cobaltstrike | b68ded42b14484af617bc803500676f36f22c1cdebacb4f22ac3dbf20fc4a620

General

Target

2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
Size

5.2MB
MD5

83a9c9d4323cc1c8fbbdd073f5751e11
SHA1

82a8c93bc1cf2e6acff2cfb8d0a7619eb0242359
SHA256

b68ded42b14484af617bc803500676f36f22c1cdebacb4f22ac3dbf20fc4a620
SHA512

e816fc6919482772321e2f31305070bd47deab4dde0a15dbce26700dc090f34d0a1db136fea853fb18ec6c21bca0853643cc1e208cc674dcfdb6c5a6aaefe750
SSDEEP

98304:SW1qiPgxn+cuSuxx8Svt73qq36IdKtVxNw6pUkp3bkbRxEU/:53EnsxxDt73DdKrwapwbL/

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

0

C2

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 3 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Program Files\7-Zip\7-zip32.dll	cobalt_reflective_dll
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll	cobalt_reflective_dll
C:\Program Files\Microsoft Office\root\Office16\VISSHE.DLL	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 3 IoCs

Processes:

resource	yara_rule
C:\Program Files\7-Zip\7-zip32.dll	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Program Files\Microsoft Office\root\Office16\VISSHE.DLL	INDICATOR_SUSPICIOUS_ReflectiveLoader

Detects executables containing URLs to raw contents of a Github gist 7 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3532-646-0x0000000000400000-0x00000000010B6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/3532-1642-0x0000000000400000-0x00000000010B6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/3532-2212-0x0000000000400000-0x00000000010B6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/3532-2739-0x0000000000400000-0x00000000010B6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/3532-3743-0x0000000000400000-0x00000000010B6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/3532-4534-0x0000000000400000-0x00000000010B6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/3532-4541-0x0000000000400000-0x00000000010B6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL

UPX dump on OEP (original entry point) 11 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3532-0-0x0000000000400000-0x00000000010B6000-memory.dmp	UPX
C:\Program Files\7-Zip\7-zip32.dll	UPX
behavioral2/memory/3532-646-0x0000000000400000-0x00000000010B6000-memory.dmp	UPX
behavioral2/memory/3532-1642-0x0000000000400000-0x00000000010B6000-memory.dmp	UPX
behavioral2/memory/3532-2212-0x0000000000400000-0x00000000010B6000-memory.dmp	UPX
behavioral2/memory/3532-2739-0x0000000000400000-0x00000000010B6000-memory.dmp	UPX
behavioral2/memory/3532-3743-0x0000000000400000-0x00000000010B6000-memory.dmp	UPX
behavioral2/memory/3532-4534-0x0000000000400000-0x00000000010B6000-memory.dmp	UPX
behavioral2/memory/3532-4541-0x0000000000400000-0x00000000010B6000-memory.dmp	UPX
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll	UPX
C:\Program Files\Microsoft Office\root\Office16\VISSHE.DLL	UPX

XMRig Miner payload 8 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/3532-646-0x0000000000400000-0x00000000010B6000-memory.dmp	xmrig
behavioral2/memory/3532-1642-0x0000000000400000-0x00000000010B6000-memory.dmp	xmrig
behavioral2/memory/3532-2212-0x0000000000400000-0x00000000010B6000-memory.dmp	xmrig
behavioral2/memory/3532-2739-0x0000000000400000-0x00000000010B6000-memory.dmp	xmrig
behavioral2/memory/3532-3743-0x0000000000400000-0x00000000010B6000-memory.dmp	xmrig
behavioral2/memory/3532-4534-0x0000000000400000-0x00000000010B6000-memory.dmp	xmrig
behavioral2/memory/3532-4541-0x0000000000400000-0x00000000010B6000-memory.dmp	xmrig
behavioral2/memory/3532-4543-0x0000000000401000-0x00000000010B5000-memory.dmp	xmrig

Loads dropped DLL 24 IoCs

Processes:

pid process

3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432

pid	process
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432
3432

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3532-0-0x0000000000400000-0x00000000010B6000-memory.dmp	upx
C:\Program Files\7-Zip\7-zip32.dll	upx
behavioral2/memory/3532-646-0x0000000000400000-0x00000000010B6000-memory.dmp	upx
behavioral2/memory/3532-1642-0x0000000000400000-0x00000000010B6000-memory.dmp	upx
behavioral2/memory/3532-2212-0x0000000000400000-0x00000000010B6000-memory.dmp	upx
behavioral2/memory/3532-2739-0x0000000000400000-0x00000000010B6000-memory.dmp	upx
behavioral2/memory/3532-3743-0x0000000000400000-0x00000000010B6000-memory.dmp	upx
behavioral2/memory/3532-4534-0x0000000000400000-0x00000000010B6000-memory.dmp	upx
behavioral2/memory/3532-4541-0x0000000000400000-0x00000000010B6000-memory.dmp	upx
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll	upx
C:\Program Files\Microsoft Office\root\Office16\VISSHE.DLL	upx

Drops desktop.ini file(s) 1 IoCs

Processes:

2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

45 raw.githubusercontent.com
46 raw.githubusercontent.com
55 bitbucket.org
56 bitbucket.org

flow	ioc
45	raw.githubusercontent.com
46	raw.githubusercontent.com
55	bitbucket.org
56	bitbucket.org

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	D:\autorun.inf	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File created	F:\autorun.inf	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File opened for modification	F:\autorun.inf	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\TipTsf.dll.mui	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp-ppd.xrm-ms	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN102.XML	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PPCORE.DLL	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\InsiderHubAppList.scale-125_contrast-white.png	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\Weather_TileMediumSquare.scale-200.png	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\GKWord.dll	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.scale-80.png	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\sw.pak	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-conio-l1-1-0.dll	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\OIMG.DLL	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Office Setup Controller\Office.en-us\PSS10O.CHM	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_dummy_plugin.dll	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\SplashScreen.scale-125_contrast-white.png	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Internet Explorer\uk-UA\iexplore.exe.mui	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Trial-pl.xrm-ms	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\Client2019_eula.txt	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\MLASeventhEditionOfficeOnline.xsl	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\XML2WORD.XSL	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\DcfMsoWrapper.x86.dll	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MANIFEST.XML	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_de.properties	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.XLS	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\orcl7.xsl	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MML2OMML.XSL	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\pkeyconfig-office.xrm-ms	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\MS.EXCEL.16.1033.hxn	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\LiveTile\Icons_Icon_Wind_sm.png	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\wordEtw.man	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\NAMEEXT.DLL	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\intf\telnet.luac	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageLargeTile.scale-125_contrast-black.png	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremDemoR_BypassTrial365-ppd.xrm-ms	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-white_scale-100.png	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessDemoR_BypassTrial365-ppd.xrm-ms	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_MAK_AE-ppd.xrm-ms	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART6.BDR	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Windows Media Player\wmpshare.exe	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\AppIcon.targetsize-24_altform-lightunplated.png	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageSplashScreen.scale-200.png	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Assets\tinytile.targetsize-48_altform-unplated_contrast-black.png	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-profile-l1-1-0.dll	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_OEM_Perp-pl.xrm-ms	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javafx_font.dll	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\System\ole db\xmlrwbin.dll	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\dbcicons.exe	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Windows Defender\de-DE\ProtectionManagement.dll.mui	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageWideTile.scale-400_contrast-black.png	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\OneNote\SendToOneNoteFilter.dll	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\osmuxmui.msi.16.en-us.boot.tree.dat	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Internet Explorer\ja-JP\iexplore.exe.mui	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\deploy\[email protected]	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.scale-140.png	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\vocaroo.luac	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Common Files\System\msadc\msdaprst.dll	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\jdk\jopt-simple.md	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-pl.xrm-ms	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_Subscription-ppd.xrm-ms	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.ExcelServices.dll	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-phonetic.xml	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\System\mfc140u.dll	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe

Modifies Internet Explorer start page 1 TTPs 4 IoCs

stealer

Modify Registry

T1112

Processes:

2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "https://www.hRUTnmMyKr.com"	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "https://www.rnBlvbAYne.com"	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "https://www.kJJENmEDzR.com"	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "https://www.jAgpCgqPRZ.com"	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe

Modifies system certificate store 2 TTPs 11 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800001900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	3532	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	3532	2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-23_83a9c9d4323cc1c8fbbdd073f5751e11_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops desktop.ini file(s)
- Drops autorun.inf file
- Drops file in Program Files directory
- Modifies Internet Explorer start page
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:3532

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7-zip32.dll
Filesize
5.5MB

MD5
7546f005fab490646a943fe57cd039b5

SHA1
3d53fa45b4546ebd9aed3652eb2701e4fbdce7c1

SHA256
9f16db5fb44a17fa76e50aa467c18151ac12a81275ab65fca0997a64347a03ac

SHA512
84597dd8abe82e2698beaaea7ad4d96b04a579ff935e636e6affa55e3fc390b73d5678a41882b1260f276d174983a52104d6916a552933e7d30c3e2146c037b9

Download Submit
C:\Program Files\Microsoft Office\root\Office16\VISSHE.DLL
Filesize
5.5MB

MD5
c566c3cc445070b5a80189a5f25c1a4b

SHA1
cba6a05978074b98b05aec1709bc30c00fe79ca5

SHA256
04fe1ef9609fcc38ce8d1107bb3428a080a79b7c4312742e74e2fb13ccee5e26

SHA512
eb4fcf948a2289dbdc9791c186bb48d07e120a4ed05a4be6b5630626cdf553e14f8c167a73569e3087939ac126875a60a75784c588068b57b7290792277be58e

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll
Filesize
5.4MB

MD5
d6dd9663f066622dcb44608c505b0dbb

SHA1
5abacf04310560b464a3c16f628385740c928f79

SHA256
25affb60ddfbef344f54f7316478e3c9ea8378671c414112bd058e949171ffbb

SHA512
6c43f3f92c3622e6b836974a1124118d37d6c17690a5bb0d2812fd17b2c64df24fd23aaecd1534b583db083c3f9c23d2366d34ba194a78ecb96cffe16452e321

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
Filesize
330B

MD5
1d37423f09a1d6926a3e0ec7c1804988

SHA1
88ba4d79d9308dc587ce3853172c8ddb462c901f

SHA256
30a19a4c5c51c49c33a71b124805457f7747fffb0604a2d50ace3f66d9038cbe

SHA512
f4ba29070ff3fb561df3ebf8a6f531213c92d67e7e855fbc6dad2509944abc3a646af48f20d86ddd4cb553fabb5d361469505e32e5e7079a66397e5c78723a16

Download Submit
memory/3532-3743-0x0000000000400000-0x00000000010B6000-memory.dmp

Filesize
12.7MB

Download
memory/3532-1642-0x0000000000400000-0x00000000010B6000-memory.dmp

Filesize
12.7MB

Download
memory/3532-2212-0x0000000000400000-0x00000000010B6000-memory.dmp

Filesize
12.7MB

Download
memory/3532-2739-0x0000000000400000-0x00000000010B6000-memory.dmp

Filesize
12.7MB

Download
memory/3532-0-0x0000000000400000-0x00000000010B6000-memory.dmp

Filesize
12.7MB

Download
memory/3532-4534-0x0000000000400000-0x00000000010B6000-memory.dmp

Filesize
12.7MB

Download
memory/3532-4535-0x0000000000060000-0x0000000000062000-memory.dmp

Filesize
8KB

Download
memory/3532-4540-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/3532-4542-0x0000000005870000-0x0000000005871000-memory.dmp

Filesize
4KB

Download
memory/3532-4541-0x0000000000400000-0x00000000010B6000-memory.dmp

Filesize
12.7MB

Download
memory/3532-4543-0x0000000000401000-0x00000000010B5000-memory.dmp

Filesize
12.7MB

Download
memory/3532-646-0x0000000000400000-0x00000000010B6000-memory.dmp

Filesize
12.7MB

Download
memory/3532-1-0x00000000001E0000-0x00000000001F0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads