cobaltstrike | 126de5fbab3e23ba914ee715b60df1acd7f8d7116a4ed17db09669b41b40ad81

General

Target

oci.dll
Size

529KB
MD5

977f2033e088034cdb05d6704969a84d
SHA1

68e6bf7eccca4482133368035b21d729b72b2beb
SHA256

ab50b3e2c03bddc7bb81cf7d9cd11b9abdbe1bc551a7b64e64f4e94807fc75c5
SHA512

bc7f7286bf04159c14211ff7b551a8f513437dd390b5cd57e78bcdb295936bc2c02eaab4b8d6b2b1ed2facb0bc0c5d81253a4a4d265bbd913bd1136455783b8b
SSDEEP

12288:OtX0V5RIbQvA8A0ag0r81Qmeh6YnocpXAFgzY:OERnC6YocpXAFgzY

Score

10^/10

cobaltstrike 0 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

0

Attributes

watermark
0

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Drops file in System32 directory 2 IoCs

Processes:

mmc.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\services.msc	mmc.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe

Drops file in Windows directory 1 IoCs

Processes:

msdtc.exe

description ioc process

File opened for modification C:\Windows\DtcInstall.log msdtc.exe

description	ioc	process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

msdtc.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\1e\52C64B7E	msdtc.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache	msdtc.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe

pid process

4452 powershell.exe
4452 powershell.exe
4452 powershell.exe

pid	process
4452	powershell.exe
4452	powershell.exe
4452	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

mmc.exepowershell.exe

description	pid	process
Token: 33	3572	mmc.exe
Token: SeIncBasePriorityPrivilege	3572	mmc.exe
Token: 33	3572	mmc.exe
Token: SeIncBasePriorityPrivilege	3572	mmc.exe
Token: SeDebugPrivilege	4452	powershell.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

mmc.exe

pid process

3572 mmc.exe
3572 mmc.exe
3572 mmc.exe
3572 mmc.exe

pid	process
3572	mmc.exe
3572	mmc.exe
3572	mmc.exe
3572	mmc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\oci.dll,#1
1⤵
PID:4964

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1016

C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\system32\services.msc"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3572

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4452

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:3444

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\82d030a797d347d68d028bd1c643f5e6 /t 4608 /p 3572
1⤵
PID:4404

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tpy4ryp1.5sy.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/3444-109-0x00007FFD50F70000-0x00007FFD515B8000-memory.dmp

Filesize
6.3MB

Download
memory/3444-150-0x00007FFD50F70000-0x00007FFD515B8000-memory.dmp

Filesize
6.3MB

Download
memory/3444-80-0x00007FFD50F70000-0x00007FFD515B8000-memory.dmp

Filesize
6.3MB

Download
memory/3444-145-0x00007FFD50F70000-0x00007FFD515B8000-memory.dmp

Filesize
6.3MB

Download
memory/3444-133-0x00007FFD50F70000-0x00007FFD515B8000-memory.dmp

Filesize
6.3MB

Download
memory/3444-126-0x00007FFD50F70000-0x00007FFD515B8000-memory.dmp

Filesize
6.3MB

Download
memory/3444-120-0x00007FFD50F70000-0x00007FFD515B8000-memory.dmp

Filesize
6.3MB

Download
memory/3444-98-0x00007FFD50F70000-0x00007FFD515B8000-memory.dmp

Filesize
6.3MB

Download
memory/3444-86-0x00007FFD50F70000-0x00007FFD515B8000-memory.dmp

Filesize
6.3MB

Download
memory/3444-115-0x00007FFD50F70000-0x00007FFD515B8000-memory.dmp

Filesize
6.3MB

Download
memory/4452-48-0x000002CEEB680000-0x000002CEEB6BC000-memory.dmp

Filesize
240KB

Download
memory/4452-105-0x00007FFD5A5D0000-0x00007FFD5AFBC000-memory.dmp

Filesize
9.9MB

Download
memory/4452-17-0x00007FFD5A5D0000-0x00007FFD5AFBC000-memory.dmp

Filesize
9.9MB

Download
memory/4452-72-0x000002CED2FB0000-0x000002CED2FC0000-memory.dmp

Filesize
64KB

Download
memory/4452-71-0x00007FFD5A5D0000-0x00007FFD5AFBC000-memory.dmp

Filesize
9.9MB

Download
memory/4452-59-0x000002CEEB9D0000-0x000002CEEBA46000-memory.dmp

Filesize
472KB

Download
memory/4452-87-0x000002CED2FB0000-0x000002CED2FC0000-memory.dmp

Filesize
64KB

Download
memory/4452-88-0x000002CED2FB0000-0x000002CED2FC0000-memory.dmp

Filesize
64KB

Download
memory/4452-84-0x000002CED2FB0000-0x000002CED2FC0000-memory.dmp

Filesize
64KB

Download
memory/4452-73-0x000002CED2FB0000-0x000002CED2FC0000-memory.dmp

Filesize
64KB

Download
memory/4452-18-0x000002CED2FB0000-0x000002CED2FC0000-memory.dmp

Filesize
64KB

Download
memory/4452-85-0x000002CED2FB0000-0x000002CED2FC0000-memory.dmp

Filesize
64KB

Download
memory/4452-20-0x000002CED2FB0000-0x000002CED2FC0000-memory.dmp

Filesize
64KB

Download
memory/4452-21-0x000002CEEB310000-0x000002CEEB332000-memory.dmp

Filesize
136KB

Download
memory/4964-1-0x00007FFD5DDF0000-0x00007FFD5E438000-memory.dmp

Filesize
6.3MB

Download
memory/4964-0-0x00000184DC0E0000-0x00000184DC120000-memory.dmp

Filesize
256KB

Download
memory/4964-2-0x00007FFD5DDF0000-0x00007FFD5E438000-memory.dmp

Filesize
6.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads