Analysis
- max time kernel: 149s
- max time network: 162s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 28-07-2021 10:06
Static task: static1
Behavioral task: behavioral1
  Sample: 051243b7e0082007493c576d3b896cbf3eeec3cf9572ee669ee0f4d7dca0570d.bin.exe
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: 051243b7e0082007493c576d3b896cbf3eeec3cf9572ee669ee0f4d7dca0570d.bin.exe
  Resource: win10v20210410
General
- Target: 051243b7e0082007493c576d3b896cbf3eeec3cf9572ee669ee0f4d7dca0570d.bin.exe
- Size: 7.1MB
- MD5: ab75f4edb052dbb0ec99f5f8308c8202
- SHA1: 7f885b74a03bafc5a8349837d140214f75023d78
- SHA256: 051243b7e0082007493c576d3b896cbf3eeec3cf9572ee669ee0f4d7dca0570d
- SHA512: 6b0fb6c41e396f939d7aac04753b330eb6625f6098178c17ba96ed23d3a3c10b829c5cc4451d4c4acb5ca714672ca75beeeeca8d2af3e59d7ef8595091c2ddf5
Malware Config
Extracted
- cobaltstrike
  - http://8.136.4.131:6666/NsLP
  - user_agent: User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; BTRS125526)
Signatures
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
- Executes dropped EXE (2 IoCs)
  Processes:
    pid   process
    5020  Direct_Load.exe
    3188  OTC一键注入.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  3188  OTC一键注入.exe
- Suspicious use of SetWindowsHookEx (3 IoCs)
  Processes:
    pid   process
    3188  OTC一键注入.exe
    3188  OTC一键注入.exe
    3188  OTC一键注入.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes:
    description                        pid   process                                                                   target process
    PID 4448 wrote to memory of 5020   4448  051243b7e0082007493c576d3b896cbf3eeec3cf9572ee669ee0f4d7dca0570d.bin.exe  Direct_Load.exe
    PID 4448 wrote to memory of 5020   4448  051243b7e0082007493c576d3b896cbf3eeec3cf9572ee669ee0f4d7dca0570d.bin.exe  Direct_Load.exe
    PID 4448 wrote to memory of 3188   4448  051243b7e0082007493c576d3b896cbf3eeec3cf9572ee669ee0f4d7dca0570d.bin.exe  OTC一键注入.exe
    PID 4448 wrote to memory of 3188   4448  051243b7e0082007493c576d3b896cbf3eeec3cf9572ee669ee0f4d7dca0570d.bin.exe  OTC一键注入.exe
    PID 4448 wrote to memory of 3188   4448  051243b7e0082007493c576d3b896cbf3eeec3cf9572ee669ee0f4d7dca0570d.bin.exe  OTC一键注入.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\051243b7e0082007493c576d3b896cbf3eeec3cf9572ee669ee0f4d7dca0570d.bin.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\051243b7e0082007493c576d3b896cbf3eeec3cf9572ee669ee0f4d7dca0570d.bin.exe"
  - Suspicious use of WriteProcessMemory
  PID: 4448
  - C:\Windows\Temp\Direct_Load.exe
    Command line: "C:\Windows\Temp\Direct_Load.exe"
    - Executes dropped EXE
    PID: 5020
  - C:\Windows\Temp\OTC一键注入.exe
    Command line: "C:\Windows\Temp\OTC一键注入.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID: 3188
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Windows\Temp\Direct_Load.exe
  MD5: 64131969fa7c039b317f9f260d43bf3d
  SHA1: 3b24e2aa82396358276893a737699d136c86518b
  SHA256: c45e91937f36e717646e49e62373b84c39dd19d7f71523022f4dc35be5a105de
  SHA512: 80d61653621df996cd19b9e025d66d2405ca60f0adebe9e84d17d5bd62c256f0f15206560329365ad323229e9038cc28731009f06c9a7276a71d87547678ed5d
- C:\Windows\Temp\OTC一键注入.exe
  MD5: e4f305848ef7b3d9e7d5d7c1cb392cd8
  SHA1: 88ce266d727b847dc3bb17b940da21330dd98aa1
  SHA256: aff5fde32f9e5da9c85be058dc1c8a28e86d7b6984235833034b5b0975454315
  SHA512: e682ec9ab263c64c197c2950d12842f4597d50db24b3839ba7bc348af96a3a0659fc6006add40cc34cdd295f67f36924673ba84b855ca1ea890669920d182e8e
- memory/3188-119-0x0000000000000000-mapping.dmp
- memory/5020-116-0x0000000000000000-mapping.dmp
- memory/5020-122-0x00000000001B0000-0x00000000001B1000-memory.dmp
  Filesize: 4KB