cobaltstrike | cdc9af3b60568c4eb2506895a67fcb4f972cca3c4ad8c2f9da393a92fcde859c

General

Target

cdc9af3b60568c4eb2506895a67fcb4f972cca3c4ad8c2f9da393a92fcde859c.exe
Size

120KB
MD5

0e446dc5045c9948e10864cd8b230e71
SHA1

f3738c9f9d20d304f821372b127b07ec05c1f1eb
SHA256

cdc9af3b60568c4eb2506895a67fcb4f972cca3c4ad8c2f9da393a92fcde859c
SHA512

9a39e6fed232d9ca095a5369ae7e969aeeb4a9ad32db7739f4aeb4c9e3d7296533028a129ad4b0cb31f466f14ad4dce948e973350b77602414670e599bf295d0
SSDEEP

1536:oX2tAh15hxrmf7VlBSBzD7TbNau3doRzEg0H86Lx8CAcf+SuqGMLefNe6WE5RXQ:+v5hm7VmBP7PtReQJUhMLgEE5RX

Score

10^/10

cobaltstrike backdoor persistence trojan

Malware Config

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Executes dropped EXE 1 IoCs

Processes:

CacheMgr.exe

pid process

980 CacheMgr.exe
Loads dropped DLL 1 IoCs

Processes:

cdc9af3b60568c4eb2506895a67fcb4f972cca3c4ad8c2f9da393a92fcde859c.exe

pid process

856 cdc9af3b60568c4eb2506895a67fcb4f972cca3c4ad8c2f9da393a92fcde859c.exe

pid	process
980	CacheMgr.exe

pid	process
856	cdc9af3b60568c4eb2506895a67fcb4f972cca3c4ad8c2f9da393a92fcde859c.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

cdc9af3b60568c4eb2506895a67fcb4f972cca3c4ad8c2f9da393a92fcde859c.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	cdc9af3b60568c4eb2506895a67fcb4f972cca3c4ad8c2f9da393a92fcde859c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\StubPath = "\"C:\\ProgramData\\CacheMgr.exe\" -as"	cdc9af3b60568c4eb2506895a67fcb4f972cca3c4ad8c2f9da393a92fcde859c.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

cdc9af3b60568c4eb2506895a67fcb4f972cca3c4ad8c2f9da393a92fcde859c.exe

description	pid	process	target process
PID 856 wrote to memory of 884	856	cdc9af3b60568c4eb2506895a67fcb4f972cca3c4ad8c2f9da393a92fcde859c.exe	cmd.exe
PID 856 wrote to memory of 884	856	cdc9af3b60568c4eb2506895a67fcb4f972cca3c4ad8c2f9da393a92fcde859c.exe	cmd.exe
PID 856 wrote to memory of 884	856	cdc9af3b60568c4eb2506895a67fcb4f972cca3c4ad8c2f9da393a92fcde859c.exe	cmd.exe
PID 856 wrote to memory of 884	856	cdc9af3b60568c4eb2506895a67fcb4f972cca3c4ad8c2f9da393a92fcde859c.exe	cmd.exe
PID 856 wrote to memory of 980	856	cdc9af3b60568c4eb2506895a67fcb4f972cca3c4ad8c2f9da393a92fcde859c.exe	CacheMgr.exe
PID 856 wrote to memory of 980	856	cdc9af3b60568c4eb2506895a67fcb4f972cca3c4ad8c2f9da393a92fcde859c.exe	CacheMgr.exe
PID 856 wrote to memory of 980	856	cdc9af3b60568c4eb2506895a67fcb4f972cca3c4ad8c2f9da393a92fcde859c.exe	CacheMgr.exe
PID 856 wrote to memory of 980	856	cdc9af3b60568c4eb2506895a67fcb4f972cca3c4ad8c2f9da393a92fcde859c.exe	CacheMgr.exe

C:\Users\Admin\AppData\Local\Temp\cdc9af3b60568c4eb2506895a67fcb4f972cca3c4ad8c2f9da393a92fcde859c.exe
"C:\Users\Admin\AppData\Local\Temp\cdc9af3b60568c4eb2506895a67fcb4f972cca3c4ad8c2f9da393a92fcde859c.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:856

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\cdc9af3b60568c4eb2506895a67fcb4f972cca3c4ad8c2f9da393a92fcde859c.exe" "C:\ProgramData\CacheMgr.exe"
2⤵
PID:884

C:\ProgramData\CacheMgr.exe
"C:\ProgramData\CacheMgr.exe" -as
2⤵
- Executes dropped EXE
PID:980

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\CacheMgr.exe
Filesize
120KB

MD5
0e446dc5045c9948e10864cd8b230e71

SHA1
f3738c9f9d20d304f821372b127b07ec05c1f1eb

SHA256
cdc9af3b60568c4eb2506895a67fcb4f972cca3c4ad8c2f9da393a92fcde859c

SHA512
9a39e6fed232d9ca095a5369ae7e969aeeb4a9ad32db7739f4aeb4c9e3d7296533028a129ad4b0cb31f466f14ad4dce948e973350b77602414670e599bf295d0

Download Submit
C:\ProgramData\CacheMgr.exe
Filesize
120KB

MD5
0e446dc5045c9948e10864cd8b230e71

SHA1
f3738c9f9d20d304f821372b127b07ec05c1f1eb

SHA256
cdc9af3b60568c4eb2506895a67fcb4f972cca3c4ad8c2f9da393a92fcde859c

SHA512
9a39e6fed232d9ca095a5369ae7e969aeeb4a9ad32db7739f4aeb4c9e3d7296533028a129ad4b0cb31f466f14ad4dce948e973350b77602414670e599bf295d0

Download Submit
\ProgramData\CacheMgr.exe
Filesize
120KB

MD5
0e446dc5045c9948e10864cd8b230e71

SHA1
f3738c9f9d20d304f821372b127b07ec05c1f1eb

SHA256
cdc9af3b60568c4eb2506895a67fcb4f972cca3c4ad8c2f9da393a92fcde859c

SHA512
9a39e6fed232d9ca095a5369ae7e969aeeb4a9ad32db7739f4aeb4c9e3d7296533028a129ad4b0cb31f466f14ad4dce948e973350b77602414670e599bf295d0

Download Submit
memory/856-58-0x0000000000020000-0x0000000000036000-memory.dmp

Filesize
88KB

Download
memory/856-55-0x0000000075D01000-0x0000000075D03000-memory.dmp

Filesize
8KB

Download
memory/856-57-0x00000000006E0000-0x00000000007E0000-memory.dmp

Filesize
1024KB

Download
memory/856-64-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/856-66-0x0000000000020000-0x0000000000036000-memory.dmp

Filesize
88KB

Download
memory/856-56-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/884-59-0x0000000000000000-mapping.dmp

Download
memory/980-62-0x0000000000000000-mapping.dmp

Download
memory/980-68-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/980-69-0x0000000000440000-0x0000000000540000-memory.dmp

Filesize
1024KB

Download
memory/980-70-0x0000000000020000-0x0000000000036000-memory.dmp

Filesize
88KB

Download
memory/980-71-0x0000000000020000-0x0000000000036000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing