080ee6c068e95db7a776793e167fb4bb9ad0efcb424a400ed3efe697400fc73a.7z

General
Target

080ee6c068e95db7a776793e167fb4bb9ad0efcb424a400ed3efe697400fc73a.exe

Filesize

3MB

Completed

19-01-2022 18:25

Score
10/10
MD5

b35f113ac3f89dc786064a81431ca438

SHA1

bd876ac81afbceaf4d4fc17e99c4f7012a92d4a4

SHA256

080ee6c068e95db7a776793e167fb4bb9ad0efcb424a400ed3efe697400fc73a

Malware Config

Extracted

Family cobaltstrike
C2

http://106.12.99.85:80/qu6A

Attributes
user_agent
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)
Signatures 5

Defense Evasion
Discovery
  • Cobaltstrike

    Description

    Detected malicious payload which is part of Cobaltstrike.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    TTPs

    Query Registry; Virtualization/Sandbox Evasion
  • Checks BIOS information in registry
    080ee6c068e95db7a776793e167fb4bb9ad0efcb424a400ed3efe697400fc73a.exe

    Description

    BIOS information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry; System Information Discovery

    Reported IOCs

    Description | IOC | Process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 080ee6c068e95db7a776793e167fb4bb9ad0efcb424a400ed3efe697400fc73a.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 080ee6c068e95db7a776793e167fb4bb9ad0efcb424a400ed3efe697400fc73a.exe
  • Checks whether UAC is enabled
    080ee6c068e95db7a776793e167fb4bb9ad0efcb424a400ed3efe697400fc73a.exe

    TTPs

    System Information Discovery

    Reported IOCs

    Description | IOC | Process
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 080ee6c068e95db7a776793e167fb4bb9ad0efcb424a400ed3efe697400fc73a.exe
  • Suspicious use of NtSetInformationThreadHideFromDebugger
    080ee6c068e95db7a776793e167fb4bb9ad0efcb424a400ed3efe697400fc73a.exe

    Reported IOCs

    PID | Process
    1116 | 080ee6c068e95db7a776793e167fb4bb9ad0efcb424a400ed3efe697400fc73a.exe
Processes 1
  • C:\Users\Admin\AppData\Local\Temp\080ee6c068e95db7a776793e167fb4bb9ad0efcb424a400ed3efe697400fc73a.exe
    "C:\Users\Admin\AppData\Local\Temp\080ee6c068e95db7a776793e167fb4bb9ad0efcb424a400ed3efe697400fc73a.exe"
    Checks BIOS information in registry
    Checks whether UAC is enabled
    Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:1116
Network
MITRE ATT&CK Matrix
Tactic columns: Collection; Command and Control; Credential Access; Execution; Exfiltration; Impact; Initial Access; Lateral Movement; Persistence; Privilege Escalation
Downloads
  • memory/1116-55-0x0000000000401000-0x0000000000404000-memory.dmp
  • memory/1116-56-0x00000000003E0000-0x00000000003E1000-memory.dmp
  • memory/1116-57-0x000007FEFC151000-0x000007FEFC153000-memory.dmp