cobaltstrike | 7f5bc615e401caaf9252dbbe0349c59710e9b63efc5a50a0f6dacb0fb06f0b30

General

Target

7f5bc615e401caaf9252dbbe0349c59710e9b63efc5a50a0f6dacb0fb06f0b30.exe
Size

409KB
MD5

7c8ec206d0043df90b7eccf6bd266576
SHA1

b73615aedbafea3d4be7d436e6b88299e5c147f3
SHA256

7f5bc615e401caaf9252dbbe0349c59710e9b63efc5a50a0f6dacb0fb06f0b30
SHA512

b7f9a68b71e438425a1673f9dc82403ac8be3ad343657673524817c851728e1595589f94df8fb66c6ae1b23e0c092ee835c8071ab15ec838a66a636a7de71a86
SSDEEP

6144:kIPnx3+QPLWV9MAud5fcq2nES078acb+IYEKskHS/hoEI:jx3+QSV9Ad5f8nES0YacY9DH4W

Score

10^/10

cobaltstrike kinsing backdoor loader trojan

Malware Config

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Kinsing
Kinsing is a loader written in Golang.
loader kinsing
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

23 3972 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

1132 svchost.exe
Drops file in System32 directory 1 IoCs

Processes:

rundll32.exe

description ioc process

File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UPnP\svchost rundll32.exe

flow	pid	process
23	3972	rundll32.exe

pid	process
1132	svchost.exe

description	ioc	process
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UPnP\svchost	rundll32.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

7f5bc615e401caaf9252dbbe0349c59710e9b63efc5a50a0f6dacb0fb06f0b30.exe

description	pid	process	target process
PID 2152 set thread context of 4720	2152	7f5bc615e401caaf9252dbbe0349c59710e9b63efc5a50a0f6dacb0fb06f0b30.exe	rundll32.exe
PID 2152 set thread context of 3972	2152	7f5bc615e401caaf9252dbbe0349c59710e9b63efc5a50a0f6dacb0fb06f0b30.exe	rundll32.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

rundll32.exe

pid process

3972 rundll32.exe

pid	process
3972	rundll32.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

rundll32.exe

description	pid	process
Token: SeDebugPrivilege	3972	rundll32.exe
Token: SeRestorePrivilege	3972	rundll32.exe
Token: SeBackupPrivilege	3972	rundll32.exe
Token: SeTakeOwnershipPrivilege	3972	rundll32.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

7f5bc615e401caaf9252dbbe0349c59710e9b63efc5a50a0f6dacb0fb06f0b30.exe

description	pid	process	target process
PID 2152 wrote to memory of 4720	2152	7f5bc615e401caaf9252dbbe0349c59710e9b63efc5a50a0f6dacb0fb06f0b30.exe	rundll32.exe
PID 2152 wrote to memory of 4720	2152	7f5bc615e401caaf9252dbbe0349c59710e9b63efc5a50a0f6dacb0fb06f0b30.exe	rundll32.exe
PID 2152 wrote to memory of 4720	2152	7f5bc615e401caaf9252dbbe0349c59710e9b63efc5a50a0f6dacb0fb06f0b30.exe	rundll32.exe
PID 2152 wrote to memory of 4720	2152	7f5bc615e401caaf9252dbbe0349c59710e9b63efc5a50a0f6dacb0fb06f0b30.exe	rundll32.exe
PID 2152 wrote to memory of 3972	2152	7f5bc615e401caaf9252dbbe0349c59710e9b63efc5a50a0f6dacb0fb06f0b30.exe	rundll32.exe
PID 2152 wrote to memory of 3972	2152	7f5bc615e401caaf9252dbbe0349c59710e9b63efc5a50a0f6dacb0fb06f0b30.exe	rundll32.exe
PID 2152 wrote to memory of 3972	2152	7f5bc615e401caaf9252dbbe0349c59710e9b63efc5a50a0f6dacb0fb06f0b30.exe	rundll32.exe
PID 2152 wrote to memory of 3972	2152	7f5bc615e401caaf9252dbbe0349c59710e9b63efc5a50a0f6dacb0fb06f0b30.exe	rundll32.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7f5bc615e401caaf9252dbbe0349c59710e9b63efc5a50a0f6dacb0fb06f0b30.exe
"C:\Users\Admin\AppData\Local\Temp\7f5bc615e401caaf9252dbbe0349c59710e9b63efc5a50a0f6dacb0fb06f0b30.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2152

\??\c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
2⤵
PID:4720

\??\c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
2⤵
- Blocklisted process makes network request
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3972

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\svchost.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\svchost.exe mNdo0E628Vi3A/aK+LZvSUTvcBDsgbUU3GdwwRmyoWk= fTF6MeWgWzszxbdUPqDjfg==
1⤵
- Executes dropped EXE
PID:1132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\win.ini
Filesize
6.0MB

MD5
8946a237072c06f4b0a779444f075caf

SHA1
ca4ba5d29ef9274c76a3b6c7c1fbfc923c57d9c6

SHA256
aa59fb01d1c289c959e179c33e0aa3950de12c40213979a6191d4b1a984abf70

SHA512
3cacb9e3a0456a45a7c773c14c7ea807b58085c441821f1e3078805676cc2bac1950390ca2a63fb842097880a9c9decaf73ae9e7151098c0a0dea6c64e9c6106

Download Submit
memory/1132-41-0x000002057CFB0000-0x000002057CFFF000-memory.dmp

Filesize
316KB

Download
memory/1132-40-0x000002057E540000-0x000002057E940000-memory.dmp

Filesize
4.0MB

Download
memory/1132-36-0x000002057AB70000-0x000002057AB71000-memory.dmp

Filesize
4KB

Download
memory/1132-37-0x000002057AB80000-0x000002057AB81000-memory.dmp

Filesize
4KB

Download
memory/1132-35-0x000002057C5A0000-0x000002057C759000-memory.dmp

Filesize
1.7MB

Download
memory/1132-34-0x000002057C5A0000-0x000002057C759000-memory.dmp

Filesize
1.7MB

Download
memory/1132-33-0x000002057C5A0000-0x000002057C759000-memory.dmp

Filesize
1.7MB

Download
memory/1132-32-0x000002057AB60000-0x000002057AB61000-memory.dmp

Filesize
4KB

Download
memory/3972-9-0x00007FFC36DA0000-0x00007FFC37861000-memory.dmp

Filesize
10.8MB

Download
memory/3972-7-0x000002750A4E0000-0x000002750A512000-memory.dmp

Filesize
200KB

Download
memory/3972-11-0x000002750BEA0000-0x000002750BEB0000-memory.dmp

Filesize
64KB

Download
memory/3972-8-0x000002750A3F0000-0x000002750A40E000-memory.dmp

Filesize
120KB

Download
memory/3972-12-0x000002750BEA0000-0x000002750BEB0000-memory.dmp

Filesize
64KB

Download
memory/3972-29-0x00007FFC36DA0000-0x00007FFC37861000-memory.dmp

Filesize
10.8MB

Download
memory/3972-28-0x000002750A3F0000-0x000002750A40E000-memory.dmp

Filesize
120KB

Download
memory/3972-17-0x00007FFC36DA0000-0x00007FFC37861000-memory.dmp

Filesize
10.8MB

Download
memory/3972-18-0x000002750BEA0000-0x000002750BEB0000-memory.dmp

Filesize
64KB

Download
memory/3972-19-0x000002750BEA0000-0x000002750BEB0000-memory.dmp

Filesize
64KB

Download
memory/3972-20-0x000002750BEA0000-0x000002750BEB0000-memory.dmp

Filesize
64KB

Download
memory/3972-10-0x000002750BEA0000-0x000002750BEB0000-memory.dmp

Filesize
64KB

Download
memory/3972-26-0x00000275247E0000-0x0000027524836000-memory.dmp

Filesize
344KB

Download
memory/4720-16-0x0000022471A40000-0x0000022471A50000-memory.dmp

Filesize
64KB

Download
memory/4720-15-0x0000022471A40000-0x0000022471A50000-memory.dmp

Filesize
64KB

Download
memory/4720-0-0x000002246F440000-0x000002246F45A000-memory.dmp

Filesize
104KB

Download
memory/4720-14-0x0000022471A40000-0x0000022471A50000-memory.dmp

Filesize
64KB

Download
memory/4720-13-0x00007FFC36DA0000-0x00007FFC37861000-memory.dmp

Filesize
10.8MB

Download
memory/4720-5-0x0000022471A40000-0x0000022471A50000-memory.dmp

Filesize
64KB

Download
memory/4720-4-0x00007FFC36DA0000-0x00007FFC37861000-memory.dmp

Filesize
10.8MB

Download
memory/4720-1-0x000002246F5D0000-0x000002246F5EE000-memory.dmp

Filesize
120KB

Download
memory/4720-2-0x0000022471A40000-0x0000022471A50000-memory.dmp

Filesize
64KB

Download
memory/4720-3-0x000002246F7B0000-0x000002246F7B8000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads