Analysis

This report covers behavioral task behavioral22: TrojanCozyBear.bin.exe run on win10v20201028 (see the task list below).

max time kernel: 121s
max time network: 74s
platform: windows10_x64
resource: win10v20201028
submitted: 06-03-2021 19:40
Static task
static1

Behavioral tasks
task           sample                         resource
behavioral1    APT29miniduke.bin.dll          win7v20201028
behavioral2    APT29miniduke.bin.dll          win10v20201028
behavioral3    CozyBearImplant.bin.exe        win7v20201028
behavioral4    CozyBearImplant.bin.exe        win10v20201028
behavioral5    ImplantCozy.bin.exe            win7v20201028
behavioral6    ImplantCozy.bin.exe            win10v20201028
behavioral7    MinidukeAPT29.bin.dll          win7v20201028
behavioral8    MinidukeAPT29.bin.dll          win10v20201028
behavioral9    Nov2018New!/AudioSes.dll       win7v20201028
behavioral10   Nov2018New!/AudioSes.dll       win10v20201028
behavioral11   ds7002.lnk                     win7v20201028
behavioral12   ds7002.lnk                     win10v20201028
behavioral13   Nov2018New!/ds7002.bin.lnk     win7v20201028
behavioral14   Nov2018New!/ds7002.bin.lnk     win10v20201028
behavioral15   ds7002.pdf                     win7v20201028
behavioral16   ds7002.pdf                     win10v20201028
behavioral17   SeaDaddyImplant (2).bin.exe    win7v20201028
behavioral18   SeaDaddyImplant (2).bin.exe    win10v20201028
behavioral19   SeaDaddyImplant.bin.exe        win7v20201028
behavioral20   SeaDaddyImplant.bin.exe        win10v20201028
behavioral21   TrojanCozyBear.bin.exe         win7v20201028
behavioral22   TrojanCozyBear.bin.exe         win10v20201028
behavioral23   atiagentCozyBear.bin.dll       win7v20201028
behavioral24   atiagentCozyBear.bin.dll       win10v20201028
General

Target: TrojanCozyBear.bin.exe
Size: 330 KB
MD5:    3d3363598f87c78826c859077606e514
SHA1:   8b357ff017df3ed882b278d0dbbdf129235d123d
SHA256: 01468b1d3e089985a4ed255b6594d24863cfd94a647329c631e4f4e52759f8a9
SHA512: 11a9b8dc666877695a7ea0683c83d057b7539fae7e445250d71fd34fdc557df946b4938bf419ddbdc5f4439f3d828ddb4d83d3a9f7f18cb92454da6fdfd99b24
Malware Config

Signatures

Executes dropped EXE (1 IoC)
  Process: amdocl_as32.exe (PID 732)

Loads dropped DLL (1 IoC)
  Process: amdocl_as32.exe (PID 732)

Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Kills process with taskkill (1 IoC)
  Process: taskkill.exe (PID 800)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: taskkill.exe (PID 800), Token: SeDebugPrivilege

Suspicious use of WriteProcessMemory (18 IoCs; each parent/child pair was recorded three times)
  PID 1204 (TrojanCozyBear.bin.exe) wrote to memory of PID 2076 (cmd.exe)          x3
  PID 1204 (TrojanCozyBear.bin.exe) wrote to memory of PID 2672 (cmd.exe)          x3
  PID 1204 (TrojanCozyBear.bin.exe) wrote to memory of PID 732  (amdocl_as32.exe)  x3
  PID 732  (amdocl_as32.exe)        wrote to memory of PID 684  (cmd.exe)          x3
  PID 684  (cmd.exe)                wrote to memory of PID 800  (taskkill.exe)     x3
  PID 732  (amdocl_as32.exe)        wrote to memory of PID 1708 (cmd.exe)          x3
Processes (tree depth shown by indentation; PIDs taken from the signature section above)

[1] C:\Users\Admin\AppData\Local\Temp\TrojanCozyBear.bin.exe (PID 1204)
    command line: "C:\Users\Admin\AppData\Local\Temp\TrojanCozyBear.bin.exe"
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\cmd.exe (PID 2076)
        command line: /c time /T
    [2] C:\Windows\SysWOW64\cmd.exe (PID 2672)
        command line: /c time /T
    [2] C:\Users\Admin\AppData\Roaming\ATI_Subsystem\amdocl_as32.exe (PID 732)
        command line: C:\Users\Admin\AppData\Roaming\ATI_Subsystem\amdocl_as32.exe C:\Users\Admin\AppData\Roaming\ATI_Subsystem\atiumdag.dll, ADL2_ApplicationProfiles_System_Reload 1204
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\cmd.exe (PID 684)
            command line: /Q /C TASKKILL /F /PID 1204 > NUL & DEL /F /Q C:\Users\Admin\AppData\Local\Temp\TrojanCozyBear.bin.exe > NUL
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\taskkill.exe (PID 800)
                command line: TASKKILL /F /PID 1204
                - Kills process with taskkill
                - Suspicious use of AdjustPrivilegeToken
        [3] C:\Windows\SysWOW64\cmd.exe (PID 1708)
            command line: /c time /T
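The tree above shows two behaviours worth alerting on: the dropper stages a loader under %APPDATA%\ATI_Subsystem and hands it a DLL path plus an export name, and the loader then spawns cmd.exe to TASKKILL the dropper's PID and DEL the dropper's own file. The Python below is an added example, not part of the Triage report or of the sample; it rebuilds the tree from constructed Sysmon Event ID 1-style process-creation records (PIDs, images and command lines copied from this report; the dropper's parent PID is not in the report and is set to 0) and flags both behaviours. The record shape, the function names and the user-writable-directory heuristic are assumptions.

```python
"""Added example (not part of the Triage report): flag the two behaviours
visible in the process tree above from process-creation records.

Input shape is an assumption (pid, ppid, image, command line, as Sysmon
Event ID 1 would give you); the records below are constructed from this report.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the report's tree; 1204's parent is not in the report (ppid 0).
APPDATA = r"C:\Users\Admin\AppData"
EVENTS = [
    Proc(1204, 0, APPDATA + r"\Local\Temp\TrojanCozyBear.bin.exe",
         '"' + APPDATA + r'\Local\Temp\TrojanCozyBear.bin.exe"'),
    Proc(2076, 1204, r"C:\Windows\SysWOW64\cmd.exe", "/c time /T"),
    Proc(2672, 1204, r"C:\Windows\SysWOW64\cmd.exe", "/c time /T"),
    Proc(732, 1204, APPDATA + r"\Roaming\ATI_Subsystem\amdocl_as32.exe",
         APPDATA + r"\Roaming\ATI_Subsystem\amdocl_as32.exe "
         + APPDATA + r"\Roaming\ATI_Subsystem\atiumdag.dll, "
         "ADL2_ApplicationProfiles_System_Reload 1204"),
    Proc(684, 732, r"C:\Windows\SysWOW64\cmd.exe",
         "/Q /C TASKKILL /F /PID 1204 > NUL & DEL /F /Q "
         + APPDATA + r"\Local\Temp\TrojanCozyBear.bin.exe > NUL"),
    Proc(800, 684, r"C:\Windows\SysWOW64\taskkill.exe", "TASKKILL /F /PID 1204"),
    Proc(1708, 732, r"C:\Windows\SysWOW64\cmd.exe", "/c time /T"),
]

_TOKEN = re.compile(r'"[^"]*"|\S+')   # keep a quoted path as one token
_REDIR = re.compile(r"^\d?>")         # '>' or '2>' starts a redirection


def segments(cmdline):
    """Split a cmd.exe command line on & / && into token lists, dropping
    '> NUL'-style redirections so 'NUL' is not mistaken for a target."""
    out = []
    for seg in re.split(r"\s*&&?\s*", cmdline):
        toks = _TOKEN.findall(seg)
        cut = next((i for i, t in enumerate(toks) if _REDIR.match(t)), len(toks))
        out.append(toks[:cut])
    return out


def is_ancestor(by_pid, pid, candidate):
    """True if `candidate` is a proper ancestor of `pid` in the recorded tree."""
    seen, cur = set(), by_pid.get(pid)
    while cur is not None and cur.ppid not in seen:
        if cur.ppid == candidate:
            return True
        seen.add(cur.ppid)
        cur = by_pid.get(cur.ppid)
    return False


def find_proxy_self_delete(events):
    """cmd.exe instances that TASKKILL a PID and DEL that PID's own image.
    Returns (cmd_pid, killed_pid, deleted_image, killed_pid_is_ancestor)."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if not e.image.lower().endswith("\\cmd.exe"):
            continue
        killed, deleted = set(), set()
        for toks in segments(e.cmdline):
            low = [t.lower() for t in toks]
            if "taskkill" in low or "taskkill.exe" in low:
                for i, t in enumerate(low):
                    if t == "/pid" and i + 1 < len(toks) and toks[i + 1].isdigit():
                        killed.add(int(toks[i + 1]))
            for i, t in enumerate(low):
                if t in ("del", "erase"):
                    deleted.update(x.strip('"').lower()
                                   for x in toks[i + 1:] if not x.startswith("/"))
                    break
        for pid in sorted(killed):
            target = by_pid.get(pid)
            if target is not None and target.image.lower() in deleted:
                hits.append((e.pid, pid, target.image, is_ancestor(by_pid, e.pid, pid)))
    return hits


def find_userland_dll_loader(events):
    """Executables running from a user-writable profile path whose command line
    passes a .dll path followed by further arguments (here: DLL, export, PID).
    The directory heuristic is an assumption, not a Triage signature."""
    hits = []
    for e in events:
        img = e.image.lower()
        if "\\appdata\\" not in img and "\\users\\public\\" not in img:
            continue
        toks = [t.strip('"') for t in _TOKEN.findall(e.cmdline)]
        for i, t in enumerate(toks):
            if t.lower().rstrip(",").endswith(".dll") and i + 1 < len(toks):
                hits.append((e.pid, e.image, t.rstrip(",")))
                break
    return hits


if __name__ == "__main__":
    for h in find_proxy_self_delete(EVENTS):
        print("proxy self-delete:", h)
    for h in find_userland_dll_loader(EVENTS):
        print("userland DLL loader:", h)
```

On the report's records the first detector returns one hit for PID 684 killing and deleting PID 1204, with the ancestor flag set (1204 is the grandparent of 684), and the second returns PID 732 with atiumdag.dll. Feeding it real Sysmon data means mapping EventID 1 fields onto Proc; the ancestor flag is what separates the cleanup-by-proxy pattern from an administrator's unrelated taskkill-and-delete one-liner.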
Network

MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

C:\Users\Admin\AppData\Roaming\ATI_Subsystem\amdocl_as32.exe
  MD5    f57886ace1ab4972b0308f69b1a0029c
  SHA1   519b2a981cb522ed2b0901f9871f9aa9781a6cd5
  SHA256 2be981b3686ee5e725583f5936f5f0a0992723cad784457f91d9d1d5a15a0852
  SHA512 c2b3f016a8c3993771cd5709e469c9dedfa1dd35047691de5e853e2ad0ac025ec210fc6cb662c82d08f62e2c889e5060e796414a4eaf6a6c1719cdd7e5debdf8

C:\Users\Admin\AppData\Roaming\ATI_Subsystem\atiumdag.dll (also listed as \Users\Admin\AppData\Roaming\ATI_Subsystem\atiumdag.dll)
  MD5    bc626c8f11ed753f33ad1c0fe848d898
  SHA1   883292f00e5836f99a1943a6e0164d8c6c124478
  SHA256 8853979fce0f767b495abd55b696203209e95f04aaefe16c52c1724d07972154
  SHA512 74db65b9035252157683e27004fffd2df23dd0e287bc4d08fe6cb54faff6c6a088253eecb4a325835227be3a36ae6c0ab1e55058682bcdd44df512b29c3657ab

C:\Users\Admin\AppData\Roaming\ATI_Subsystem\racss.dat
  MD5    4152e79e3dbde55dcf3fc2014700a022
  SHA1   e2d0edf2e7d4a09fad732d4113d970a56e9a6667
  SHA256 5788c819fc0e84dd99b7331676b2230ede93ad19960dda26a36009473f3bc49e
  SHA512 55ee492cde845960b249b0c734a55f5acd4d675ed8580815e63e518405903bc67544300e4ff79bb6903a384674dd9c25b6ce3e234b2b733eb563662a902e7af9

Memory dumps (one per child process, named PID-index-base-mapping.dmp)
  memory/684-9-0x0000000000000000-mapping.dmp
  memory/732-4-0x0000000000000000-mapping.dmp
  memory/800-11-0x0000000000000000-mapping.dmp
  memory/1708-12-0x0000000000000000-mapping.dmp
  memory/2076-2-0x0000000000000000-mapping.dmp
  memory/2672-3-0x0000000000000000-mapping.dmp