cobaltstrike | b2682a2b6fc2c23a7ee8d5be63e8ff378f8953168aa9a776411979b20605a3f4

General

Target

2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
Size

4.9MB
MD5

2cbbcf36f9bedbffb10f821eb280c001
SHA1

1726ea09c6af1714a1dd8b9a47782f33ac99d742
SHA256

b2682a2b6fc2c23a7ee8d5be63e8ff378f8953168aa9a776411979b20605a3f4
SHA512

877270c949890c4af87ddc425628df80274e73e938a20224b1a0b30d91d4c248aca92929ba6e6fa01d185f76df962a639d5efef0b34da1cdb86e3628081a2096
SSDEEP

98304:SW1qiPgxn+cuSuxx8Svt73qq36IdKtVxNw6pUkp3bkbRxOUk:53EnsxxDt73DdKrwapwbRk

Score

10^/10

cobaltstrike xmrig backdoor miner trojan upx

Malware Config

Signatures

Cobalt Strike reflective loader 1 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Program Files\7-Zip\7-zip32.dll	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 1 IoCs

Processes:

resource	yara_rule
C:\Program Files\7-Zip\7-zip32.dll	INDICATOR_SUSPICIOUS_ReflectiveLoader

Detects executables containing URLs to raw contents of a Github gist 8 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3840-740-0x0000000000400000-0x00000000010B6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/3840-1939-0x0000000000400000-0x00000000010B6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/3840-2563-0x0000000000400000-0x00000000010B6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/3840-3132-0x0000000000400000-0x00000000010B6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/3840-4487-0x0000000000400000-0x00000000010B6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/3840-4825-0x0000000000400000-0x00000000010B6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/3840-4833-0x0000000000400000-0x00000000010B6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/3840-4835-0x0000000000400000-0x00000000010B6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL

UPX dump on OEP (original entry point) 10 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3840-0-0x0000000000400000-0x00000000010B6000-memory.dmp	UPX
C:\Program Files\7-Zip\7-zip32.dll	UPX
behavioral2/memory/3840-740-0x0000000000400000-0x00000000010B6000-memory.dmp	UPX
behavioral2/memory/3840-1939-0x0000000000400000-0x00000000010B6000-memory.dmp	UPX
behavioral2/memory/3840-2563-0x0000000000400000-0x00000000010B6000-memory.dmp	UPX
behavioral2/memory/3840-3132-0x0000000000400000-0x00000000010B6000-memory.dmp	UPX
behavioral2/memory/3840-4487-0x0000000000400000-0x00000000010B6000-memory.dmp	UPX
behavioral2/memory/3840-4825-0x0000000000400000-0x00000000010B6000-memory.dmp	UPX
behavioral2/memory/3840-4833-0x0000000000400000-0x00000000010B6000-memory.dmp	UPX
behavioral2/memory/3840-4835-0x0000000000400000-0x00000000010B6000-memory.dmp	UPX

XMRig Miner payload 10 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/3840-740-0x0000000000400000-0x00000000010B6000-memory.dmp	xmrig
behavioral2/memory/3840-1939-0x0000000000400000-0x00000000010B6000-memory.dmp	xmrig
behavioral2/memory/3840-2563-0x0000000000400000-0x00000000010B6000-memory.dmp	xmrig
behavioral2/memory/3840-3132-0x0000000000400000-0x00000000010B6000-memory.dmp	xmrig
behavioral2/memory/3840-4487-0x0000000000400000-0x00000000010B6000-memory.dmp	xmrig
behavioral2/memory/3840-4825-0x0000000000400000-0x00000000010B6000-memory.dmp	xmrig
behavioral2/memory/3840-4833-0x0000000000400000-0x00000000010B6000-memory.dmp	xmrig
behavioral2/memory/3840-4834-0x0000000000401000-0x00000000010B5000-memory.dmp	xmrig
behavioral2/memory/3840-4835-0x0000000000400000-0x00000000010B6000-memory.dmp	xmrig
behavioral2/memory/3840-4836-0x0000000000401000-0x00000000010B5000-memory.dmp	xmrig

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3840-0-0x0000000000400000-0x00000000010B6000-memory.dmp	upx
C:\Program Files\7-Zip\7-zip32.dll	upx
behavioral2/memory/3840-740-0x0000000000400000-0x00000000010B6000-memory.dmp	upx
behavioral2/memory/3840-1939-0x0000000000400000-0x00000000010B6000-memory.dmp	upx
behavioral2/memory/3840-2563-0x0000000000400000-0x00000000010B6000-memory.dmp	upx
behavioral2/memory/3840-3132-0x0000000000400000-0x00000000010B6000-memory.dmp	upx
behavioral2/memory/3840-4487-0x0000000000400000-0x00000000010B6000-memory.dmp	upx
behavioral2/memory/3840-4825-0x0000000000400000-0x00000000010B6000-memory.dmp	upx
behavioral2/memory/3840-4833-0x0000000000400000-0x00000000010B6000-memory.dmp	upx
behavioral2/memory/3840-4835-0x0000000000400000-0x00000000010B6000-memory.dmp	upx

Drops desktop.ini file(s) 1 IoCs

Processes:

2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service
T1102

Processes:

flow ioc

141 drive.google.com
142 drive.google.com
71 raw.githubusercontent.com
72 raw.githubusercontent.com
110 bitbucket.org
111 bitbucket.org

flow	ioc
141	drive.google.com
142	drive.google.com
71	raw.githubusercontent.com
72	raw.githubusercontent.com
110	bitbucket.org
111	bitbucket.org

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	D:\autorun.inf	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File created	F:\autorun.inf	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File opened for modification	F:\autorun.inf	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\LargeTile.scale-125.png	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_OEM_Perp-ppd.xrm-ms	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-140.png	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\id\msipc.dll.mui	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Windows Media Player\es-ES\wmplayer.exe.mui	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\1.png	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Retail-pl.xrm-ms	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN058.XML	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\vccorlib140.dll	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libnsv_plugin.dll	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\LibrarySquare150x150Logo.scale-100.png	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GamesXboxHubWideTile.scale-125_contrast-white.png	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_OEM_Perp-pl.xrm-ms	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Library\SOLVER\SOLVER.XLAM	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PAPYRUS\PAPYRUS.INF	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Mozilla Firefox\xul.dll	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Data.Services.Client.resources.dll	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_2019.729.2301.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\gl-ES\View3d\3DViewerProductDescription-universal.xml	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\ImagePlaceholderBlack.png	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNotebookLargeTile.scale-400.png	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_output\libafile_plugin.dll	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\misc\libgnutls_plugin.dll	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.scale-200.png	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp-ppd.xrm-ms	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_OEM_Perp-ul-phn.xrm-ms	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-ppd.xrm-ms	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Trial-ppd.xrm-ms	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\intf\luac.luac	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O16ConsumerPerp_Bypass30-ul-oob.xrm-ms	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\msoia.exe	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Mso98win32client.dll	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.IdentityModel.Selectors.Resources.dll	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\StoreLogo.scale-125.png	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Retail-ul-oob.xrm-ms	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraSmallTile.contrast-black_scale-200.png	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\MSYHBD.TTC	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-core-xstate-l2-1-0.dll	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Resources\1033\msmdsrv.rll	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Mira.Core.Engine.winmd	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN082.XML	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-white\WideTile.scale-125.png	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\contrast-white\AboutBoxLogo.png	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\TPN.txt	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN097.XML	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\WORDICON.EXE	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-125_kzf8qxf38zg5c\Assets\Images\SkypeWideTile.scale-125.png	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-time-l1-1-0.dll	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Viewpoints\Light\MilitaryRight.png	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNotePageMedTile.scale-200.png	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\tabskb.dll	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libsubsdec_plugin.dll	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\HelpAndFeedback\FeedbackThumbnail.png	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-black\SmallTile.scale-125.png	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\MediumTile.scale-100_contrast-white.png	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\osf\moe_default_icon.png	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\Common Files\System\en-US\wab32res.dll.mui	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\StandardMSDNR_Retail-ul-oob.xrm-ms	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_Subscription-ppd.xrm-ms	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\en-us\msipc.dll.mui	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\osmmui.msi.16.en-us.tree.dat	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\legal\jdk\pkcs11cryptotoken.md	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File created	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\tilebg.png	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.vi-vn.dll	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe

Modifies Internet Explorer start page 1 TTPs 3 IoCs

stealer

Modify Registry

T1112

Processes:

2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "https://www.qPNyQgSImJ.com"	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "https://www.uyDYHLisGy.com"	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "https://www.KZpUCZWNoQ.com"	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe

Modifies system certificate store 2 TTPs 12 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	3840	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	3840	2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-25_2cbbcf36f9bedbffb10f821eb280c001_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops desktop.ini file(s)
- Drops autorun.inf file
- Drops file in Program Files directory
- Modifies Internet Explorer start page
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:3840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7-zip32.dll

Filesize
5.1MB

MD5
4902113a17622300ebf2fa68291c1b27

SHA1
a17a661bc59ac44ac29b01da190cbc576a60ca56

SHA256
0bb19f33b2e16f1ba36f96258b4f357aa5627e736b18ecf686e629618732b68e

SHA512
fab2e184ceb7a85a351cacef850c7341083403294880d4fc9da67bf87a7aad54738a89eb545824fa9449baa08fe76f9c975c165df76a0fb86f0eb5a4679dd67f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Filesize
330B

MD5
3a1c7f1d1f90d4a2df1be751ec262a4b

SHA1
fdb0b13e0c4d9739234ff590d0cdba26d738d2c2

SHA256
0d6c394edf0a5cfe73de937916000e0d4698bf9542c9f28957288f14def5c9ac

SHA512
ec8f7c65d8a2a2132aeba15d08adcaf24e05e60f39c7f2a42aa3035c7d6e2f8a6cbc15ff6c54e0970ca0872efbc79239b9798d9ec104d4f743dc671e9dd6317d

Download Submit
memory/3840-4487-0x0000000000400000-0x00000000010B6000-memory.dmp

Filesize
12.7MB

Download
memory/3840-4825-0x0000000000400000-0x00000000010B6000-memory.dmp

Filesize
12.7MB

Download
memory/3840-740-0x0000000000400000-0x00000000010B6000-memory.dmp

Filesize
12.7MB

Download
memory/3840-1939-0x0000000000400000-0x00000000010B6000-memory.dmp

Filesize
12.7MB

Download
memory/3840-2563-0x0000000000400000-0x00000000010B6000-memory.dmp

Filesize
12.7MB

Download
memory/3840-3132-0x0000000000400000-0x00000000010B6000-memory.dmp

Filesize
12.7MB

Download
memory/3840-0-0x0000000000400000-0x00000000010B6000-memory.dmp

Filesize
12.7MB

Download
memory/3840-1-0x00000000001E0000-0x00000000001F0000-memory.dmp

Filesize
64KB

Download
memory/3840-4826-0x0000000000060000-0x0000000000062000-memory.dmp

Filesize
8KB

Download
memory/3840-4832-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/3840-4833-0x0000000000400000-0x00000000010B6000-memory.dmp

Filesize
12.7MB

Download
memory/3840-4834-0x0000000000401000-0x00000000010B5000-memory.dmp

Filesize
12.7MB

Download
memory/3840-4835-0x0000000000400000-0x00000000010B6000-memory.dmp

Filesize
12.7MB

Download
memory/3840-4836-0x0000000000401000-0x00000000010B5000-memory.dmp

Filesize
12.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads