cobaltstrike | 622c97a71938df9c3f0d01abd18a31a64957359374ddd14a6ee9e586a061510d

General

Target

622c97a71938df9c3f0d01abd18a31a64957359374ddd14a6ee9e586a061510d.exe
Size

312KB
MD5

7afd88642246a4d531d1f83e3569607f
SHA1

4bde933740cbec44c94b4d03edc27431f9e3473d
SHA256

622c97a71938df9c3f0d01abd18a31a64957359374ddd14a6ee9e586a061510d
SHA512

a55ef5b68ef3980160c3f99963ae600ac091d40bd48e804ca566476d5782f14e0a4b683f66db3f7c7f50f554e2a4790f137cc205835bdfe3c8e878109d488526
SSDEEP

6144:xWI+jNXUeLFTbCRTy7wzFzRODpyUOr2//l2TnLo0D5G:EIQUSbCvxzKy1rc/lsi

Score

10^/10

cobaltstrike backdoor persistence trojan

Malware Config

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Executes dropped EXE 1 IoCs

Processes:

xaylyc.exe

pid process

1520 xaylyc.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1768 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

622c97a71938df9c3f0d01abd18a31a64957359374ddd14a6ee9e586a061510d.exe

pid process

1672 622c97a71938df9c3f0d01abd18a31a64957359374ddd14a6ee9e586a061510d.exe

pid	process
1768	cmd.exe

pid	process
1672	622c97a71938df9c3f0d01abd18a31a64957359374ddd14a6ee9e586a061510d.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

xaylyc.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\Currentversion\Run	xaylyc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\{91C05068-4FEF-AD4D-7F1F-8FEC7D0BACF1} = "C:\\Users\\Admin\\AppData\\Roaming\\Ymjy\\xaylyc.exe"	xaylyc.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

622c97a71938df9c3f0d01abd18a31a64957359374ddd14a6ee9e586a061510d.exe

description	pid	process	target process
PID 1672 set thread context of 1768	1672	622c97a71938df9c3f0d01abd18a31a64957359374ddd14a6ee9e586a061510d.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

622c97a71938df9c3f0d01abd18a31a64957359374ddd14a6ee9e586a061510d.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Privacy	622c97a71938df9c3f0d01abd18a31a64957359374ddd14a6ee9e586a061510d.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	622c97a71938df9c3f0d01abd18a31a64957359374ddd14a6ee9e586a061510d.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

xaylyc.exe

pid	process
1520	xaylyc.exe
1520	xaylyc.exe
1520	xaylyc.exe
1520	xaylyc.exe
1520	xaylyc.exe
1520	xaylyc.exe
1520	xaylyc.exe
1520	xaylyc.exe
1520	xaylyc.exe
1520	xaylyc.exe
1520	xaylyc.exe
1520	xaylyc.exe
1520	xaylyc.exe
1520	xaylyc.exe
1520	xaylyc.exe
1520	xaylyc.exe
1520	xaylyc.exe
1520	xaylyc.exe
1520	xaylyc.exe
1520	xaylyc.exe
1520	xaylyc.exe
1520	xaylyc.exe
1520	xaylyc.exe
1520	xaylyc.exe
1520	xaylyc.exe
1520	xaylyc.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

622c97a71938df9c3f0d01abd18a31a64957359374ddd14a6ee9e586a061510d.exexaylyc.exe

description	pid	process	target process
PID 1672 wrote to memory of 1520	1672	622c97a71938df9c3f0d01abd18a31a64957359374ddd14a6ee9e586a061510d.exe	xaylyc.exe
PID 1672 wrote to memory of 1520	1672	622c97a71938df9c3f0d01abd18a31a64957359374ddd14a6ee9e586a061510d.exe	xaylyc.exe
PID 1672 wrote to memory of 1520	1672	622c97a71938df9c3f0d01abd18a31a64957359374ddd14a6ee9e586a061510d.exe	xaylyc.exe
PID 1672 wrote to memory of 1520	1672	622c97a71938df9c3f0d01abd18a31a64957359374ddd14a6ee9e586a061510d.exe	xaylyc.exe
PID 1520 wrote to memory of 1132	1520	xaylyc.exe	taskhost.exe
PID 1520 wrote to memory of 1132	1520	xaylyc.exe	taskhost.exe
PID 1520 wrote to memory of 1132	1520	xaylyc.exe	taskhost.exe
PID 1520 wrote to memory of 1132	1520	xaylyc.exe	taskhost.exe
PID 1520 wrote to memory of 1132	1520	xaylyc.exe	taskhost.exe
PID 1520 wrote to memory of 1224	1520	xaylyc.exe	Dwm.exe
PID 1520 wrote to memory of 1224	1520	xaylyc.exe	Dwm.exe
PID 1520 wrote to memory of 1224	1520	xaylyc.exe	Dwm.exe
PID 1520 wrote to memory of 1224	1520	xaylyc.exe	Dwm.exe
PID 1520 wrote to memory of 1224	1520	xaylyc.exe	Dwm.exe
PID 1520 wrote to memory of 1260	1520	xaylyc.exe	Explorer.EXE
PID 1520 wrote to memory of 1260	1520	xaylyc.exe	Explorer.EXE
PID 1520 wrote to memory of 1260	1520	xaylyc.exe	Explorer.EXE
PID 1520 wrote to memory of 1260	1520	xaylyc.exe	Explorer.EXE
PID 1520 wrote to memory of 1260	1520	xaylyc.exe	Explorer.EXE
PID 1520 wrote to memory of 1672	1520	xaylyc.exe	622c97a71938df9c3f0d01abd18a31a64957359374ddd14a6ee9e586a061510d.exe
PID 1520 wrote to memory of 1672	1520	xaylyc.exe	622c97a71938df9c3f0d01abd18a31a64957359374ddd14a6ee9e586a061510d.exe
PID 1520 wrote to memory of 1672	1520	xaylyc.exe	622c97a71938df9c3f0d01abd18a31a64957359374ddd14a6ee9e586a061510d.exe
PID 1520 wrote to memory of 1672	1520	xaylyc.exe	622c97a71938df9c3f0d01abd18a31a64957359374ddd14a6ee9e586a061510d.exe
PID 1520 wrote to memory of 1672	1520	xaylyc.exe	622c97a71938df9c3f0d01abd18a31a64957359374ddd14a6ee9e586a061510d.exe
PID 1672 wrote to memory of 1768	1672	622c97a71938df9c3f0d01abd18a31a64957359374ddd14a6ee9e586a061510d.exe	cmd.exe
PID 1672 wrote to memory of 1768	1672	622c97a71938df9c3f0d01abd18a31a64957359374ddd14a6ee9e586a061510d.exe	cmd.exe
PID 1672 wrote to memory of 1768	1672	622c97a71938df9c3f0d01abd18a31a64957359374ddd14a6ee9e586a061510d.exe	cmd.exe
PID 1672 wrote to memory of 1768	1672	622c97a71938df9c3f0d01abd18a31a64957359374ddd14a6ee9e586a061510d.exe	cmd.exe
PID 1672 wrote to memory of 1768	1672	622c97a71938df9c3f0d01abd18a31a64957359374ddd14a6ee9e586a061510d.exe	cmd.exe
PID 1672 wrote to memory of 1768	1672	622c97a71938df9c3f0d01abd18a31a64957359374ddd14a6ee9e586a061510d.exe	cmd.exe
PID 1672 wrote to memory of 1768	1672	622c97a71938df9c3f0d01abd18a31a64957359374ddd14a6ee9e586a061510d.exe	cmd.exe
PID 1672 wrote to memory of 1768	1672	622c97a71938df9c3f0d01abd18a31a64957359374ddd14a6ee9e586a061510d.exe	cmd.exe
PID 1672 wrote to memory of 1768	1672	622c97a71938df9c3f0d01abd18a31a64957359374ddd14a6ee9e586a061510d.exe	cmd.exe

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1224

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1260

C:\Users\Admin\AppData\Local\Temp\622c97a71938df9c3f0d01abd18a31a64957359374ddd14a6ee9e586a061510d.exe
"C:\Users\Admin\AppData\Local\Temp\622c97a71938df9c3f0d01abd18a31a64957359374ddd14a6ee9e586a061510d.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1672

C:\Users\Admin\AppData\Roaming\Ymjy\xaylyc.exe
"C:\Users\Admin\AppData\Roaming\Ymjy\xaylyc.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1520

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp9fb905dd.bat"
3⤵
- Deletes itself
PID:1768

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1132

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp9fb905dd.bat
Filesize
307B

MD5
7ba043acc77c1db1ed71f8588bad5515

SHA1
6f2e1617ae8d15bbc01ed66856bc7dd62ff1c687

SHA256
964a567c9cc0b8dfee3569f8bd01bc9b11c0db899b2a373bbbe93882f8d35c28

SHA512
0d767d3c207dfa6bd656dd67ca9c4b87eb931ad38df2c269d728868660299aeaceddde7408e74f6800eefe8f05cc4523ce8896f527a2395885dc67e017bbb8b1

Download Submit
C:\Users\Admin\AppData\Roaming\Ymjy\xaylyc.exe
Filesize
312KB

MD5
eb011f3d82838c0b01dc85a8ba047c4a

SHA1
c2885aa69f7026436f6eaf0f58f3f7452df82a89

SHA256
50b709e6744ace03d5e04b7fcd6261e34e26a96b79fc9a5989df838f48ca6180

SHA512
542f2dbe6e0f70b8358834a14bd5ac4327c1c4c0dbb2fc4f15fb84b8f519a5e669e7d2a6ddb7f57e7919381c0de32ce5b172d08d08ea9f2d041f68a76a70a210

Download Submit
C:\Users\Admin\AppData\Roaming\Ymjy\xaylyc.exe
Filesize
312KB

MD5
eb011f3d82838c0b01dc85a8ba047c4a

SHA1
c2885aa69f7026436f6eaf0f58f3f7452df82a89

SHA256
50b709e6744ace03d5e04b7fcd6261e34e26a96b79fc9a5989df838f48ca6180

SHA512
542f2dbe6e0f70b8358834a14bd5ac4327c1c4c0dbb2fc4f15fb84b8f519a5e669e7d2a6ddb7f57e7919381c0de32ce5b172d08d08ea9f2d041f68a76a70a210

Download Submit
\Users\Admin\AppData\Roaming\Ymjy\xaylyc.exe
Filesize
312KB

MD5
eb011f3d82838c0b01dc85a8ba047c4a

SHA1
c2885aa69f7026436f6eaf0f58f3f7452df82a89

SHA256
50b709e6744ace03d5e04b7fcd6261e34e26a96b79fc9a5989df838f48ca6180

SHA512
542f2dbe6e0f70b8358834a14bd5ac4327c1c4c0dbb2fc4f15fb84b8f519a5e669e7d2a6ddb7f57e7919381c0de32ce5b172d08d08ea9f2d041f68a76a70a210

Download Submit
memory/1132-69-0x0000000000330000-0x0000000000374000-memory.dmp

Filesize
272KB

Download
memory/1132-71-0x0000000000330000-0x0000000000374000-memory.dmp

Filesize
272KB

Download
memory/1132-70-0x0000000000330000-0x0000000000374000-memory.dmp

Filesize
272KB

Download
memory/1132-66-0x0000000000330000-0x0000000000374000-memory.dmp

Filesize
272KB

Download
memory/1132-68-0x0000000000330000-0x0000000000374000-memory.dmp

Filesize
272KB

Download
memory/1224-75-0x0000000001C80000-0x0000000001CC4000-memory.dmp

Filesize
272KB

Download
memory/1224-76-0x0000000001C80000-0x0000000001CC4000-memory.dmp

Filesize
272KB

Download
memory/1224-74-0x0000000001C80000-0x0000000001CC4000-memory.dmp

Filesize
272KB

Download
memory/1224-77-0x0000000001C80000-0x0000000001CC4000-memory.dmp

Filesize
272KB

Download
memory/1260-80-0x00000000029E0000-0x0000000002A24000-memory.dmp

Filesize
272KB

Download
memory/1260-83-0x00000000029E0000-0x0000000002A24000-memory.dmp

Filesize
272KB

Download
memory/1260-82-0x00000000029E0000-0x0000000002A24000-memory.dmp

Filesize
272KB

Download
memory/1260-81-0x00000000029E0000-0x0000000002A24000-memory.dmp

Filesize
272KB

Download
memory/1520-106-0x0000000000AB0000-0x0000000000B01000-memory.dmp

Filesize
324KB

Download
memory/1520-105-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1520-59-0x0000000000000000-mapping.dmp

Download
memory/1520-90-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1520-64-0x0000000000AB0000-0x0000000000B01000-memory.dmp

Filesize
324KB

Download
memory/1672-88-0x0000000000170000-0x00000000001B4000-memory.dmp

Filesize
272KB

Download
memory/1672-100-0x0000000000170000-0x00000000001B4000-memory.dmp

Filesize
272KB

Download
memory/1672-86-0x0000000000170000-0x00000000001B4000-memory.dmp

Filesize
272KB

Download
memory/1672-87-0x0000000000170000-0x00000000001B4000-memory.dmp

Filesize
272KB

Download
memory/1672-57-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1672-89-0x0000000000170000-0x00000000001B4000-memory.dmp

Filesize
272KB

Download
memory/1672-56-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1672-63-0x00000000003B0000-0x0000000000401000-memory.dmp

Filesize
324KB

Download
memory/1672-62-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1672-55-0x00000000012E0000-0x0000000001331000-memory.dmp

Filesize
324KB

Download
memory/1672-99-0x00000000012E0000-0x0000000001331000-memory.dmp

Filesize
324KB

Download
memory/1672-54-0x0000000075BD1000-0x0000000075BD3000-memory.dmp

Filesize
8KB

Download
memory/1672-101-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1768-98-0x00000000000671E6-mapping.dmp

Download
memory/1768-93-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1768-104-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1768-95-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1768-96-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1768-97-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads