001E70000-0x0000000001EB4000-memory.dmp

Filesize
272KB

Download
memory/1192-74-0x0000000001C50000-0x0000000001C94000-memory.dmp

Filesize
272KB

Download
memory/1192-75-0x0000000001C50000-0x0000000001C94000-memory.dmp

Filesize
272KB

Download
memory/1192-76-0x0000000001C50000-0x0000000001C94000-memory.dmp

Filesize
272KB

Download
memory/1192-77-0x0000000001C50000-0x0000000001C94000-memory.dmp

Filesize
272KB

Download
memory/1224-56-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1224-55-0x0000000075C41000-0x0000000075C43000-memory.dmp

Filesize
8KB

Download
memory/1224-61-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1224-57-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1224-86-0x0000000000140000-0x0000000000184000-memory.dmp

Filesize
272KB

Download
memory/1224-87-0x0000000000140000-0x0000000000184000-memory.dmp

Filesize
272KB

Download
memory/1224-88-0x0000000000140000-0x0000000000184000-memory.dmp

Filesize
272KB

Download
memory/1224-89-0x0000000000140000-0x0000000000184000-memory.dmp

Filesize
272KB

Download
memory/1224-104-0x0000000000140000-0x0000000000184000-memory.dmp

Filesize
272KB

Download
memory/1224-91-0x0000000000140000-0x0000000000191000-memory.dmp

Filesize
324KB

Download
memory/1224-92-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1224-103-0x0000000000EC0000-0x0000000000F11000-memory.dmp

Filesize
324KB

Download
memory/1224-94-0x0000000000140000-0x0000000000191000-memory.dmp

Filesize
324KB

Download
memory/1224-54-0x0000000000EC0000-0x0000000000F11000-memory.dmp

Filesize
324KB

Download
memory/1224-62-0x0000000000140000-0x0000000000191000-memory.dmp

Filesize
324KB

Download
memory/1244-81-0x0000000002610000-0x0000000002654000-memory.dmp

Filesize
272KB

Download
memory/1244-83-0x0000000002610000-0x0000000002654000-memory.dmp

Filesize
272KB

Download
memory/1244-82-0x0000000002610000-0x0000000002654000-memory.dmp

Filesize
272KB

Download
memory/1244-80-0x0000000002610000-0x0000000002654000-memory.dmp

Filesize
272KB

Download
memory/2036-63-0x0000000000EB0000-0x0000000000F01000-memory.dmp

Filesize
324KB

Download
memory/2036-93-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/2036-90-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/2036-109-0x0000000000EB0000-0x0000000000F01000-memory.dmp

Filesize
324KB

Download