cobaltstrike | b68ded42b14484af617bc803500676f36f22c1cdebacb4f22ac3dbf20fc4a620

Analysis

max time kernel
121s
max time network
126s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 16:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
Size

5.2MB
MD5

83a9c9d4323cc1c8fbbdd073f5751e11
SHA1

82a8c93bc1cf2e6acff2cfb8d0a7619eb0242359
SHA256

b68ded42b14484af617bc803500676f36f22c1cdebacb4f22ac3dbf20fc4a620
SHA512

e816fc6919482772321e2f31305070bd47deab4dde0a15dbce26700dc090f34d0a1db136fea853fb18ec6c21bca0853643cc1e208cc674dcfdb6c5a6aaefe750
SSDEEP

98304:SW1qiPgxn+cuSuxx8Svt73qq36IdKtVxNw6pUkp3bkbRxEU/:53EnsxxDt73DdKrwapwbL/

Score

10^/10

cobaltstrike xmrig backdoor miner trojan upx

Malware Config

Signatures

Cobalt Strike reflective loader 1 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Program Files\7-Zip\7-zip32.dll.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 1 IoCs

Processes:

resource	yara_rule
C:\Program Files\7-Zip\7-zip32.dll.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

Detects executables containing URLs to raw contents of a Github gist 8 IoCs

Processes:

resource	yara_rule
behavioral1/memory/836-871-0x0000000000400000-0x00000000010B6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/836-881-0x0000000000400000-0x00000000010B6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/836-2112-0x0000000000400000-0x00000000010B6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/836-3110-0x0000000000400000-0x00000000010B6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/836-3974-0x0000000000400000-0x00000000010B6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/836-4141-0x0000000000400000-0x00000000010B6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/836-4426-0x0000000000400000-0x00000000010B6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/836-4431-0x0000000000400000-0x00000000010B6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL

UPX dump on OEP (original entry point) 10 IoCs

Processes:

resource	yara_rule
behavioral1/memory/836-1-0x0000000000400000-0x00000000010B6000-memory.dmp	UPX
C:\Program Files\7-Zip\7-zip32.dll.exe	UPX
behavioral1/memory/836-871-0x0000000000400000-0x00000000010B6000-memory.dmp	UPX
behavioral1/memory/836-881-0x0000000000400000-0x00000000010B6000-memory.dmp	UPX
behavioral1/memory/836-2112-0x0000000000400000-0x00000000010B6000-memory.dmp	UPX
behavioral1/memory/836-3110-0x0000000000400000-0x00000000010B6000-memory.dmp	UPX
behavioral1/memory/836-3974-0x0000000000400000-0x00000000010B6000-memory.dmp	UPX
behavioral1/memory/836-4141-0x0000000000400000-0x00000000010B6000-memory.dmp	UPX
behavioral1/memory/836-4426-0x0000000000400000-0x00000000010B6000-memory.dmp	UPX
behavioral1/memory/836-4431-0x0000000000400000-0x00000000010B6000-memory.dmp	UPX

XMRig Miner payload 10 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/836-871-0x0000000000400000-0x00000000010B6000-memory.dmp	xmrig
behavioral1/memory/836-881-0x0000000000400000-0x00000000010B6000-memory.dmp	xmrig
behavioral1/memory/836-2112-0x0000000000400000-0x00000000010B6000-memory.dmp	xmrig
behavioral1/memory/836-3110-0x0000000000400000-0x00000000010B6000-memory.dmp	xmrig
behavioral1/memory/836-3974-0x0000000000400000-0x00000000010B6000-memory.dmp	xmrig
behavioral1/memory/836-4141-0x0000000000400000-0x00000000010B6000-memory.dmp	xmrig
behavioral1/memory/836-4426-0x0000000000400000-0x00000000010B6000-memory.dmp	xmrig
behavioral1/memory/836-4427-0x0000000000401000-0x00000000010B5000-memory.dmp	xmrig
behavioral1/memory/836-4431-0x0000000000400000-0x00000000010B6000-memory.dmp	xmrig
behavioral1/memory/836-4432-0x0000000000401000-0x00000000010B5000-memory.dmp	xmrig

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/836-1-0x0000000000400000-0x00000000010B6000-memory.dmp	upx
C:\Program Files\7-Zip\7-zip32.dll.exe	upx
behavioral1/memory/836-871-0x0000000000400000-0x00000000010B6000-memory.dmp	upx
behavioral1/memory/836-881-0x0000000000400000-0x00000000010B6000-memory.dmp	upx
behavioral1/memory/836-2112-0x0000000000400000-0x00000000010B6000-memory.dmp	upx
behavioral1/memory/836-3110-0x0000000000400000-0x00000000010B6000-memory.dmp	upx
behavioral1/memory/836-3974-0x0000000000400000-0x00000000010B6000-memory.dmp	upx
behavioral1/memory/836-4141-0x0000000000400000-0x00000000010B6000-memory.dmp	upx
behavioral1/memory/836-4426-0x0000000000400000-0x00000000010B6000-memory.dmp	upx
behavioral1/memory/836-4431-0x0000000000400000-0x00000000010B6000-memory.dmp	upx

Drops desktop.ini file(s) 9 IoCs

Processes:

2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Microsoft Games\Hearts\desktop.ini	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\desktop.ini	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Microsoft Games\Chess\desktop.ini	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service
T1102

Processes:

flow ioc

31 raw.githubusercontent.com
32 drive.google.com
33 drive.google.com
84 raw.githubusercontent.com
30 raw.githubusercontent.com

flow	ioc
31	raw.githubusercontent.com
32	drive.google.com
33	drive.google.com
84	raw.githubusercontent.com
30	raw.githubusercontent.com

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	D:\autorun.inf	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File created	F:\autorun.inf	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File opened for modification	F:\autorun.inf	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\ij	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Whitehorse	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\license.html	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.jsp.jasper.registry_1.0.300.v20130327-1442.jar	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-modules.xml	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\msinfo32.exe.mui	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipsptb.xml	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\DVD Maker\ja-JP\OmdProject.dll.mui	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java_crw_demo.dll	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Windows Sidebar\ja-JP\sbdrop.dll.mui	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_basestyle.css	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jre7\lib\deploy\messages_ko.properties	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_single.png	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.security.win32.x86_64_1.0.100.v20130327-1442.jar	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Adak	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.VisualElementsManifest.xml	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Windows Journal\Templates\Genko_2.jtp	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationLeft_SelectionSubpicture.png	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SceneButtonSubpicture.png	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.observable.nl_zh_4.4.0.v20140623020002.jar	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler.xml	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\locale\jfluid-server_zh_CN.jar	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jre7\Welcome.html	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Hong_Kong	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\fr-FR\FreeCell.exe.mui	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\InkWatson.exe.mui	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.common_3.6.200.v20130402-1505.jar	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.console.nl_ja_4.4.0.v20140623020002.jar	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\oc\LC_MESSAGES\vlc.mo	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\uz\LC_MESSAGES\vlc.mo	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bPrev-down.png	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Windows Journal\MSPVWCTL.DLL	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Windows Journal\Templates\To_Do_List.jtp	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\settings.html	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Tarawa	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT+5	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Engine.dll	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Windows Journal\en-US\jnwdui.dll.mui	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Windows Media Player\en-US\wmlaunch.exe.mui	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\css\cpu.css	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.base.nl_ja_4.4.0.v20140623020002.jar	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.Speech.resources.dll	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sl\LC_MESSAGES\vlc.mo	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\system_settings.png	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\pt-PT.pak	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\jvm.dll	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.garbagecollector.nl_ja_4.4.0.v20140623020002.jar	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Windows Media Player\ja-JP\WMPDMC.exe.mui	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nss3.dll	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\README.txt	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\Logo.png	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jre7\lib\fonts\LucidaBrightDemiBold.ttf	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Wake	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jre7\bin\awt.dll	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Hebron	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Windows Media Player\Network Sharing\wmpnss_color120.png	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\Gadget_Main_Gradient.png	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\DVD Maker\Pipeline.dll	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\artifacts.xml	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi420_yuy2_mmx_plugin.dll	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Common Files\System\ado\fr-FR\msader15.dll.mui	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java_crw_demo.dll	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe

Modifies Internet Explorer start page 1 TTPs 8 IoCs

stealer

Modify Registry

T1112

Processes:

2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.rdkxSKVbCR.com"	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.BXgzpRyGCv.com"	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.tZlMgyzVnn.com"	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.lRjdTWyarC.com"	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.rziQaRwYhj.com"	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.CssryBSGsR.com"	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.ZnZxjCGpTh.com"	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.gztfAmgJZY.com"	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe

Modifies system certificate store 2 TTPs 9 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	836	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	836	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops desktop.ini file(s)
- Drops autorun.inf file
- Drops file in Program Files directory
- Modifies Internet Explorer start page
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:836

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Lateral Movement

Replication Through Removable Media

T1091

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7-zip32.dll.exe
Filesize
5.5MB

MD5
e1774ccd88b0975c742698aee5847d1b

SHA1
5375252124fc2b25b5369b5c3ff106dbc7aa281c

SHA256
8f07bac94b73811be42426d851d25dcfc4dc656a61fc8029033f432e1f3ef399

SHA512
a828e8f6b233c36b8bf7d0ceb747e927eb20e8b40706506de0521b6417d3088cad39e80545a4458d5660845da4347de56497612d7c5d209c9a92f0b3428c7188

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416
Filesize
1KB

MD5
55540a230bdab55187a841cfe1aa1545

SHA1
363e4734f757bdeb89868efe94907774a327695e

SHA256
d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

SHA512
c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416
Filesize
230B

MD5
602222ded966fe7dfbc9c4707fb0bb4b

SHA1
193228577905033115db74808e9eb16c98d10343

SHA256
a278d3c54bd743b073d8948d927382ab77cf2c7ddcf11f8546a7aa0c642c9f01

SHA512
de94d1a6e27e72d3e75000d5e317f51ecea16cd2e8c8974eaf7d512cf92ad51c9f7db7a6bd5e619135dfdf0ec0f004e2c9e66aeb42f2c318f890d9d14e755828

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
817d68b029ead293e9a6df5c0cfbbd36

SHA1
bef12039c2d8138e3e9acdecec3b3e48a0e6bdd0

SHA256
96678c71581fe7b0366164164d131ed8a451d7aeadbd20b53c6dc54bec49a419

SHA512
3f01296b7a4a9cab7f0ce233085fa17f8ee55fddcb749f62c830b3cd8b908e4a9020cdaaa290f09909b3f06d0c5923a128f3badce7db1add08755a47ef1f01a2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
40ed479c2352ef5c0d1ca1a50b1311e3

SHA1
22b71a75af9bc12178a66602e2e31fdc73e64e2e

SHA256
ab7859a0d5924c8db318a0e55bd9d077de01a705214690b3bfaf4a98c35787cc

SHA512
b5ed68328b9bf1c12f61ef52711bc8a389c623a1502da296960feee5cad5847aaa76df8b7f20fea9614cafc4e87108014a3a0952cdd4c16233fb4d948866b412

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
7e9fc1e3944e769439a5240ccbedf664

SHA1
5444fbc2b4bfe9543c531032d339c65408257545

SHA256
01c74fa7994157761091d459c15887b90bb6d798d6e2d16dc5ea2d4ee349377c

SHA512
66091539e6bac3f6546fd1293ce2fd7326effc398a09a5519ce3b7fc325cac1129fc5a7daccdb8be13d0a7afb6cd96f2e13ac05725b828f45cf8989d0fe08a38

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
85985f43d324dc2fd7e5aef7df433eb9

SHA1
35b18cef49e8dd1646af6010ef860da6a620c13b

SHA256
8516efda22f490c601e020f79163426f5e437dd43c809b70aea3b30c8461b1b5

SHA512
d6cbd6178490e292ed1ae20fee566c3581f467932899c485948b3f95d727dbbbad206f11ca2d4d9d15095c86c062518a92f7ddc8eb0e9542b9ace1d18696626b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
23c8e9be1e928587f1be4f685b1c5e9c

SHA1
0fa6a378691120607e0530d1cc662d27384b7b32

SHA256
cc359fff8cd30e641b7e72b9f162789fcd6f55a217f8ea50f614820515812c09

SHA512
450bcf3f46126e5299379d16c9379f73c9193b12a74f7bc518a368d2c4973b8f14a0d151ab96085af5fd90f50528ead3c7df029eb2ccfbc16626a7a69713f958

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
ff7055f781d7659b4328a306cd19ed9f

SHA1
4e9abe6bb36468aeac863b1e2db69bcda88d8aa0

SHA256
03c3de888be88fcc8e2fa3e9fd8e9858f8e705a13de2d0025fc6e4207f5f3f91

SHA512
a9c642211fc0186b4373443e7cf9bfb92765173b48110efcd25d7bf5f8c0d2db013899098cff3402c4badfb4a9bf4ceb7e4737cb9e31925477adfcb9e748dd8f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
7d90f074ff6b33f2e5d496e9e4ef7433

SHA1
6311834d6ac164b1c3f50cf631f1c5d872c1aa50

SHA256
9a8cb56c741498f9c947b001b2121ca529aa5b352f54eb0cbac48d6adaa87827

SHA512
d2adeb091eaed95857009ef8580fb28be50ae32da7bb1d6a084e80d827ddd6d4890ef568f2c01ddd8f30c2fb97d6d0210aca7e9a2ad592b4080fc7dccb692ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab281C.tmp
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar281D.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
memory/836-2112-0x0000000000400000-0x00000000010B6000-memory.dmp

Filesize
12.7MB

Download
memory/836-4419-0x00000000002F0000-0x0000000000300000-memory.dmp

Filesize
64KB

Download
memory/836-881-0x0000000000400000-0x00000000010B6000-memory.dmp

Filesize
12.7MB

Download
memory/836-1-0x0000000000400000-0x00000000010B6000-memory.dmp

Filesize
12.7MB

Download
memory/836-0-0x00000000002E0000-0x00000000002F0000-memory.dmp

Filesize
64KB

Download
memory/836-3110-0x0000000000400000-0x00000000010B6000-memory.dmp

Filesize
12.7MB

Download
memory/836-3974-0x0000000000400000-0x00000000010B6000-memory.dmp

Filesize
12.7MB

Download
memory/836-4141-0x0000000000400000-0x00000000010B6000-memory.dmp

Filesize
12.7MB

Download
memory/836-4416-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/836-4417-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/836-4418-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/836-871-0x0000000000400000-0x00000000010B6000-memory.dmp

Filesize
12.7MB

Download
memory/836-4420-0x0000000000300000-0x0000000000310000-memory.dmp

Filesize
64KB

Download
memory/836-4421-0x0000000000310000-0x0000000000320000-memory.dmp

Filesize
64KB

Download
memory/836-4422-0x0000000000320000-0x0000000000360000-memory.dmp

Filesize
256KB

Download
memory/836-4423-0x0000000000360000-0x0000000000382000-memory.dmp

Filesize
136KB

Download
memory/836-4424-0x00000000003B0000-0x00000000003F0000-memory.dmp

Filesize
256KB

Download
memory/836-4425-0x00000000003F0000-0x0000000000400000-memory.dmp

Filesize
64KB

Download
memory/836-4426-0x0000000000400000-0x00000000010B6000-memory.dmp

Filesize
12.7MB

Download
memory/836-4427-0x0000000000401000-0x00000000010B5000-memory.dmp

Filesize
12.7MB

Download
memory/836-4428-0x0000000002C30000-0x0000000002C31000-memory.dmp

Filesize
4KB

Download
memory/836-4431-0x0000000000400000-0x00000000010B6000-memory.dmp

Filesize
12.7MB

Download
memory/836-4432-0x0000000000401000-0x00000000010B5000-memory.dmp

Filesize
12.7MB

Download