cobaltstrike | 0cb1414aa217149ab312795430ed3056117823afe084b861b4bae1708114d58c

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
20-05-2024 20:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-20_47c1196fe65906870295faef8613560d_cobalt-strike_cobaltstrike.exe
Size

5.3MB
MD5

47c1196fe65906870295faef8613560d
SHA1

805ec30c834967b67873cb1a4f43905ff7c3ac13
SHA256

0cb1414aa217149ab312795430ed3056117823afe084b861b4bae1708114d58c
SHA512

3cf19cb0083fdb54709e67faff23f4a54cd75fb46addf3ffc2aecfe3bfd7e9c217f168e53841c26745bd3278ae47a61cd4dcdcbdabcc2581397beb7d26d7135e
SSDEEP

98304:SW1qiPgxn+cuSuxx8Svt73qq36IdKtVxNw6pUkp3bkbRxRUu:53EnsxxDt73DdKrwapwbuu

Score

10^/10

cobaltstrike xmrig backdoor miner trojan upx

Malware Config

Signatures

Cobalt Strike reflective loader 1 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Program Files\7-Zip\7-zip32.dll.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 1 IoCs

Processes:

resource	yara_rule
C:\Program Files\7-Zip\7-zip32.dll.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

Detects executables containing URLs to raw contents of a Github gist 7 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1616-1005-0x0000000000400000-0x00000000010B6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/1616-1125-0x0000000000400000-0x00000000010B6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/1616-1974-0x0000000000400000-0x00000000010B6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/1616-2901-0x0000000000400000-0x00000000010B6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/1616-3769-0x0000000000400000-0x00000000010B6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/1616-4289-0x0000000000400000-0x00000000010B6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/1616-4432-0x0000000000400000-0x00000000010B6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL

UPX dump on OEP (original entry point) 9 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1616-1-0x0000000000400000-0x00000000010B6000-memory.dmp	UPX
C:\Program Files\7-Zip\7-zip32.dll.exe	UPX
behavioral1/memory/1616-1005-0x0000000000400000-0x00000000010B6000-memory.dmp	UPX
behavioral1/memory/1616-1125-0x0000000000400000-0x00000000010B6000-memory.dmp	UPX
behavioral1/memory/1616-1974-0x0000000000400000-0x00000000010B6000-memory.dmp	UPX
behavioral1/memory/1616-2901-0x0000000000400000-0x00000000010B6000-memory.dmp	UPX
behavioral1/memory/1616-3769-0x0000000000400000-0x00000000010B6000-memory.dmp	UPX
behavioral1/memory/1616-4289-0x0000000000400000-0x00000000010B6000-memory.dmp	UPX
behavioral1/memory/1616-4432-0x0000000000400000-0x00000000010B6000-memory.dmp	UPX

XMRig Miner payload 8 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/1616-1005-0x0000000000400000-0x00000000010B6000-memory.dmp	xmrig
behavioral1/memory/1616-1125-0x0000000000400000-0x00000000010B6000-memory.dmp	xmrig
behavioral1/memory/1616-1974-0x0000000000400000-0x00000000010B6000-memory.dmp	xmrig
behavioral1/memory/1616-2901-0x0000000000400000-0x00000000010B6000-memory.dmp	xmrig
behavioral1/memory/1616-3769-0x0000000000400000-0x00000000010B6000-memory.dmp	xmrig
behavioral1/memory/1616-4289-0x0000000000400000-0x00000000010B6000-memory.dmp	xmrig
behavioral1/memory/1616-4432-0x0000000000400000-0x00000000010B6000-memory.dmp	xmrig
behavioral1/memory/1616-4435-0x0000000000401000-0x00000000010B5000-memory.dmp	xmrig

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1616-1-0x0000000000400000-0x00000000010B6000-memory.dmp	upx
C:\Program Files\7-Zip\7-zip32.dll.exe	upx
behavioral1/memory/1616-1005-0x0000000000400000-0x00000000010B6000-memory.dmp	upx
behavioral1/memory/1616-1125-0x0000000000400000-0x00000000010B6000-memory.dmp	upx
behavioral1/memory/1616-1974-0x0000000000400000-0x00000000010B6000-memory.dmp	upx
behavioral1/memory/1616-2901-0x0000000000400000-0x00000000010B6000-memory.dmp	upx
behavioral1/memory/1616-3769-0x0000000000400000-0x00000000010B6000-memory.dmp	upx
behavioral1/memory/1616-4289-0x0000000000400000-0x00000000010B6000-memory.dmp	upx
behavioral1/memory/1616-4432-0x0000000000400000-0x00000000010B6000-memory.dmp	upx

Drops desktop.ini file(s) 9 IoCs

Processes:

2024-05-20_47c1196fe65906870295faef8613560d_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Program Files\Microsoft Games\Hearts\desktop.ini	2024-05-20_47c1196fe65906870295faef8613560d_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	2024-05-20_47c1196fe65906870295faef8613560d_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\desktop.ini	2024-05-20_47c1196fe65906870295faef8613560d_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Microsoft Games\Chess\desktop.ini	2024-05-20_47c1196fe65906870295faef8613560d_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	2024-05-20_47c1196fe65906870295faef8613560d_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	2024-05-20_47c1196fe65906870295faef8613560d_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	2024-05-20_47c1196fe65906870295faef8613560d_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	2024-05-20_47c1196fe65906870295faef8613560d_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	2024-05-20_47c1196fe65906870295faef8613560d_cobalt-strike_cobaltstrike.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

46 drive.google.com
47 drive.google.com

flow	ioc
46	drive.google.com
47	drive.google.com

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

2024-05-20_47c1196fe65906870295faef8613560d_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	F:\autorun.inf	2024-05-20_47c1196fe65906870295faef8613560d_cobalt-strike_cobaltstrike.exe
File opened for modification	F:\autorun.inf	2024-05-20_47c1196fe65906870295faef8613560d_cobalt-strike_cobaltstrike.exe
File created	D:\autorun.inf	2024-05-20_47c1196fe65906870295faef8613560d_cobalt-strike_cobaltstrike.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-20_47c1196fe65906870295faef8613560d_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\css\picturePuzzle.css	2024-05-20_47c1196fe65906870295faef8613560d_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\Panel_Mask.wmv	2024-05-20_47c1196fe65906870295faef8613560d_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\prodbig.gif	2024-05-20_47c1196fe65906870295faef8613560d_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-explorer_ja.jar	2024-05-20_47c1196fe65906870295faef8613560d_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Panama	2024-05-20_47c1196fe65906870295faef8613560d_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-core-synch-l1-2-0.dll	2024-05-20_47c1196fe65906870295faef8613560d_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\visualization\libgoom_plugin.dll	2024-05-20_47c1196fe65906870295faef8613560d_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\navBack.png	2024-05-20_47c1196fe65906870295faef8613560d_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\gimap.jar	2024-05-20_47c1196fe65906870295faef8613560d_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-options_ja.jar	2024-05-20_47c1196fe65906870295faef8613560d_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\Maputo	2024-05-20_47c1196fe65906870295faef8613560d_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Mozilla Firefox\mozglue.dll	2024-05-20_47c1196fe65906870295faef8613560d_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libasf_plugin.dll	2024-05-20_47c1196fe65906870295faef8613560d_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Moncton	2024-05-20_47c1196fe65906870295faef8613560d_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_search_down_BIDI.png	2024-05-20_47c1196fe65906870295faef8613560d_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lt.txt	2024-05-20_47c1196fe65906870295faef8613560d_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToScenesBackground_PAL.wmv	2024-05-20_47c1196fe65906870295faef8613560d_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-compat_ja.jar	2024-05-20_47c1196fe65906870295faef8613560d_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-loaders.xml	2024-05-20_47c1196fe65906870295faef8613560d_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-charts.xml	2024-05-20_47c1196fe65906870295faef8613560d_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ta\LC_MESSAGES\vlc.mo	2024-05-20_47c1196fe65906870295faef8613560d_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\jquery-ui-1.8.13.custom.css	2024-05-20_47c1196fe65906870295faef8613560d_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\offset_window.html	2024-05-20_47c1196fe65906870295faef8613560d_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.htm	2024-05-20_47c1196fe65906870295faef8613560d_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Common Files\System\msadc\msadcfr.dll	2024-05-20_47c1196fe65906870295faef8613560d_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\eclipse.inf	2024-05-20_47c1196fe65906870295faef8613560d_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jre7\lib\images\cursors\win32_LinkDrop32x32.gif	2024-05-20_47c1196fe65906870295faef8613560d_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\YST9YDT	2024-05-20_47c1196fe65906870295faef8613560d_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt	2024-05-20_47c1196fe65906870295faef8613560d_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\fil.pak	2024-05-20_47c1196fe65906870295faef8613560d_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Guatemala	2024-05-20_47c1196fe65906870295faef8613560d_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\boot.jar	2024-05-20_47c1196fe65906870295faef8613560d_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\css\RSSFeeds.css	2024-05-20_47c1196fe65906870295faef8613560d_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.VisualC.STLCLR.dll	2024-05-20_47c1196fe65906870295faef8613560d_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked-loading.png	2024-05-20_47c1196fe65906870295faef8613560d_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\InputPersonalization.exe.mui	2024-05-20_47c1196fe65906870295faef8613560d_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\DVD Maker\it-IT\OmdProject.dll.mui	2024-05-20_47c1196fe65906870295faef8613560d_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\JavaAccessBridge-64.dll	2024-05-20_47c1196fe65906870295faef8613560d_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\epl-v10.html	2024-05-20_47c1196fe65906870295faef8613560d_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\System.IdentityModel.Resources.dll	2024-05-20_47c1196fe65906870295faef8613560d_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\7-Zip\Lang\it.txt	2024-05-20_47c1196fe65906870295faef8613560d_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jre7\lib\ext\sunmscapi.jar	2024-05-20_47c1196fe65906870295faef8613560d_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libcache_block_plugin.dll	2024-05-20_47c1196fe65906870295faef8613560d_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\css\RSSFeeds.css	2024-05-20_47c1196fe65906870295faef8613560d_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\17.png	2024-05-20_47c1196fe65906870295faef8613560d_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Management.Instrumentation.Resources.dll	2024-05-20_47c1196fe65906870295faef8613560d_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\css\localizedSettings.css	2024-05-20_47c1196fe65906870295faef8613560d_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_blue_windy.png	2024-05-20_47c1196fe65906870295faef8613560d_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\keystore\libmemory_keystore_plugin.dll	2024-05-20_47c1196fe65906870295faef8613560d_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\css\settings.css	2024-05-20_47c1196fe65906870295faef8613560d_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\VISFILT.DLL	2024-05-20_47c1196fe65906870295faef8613560d_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\rtscom.dll.mui	2024-05-20_47c1196fe65906870295faef8613560d_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Baghdad	2024-05-20_47c1196fe65906870295faef8613560d_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\rarrow.gif	2024-05-20_47c1196fe65906870295faef8613560d_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-progress-ui.xml	2024-05-20_47c1196fe65906870295faef8613560d_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jpeg.dll	2024-05-20_47c1196fe65906870295faef8613560d_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-selector-api.xml	2024-05-20_47c1196fe65906870295faef8613560d_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\WindowsFormsIntegration.resources.dll	2024-05-20_47c1196fe65906870295faef8613560d_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Data.Services.Client.resources.dll	2024-05-20_47c1196fe65906870295faef8613560d_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\css\flyout.css	2024-05-20_47c1196fe65906870295faef8613560d_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Zurich	2024-05-20_47c1196fe65906870295faef8613560d_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler_zh_CN.jar	2024-05-20_47c1196fe65906870295faef8613560d_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-profiling.xml	2024-05-20_47c1196fe65906870295faef8613560d_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Indian\Kerguelen	2024-05-20_47c1196fe65906870295faef8613560d_cobalt-strike_cobaltstrike.exe

Modifies Internet Explorer start page 1 TTPs 3 IoCs

stealer

Modify Registry

T1112

Processes:

2024-05-20_47c1196fe65906870295faef8613560d_cobalt-strike_cobaltstrike.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.WjufwdMzAA.com"	2024-05-20_47c1196fe65906870295faef8613560d_cobalt-strike_cobaltstrike.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.sFhUmEyZFE.com"	2024-05-20_47c1196fe65906870295faef8613560d_cobalt-strike_cobaltstrike.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.oJonchGbNk.com"	2024-05-20_47c1196fe65906870295faef8613560d_cobalt-strike_cobaltstrike.exe

Modifies system certificate store 2 TTPs 11 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

2024-05-20_47c1196fe65906870295faef8613560d_cobalt-strike_cobaltstrike.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	2024-05-20_47c1196fe65906870295faef8613560d_cobalt-strike_cobaltstrike.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	2024-05-20_47c1196fe65906870295faef8613560d_cobalt-strike_cobaltstrike.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	2024-05-20_47c1196fe65906870295faef8613560d_cobalt-strike_cobaltstrike.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d46240f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a190000000100000010000000fd960962ac6938e0d4b0769aa1a64e262000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	2024-05-20_47c1196fe65906870295faef8613560d_cobalt-strike_cobaltstrike.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	2024-05-20_47c1196fe65906870295faef8613560d_cobalt-strike_cobaltstrike.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	2024-05-20_47c1196fe65906870295faef8613560d_cobalt-strike_cobaltstrike.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	2024-05-20_47c1196fe65906870295faef8613560d_cobalt-strike_cobaltstrike.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	2024-05-20_47c1196fe65906870295faef8613560d_cobalt-strike_cobaltstrike.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	2024-05-20_47c1196fe65906870295faef8613560d_cobalt-strike_cobaltstrike.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	2024-05-20_47c1196fe65906870295faef8613560d_cobalt-strike_cobaltstrike.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	2024-05-20_47c1196fe65906870295faef8613560d_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-05-20_47c1196fe65906870295faef8613560d_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	1616	2024-05-20_47c1196fe65906870295faef8613560d_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	1616	2024-05-20_47c1196fe65906870295faef8613560d_cobalt-strike_cobaltstrike.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-20_47c1196fe65906870295faef8613560d_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-20_47c1196fe65906870295faef8613560d_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops desktop.ini file(s)
- Drops autorun.inf file
- Drops file in Program Files directory
- Modifies Internet Explorer start page
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:1616

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Lateral Movement

Replication Through Removable Media

T1091

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7-zip32.dll.exe
Filesize
5.6MB

MD5
73323ea208f3aac23a5a573746c4b521

SHA1
27a7b3512c2860e36ebca4ea9e0f0c3cf84f843e

SHA256
b892bc6a711235b6d5777ce6a713e0e4d6906d128124f30d99a3439d73312b9c

SHA512
408db1fff8a37885c56a4b486295ca3c241b6b9ba4f109c77c6fddb1f86f373dad4c31bacd262a5e331d1780ff7788b80d5d969ef4d036b416d73686d4d5655c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416
Filesize
1KB

MD5
55540a230bdab55187a841cfe1aa1545

SHA1
363e4734f757bdeb89868efe94907774a327695e

SHA256
d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

SHA512
c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416
Filesize
230B

MD5
c186ff296e403b91a5014ac897ee6b2c

SHA1
ce4a15d41ab4e4d18cda0712bd2ebbb514524bdd

SHA256
4564e0483c584845c46377ee1c1f0827bb3120722a0e3ed4fadc49be8def83ce

SHA512
3d2dab74fea769cbbcd23eacfac25d8f182c37aca8704fd647ba9b0c0cbdd4114106c924651a9c4bae93afcecf3aa891dfe54a1e2e9ea7938b33c5679be635f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
5bed8a291e2a80f9dd4f80ccbec4e28f

SHA1
02b2b7177468bc49aab033dd0bfe14936f4550f2

SHA256
bf1fe36a2777d83c33c82471e673508d9d942d4c2c85a5b492f2ae208f22d772

SHA512
567b1911597d883d0cd4d686ea9a0629c6ebe9b70e588f6555ef0c2467e3a58b9f7699c8d48db4f9720fa2c83ff0acb87abd1e4716c6f46f557079bb5533e707

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
6f79893760573391cc9425a9b92949e2

SHA1
e525bb8d1d316fe4d9b207e757641048f320601d

SHA256
f080f07b9e3547368886c5f43943e7f6a49df4b392dfcc0c6a5608e1631bf37b

SHA512
ba1db11ed385898fc68909bac4775effb8ef5af4eeed8d0fc41a561d69483c95ba0af7a365e098ae1514597d6b44058b842c43f70cf171113e9126e4c1ec4084

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
dc6036d8c2ac4c19eed1f3b178e63f4c

SHA1
2b79820516722d0e45bd616c3b23b8bb0027d018

SHA256
4af4c3971fc39404b205e5fd7f6df38dbbc750c3afc02b45d0601a89264efa33

SHA512
7c5acff1825995254f47e5099becb2455995ad9484da853c39f3743fba03e2061db775f2273849c1b93cc1c45a0c0816432b994209d5c70feb05901872253271

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
d276d24c80b766962db822b0031b920b

SHA1
4c1a9045096ca9d5f0fb922cef64a783cb6345a6

SHA256
88b12485bf608721ebab35e0c1e521731a93bae81ddfe5ee809afdb7d5fafa6c

SHA512
462697dc6f78af341e7f3bc426e0e55f96d0311635c78d8626295718aa713feb86111b6cff26ac860106ce5e6c9dddbea56f5ac318410ef4dc751075c1ec0fb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
13a40ef41e7b809921b43a0f31c91a0d

SHA1
a92239caa66d55a726fd0e8d0748bde53143709c

SHA256
44699f9b86df43c34a29ab479246368c36fd45a568b1b2a6cdb3579d48ce6fb4

SHA512
b81b995c8a38ac3f2d1592267258b179351db2574d00cf4e2222a24f3732dd052d90a8f9a6e58f03bf503c98df43d0108eea6e3839bb92b02909f6d8184c99a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
aa54424563a758ad616848598c496091

SHA1
25b64fb4d4fe3abad0a07ced15263c343f05f335

SHA256
4535eacc5faaf984c83a0ffde0f45d181770807d698ecc8ad1435d8b06971f67

SHA512
e903a230e4d2c97576ca0485f74baaa0270f3ae6d445bb073bf1884865e59adc52a94360d4e7cb2d4476b4c9c5f52315b91732a4705ebc46287d9365e60aaecc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
880d07325395bf254918e47c03cd523b

SHA1
479000dadbd24e4ef98cd5970712377301b59529

SHA256
a61347e4d0f8cee028c803b26aff0c59f21fe5629d13644b9c2f4d81c2dfed32

SHA512
2fd10f62d33fc7730e4e00bc44a6cdd7f4e6729157134fd84c094cab3b4226d78d91cf9c469c7c9e8bb86eaa74c01c51ad7567e62df43c24f02df4eee9a7f5b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabCEE.tmp
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarCF1.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
memory/1616-1125-0x0000000000400000-0x00000000010B6000-memory.dmp

Filesize
12.7MB

Download
memory/1616-4289-0x0000000000400000-0x00000000010B6000-memory.dmp

Filesize
12.7MB

Download
memory/1616-0-0x00000000003E0000-0x00000000003F0000-memory.dmp

Filesize
64KB

Download
memory/1616-1974-0x0000000000400000-0x00000000010B6000-memory.dmp

Filesize
12.7MB

Download
memory/1616-2901-0x0000000000400000-0x00000000010B6000-memory.dmp

Filesize
12.7MB

Download
memory/1616-3769-0x0000000000400000-0x00000000010B6000-memory.dmp

Filesize
12.7MB

Download
memory/1616-1-0x0000000000400000-0x00000000010B6000-memory.dmp

Filesize
12.7MB

Download
memory/1616-1005-0x0000000000400000-0x00000000010B6000-memory.dmp

Filesize
12.7MB

Download
memory/1616-4427-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1616-4429-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1616-4428-0x00000000002C0000-0x00000000003C0000-memory.dmp

Filesize
1024KB

Download
memory/1616-4430-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/1616-4431-0x00000000003F0000-0x0000000000400000-memory.dmp

Filesize
64KB

Download
memory/1616-4433-0x00000000045C0000-0x00000000045C1000-memory.dmp

Filesize
4KB

Download
memory/1616-4432-0x0000000000400000-0x00000000010B6000-memory.dmp

Filesize
12.7MB

Download
memory/1616-4435-0x0000000000401000-0x00000000010B5000-memory.dmp

Filesize
12.7MB

Download