b226c3b4d8634f9ede3d526c5ee287287c20cf7173154c4db64ec5235800ddcd

Analysis

Target

22cobblerelfs3232.bin.exe
Size

5.2MB
MD5

4ee6e29fa26f2c3f08c0137daf31cc61
SHA1

3443d69f201ceefa69c72b9881c19dbd8fcbd5af
SHA256

b226c3b4d8634f9ede3d526c5ee287287c20cf7173154c4db64ec5235800ddcd
SHA512

08c7ced260360f66b3a8fb54d6ab64a47e6ecdea95f9fab3e8a38f8fd4b5b6010c3f961475399d12e1c9026bbf9ec23027781624a9bb3cda1666477e8153be6b

Score

1^/10

Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

Systeminfo.exe

pid process

1060 Systeminfo.exe
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description flow ioc

HTTP User-Agent header 16 Go-http-client/1.1

pid	process
1060	Systeminfo.exe

description	flow	ioc
HTTP User-Agent header	16	Go-http-client/1.1

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

22cobblerelfs3232.bin.exe

description	pid	process	target process
PID 3832 wrote to memory of 1060	3832	22cobblerelfs3232.bin.exe	Systeminfo.exe
PID 3832 wrote to memory of 1060	3832	22cobblerelfs3232.bin.exe	Systeminfo.exe
PID 3832 wrote to memory of 1060	3832	22cobblerelfs3232.bin.exe	Systeminfo.exe

C:\Users\Admin\AppData\Local\Temp\22cobblerelfs3232.bin.exe
"C:\Users\Admin\AppData\Local\Temp\22cobblerelfs3232.bin.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3832

C:\Windows\SysWOW64\Systeminfo.exe
Systeminfo
2⤵
- Gathers system information
PID:1060

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

memory/1060-7-0x0000000000000000-mapping.dmp

Download
memory/3832-0-0x0000000000400000-0x0000000000957000-memory.dmp

Filesize
5.3MB

Download