cobaltstrike | 64ecc2284bcab43839a648c3dd87738a466c8585bcb48a1db43bd27c0409d1b9

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 02:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-22_f4557af937f454b597e693045e8525cf_ryuk.exe
Size

6.2MB
MD5

f4557af937f454b597e693045e8525cf
SHA1

b2971ee1202d3e13a6bc69bd749c5e0f2c3e858b
SHA256

64ecc2284bcab43839a648c3dd87738a466c8585bcb48a1db43bd27c0409d1b9
SHA512

9547367ee0009f8998a0d5f69df832ca88bcda62314d088a04a95228ba163d91bebd1ebcd5cc4d2f5601775f823886a0711e6b039608db951ada6109c4a0061b
SSDEEP

196608:ZdfuVh+MESeE3L+ZhMBevDdep0Y+s9gQ3SEhO5swtM4:rc+bE3LtUDg6s9gQiuh

Score

10^/10

cobaltstrike 305419896 backdoor persistence trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

305419896

http://139.155.91.159:21001/safebrowsing/rd/CltOb12nLW1IbHehcmUtd2hUdmFzEBAY7-0KIOkUDC7h2

Attributes

access_type
512
beacon_type
2048
host
139.155.91.159,/safebrowsing/rd/CltOb12nLW1IbHehcmUtd2hUdmFzEBAY7-0KIOkUDC7h2
http_header1
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAfQWNjZXB0LUxhbmd1YWdlOiBlbi1VUyxlbjtxPTAuNQAAAAoAAAAeQWNjZXB0LUVuY29kaW5nOiBnemlwLCBkZWZsYXRlAAAABwAAAAAAAAAIAAAAAgAAAAhQUkVGPUlEPQAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAfQWNjZXB0LUxhbmd1YWdlOiBlbi1VUyxlbjtxPTAuNQAAAAoAAAAeQWNjZXB0LUVuY29kaW5nOiBnemlwLCBkZWZsYXRlAAAABwAAAAAAAAAIAAAAAgAAABJVPTc3OWI2NGUxYTdlZDczN2EAAAACAAAACFBSRUY9SUQ9AAAABgAAAAZDb29raWUAAAAHAAAAAQAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
polling_time
10000
port_number
21001
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCC0aD/3GAGXABkhh4WDvMbkoKUca7rtzyTXMhBNZVxo/8zOJ7XId+DTCh8r7lvAbfHfjKuMNk0dPFM4phzgmzoA012/2Y/Vdn+raT3fDQapCICpDCYZWEucKwjLOfD43A556FEv3a5kVEiE4tc+vsSaPJw0cXnhtuMnmxERXpVRwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/safebrowsing/rd/CINnu27nLO8hbHdfgmUtc2ihdmFyEAcY4
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
305419896

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Detects Reflective DLL injection artifacts 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1520-74-0x00000263A9D60000-0x00000263A9DA0000-memory.dmp	INDICATOR_SUSPICIOUS_ReflectiveLoader

Loads dropped DLL 8 IoCs

Processes:

2024-05-22_f4557af937f454b597e693045e8525cf_ryuk.exe

pid	process
1520	2024-05-22_f4557af937f454b597e693045e8525cf_ryuk.exe
1520	2024-05-22_f4557af937f454b597e693045e8525cf_ryuk.exe
1520	2024-05-22_f4557af937f454b597e693045e8525cf_ryuk.exe
1520	2024-05-22_f4557af937f454b597e693045e8525cf_ryuk.exe
1520	2024-05-22_f4557af937f454b597e693045e8525cf_ryuk.exe
1520	2024-05-22_f4557af937f454b597e693045e8525cf_ryuk.exe
1520	2024-05-22_f4557af937f454b597e693045e8525cf_ryuk.exe
1520	2024-05-22_f4557af937f454b597e693045e8525cf_ryuk.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-05-22_f4557af937f454b597e693045e8525cf_ryuk.exe"	powershell.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

232 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

3264 powershell.exe
3264 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-05-22_f4557af937f454b597e693045e8525cf_ryuk.exepowershell.exe

description pid process

Token: 35 1520 2024-05-22_f4557af937f454b597e693045e8525cf_ryuk.exe
Token: SeDebugPrivilege 3264 powershell.exe

pid	process
232	schtasks.exe

pid	process
3264	powershell.exe
3264	powershell.exe

description	pid	process
Token: 35	1520	2024-05-22_f4557af937f454b597e693045e8525cf_ryuk.exe
Token: SeDebugPrivilege	3264	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

2024-05-22_f4557af937f454b597e693045e8525cf_ryuk.exe2024-05-22_f4557af937f454b597e693045e8525cf_ryuk.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2280 wrote to memory of 1520	2280	2024-05-22_f4557af937f454b597e693045e8525cf_ryuk.exe	2024-05-22_f4557af937f454b597e693045e8525cf_ryuk.exe
PID 2280 wrote to memory of 1520	2280	2024-05-22_f4557af937f454b597e693045e8525cf_ryuk.exe	2024-05-22_f4557af937f454b597e693045e8525cf_ryuk.exe
PID 1520 wrote to memory of 3756	1520	2024-05-22_f4557af937f454b597e693045e8525cf_ryuk.exe	cmd.exe
PID 1520 wrote to memory of 3756	1520	2024-05-22_f4557af937f454b597e693045e8525cf_ryuk.exe	cmd.exe
PID 3756 wrote to memory of 3264	3756	cmd.exe	powershell.exe
PID 3756 wrote to memory of 3264	3756	cmd.exe	powershell.exe
PID 1520 wrote to memory of 4512	1520	2024-05-22_f4557af937f454b597e693045e8525cf_ryuk.exe	cmd.exe
PID 1520 wrote to memory of 4512	1520	2024-05-22_f4557af937f454b597e693045e8525cf_ryuk.exe	cmd.exe
PID 4512 wrote to memory of 100	4512	cmd.exe	cmd.exe
PID 4512 wrote to memory of 100	4512	cmd.exe	cmd.exe
PID 100 wrote to memory of 232	100	cmd.exe	schtasks.exe
PID 100 wrote to memory of 232	100	cmd.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2024-05-22_f4557af937f454b597e693045e8525cf_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-22_f4557af937f454b597e693045e8525cf_ryuk.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2280

C:\Users\Admin\AppData\Local\Temp\2024-05-22_f4557af937f454b597e693045e8525cf_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-22_f4557af937f454b597e693045e8525cf_ryuk.exe"
2⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -c New-ItemProperty -Force -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -name update -value C:\Users\Admin\AppData\Local\Temp\2024-05-22_f4557af937f454b597e693045e8525cf_ryuk.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:3756

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -c New-ItemProperty -Force -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -name update -value C:\Users\Admin\AppData\Local\Temp\2024-05-22_f4557af937f454b597e693045e8525cf_ryuk.exe
4⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cmd /c schtasks /create /f /tn update /tr "C:\Users\Admin\AppData\Local\Temp\2024-05-22_f4557af937f454b597e693045e8525cf_ryuk.exe" /sc ONLOGON /ru SYSTEM
3⤵
- Suspicious use of WriteProcessMemory
PID:4512

C:\Windows\system32\cmd.exe
cmd /c schtasks /create /f /tn update /tr "C:\Users\Admin\AppData\Local\Temp\2024-05-22_f4557af937f454b597e693045e8525cf_ryuk.exe" /sc ONLOGON /ru SYSTEM
4⤵
- Suspicious use of WriteProcessMemory
PID:100

C:\Windows\system32\schtasks.exe
schtasks /create /f /tn update /tr "C:\Users\Admin\AppData\Local\Temp\2024-05-22_f4557af937f454b597e693045e8525cf_ryuk.exe" /sc ONLOGON /ru SYSTEM
5⤵
- Creates scheduled task(s)
PID:232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI22802\VCRUNTIME140.dll
Filesize
87KB

MD5
0e675d4a7a5b7ccd69013386793f68eb

SHA1
6e5821ddd8fea6681bda4448816f39984a33596b

SHA256
bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1

SHA512
cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22802\_ctypes.pyd
Filesize
129KB

MD5
c33c65f70d34aa900e903d7129de24a8

SHA1
d4e3f15593ce4e331a851678aad0971e26cfc523

SHA256
e4380415eecc99ed387c30fccbe36687c3b3aca1c2d2336cc51705c658229a2e

SHA512
272b1d915061d8da1ab3edd3703d23a5340a1673c46235b6501c978712e2673df632ddbe7e822988c92604106372d8680f074166230b97adf4cc78708efca38a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22802\_socket.pyd
Filesize
74KB

MD5
0f476bd38eb1d6a79b16c73f48caec17

SHA1
52184c66c24f3bc477685c78b52a691d6e17b3e6

SHA256
09fc679658d08e680db0dc5f0cc733b3459249b8b3135abcc403305edbf6a10d

SHA512
e218bb21ab846cd869ba17f0a521d09a8359578dc3014d873edca6a2040120d12f755ef02ea4203e7f5cc9127f68d15c975770b5250363da06c3bd74fc675d3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22802\base_library.zip
Filesize
766KB

MD5
238cc490fcb78fd9632b8fbc219fe586

SHA1
368dee60f31144ca273541b56c55112d9745bb90

SHA256
e75fa68e0bef8f1f48fa6e20910c7e07ca211217fb57d2208a369a8be2547747

SHA512
2c103b42cb59493061ff5bc15e9eecd240170aa74316123c111e5c639bb00bd3c2b58ea5f7ba8e886ff82fda80cd788d103750457624237a652256edb9494ec3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22802\python37.dll
Filesize
3.6MB

MD5
22546a966149e4f545e00d0c0c294a53

SHA1
3d51c13be6cd7f115934bfa9ef8a3ddd3f571949

SHA256
b01884bced504e81edb83da4c0e6c3098d87c1512d60bb85e88ecd1a937ed2a0

SHA512
1a62a837b42e6ecb149d034826929a9d818571ac7b830b380899bdcf3b72307025d2f47b7d6013cab2725ccbdc1af9ad4b733be75dfe030ecd674d7927b90eac

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22802\pywintypes37.dll
Filesize
136KB

MD5
77b6875977e77c4619bbb471d5eaf790

SHA1
f08c3bc5e918c0a197fbfd1b15e7c0491bd5fade

SHA256
780a72ba3215ff413d5a9e98861d8bb87c15c43a75bb81dc985034ae7dcf5ef6

SHA512
783939fc97b2445dfe7e21eb6b71711aba6d85e275e489eddcc4f20c2ed018678d8d14c9e1856f66e3876f318312d69c22cee77f9105a72e56a1be4f3e8a7c2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22802\select.pyd
Filesize
26KB

MD5
590a8782bfaab2425672f366cc78a070

SHA1
b4535b05b91e72e10c28f59bd042dc174ea71759

SHA256
0e537f93a92150483966435e8a102014014cf38c7edb7f7703db3b253108951d

SHA512
c1d39dbbf35400423142fb656287b11a309f4fc3f3931a5daf0040c81658c1835103aea540bda75c88c57f739cbd9dc90221659958fde6ca81010a9f5e945ba6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22802\ucrtbase.dll
Filesize
992KB

MD5
0e0bac3d1dcc1833eae4e3e4cf83c4ef

SHA1
4189f4459c54e69c6d3155a82524bda7549a75a6

SHA256
8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae

SHA512
a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22802\win32api.pyd
Filesize
130KB

MD5
e14680d97acf0bb1be0910f5646f7aba

SHA1
f727a73469c03e68175d06245a8dd8aebda1f8ae

SHA256
b1ec6335b9bf77829d112b1ac1eb664e7c45fc359e7c8efe86a3a698af4aa715

SHA512
bc323a081169c520d1b4ce391448da74f1f4c0dee54d32f7a51a13c55bb7860629b09dc79fd4cf9b6452fbae131d81dc54cacaf9e598fa4fe0fdfc221636585f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_w0ckhmzo.rs5.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1520-74-0x00000263A9D60000-0x00000263A9DA0000-memory.dmp

Filesize
256KB

Download
memory/3264-58-0x00007FFFB8EF3000-0x00007FFFB8EF5000-memory.dmp

Filesize
8KB

Download
memory/3264-59-0x00000240CA150000-0x00000240CA172000-memory.dmp

Filesize
136KB

Download
memory/3264-69-0x00007FFFB8EF0000-0x00007FFFB99B1000-memory.dmp

Filesize
10.8MB

Download
memory/3264-70-0x00007FFFB8EF0000-0x00007FFFB99B1000-memory.dmp

Filesize
10.8MB

Download
memory/3264-73-0x00007FFFB8EF0000-0x00007FFFB99B1000-memory.dmp

Filesize
10.8MB

Download