cobaltstrike | 4c56041d2a620dc90bb7c83947fa2172403b3df3a90d342e89834b45a690903d

Analysis

max time kernel
117s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 16:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-23_759c07bf0343cf12179dae98e47a0903_cobalt-strike_cobaltstrike.exe
Size

4.9MB
MD5

759c07bf0343cf12179dae98e47a0903
SHA1

656416bb2f0a93c8b3d00125f28566cc53f08d21
SHA256

4c56041d2a620dc90bb7c83947fa2172403b3df3a90d342e89834b45a690903d
SHA512

15712324d9ea0c66d7372c021d922c31f679cc88363ffc38d2bfaf149dff5c27bf0e2cb664983c7f1ceca98ecb275ca6bf61a70a1ea95609d2b8d9c29cc6ce62
SSDEEP

98304:SW1qiPgxn+cuSuxx8Svt73qq36IdKtVxNw6pUkp3bkbRxOUL:53EnsxxDt73DdKrwapwbRL

Score

10^/10

cobaltstrike xmrig backdoor miner trojan upx

Malware Config

Signatures

Cobalt Strike reflective loader 1 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Program Files\7-Zip\7-zip32.dll.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 1 IoCs

Processes:

resource	yara_rule
C:\Program Files\7-Zip\7-zip32.dll.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

Detects executables containing URLs to raw contents of a Github gist 9 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2168-946-0x0000000000400000-0x00000000010B6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2168-955-0x0000000000400000-0x00000000010B6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2168-2068-0x0000000000400000-0x00000000010B6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2168-3033-0x0000000000400000-0x00000000010B6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2168-4235-0x0000000000400000-0x00000000010B6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2168-4576-0x0000000000400000-0x00000000010B6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2168-4644-0x0000000000400000-0x00000000010B6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2168-4645-0x0000000000400000-0x00000000010B6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2168-4649-0x0000000000400000-0x00000000010B6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL

UPX dump on OEP (original entry point) 11 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2168-0-0x0000000000400000-0x00000000010B6000-memory.dmp	UPX
C:\Program Files\7-Zip\7-zip32.dll.exe	UPX
behavioral1/memory/2168-946-0x0000000000400000-0x00000000010B6000-memory.dmp	UPX
behavioral1/memory/2168-955-0x0000000000400000-0x00000000010B6000-memory.dmp	UPX
behavioral1/memory/2168-2068-0x0000000000400000-0x00000000010B6000-memory.dmp	UPX
behavioral1/memory/2168-3033-0x0000000000400000-0x00000000010B6000-memory.dmp	UPX
behavioral1/memory/2168-4235-0x0000000000400000-0x00000000010B6000-memory.dmp	UPX
behavioral1/memory/2168-4576-0x0000000000400000-0x00000000010B6000-memory.dmp	UPX
behavioral1/memory/2168-4644-0x0000000000400000-0x00000000010B6000-memory.dmp	UPX
behavioral1/memory/2168-4645-0x0000000000400000-0x00000000010B6000-memory.dmp	UPX
behavioral1/memory/2168-4649-0x0000000000400000-0x00000000010B6000-memory.dmp	UPX

XMRig Miner payload 9 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2168-946-0x0000000000400000-0x00000000010B6000-memory.dmp	xmrig
behavioral1/memory/2168-955-0x0000000000400000-0x00000000010B6000-memory.dmp	xmrig
behavioral1/memory/2168-2068-0x0000000000400000-0x00000000010B6000-memory.dmp	xmrig
behavioral1/memory/2168-3033-0x0000000000400000-0x00000000010B6000-memory.dmp	xmrig
behavioral1/memory/2168-4235-0x0000000000400000-0x00000000010B6000-memory.dmp	xmrig
behavioral1/memory/2168-4576-0x0000000000400000-0x00000000010B6000-memory.dmp	xmrig
behavioral1/memory/2168-4644-0x0000000000400000-0x00000000010B6000-memory.dmp	xmrig
behavioral1/memory/2168-4645-0x0000000000400000-0x00000000010B6000-memory.dmp	xmrig
behavioral1/memory/2168-4649-0x0000000000400000-0x00000000010B6000-memory.dmp	xmrig

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2168-0-0x0000000000400000-0x00000000010B6000-memory.dmp	upx
C:\Program Files\7-Zip\7-zip32.dll.exe	upx
behavioral1/memory/2168-946-0x0000000000400000-0x00000000010B6000-memory.dmp	upx
behavioral1/memory/2168-955-0x0000000000400000-0x00000000010B6000-memory.dmp	upx
behavioral1/memory/2168-2068-0x0000000000400000-0x00000000010B6000-memory.dmp	upx
behavioral1/memory/2168-3033-0x0000000000400000-0x00000000010B6000-memory.dmp	upx
behavioral1/memory/2168-4235-0x0000000000400000-0x00000000010B6000-memory.dmp	upx
behavioral1/memory/2168-4576-0x0000000000400000-0x00000000010B6000-memory.dmp	upx
behavioral1/memory/2168-4644-0x0000000000400000-0x00000000010B6000-memory.dmp	upx
behavioral1/memory/2168-4645-0x0000000000400000-0x00000000010B6000-memory.dmp	upx
behavioral1/memory/2168-4649-0x0000000000400000-0x00000000010B6000-memory.dmp	upx

Drops desktop.ini file(s) 9 IoCs

Processes:

2024-05-23_759c07bf0343cf12179dae98e47a0903_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Program Files\desktop.ini	2024-05-23_759c07bf0343cf12179dae98e47a0903_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	2024-05-23_759c07bf0343cf12179dae98e47a0903_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	2024-05-23_759c07bf0343cf12179dae98e47a0903_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	2024-05-23_759c07bf0343cf12179dae98e47a0903_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	2024-05-23_759c07bf0343cf12179dae98e47a0903_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	2024-05-23_759c07bf0343cf12179dae98e47a0903_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Microsoft Games\Chess\desktop.ini	2024-05-23_759c07bf0343cf12179dae98e47a0903_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Microsoft Games\Hearts\desktop.ini	2024-05-23_759c07bf0343cf12179dae98e47a0903_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	2024-05-23_759c07bf0343cf12179dae98e47a0903_cobalt-strike_cobaltstrike.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

87 raw.githubusercontent.com
29 drive.google.com
30 drive.google.com
86 raw.githubusercontent.com

flow	ioc
87	raw.githubusercontent.com
29	drive.google.com
30	drive.google.com
86	raw.githubusercontent.com

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

2024-05-23_759c07bf0343cf12179dae98e47a0903_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	D:\autorun.inf	2024-05-23_759c07bf0343cf12179dae98e47a0903_cobalt-strike_cobaltstrike.exe
File created	F:\autorun.inf	2024-05-23_759c07bf0343cf12179dae98e47a0903_cobalt-strike_cobaltstrike.exe
File opened for modification	F:\autorun.inf	2024-05-23_759c07bf0343cf12179dae98e47a0903_cobalt-strike_cobaltstrike.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-23_759c07bf0343cf12179dae98e47a0903_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwruksh.dat	2024-05-23_759c07bf0343cf12179dae98e47a0903_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Internet Explorer\en-US\jsprofilerui.dll.mui	2024-05-23_759c07bf0343cf12179dae98e47a0903_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-loaders.xml	2024-05-23_759c07bf0343cf12179dae98e47a0903_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libtospdif_plugin.dll	2024-05-23_759c07bf0343cf12179dae98e47a0903_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\clock.html	2024-05-23_759c07bf0343cf12179dae98e47a0903_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Pohnpei	2024-05-23_759c07bf0343cf12179dae98e47a0903_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\zh_CN\LC_MESSAGES\vlc.mo	2024-05-23_759c07bf0343cf12179dae98e47a0903_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\liblpcm_plugin.dll	2024-05-23_759c07bf0343cf12179dae98e47a0903_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_smem_plugin.dll	2024-05-23_759c07bf0343cf12179dae98e47a0903_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\css\cpu.css	2024-05-23_759c07bf0343cf12179dae98e47a0903_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Common Files\System\Ole DB\sqlxmlx.dll	2024-05-23_759c07bf0343cf12179dae98e47a0903_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_zh_TW.jar	2024-05-23_759c07bf0343cf12179dae98e47a0903_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-loaders.xml	2024-05-23_759c07bf0343cf12179dae98e47a0903_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\gui\libskins2_plugin.dll	2024-05-23_759c07bf0343cf12179dae98e47a0903_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Windows Journal\fr-FR\jnwdui.dll.mui	2024-05-23_759c07bf0343cf12179dae98e47a0903_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\js\settings.js	2024-05-23_759c07bf0343cf12179dae98e47a0903_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\8.png	2024-05-23_759c07bf0343cf12179dae98e47a0903_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\IpsMigrationPlugin.dll.mui	2024-05-23_759c07bf0343cf12179dae98e47a0903_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Noumea	2024-05-23_759c07bf0343cf12179dae98e47a0903_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Rio_Branco	2024-05-23_759c07bf0343cf12179dae98e47a0903_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Yellowknife	2024-05-23_759c07bf0343cf12179dae98e47a0903_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\ja-JP\bckgRes.dll.mui	2024-05-23_759c07bf0343cf12179dae98e47a0903_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\intf\luac.luac	2024-05-23_759c07bf0343cf12179dae98e47a0903_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Windows Defender\MpClient.dll	2024-05-23_759c07bf0343cf12179dae98e47a0903_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\timer_over.png	2024-05-23_759c07bf0343cf12179dae98e47a0903_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE	2024-05-23_759c07bf0343cf12179dae98e47a0903_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationLeft_SelectionSubpicture.png	2024-05-23_759c07bf0343cf12179dae98e47a0903_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\feature.xml	2024-05-23_759c07bf0343cf12179dae98e47a0903_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.greychart.ui.zh_CN_5.5.0.165303.jar	2024-05-23_759c07bf0343cf12179dae98e47a0903_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ja_5.5.0.165303.jar	2024-05-23_759c07bf0343cf12179dae98e47a0903_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\1047x576black.png	2024-05-23_759c07bf0343cf12179dae98e47a0903_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_specialocc_Thumbnail.bmp	2024-05-23_759c07bf0343cf12179dae98e47a0903_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	2024-05-23_759c07bf0343cf12179dae98e47a0903_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-javahelp_zh_CN.jar	2024-05-23_759c07bf0343cf12179dae98e47a0903_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-options-keymap_ja.jar	2024-05-23_759c07bf0343cf12179dae98e47a0903_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\Microsoft.Build.Engine.resources.dll	2024-05-23_759c07bf0343cf12179dae98e47a0903_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fa\LC_MESSAGES\vlc.mo	2024-05-23_759c07bf0343cf12179dae98e47a0903_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Windows Defender\it-IT\MpAsDesc.dll.mui	2024-05-23_759c07bf0343cf12179dae98e47a0903_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\css\clock.css	2024-05-23_759c07bf0343cf12179dae98e47a0903_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\circleround_glass.png	2024-05-23_759c07bf0343cf12179dae98e47a0903_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\106.0.5249.119.manifest	2024-05-23_759c07bf0343cf12179dae98e47a0903_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\US_export_policy.jar	2024-05-23_759c07bf0343cf12179dae98e47a0903_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Riyadh87	2024-05-23_759c07bf0343cf12179dae98e47a0903_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\PresentationBuildTasks.resources.dll	2024-05-23_759c07bf0343cf12179dae98e47a0903_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\control\libdummy_plugin.dll	2024-05-23_759c07bf0343cf12179dae98e47a0903_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Windows Defender\ja-JP\MpAsDesc.dll.mui	2024-05-23_759c07bf0343cf12179dae98e47a0903_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Windows Media Player\es-ES\WMPDMC.exe.mui	2024-05-23_759c07bf0343cf12179dae98e47a0903_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\sk.pak	2024-05-23_759c07bf0343cf12179dae98e47a0903_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\sunec.dll	2024-05-23_759c07bf0343cf12179dae98e47a0903_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\San_Juan	2024-05-23_759c07bf0343cf12179dae98e47a0903_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-windows.xml	2024-05-23_759c07bf0343cf12179dae98e47a0903_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.Speech.resources.dll	2024-05-23_759c07bf0343cf12179dae98e47a0903_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\ShadesOfBlue.jpg	2024-05-23_759c07bf0343cf12179dae98e47a0903_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Scenes_INTRO_BG.wmv	2024-05-23_759c07bf0343cf12179dae98e47a0903_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Internet Explorer\ieproxy.dll	2024-05-23_759c07bf0343cf12179dae98e47a0903_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\javaws.policy	2024-05-23_759c07bf0343cf12179dae98e47a0903_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Prague	2024-05-23_759c07bf0343cf12179dae98e47a0903_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.controlpanel.ui.zh_CN_5.5.0.165303.jar	2024-05-23_759c07bf0343cf12179dae98e47a0903_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-windows.jar	2024-05-23_759c07bf0343cf12179dae98e47a0903_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Tiki.gif	2024-05-23_759c07bf0343cf12179dae98e47a0903_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	2024-05-23_759c07bf0343cf12179dae98e47a0903_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jre7\lib\jce.jar	2024-05-23_759c07bf0343cf12179dae98e47a0903_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Windows NT\TableTextService\TableTextServiceAmharic.txt	2024-05-23_759c07bf0343cf12179dae98e47a0903_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\tabskb.dll.mui	2024-05-23_759c07bf0343cf12179dae98e47a0903_cobalt-strike_cobaltstrike.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

Processes:

2024-05-23_759c07bf0343cf12179dae98e47a0903_cobalt-strike_cobaltstrike.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.IiPTJFTRRr.com"	2024-05-23_759c07bf0343cf12179dae98e47a0903_cobalt-strike_cobaltstrike.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.PtWpEmUKVW.com"	2024-05-23_759c07bf0343cf12179dae98e47a0903_cobalt-strike_cobaltstrike.exe

Modifies system certificate store 2 TTPs 10 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

2024-05-23_759c07bf0343cf12179dae98e47a0903_cobalt-strike_cobaltstrike.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	2024-05-23_759c07bf0343cf12179dae98e47a0903_cobalt-strike_cobaltstrike.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	2024-05-23_759c07bf0343cf12179dae98e47a0903_cobalt-strike_cobaltstrike.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	2024-05-23_759c07bf0343cf12179dae98e47a0903_cobalt-strike_cobaltstrike.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	2024-05-23_759c07bf0343cf12179dae98e47a0903_cobalt-strike_cobaltstrike.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	2024-05-23_759c07bf0343cf12179dae98e47a0903_cobalt-strike_cobaltstrike.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	2024-05-23_759c07bf0343cf12179dae98e47a0903_cobalt-strike_cobaltstrike.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	2024-05-23_759c07bf0343cf12179dae98e47a0903_cobalt-strike_cobaltstrike.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	2024-05-23_759c07bf0343cf12179dae98e47a0903_cobalt-strike_cobaltstrike.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	2024-05-23_759c07bf0343cf12179dae98e47a0903_cobalt-strike_cobaltstrike.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	2024-05-23_759c07bf0343cf12179dae98e47a0903_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-05-23_759c07bf0343cf12179dae98e47a0903_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	2168	2024-05-23_759c07bf0343cf12179dae98e47a0903_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	2168	2024-05-23_759c07bf0343cf12179dae98e47a0903_cobalt-strike_cobaltstrike.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-23_759c07bf0343cf12179dae98e47a0903_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-23_759c07bf0343cf12179dae98e47a0903_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops desktop.ini file(s)
- Drops autorun.inf file
- Drops file in Program Files directory
- Modifies Internet Explorer start page
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:2168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7-zip32.dll.exe
Filesize
5.2MB

MD5
dc07c3f3fae97b85236a87b2014edec4

SHA1
3e5ba846f027e29cf1919111ae93d07fb916740e

SHA256
8d6ff14a748a2df5bc57e8b349f8831750b95e0417a57c86b7c71c89fffc6429

SHA512
057a63911b3b1400c3fabd5f7d6475f8e716b9236e43e23578848532d0ed7d06986f6024d1d4b72098d9d45a2183144e27afe369b199813a55e751c19c891f50

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416
Filesize
1KB

MD5
55540a230bdab55187a841cfe1aa1545

SHA1
363e4734f757bdeb89868efe94907774a327695e

SHA256
d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

SHA512
c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416
Filesize
230B

MD5
049f210281c2d07de4cef47c1052df7c

SHA1
9125b5d44bf681019e8584c57b9a102b854fbede

SHA256
22c2886cdf94f4bf99736bdf70f6eb8747f3b1ddbc0290f4d71cf9b3486bb107

SHA512
c5216fc3e2860b29c4a59d6c0321a12dcbca11851cce019b895bf311b74ce25feb61da4d3418a7469d48036652dbfe1df0c44cd1b1747b032f7e4e8e93bb6a8b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
3028771193fffc64b6520eaa984bb41b

SHA1
bdcaea3e374647a685d5ad286ab63d9d41eb321c

SHA256
5c644931a652da6b5aa0e4c2e04e1658ac85a4c594e7689db9685e36bb3a3aac

SHA512
d026af64c8ab220504c7a720971aefb9dd370cb7821f50e95ac81f6e29346224e4434457cacc9f8b5b11713825e0f6e239a640dd0deab1cc2c56c9dc2d79dbe3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
b8242ca9299328b63c6d77105dabac7c

SHA1
25311c5094ac9569c029f9a6401e59329152c9de

SHA256
72686b49e4e6cb6f1fc687c23956905364ce6e6de52e994b0f64296500d9919d

SHA512
f377bff51aff919e952d766fc9a99c7e4107136185e321f3593ae4df40fde8e71eca62eaf0cf6c40fbea3cdb4b906279c07338fee2e3dad6df3d25c9182b85fc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
9ef1329ebb03c1349aac714f7db8254d

SHA1
9952c0ed9eed42adbd32483c2e62f919ff28fd25

SHA256
6b231afac888f1d4f6c2a057f91a027f1de99b6baa0f84e1c02b5ebd768a9d0f

SHA512
5f3f24e0a006db11aaf7ccfe56f68ac565391f18e303068f2488111b19ac3ccb56fc6d2359fe51861d1f0cad4c050477069b109f6ecbd888cc1a7f19ff2d4770

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
87c5fe632f04036273cff7e0741df3e1

SHA1
58334cfe80c7baa40c8041795b973707829e5936

SHA256
6f2f4b6350b48065639175addc47e4350ac52b9390f8430c66a070daf6ee8b7f

SHA512
7a0d39087219bed243c2b4a590aeefca12a36720ccd355695a26b86d44bfc86305afc8062f9a5836ed8c6ece251c0ac3e50fd504b88d8e56e20a327b3a2670bb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
c4386ab5f15168f2bab565ae8f5ac0e3

SHA1
a3b4621ed82505645dd82febe3c1f2b627594780

SHA256
67e2599b55e21113c1b46d1eaf0d7d8760b95f19ef10de90e078a969877fed4a

SHA512
f7d937c816078f7341a8c20d9eeb12a9a39d8dedfcfe4a13ab3432483e78a876826e66da0bb49a276ab41a396be2c3abc80bdfa07fdc6870d4eacfec2a593dd8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
327dd895a0db138b48ed155ddfd889c2

SHA1
09c905ce6b8609b7a208a0725393d76e3baecb7e

SHA256
1f2e3004bff5a7ed6b9bc17feac7ff12235f2a611efbc09fe2f14a77ef45b69d

SHA512
b929705e57eaed8887417146f2207dcfe8decc3673014548ead024a87fc2802c82849ad3322d62ca9bf0ad84f94932e07048acbb3a208cfbb8c4895cd972367a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
6c0f21ec9116d7af02de96345921b2f8

SHA1
30adeb155dd98ce77a36d5cceb5512c696878fbd

SHA256
231e29c6391299387632bfce9d4628434e82b766b604382582e79aeb7a57b6f2

SHA512
e0e7cccc023fcf05686c43f284b8db0e6e7b8e8affd2f96629176a813f5b16258cfe8d6dbf99bbbc69e88fec1651a95d6b37e4ae29b80dac60a16b560130bf7e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
30947921f3f48fdaa2fa24cf9d476397

SHA1
e0e50758f149599141e026852f9f9ec0d9f6d7cb

SHA256
dbbfc93198b271c26f32af6f66a4aed7a6d477cb66eb11263f24be69cc877580

SHA512
53ddfd804d4ab7923d98e0fa6a0db8835ac0afc1f1576b6b0e93a546209b38e4dbd3b1707856c2689090853ec8e83fd4c651cb4848c1c1d9f2b1dc423f2ea3e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2648.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2689.tmp
Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar27C7.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
memory/2168-955-0x0000000000400000-0x00000000010B6000-memory.dmp

Filesize
12.7MB

Download
memory/2168-4641-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2168-946-0x0000000000400000-0x00000000010B6000-memory.dmp

Filesize
12.7MB

Download
memory/2168-1-0x00000000003E0000-0x00000000003F0000-memory.dmp

Filesize
64KB

Download
memory/2168-2068-0x0000000000400000-0x00000000010B6000-memory.dmp

Filesize
12.7MB

Download
memory/2168-3033-0x0000000000400000-0x00000000010B6000-memory.dmp

Filesize
12.7MB

Download
memory/2168-4235-0x0000000000400000-0x00000000010B6000-memory.dmp

Filesize
12.7MB

Download
memory/2168-4576-0x0000000000400000-0x00000000010B6000-memory.dmp

Filesize
12.7MB

Download
memory/2168-4639-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2168-0-0x0000000000400000-0x00000000010B6000-memory.dmp

Filesize
12.7MB

Download
memory/2168-4640-0x00000000002C0000-0x00000000003C0000-memory.dmp

Filesize
1024KB

Download
memory/2168-4642-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2168-4643-0x00000000003F0000-0x0000000000400000-memory.dmp

Filesize
64KB

Download
memory/2168-4644-0x0000000000400000-0x00000000010B6000-memory.dmp

Filesize
12.7MB

Download
memory/2168-4645-0x0000000000400000-0x00000000010B6000-memory.dmp

Filesize
12.7MB

Download
memory/2168-4646-0x0000000004600000-0x0000000004601000-memory.dmp

Filesize
4KB

Download
memory/2168-4649-0x0000000000400000-0x00000000010B6000-memory.dmp

Filesize
12.7MB

Download