Analysis
- max time kernel: 44s
- max time network: 19s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 10-11-2020 07:01
Static task: static1
Behavioral task: behavioral1
- Sample: 268e3671bc2671f3619f3436f4e15c5697da6181fdf33bc2b2d2a8efaa0d18c2.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: 268e3671bc2671f3619f3436f4e15c5697da6181fdf33bc2b2d2a8efaa0d18c2.exe
- Resource: win10v20201028
General
- Target: 268e3671bc2671f3619f3436f4e15c5697da6181fdf33bc2b2d2a8efaa0d18c2.exe
- Size: 5.2MB
- MD5: 66f4be2e4d29f54298d092332194a472
- SHA1: 0c7b1e834d5032bbdd8dda4bea5b40740c9d3c13
- SHA256: 268e3671bc2671f3619f3436f4e15c5697da6181fdf33bc2b2d2a8efaa0d18c2
- SHA512: d5faaa165eb178d1e4ba54908fe55329a3c447afc3fdedc9c3e63c73a5b98725c2bb3ce4210c7c47af61d611dae618fb5e649a078ec18799d1cd92e628dafbcb
Malware Config
Signatures
- Cobalt Strike reflective loader (3 IoCs)
  Detects the reflective loader used by Cobalt Strike.
  Processes (resource / yara_rule):
  - \Windows\system\yrwnBOm.exe: cobalt_reflective_dll
  - C:\Windows\system\yrwnBOm.exe: cobalt_reflective_dll
  - \Windows\system\XNBEoQj.exe: cobalt_reflective_dll
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
- Executes dropped EXE (1 IoCs)
  Processes (pid / process):
  - 2040 yrwnBOm.exe
- Processes (resource / yara_rule):
  - \Windows\system\yrwnBOm.exe: upx
  - C:\Windows\system\yrwnBOm.exe: upx
  - \Windows\system\XNBEoQj.exe: upx
- Loads dropped DLL (2 IoCs)
  Processes (pid / process):
  - 1304 268e3671bc2671f3619f3436f4e15c5697da6181fdf33bc2b2d2a8efaa0d18c2.exe
  - 1304 268e3671bc2671f3619f3436f4e15c5697da6181fdf33bc2b2d2a8efaa0d18c2.exe
- JavaScript code in executable (3 IoCs)
  Processes (resource / yara_rule):
  - \Windows\system\yrwnBOm.exe: js
  - C:\Windows\system\yrwnBOm.exe: js
  - \Windows\system\XNBEoQj.exe: js
- Drops file in Windows directory (2 IoCs)
  Processes (description / ioc / process):
  - File created: C:\Windows\System\yrwnBOm.exe by 268e3671bc2671f3619f3436f4e15c5697da6181fdf33bc2b2d2a8efaa0d18c2.exe
  - File created: C:\Windows\System\XNBEoQj.exe by 268e3671bc2671f3619f3436f4e15c5697da6181fdf33bc2b2d2a8efaa0d18c2.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description / pid / process / target process):
  - PID 1304 wrote to memory of 2040: 268e3671bc2671f3619f3436f4e15c5697da6181fdf33bc2b2d2a8efaa0d18c2.exe -> yrwnBOm.exe
  - PID 1304 wrote to memory of 2040: 268e3671bc2671f3619f3436f4e15c5697da6181fdf33bc2b2d2a8efaa0d18c2.exe -> yrwnBOm.exe
  - PID 1304 wrote to memory of 2040: 268e3671bc2671f3619f3436f4e15c5697da6181fdf33bc2b2d2a8efaa0d18c2.exe -> yrwnBOm.exe
  - PID 1304 wrote to memory of 1944: 268e3671bc2671f3619f3436f4e15c5697da6181fdf33bc2b2d2a8efaa0d18c2.exe -> XNBEoQj.exe
  - PID 1304 wrote to memory of 1944: 268e3671bc2671f3619f3436f4e15c5697da6181fdf33bc2b2d2a8efaa0d18c2.exe -> XNBEoQj.exe
  - PID 1304 wrote to memory of 1944: 268e3671bc2671f3619f3436f4e15c5697da6181fdf33bc2b2d2a8efaa0d18c2.exe -> XNBEoQj.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\268e3671bc2671f3619f3436f4e15c5697da6181fdf33bc2b2d2a8efaa0d18c2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\268e3671bc2671f3619f3436f4e15c5697da6181fdf33bc2b2d2a8efaa0d18c2.exe"
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System\yrwnBOm.exe
    Command line: C:\Windows\System\yrwnBOm.exe
    - Executes dropped EXE
  - C:\Windows\System\XNBEoQj.exe
    Command line: C:\Windows\System\XNBEoQj.exe
Network
MITRE ATT&CK Matrix
Downloads
- C:\Windows\system\yrwnBOm.exe
  MD5: bc0bd8486c4db1242ade6b59fd1a4a56
  SHA1: 4091105a6fa0f5eb8e15ce7997a7c1ec514fd8f9
  SHA256: 85846a4d5992af9b6eba1eee90b134db213c396aca6f6202e2bf61cdfe0fc1a2
  SHA512: 7be41ec3fa388eecb8f2e5e9fcfbb510f6fcf6f1dc22f47071fa4e30cae4527be0ea7223c9224d0b6ccbe0354658b3326abba2e5af6e24e1602a442c5c28f5ff
- \Windows\system\XNBEoQj.exe
  MD5: 696003700b2de8dd07791b6be667db64
  SHA1: 65bcf5727b4d9903ca6fc2c8299037219a52d80b
  SHA256: a17e49a2c742c678e55b2f76eb18c11f1fec4852ac99a56c947a2c73a3398741
  SHA512: a69f3cbcdc749b390ed497b2172df93df27c49a04e23cdd9e196e9ffa06ac903bfed6331801df33dcc00c93acc77f9423d42e7da8508c2e3a0ec878858752078
- \Windows\system\yrwnBOm.exe
  MD5: bc0bd8486c4db1242ade6b59fd1a4a56
  SHA1: 4091105a6fa0f5eb8e15ce7997a7c1ec514fd8f9
  SHA256: 85846a4d5992af9b6eba1eee90b134db213c396aca6f6202e2bf61cdfe0fc1a2
  SHA512: 7be41ec3fa388eecb8f2e5e9fcfbb510f6fcf6f1dc22f47071fa4e30cae4527be0ea7223c9224d0b6ccbe0354658b3326abba2e5af6e24e1602a442c5c28f5ff
- memory/1944-4-0x0000000000000000-mapping.dmp
- memory/2040-1-0x0000000000000000-mapping.dmp