cobaltstrike | a7fd73624792d4993348fe43544628dc03569914c7a9933080789805bd550665

General

Target

a7fd73624792d4993348fe43544628dc03569914c7a9933080789805bd550665.exe
Size

307KB
MD5

4057be9f1e25cfe2414406523452d90e
SHA1

5be2fb943eb8c7b191eed508485a700e4917aafc
SHA256

a7fd73624792d4993348fe43544628dc03569914c7a9933080789805bd550665
SHA512

4a9299449be938f5f8fbfb5f90888fd6ed8b05d268e86ad8c7dc3c05e86388470aaa4a05030eced68168a029ba2c2026432d1af915131ea70291d5eed0695c11
SSDEEP

6144:mTfzWT72Y0SgzinYKTY1SQshfRPVQe1MZkIYSccr7wbstOmPECYeixlYGicm:mTrS7SSjYsY1UMqMZJYSN7wbstOm8fvw

Score

10^/10

cobaltstrike backdoor persistence trojan

Malware Config

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Executes dropped EXE 1 IoCs

Processes:

ritu.exe

pid process

1108 ritu.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

952 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

a7fd73624792d4993348fe43544628dc03569914c7a9933080789805bd550665.exe

pid process

968 a7fd73624792d4993348fe43544628dc03569914c7a9933080789805bd550665.exe

pid	process
952	cmd.exe

pid	process
968	a7fd73624792d4993348fe43544628dc03569914c7a9933080789805bd550665.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ritu.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\Currentversion\Run	ritu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\{A87A45C8-3774-AD4D-8524-3978BFBA1A65} = "C:\\Users\\Admin\\AppData\\Roaming\\Wovy\\ritu.exe"	ritu.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

a7fd73624792d4993348fe43544628dc03569914c7a9933080789805bd550665.exe

description pid process target process

PID 968 set thread context of 952 968 a7fd73624792d4993348fe43544628dc03569914c7a9933080789805bd550665.exe cmd.exe

description	pid	process	target process
PID 968 set thread context of 952	968	a7fd73624792d4993348fe43544628dc03569914c7a9933080789805bd550665.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

a7fd73624792d4993348fe43544628dc03569914c7a9933080789805bd550665.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Privacy	a7fd73624792d4993348fe43544628dc03569914c7a9933080789805bd550665.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	a7fd73624792d4993348fe43544628dc03569914c7a9933080789805bd550665.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

ritu.exe

pid	process
1108	ritu.exe
1108	ritu.exe
1108	ritu.exe
1108	ritu.exe
1108	ritu.exe
1108	ritu.exe
1108	ritu.exe
1108	ritu.exe
1108	ritu.exe
1108	ritu.exe
1108	ritu.exe
1108	ritu.exe
1108	ritu.exe
1108	ritu.exe
1108	ritu.exe
1108	ritu.exe
1108	ritu.exe
1108	ritu.exe
1108	ritu.exe
1108	ritu.exe
1108	ritu.exe
1108	ritu.exe
1108	ritu.exe
1108	ritu.exe
1108	ritu.exe
1108	ritu.exe
1108	ritu.exe
1108	ritu.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

a7fd73624792d4993348fe43544628dc03569914c7a9933080789805bd550665.exeritu.exe

description	pid	process	target process
PID 968 wrote to memory of 1108	968	a7fd73624792d4993348fe43544628dc03569914c7a9933080789805bd550665.exe	ritu.exe
PID 968 wrote to memory of 1108	968	a7fd73624792d4993348fe43544628dc03569914c7a9933080789805bd550665.exe	ritu.exe
PID 968 wrote to memory of 1108	968	a7fd73624792d4993348fe43544628dc03569914c7a9933080789805bd550665.exe	ritu.exe
PID 968 wrote to memory of 1108	968	a7fd73624792d4993348fe43544628dc03569914c7a9933080789805bd550665.exe	ritu.exe
PID 1108 wrote to memory of 1124	1108	ritu.exe	taskhost.exe
PID 1108 wrote to memory of 1124	1108	ritu.exe	taskhost.exe
PID 1108 wrote to memory of 1124	1108	ritu.exe	taskhost.exe
PID 1108 wrote to memory of 1124	1108	ritu.exe	taskhost.exe
PID 1108 wrote to memory of 1124	1108	ritu.exe	taskhost.exe
PID 1108 wrote to memory of 1172	1108	ritu.exe	Dwm.exe
PID 1108 wrote to memory of 1172	1108	ritu.exe	Dwm.exe
PID 1108 wrote to memory of 1172	1108	ritu.exe	Dwm.exe
PID 1108 wrote to memory of 1172	1108	ritu.exe	Dwm.exe
PID 1108 wrote to memory of 1172	1108	ritu.exe	Dwm.exe
PID 1108 wrote to memory of 1232	1108	ritu.exe	Explorer.EXE
PID 1108 wrote to memory of 1232	1108	ritu.exe	Explorer.EXE
PID 1108 wrote to memory of 1232	1108	ritu.exe	Explorer.EXE
PID 1108 wrote to memory of 1232	1108	ritu.exe	Explorer.EXE
PID 1108 wrote to memory of 1232	1108	ritu.exe	Explorer.EXE
PID 1108 wrote to memory of 968	1108	ritu.exe	a7fd73624792d4993348fe43544628dc03569914c7a9933080789805bd550665.exe
PID 1108 wrote to memory of 968	1108	ritu.exe	a7fd73624792d4993348fe43544628dc03569914c7a9933080789805bd550665.exe
PID 1108 wrote to memory of 968	1108	ritu.exe	a7fd73624792d4993348fe43544628dc03569914c7a9933080789805bd550665.exe
PID 1108 wrote to memory of 968	1108	ritu.exe	a7fd73624792d4993348fe43544628dc03569914c7a9933080789805bd550665.exe
PID 1108 wrote to memory of 968	1108	ritu.exe	a7fd73624792d4993348fe43544628dc03569914c7a9933080789805bd550665.exe
PID 968 wrote to memory of 952	968	a7fd73624792d4993348fe43544628dc03569914c7a9933080789805bd550665.exe	cmd.exe
PID 968 wrote to memory of 952	968	a7fd73624792d4993348fe43544628dc03569914c7a9933080789805bd550665.exe	cmd.exe
PID 968 wrote to memory of 952	968	a7fd73624792d4993348fe43544628dc03569914c7a9933080789805bd550665.exe	cmd.exe
PID 968 wrote to memory of 952	968	a7fd73624792d4993348fe43544628dc03569914c7a9933080789805bd550665.exe	cmd.exe
PID 968 wrote to memory of 952	968	a7fd73624792d4993348fe43544628dc03569914c7a9933080789805bd550665.exe	cmd.exe
PID 968 wrote to memory of 952	968	a7fd73624792d4993348fe43544628dc03569914c7a9933080789805bd550665.exe	cmd.exe
PID 968 wrote to memory of 952	968	a7fd73624792d4993348fe43544628dc03569914c7a9933080789805bd550665.exe	cmd.exe
PID 968 wrote to memory of 952	968	a7fd73624792d4993348fe43544628dc03569914c7a9933080789805bd550665.exe	cmd.exe
PID 968 wrote to memory of 952	968	a7fd73624792d4993348fe43544628dc03569914c7a9933080789805bd550665.exe	cmd.exe
PID 1108 wrote to memory of 1676	1108	ritu.exe	DllHost.exe
PID 1108 wrote to memory of 1676	1108	ritu.exe	DllHost.exe
PID 1108 wrote to memory of 1676	1108	ritu.exe	DllHost.exe
PID 1108 wrote to memory of 1676	1108	ritu.exe	DllHost.exe
PID 1108 wrote to memory of 1676	1108	ritu.exe	DllHost.exe
PID 1108 wrote to memory of 1328	1108	ritu.exe	DllHost.exe
PID 1108 wrote to memory of 1328	1108	ritu.exe	DllHost.exe
PID 1108 wrote to memory of 1328	1108	ritu.exe	DllHost.exe
PID 1108 wrote to memory of 1328	1108	ritu.exe	DllHost.exe
PID 1108 wrote to memory of 1328	1108	ritu.exe	DllHost.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1124

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1172

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1232

C:\Users\Admin\AppData\Local\Temp\a7fd73624792d4993348fe43544628dc03569914c7a9933080789805bd550665.exe
"C:\Users\Admin\AppData\Local\Temp\a7fd73624792d4993348fe43544628dc03569914c7a9933080789805bd550665.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:968

C:\Users\Admin\AppData\Roaming\Wovy\ritu.exe
"C:\Users\Admin\AppData\Roaming\Wovy\ritu.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1108

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp1386f1ce.bat"
3⤵
- Deletes itself
PID:952

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1676

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1328

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\enoj.veo
Filesize
837B

MD5
a2f53708cc13842d6ee1496f848c4893

SHA1
e8cf54c5b4688e03e34a75c119c1c0fc5cf1bd38

SHA256
d0a4ef6b7531f2b77cfa87ea8cba5907c47e436759ece097a32327006bf213d6

SHA512
c07d3ad56f93c908cf4fd4b631b2529b486727b08b10082deaaa0b8e7594ae09a16ce972d09105e2f3793d9337347de5b69a8bce89b64ee919221074bf98393b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1386f1ce.bat
Filesize
307B

MD5
19602c12ebb519ecf21ccd39fa18f3a9

SHA1
53a99d5185ea586983820cb81878b8dc3b3270a9

SHA256
abac56a1e814dda7fc7a690c47d4797ba8f2f0f3098788daca12c22ff02f95e8

SHA512
f3ee05ee18ddb6f92a88591e09aa30c5b57013d689c5925c6527e36268e82c64cf18a9157fd711047ef9a9e09ee9cff647592be787fde5c6f4e39ce6c024c54c

Download Submit
C:\Users\Admin\AppData\Roaming\Wovy\ritu.exe
Filesize
307KB

MD5
8d93b4cb1be49a4bc19903f38e2ccd62

SHA1
5862533671ba38513dcad3e7747a2f85e4aab4f9

SHA256
7819cb490f3fabe3f85b61bc17dfe5f1073cff2b3f3af87a5531cf7936168852

SHA512
e60e6fc7d6bcdd6e944ee0795e4973649c115c0895bb0570a121b4a47d7ecc6d2b801646d4c8ea3028b7ffe9cedbdbf15e354fd720a487e7d2c6d4aadc1ad6ba

Download Submit
C:\Users\Admin\AppData\Roaming\Wovy\ritu.exe
Filesize
307KB

MD5
8d93b4cb1be49a4bc19903f38e2ccd62

SHA1
5862533671ba38513dcad3e7747a2f85e4aab4f9

SHA256
7819cb490f3fabe3f85b61bc17dfe5f1073cff2b3f3af87a5531cf7936168852

SHA512
e60e6fc7d6bcdd6e944ee0795e4973649c115c0895bb0570a121b4a47d7ecc6d2b801646d4c8ea3028b7ffe9cedbdbf15e354fd720a487e7d2c6d4aadc1ad6ba

Download Submit
\Users\Admin\AppData\Roaming\Wovy\ritu.exe
Filesize
307KB

MD5
8d93b4cb1be49a4bc19903f38e2ccd62

SHA1
5862533671ba38513dcad3e7747a2f85e4aab4f9

SHA256
7819cb490f3fabe3f85b61bc17dfe5f1073cff2b3f3af87a5531cf7936168852

SHA512
e60e6fc7d6bcdd6e944ee0795e4973649c115c0895bb0570a121b4a47d7ecc6d2b801646d4c8ea3028b7ffe9cedbdbf15e354fd720a487e7d2c6d4aadc1ad6ba

Download Submit
memory/952-94-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/952-108-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/952-106-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/952-101-0x00000000000671E6-mapping.dmp

Download
memory/952-98-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/952-97-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/952-96-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/968-88-0x0000000000260000-0x00000000002A4000-memory.dmp

Filesize
272KB

Download
memory/968-103-0x0000000000260000-0x00000000002A4000-memory.dmp

Filesize
272KB

Download
memory/968-62-0x0000000000260000-0x00000000002B0000-memory.dmp

Filesize
320KB

Download
memory/968-55-0x0000000075351000-0x0000000075353000-memory.dmp

Filesize
8KB

Download
memory/968-56-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/968-57-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/968-91-0x0000000000260000-0x00000000002B0000-memory.dmp

Filesize
320KB

Download
memory/968-102-0x00000000008D0000-0x0000000000920000-memory.dmp

Filesize
320KB

Download
memory/968-90-0x0000000000260000-0x00000000002A4000-memory.dmp

Filesize
272KB

Download
memory/968-89-0x0000000000260000-0x00000000002A4000-memory.dmp

Filesize
272KB

Download
memory/968-61-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/968-54-0x00000000008D0000-0x0000000000920000-memory.dmp

Filesize
320KB

Download
memory/968-99-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/968-87-0x0000000000260000-0x00000000002A4000-memory.dmp

Filesize
272KB

Download
memory/1108-100-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1108-63-0x0000000000010000-0x0000000000060000-memory.dmp

Filesize
320KB

Download
memory/1108-79-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1108-59-0x0000000000000000-mapping.dmp

Download
memory/1108-109-0x0000000000010000-0x0000000000060000-memory.dmp

Filesize
320KB

Download
memory/1124-66-0x0000000001EC0000-0x0000000001F04000-memory.dmp

Filesize
272KB

Download
memory/1124-68-0x0000000001EC0000-0x0000000001F04000-memory.dmp

Filesize
272KB

Download
memory/1124-71-0x0000000001EC0000-0x0000000001F04000-memory.dmp

Filesize
272KB

Download
memory/1124-70-0x0000000001EC0000-0x0000000001F04000-memory.dmp

Filesize
272KB

Download
memory/1124-69-0x0000000001EC0000-0x0000000001F04000-memory.dmp

Filesize
272KB

Download
memory/1172-75-0x0000000000230000-0x0000000000274000-memory.dmp

Filesize
272KB

Download
memory/1172-74-0x0000000000230000-0x0000000000274000-memory.dmp

Filesize
272KB

Download
memory/1172-77-0x0000000000230000-0x0000000000274000-memory.dmp

Filesize
272KB

Download
memory/1172-76-0x0000000000230000-0x0000000000274000-memory.dmp

Filesize
272KB

Download
memory/1232-81-0x0000000002B30000-0x0000000002B74000-memory.dmp

Filesize
272KB

Download
memory/1232-82-0x0000000002B30000-0x0000000002B74000-memory.dmp

Filesize
272KB

Download
memory/1232-83-0x0000000002B30000-0x0000000002B74000-memory.dmp

Filesize
272KB

Download
memory/1232-84-0x0000000002B30000-0x0000000002B74000-memory.dmp

Filesize
272KB

Download
memory/1328-118-0x0000000003B50000-0x0000000003B94000-memory.dmp

Filesize
272KB

Download
memory/1328-119-0x0000000003B50000-0x0000000003B94000-memory.dmp

Filesize
272KB

Download
memory/1328-120-0x0000000003B50000-0x0000000003B94000-memory.dmp

Filesize
272KB

Download
memory/1328-121-0x0000000003B50000-0x0000000003B94000-memory.dmp

Filesize
272KB

Download
memory/1676-113-0x00000000001F0000-0x0000000000234000-memory.dmp

Filesize
272KB

Download
memory/1676-115-0x00000000001F0000-0x0000000000234000-memory.dmp

Filesize
272KB

Download
memory/1676-114-0x00000000001F0000-0x0000000000234000-memory.dmp

Filesize
272KB

Download
memory/1676-112-0x00000000001F0000-0x0000000000234000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads