cobaltstrike | cdc9af3b60568c4eb2506895a67fcb4f972cca3c4ad8c2f9da393a92fcde859c

Analysis

max time kernel
269s
max time network
320s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
04-12-2022 16:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cdc9af3b60568c4eb2506895a67fcb4f972cca3c4ad8c2f9da393a92fcde859c.exe
Size

120KB
MD5

0e446dc5045c9948e10864cd8b230e71
SHA1

f3738c9f9d20d304f821372b127b07ec05c1f1eb
SHA256

cdc9af3b60568c4eb2506895a67fcb4f972cca3c4ad8c2f9da393a92fcde859c
SHA512

9a39e6fed232d9ca095a5369ae7e969aeeb4a9ad32db7739f4aeb4c9e3d7296533028a129ad4b0cb31f466f14ad4dce948e973350b77602414670e599bf295d0
SSDEEP

1536:oX2tAh15hxrmf7VlBSBzD7TbNau3doRzEg0H86Lx8CAcf+SuqGMLefNe6WE5RXQ:+v5hm7VmBP7PtReQJUhMLgEE5RX

Score

10^/10

cobaltstrike backdoor persistence trojan

Malware Config

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

cdc9af3b60568c4eb2506895a67fcb4f972cca3c4ad8c2f9da393a92fcde859c.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows\CurrentVersion\Run	cdc9af3b60568c4eb2506895a67fcb4f972cca3c4ad8c2f9da393a92fcde859c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StubPath = "\"C:\\ProgramData\\CacheMgr.exe\" -as"	cdc9af3b60568c4eb2506895a67fcb4f972cca3c4ad8c2f9da393a92fcde859c.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cdc9af3b60568c4eb2506895a67fcb4f972cca3c4ad8c2f9da393a92fcde859c.exe

description	pid	process	target process
PID 2128 wrote to memory of 1400	2128	cdc9af3b60568c4eb2506895a67fcb4f972cca3c4ad8c2f9da393a92fcde859c.exe	cmd.exe
PID 2128 wrote to memory of 1400	2128	cdc9af3b60568c4eb2506895a67fcb4f972cca3c4ad8c2f9da393a92fcde859c.exe	cmd.exe
PID 2128 wrote to memory of 1400	2128	cdc9af3b60568c4eb2506895a67fcb4f972cca3c4ad8c2f9da393a92fcde859c.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\cdc9af3b60568c4eb2506895a67fcb4f972cca3c4ad8c2f9da393a92fcde859c.exe
"C:\Users\Admin\AppData\Local\Temp\cdc9af3b60568c4eb2506895a67fcb4f972cca3c4ad8c2f9da393a92fcde859c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2128

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\cdc9af3b60568c4eb2506895a67fcb4f972cca3c4ad8c2f9da393a92fcde859c.exe" "C:\ProgramData\CacheMgr.exe"
2⤵
PID:1400

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1400-137-0x0000000000000000-mapping.dmp

Download
memory/2128-132-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2128-134-0x00000000008F0000-0x00000000009F0000-memory.dmp

Filesize
1024KB

Download
memory/2128-135-0x00000000001D0000-0x00000000001E6000-memory.dmp

Filesize
88KB

Download
memory/2128-136-0x00000000008F0000-0x00000000009F0000-memory.dmp

Filesize
1024KB

Download
memory/2128-138-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download