cobaltstrike | c0c38cccb23c23f613fc87c4e5bbf1a887dc5ce4c1e0569bb13b355ffafd4aba

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
21-05-2024 08:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe
Size

5.5MB
MD5

04ea36428f34a1b14107432694d4898a
SHA1

da85edba1d091d9901dd685784e57dfa1da561cf
SHA256

c0c38cccb23c23f613fc87c4e5bbf1a887dc5ce4c1e0569bb13b355ffafd4aba
SHA512

e3481e95c362ee8f4749c9b489911699b01404745dd45dcde23c9d3ed5aaa276f27e569400523fb5fbf0419ab2d00780d8f41d5a8b8435ead65853ce513917cc
SSDEEP

98304:SW1qiPgxn+cuSuxx8Svt73qq36IdKtVxNw6pUkp3bkbRxoUR:53EnsxxDt73DdKrwapwbnR

Score

10^/10

cobaltstrike xmrig backdoor miner trojan upx

Malware Config

Signatures

Cobalt Strike reflective loader 1 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Program Files\7-Zip\7-zip32.dll.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 1 IoCs

Processes:

resource	yara_rule
C:\Program Files\7-Zip\7-zip32.dll.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

Detects executables containing URLs to raw contents of a Github gist 9 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2940-900-0x0000000000400000-0x00000000010B6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2940-913-0x0000000000400000-0x00000000010B6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2940-2573-0x0000000000400000-0x00000000010B6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2940-3593-0x0000000000400000-0x00000000010B6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2940-4364-0x0000000000400000-0x00000000010B6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2940-4519-0x0000000000400000-0x00000000010B6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2940-4529-0x0000000000400000-0x00000000010B6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2940-4530-0x0000000000400000-0x00000000010B6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2940-4534-0x0000000000400000-0x00000000010B6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL

UPX dump on OEP (original entry point) 11 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2940-1-0x0000000000400000-0x00000000010B6000-memory.dmp	UPX
C:\Program Files\7-Zip\7-zip32.dll.exe	UPX
behavioral1/memory/2940-900-0x0000000000400000-0x00000000010B6000-memory.dmp	UPX
behavioral1/memory/2940-913-0x0000000000400000-0x00000000010B6000-memory.dmp	UPX
behavioral1/memory/2940-2573-0x0000000000400000-0x00000000010B6000-memory.dmp	UPX
behavioral1/memory/2940-3593-0x0000000000400000-0x00000000010B6000-memory.dmp	UPX
behavioral1/memory/2940-4364-0x0000000000400000-0x00000000010B6000-memory.dmp	UPX
behavioral1/memory/2940-4519-0x0000000000400000-0x00000000010B6000-memory.dmp	UPX
behavioral1/memory/2940-4529-0x0000000000400000-0x00000000010B6000-memory.dmp	UPX
behavioral1/memory/2940-4530-0x0000000000400000-0x00000000010B6000-memory.dmp	UPX
behavioral1/memory/2940-4534-0x0000000000400000-0x00000000010B6000-memory.dmp	UPX

XMRig Miner payload 9 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2940-900-0x0000000000400000-0x00000000010B6000-memory.dmp	xmrig
behavioral1/memory/2940-913-0x0000000000400000-0x00000000010B6000-memory.dmp	xmrig
behavioral1/memory/2940-2573-0x0000000000400000-0x00000000010B6000-memory.dmp	xmrig
behavioral1/memory/2940-3593-0x0000000000400000-0x00000000010B6000-memory.dmp	xmrig
behavioral1/memory/2940-4364-0x0000000000400000-0x00000000010B6000-memory.dmp	xmrig
behavioral1/memory/2940-4519-0x0000000000400000-0x00000000010B6000-memory.dmp	xmrig
behavioral1/memory/2940-4529-0x0000000000400000-0x00000000010B6000-memory.dmp	xmrig
behavioral1/memory/2940-4530-0x0000000000400000-0x00000000010B6000-memory.dmp	xmrig
behavioral1/memory/2940-4534-0x0000000000400000-0x00000000010B6000-memory.dmp	xmrig

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2940-1-0x0000000000400000-0x00000000010B6000-memory.dmp	upx
C:\Program Files\7-Zip\7-zip32.dll.exe	upx
behavioral1/memory/2940-900-0x0000000000400000-0x00000000010B6000-memory.dmp	upx
behavioral1/memory/2940-913-0x0000000000400000-0x00000000010B6000-memory.dmp	upx
behavioral1/memory/2940-2573-0x0000000000400000-0x00000000010B6000-memory.dmp	upx
behavioral1/memory/2940-3593-0x0000000000400000-0x00000000010B6000-memory.dmp	upx
behavioral1/memory/2940-4364-0x0000000000400000-0x00000000010B6000-memory.dmp	upx
behavioral1/memory/2940-4519-0x0000000000400000-0x00000000010B6000-memory.dmp	upx
behavioral1/memory/2940-4529-0x0000000000400000-0x00000000010B6000-memory.dmp	upx
behavioral1/memory/2940-4530-0x0000000000400000-0x00000000010B6000-memory.dmp	upx
behavioral1/memory/2940-4534-0x0000000000400000-0x00000000010B6000-memory.dmp	upx

Drops desktop.ini file(s) 9 IoCs

Processes:

2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Program Files\desktop.ini	2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Microsoft Games\Chess\desktop.ini	2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Microsoft Games\Hearts\desktop.ini	2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	D:\autorun.inf	2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe
File created	F:\autorun.inf	2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe
File opened for modification	F:\autorun.inf	2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipssrl.xml	2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Novosibirsk	2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\liblpcm_plugin.dll	2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waning-gibbous.png	2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\7-Zip\Lang\he.txt	2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Common Files\System\ado\adovbs.inc	2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jre7\bin\msvcr100.dll	2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Choibalsan	2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\Xusage.txt	2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Pitcairn	2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.jsp.jasper_1.0.400.v20130327-1442.jar	2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\PresentationCore.resources.dll	2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\gadget.xml	2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Windows Journal\en-US\MSPVWCTL.DLL.mui	2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\1047x576black.png	2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.attach_5.5.0.165303.jar	2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ql.nl_ja_4.4.0.v20140623020002.jar	2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-lib-uihandler_ja.jar	2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-sampler_zh_CN.jar	2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jre7\lib\sound.properties	2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libaom_plugin.dll	2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\tipresx.dll.mui	2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-awt.xml	2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Almaty	2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\1.png	2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\hint_over.png	2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\button_MCELogo_mouseout.png	2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\InkWatson.exe.mui	2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\selection_subpicture.png	2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-applemenu_zh_CN.jar	2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-masterfs_ja.jar	2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jfxmedia.dll	2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.WorkflowServices.dll	2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Windows Defender\MpCommu.dll	2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher.eclipse.nl_zh_4.4.0.v20140623020002.jar	2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libkate_plugin.dll	2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Windows Defender\it-IT\MsMpRes.dll.mui	2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Windows Journal\NBDoc.DLL	2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt	2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\dblook.bat	2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-execution.xml	2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Pontianak	2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libcrystalhd_plugin.dll	2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Windows Photo Viewer\ImagingEngine.dll	2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\gadget.xml	2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationUp_SelectionSubpicture.png	2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll.sig	2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\et\LC_MESSAGES\vlc.mo	2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Windows Media Player\it-IT\WMPMediaSharing.dll.mui	2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\css\settings.css	2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_heb.xml	2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Winnipeg	2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Atlantic\Cape_Verde	2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Galapagos	2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\flyout.html	2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web.xml	2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrfralm.dat	2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_splitter\libpanoramix_plugin.dll	2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Xml.Linq.Resources.dll	2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\tipresx.dll	2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\plugin.properties	2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.repository_2.3.0.v20131211-1531.jar	2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-text.xml	2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-coredump_zh_CN.jar	2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe

Modifies Internet Explorer start page 1 TTPs 7 IoCs

stealer

Modify Registry

T1112

Processes:

2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.qJJFeVWkGg.com"	2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.FlNMbSdFVj.com"	2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.ZsrXRlRTyT.com"	2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.JEmvzvlMhX.com"	2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.UZlUBShIsC.com"	2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.JcUtQbxFmL.com"	2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.puoDMEjWdC.com"	2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe

Modifies system certificate store 2 TTPs 10 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	2940	2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	2940	2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-21_04ea36428f34a1b14107432694d4898a_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops desktop.ini file(s)
- Drops autorun.inf file
- Drops file in Program Files directory
- Modifies Internet Explorer start page
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:2940

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Lateral Movement

Replication Through Removable Media

T1091

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7-zip32.dll.exe
Filesize
5.8MB

MD5
e4ae188b10747b0d0b07e5fe20dbdfc6

SHA1
51598c9fff6875cbeec686fb633ae7bd17db78ce

SHA256
5c57601a8780f50c23b1b153396d2fde634f308c28f5733c5a4b1b83b27964ca

SHA512
5ac5314281fbe5d6160ad39a8ebc63a24445495c126affb08205b66b4b91ab4d950df2ad56f81cb4d49e5ce5d693f1dbe9ba3bf855462541c5e3d8c543174bf7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416
Filesize
1KB

MD5
55540a230bdab55187a841cfe1aa1545

SHA1
363e4734f757bdeb89868efe94907774a327695e

SHA256
d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

SHA512
c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416
Filesize
230B

MD5
6e8b87ef555e0210b86115ac041c79a4

SHA1
056fc59d52397659bfde8cb581562ee5daa76f83

SHA256
ea98f6dcb85bd4f63b25c54f460a301c0a89c3c492f5af7e56bd0355512848d6

SHA512
1e3ec46e4fd13db69d01ea80018fc8c8e9e3eb77f92820c033d7e414124b94396920ae439eb8e28127099e62e0bb4dd98b2410f31940a17ee2e0a4de521612b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
c5b6d796d8ac7249bc5d19fdd15c7958

SHA1
e75865d93e23a6781ed35f5e2ecf604d06dd3103

SHA256
ee1208ed19a9b4e846ccfeebe5e747dcf05236c7920ed7d689e07ad7743f6089

SHA512
f44538a0622f403ea1e8e05ca5f77669ad3dd0aa2747eddb50a038d318038fb0203a6cb842b63a709dc97dd36fb8454babc6278d84aba32883d72ea9fa3276e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
2698081654209f99981f9dbd4ba45a12

SHA1
114eccda92bb44320220871f2066cd8468b87c6c

SHA256
345734d433b6c5bfea6bb876ab8c9bbd3dad53380ec06836a6639d24f7de76dd

SHA512
ad6bdd6ff6d5d13f103f695e23e898de123247436bb373d0df5b64414fed7e9728f178d223bc8c9d118d000bcee244bf430a95654e46e38757ae06e93a9a9424

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
bc19f5a961cda72907e400f1ec677de2

SHA1
1a7df0c5e8a5b389f3965f84af433d8437d00bda

SHA256
14e4bf8e37ac485c06e0dd3678a5be523533ca0de44f405fe408870ce2186151

SHA512
b9de53dab8462f797a97478ff64bbe0748de2337087c15bb285d6df8eea7dc804e091d7f9c51b3398d41b8f9c63e862209858810e418ab4716a4d1745eb474db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
d49171a3f25041d6b5979b0417f5cb42

SHA1
4a7f6cd82f4d21a02c61a32140bb0851308c2f56

SHA256
841f97aa3a33b1bcaa9c574f5bb0414eb429f08b2ab3badc8653cfbac0ba781b

SHA512
5f280b4b879196edaf532e06b9aedcfdc3652b444c80dffae84641886e650926d3c62c43e17d6461ad83301259557389571c1b8c2df5f9abbdecc5d1d707c3f7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
89550a753b769fd84ea0f45110b7eb94

SHA1
2fe6333685b058a3a4996ceca0e71efce28bc312

SHA256
f31d669e3b58fb9a8e8e81ab926e3eeedd4cdc9c9a229b50082916507b5b9ff8

SHA512
6e310b4cdfcb3433816d4b1f15bc7884930df0a39245468af7efcff47a8110f4862df562676d7b48eeaf98f667f7cb3923b3ba415f3739753e73da61a52ed75c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab119E.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab12BC.tmp
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar11D1.tmp
Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar12F0.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
memory/2940-900-0x0000000000400000-0x00000000010B6000-memory.dmp

Filesize
12.7MB

Download
memory/2940-4525-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2940-1-0x0000000000400000-0x00000000010B6000-memory.dmp

Filesize
12.7MB

Download
memory/2940-913-0x0000000000400000-0x00000000010B6000-memory.dmp

Filesize
12.7MB

Download
memory/2940-2573-0x0000000000400000-0x00000000010B6000-memory.dmp

Filesize
12.7MB

Download
memory/2940-3593-0x0000000000400000-0x00000000010B6000-memory.dmp

Filesize
12.7MB

Download
memory/2940-4364-0x0000000000400000-0x00000000010B6000-memory.dmp

Filesize
12.7MB

Download
memory/2940-4519-0x0000000000400000-0x00000000010B6000-memory.dmp

Filesize
12.7MB

Download
memory/2940-4524-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2940-0-0x00000000002E0000-0x00000000002F0000-memory.dmp

Filesize
64KB

Download
memory/2940-4526-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2940-4527-0x00000000002F0000-0x0000000000300000-memory.dmp

Filesize
64KB

Download
memory/2940-4528-0x0000000000300000-0x0000000000400000-memory.dmp

Filesize
1024KB

Download
memory/2940-4529-0x0000000000400000-0x00000000010B6000-memory.dmp

Filesize
12.7MB

Download
memory/2940-4530-0x0000000000400000-0x00000000010B6000-memory.dmp

Filesize
12.7MB

Download
memory/2940-4531-0x00000000046B0000-0x00000000046B1000-memory.dmp

Filesize
4KB

Download
memory/2940-4534-0x0000000000400000-0x00000000010B6000-memory.dmp

Filesize
12.7MB

Download