300c090861a547a4c211b15b9f45d6dcb976128c21b78b6c38d1cf4c5d998e12

Analysis

max time kernel
121s
max time network
74s
platform
windows10_x64
resource
win10v20201028
submitted
06-03-2021 19:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TrojanCozyBear.bin.exe
Size

330KB
MD5

3d3363598f87c78826c859077606e514
SHA1

8b357ff017df3ed882b278d0dbbdf129235d123d
SHA256

01468b1d3e089985a4ed255b6594d24863cfd94a647329c631e4f4e52759f8a9
SHA512

11a9b8dc666877695a7ea0683c83d057b7539fae7e445250d71fd34fdc557df946b4938bf419ddbdc5f4439f3d828ddb4d83d3a9f7f18cb92454da6fdfd99b24

Score

8^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

amdocl_as32.exe

pid process

732 amdocl_as32.exe
Loads dropped DLL 1 IoCs

Processes:

amdocl_as32.exe

pid process

732 amdocl_as32.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

800 taskkill.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description pid process

Token: SeDebugPrivilege 800 taskkill.exe

pid	process
732	amdocl_as32.exe

pid	process
732	amdocl_as32.exe

pid	process
800	taskkill.exe

description	pid	process
Token: SeDebugPrivilege	800	taskkill.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

TrojanCozyBear.bin.exeamdocl_as32.execmd.exe

description	pid	process	target process
PID 1204 wrote to memory of 2076	1204	TrojanCozyBear.bin.exe	cmd.exe
PID 1204 wrote to memory of 2076	1204	TrojanCozyBear.bin.exe	cmd.exe
PID 1204 wrote to memory of 2076	1204	TrojanCozyBear.bin.exe	cmd.exe
PID 1204 wrote to memory of 2672	1204	TrojanCozyBear.bin.exe	cmd.exe
PID 1204 wrote to memory of 2672	1204	TrojanCozyBear.bin.exe	cmd.exe
PID 1204 wrote to memory of 2672	1204	TrojanCozyBear.bin.exe	cmd.exe
PID 1204 wrote to memory of 732	1204	TrojanCozyBear.bin.exe	amdocl_as32.exe
PID 1204 wrote to memory of 732	1204	TrojanCozyBear.bin.exe	amdocl_as32.exe
PID 1204 wrote to memory of 732	1204	TrojanCozyBear.bin.exe	amdocl_as32.exe
PID 732 wrote to memory of 684	732	amdocl_as32.exe	cmd.exe
PID 732 wrote to memory of 684	732	amdocl_as32.exe	cmd.exe
PID 732 wrote to memory of 684	732	amdocl_as32.exe	cmd.exe
PID 684 wrote to memory of 800	684	cmd.exe	taskkill.exe
PID 684 wrote to memory of 800	684	cmd.exe	taskkill.exe
PID 684 wrote to memory of 800	684	cmd.exe	taskkill.exe
PID 732 wrote to memory of 1708	732	amdocl_as32.exe	cmd.exe
PID 732 wrote to memory of 1708	732	amdocl_as32.exe	cmd.exe
PID 732 wrote to memory of 1708	732	amdocl_as32.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\TrojanCozyBear.bin.exe
"C:\Users\Admin\AppData\Local\Temp\TrojanCozyBear.bin.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1204

C:\Windows\SysWOW64\cmd.exe
/c time /T
2⤵
PID:2076

C:\Windows\SysWOW64\cmd.exe
/c time /T
2⤵
PID:2672

C:\Users\Admin\AppData\Roaming\ATI_Subsystem\amdocl_as32.exe
C:\Users\Admin\AppData\Roaming\ATI_Subsystem\amdocl_as32.exe C:\Users\Admin\AppData\Roaming\ATI_Subsystem\atiumdag.dll, ADL2_ApplicationProfiles_System_Reload 1204
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:732

C:\Windows\SysWOW64\cmd.exe
/Q /C TASKKILL /F /PID 1204 > NUL & DEL /F /Q C:\Users\Admin\AppData\Local\Temp\TrojanCozyBear.bin.exe > NUL
3⤵
- Suspicious use of WriteProcessMemory
PID:684

C:\Windows\SysWOW64\taskkill.exe
TASKKILL /F /PID 1204
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:800

C:\Windows\SysWOW64\cmd.exe
/c time /T
3⤵
PID:1708

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ATI_Subsystem\amdocl_as32.exe
MD5
f57886ace1ab4972b0308f69b1a0029c

SHA1
519b2a981cb522ed2b0901f9871f9aa9781a6cd5

SHA256
2be981b3686ee5e725583f5936f5f0a0992723cad784457f91d9d1d5a15a0852

SHA512
c2b3f016a8c3993771cd5709e469c9dedfa1dd35047691de5e853e2ad0ac025ec210fc6cb662c82d08f62e2c889e5060e796414a4eaf6a6c1719cdd7e5debdf8

Download Submit
C:\Users\Admin\AppData\Roaming\ATI_Subsystem\amdocl_as32.exe
MD5
f57886ace1ab4972b0308f69b1a0029c

SHA1
519b2a981cb522ed2b0901f9871f9aa9781a6cd5

SHA256
2be981b3686ee5e725583f5936f5f0a0992723cad784457f91d9d1d5a15a0852

SHA512
c2b3f016a8c3993771cd5709e469c9dedfa1dd35047691de5e853e2ad0ac025ec210fc6cb662c82d08f62e2c889e5060e796414a4eaf6a6c1719cdd7e5debdf8

Download Submit
C:\Users\Admin\AppData\Roaming\ATI_Subsystem\atiumdag.dll
MD5
bc626c8f11ed753f33ad1c0fe848d898

SHA1
883292f00e5836f99a1943a6e0164d8c6c124478

SHA256
8853979fce0f767b495abd55b696203209e95f04aaefe16c52c1724d07972154

SHA512
74db65b9035252157683e27004fffd2df23dd0e287bc4d08fe6cb54faff6c6a088253eecb4a325835227be3a36ae6c0ab1e55058682bcdd44df512b29c3657ab

Download Submit
C:\Users\Admin\AppData\Roaming\ATI_Subsystem\racss.dat
MD5
4152e79e3dbde55dcf3fc2014700a022

SHA1
e2d0edf2e7d4a09fad732d4113d970a56e9a6667

SHA256
5788c819fc0e84dd99b7331676b2230ede93ad19960dda26a36009473f3bc49e

SHA512
55ee492cde845960b249b0c734a55f5acd4d675ed8580815e63e518405903bc67544300e4ff79bb6903a384674dd9c25b6ce3e234b2b733eb563662a902e7af9

Download Submit
\Users\Admin\AppData\Roaming\ATI_Subsystem\atiumdag.dll
MD5
bc626c8f11ed753f33ad1c0fe848d898

SHA1
883292f00e5836f99a1943a6e0164d8c6c124478

SHA256
8853979fce0f767b495abd55b696203209e95f04aaefe16c52c1724d07972154

SHA512
74db65b9035252157683e27004fffd2df23dd0e287bc4d08fe6cb54faff6c6a088253eecb4a325835227be3a36ae6c0ab1e55058682bcdd44df512b29c3657ab

Download Submit
memory/684-9-0x0000000000000000-mapping.dmp

Download
memory/732-4-0x0000000000000000-mapping.dmp

Download
memory/800-11-0x0000000000000000-mapping.dmp

Download
memory/1708-12-0x0000000000000000-mapping.dmp

Download
memory/2076-2-0x0000000000000000-mapping.dmp

Download
memory/2672-3-0x0000000000000000-mapping.dmp

Download