Analysis
-
max time kernel
150s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
17-03-2022 14:45
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://daftar.site/bootstrap_bin/css__styles/tool.exe
Resource
win7-20220311-en
Behavioral task
behavioral2
Sample
https://daftar.site/bootstrap_bin/css__styles/tool.exe
Resource
win10v2004-en-20220113
General
-
Target
https://daftar.site/bootstrap_bin/css__styles/tool.exe
Malware Config
Signatures
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
CobaltStrike 4 IoCs
Processes:
resource yara_rule behavioral2/memory/2996-137-0x0000000000680000-0x00000000006B3000-memory.dmp CobaltStrike behavioral2/memory/2996-138-0x00000000022A0000-0x00000000022DD000-memory.dmp CobaltStrike behavioral2/memory/3348-142-0x00000000024B0000-0x00000000024ED000-memory.dmp CobaltStrike behavioral2/memory/3020-146-0x00000000024E0000-0x000000000251D000-memory.dmp CobaltStrike -
Processes:
resource yara_rule C:\Users\Admin\Downloads\tool.exe.472r0h6.partial cryptone C:\Users\Admin\Downloads\tool.exe cryptone C:\Users\Admin\Downloads\tool.exe cryptone C:\Users\Admin\Downloads\tool.exe cryptone -
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
Processes:
tool.exetool.exetool.exepid process 2996 tool.exe 3348 tool.exe 3020 tool.exe -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
taskmgr.exedescription ioc process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
taskmgr.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 taskmgr.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString taskmgr.exe -
Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
Processes:
iexplore.exedescription ioc process Set value (data) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 2bab45dfb408d801 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\PhishingFilter iexplore.exe -
Processes:
iexplore.exeIEXPLORE.EXEdescription ioc process Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2879003980" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\RepId\PublicId = "{73F472A4-E02D-404B-9658-D1947D08153E}" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\DownloadWindowPlacement = 2c0000000200000000000000ffffffffffffffffffffffffffffffff7800000048000000f802000028020000 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{D72CFDC4-A600-11EC-B9A4-F24C39D5F1CE} = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "354293283" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\MINIE iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\RepId iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\VersionManager iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30947853" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2879003980" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30947853" iexplore.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
taskmgr.exepid process 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
taskmgr.exepid process 2324 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
taskmgr.exedescription pid process Token: SeDebugPrivilege 2324 taskmgr.exe Token: SeSystemProfilePrivilege 2324 taskmgr.exe Token: SeCreateGlobalPrivilege 2324 taskmgr.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
iexplore.exetaskmgr.exepid process 220 iexplore.exe 220 iexplore.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 220 iexplore.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
taskmgr.exepid process 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe 2324 taskmgr.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
iexplore.exeIEXPLORE.EXEpid process 220 iexplore.exe 220 iexplore.exe 1944 IEXPLORE.EXE 1944 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
iexplore.exedescription pid process target process PID 220 wrote to memory of 1944 220 iexplore.exe IEXPLORE.EXE PID 220 wrote to memory of 1944 220 iexplore.exe IEXPLORE.EXE PID 220 wrote to memory of 1944 220 iexplore.exe IEXPLORE.EXE PID 220 wrote to memory of 2996 220 iexplore.exe tool.exe PID 220 wrote to memory of 2996 220 iexplore.exe tool.exe PID 220 wrote to memory of 2996 220 iexplore.exe tool.exe PID 220 wrote to memory of 3348 220 iexplore.exe tool.exe PID 220 wrote to memory of 3348 220 iexplore.exe tool.exe PID 220 wrote to memory of 3348 220 iexplore.exe tool.exe
Processes
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://daftar.site/bootstrap_bin/css__styles/tool.exe1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:220 CREDAT:17410 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Downloads\tool.exe"C:\Users\Admin\Downloads\tool.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Downloads\tool.exe"C:\Users\Admin\Downloads\tool.exe"2⤵
- Executes dropped EXE
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Downloads\tool.exe"C:\Users\Admin\Downloads\tool.exe"1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\Downloads\tool.exeMD5
518d125bb64a8f8dc8b94054daf5e6df
SHA1549735f585590452985451faf8ab1e6f22903abf
SHA256950008035d225dd5f4c3a229082f1206eb9bce8c4aa4822b130db065da54e224
SHA51259ba254d3f7a37a760d709807de28b1b99bb0f92304e2177e67c30ca24b7fc4428608d392513706e663a49449f065c3719e318ddc7752d414441fe2895b1cb89
-
C:\Users\Admin\Downloads\tool.exeMD5
518d125bb64a8f8dc8b94054daf5e6df
SHA1549735f585590452985451faf8ab1e6f22903abf
SHA256950008035d225dd5f4c3a229082f1206eb9bce8c4aa4822b130db065da54e224
SHA51259ba254d3f7a37a760d709807de28b1b99bb0f92304e2177e67c30ca24b7fc4428608d392513706e663a49449f065c3719e318ddc7752d414441fe2895b1cb89
-
C:\Users\Admin\Downloads\tool.exeMD5
518d125bb64a8f8dc8b94054daf5e6df
SHA1549735f585590452985451faf8ab1e6f22903abf
SHA256950008035d225dd5f4c3a229082f1206eb9bce8c4aa4822b130db065da54e224
SHA51259ba254d3f7a37a760d709807de28b1b99bb0f92304e2177e67c30ca24b7fc4428608d392513706e663a49449f065c3719e318ddc7752d414441fe2895b1cb89
-
C:\Users\Admin\Downloads\tool.exe.472r0h6.partialMD5
518d125bb64a8f8dc8b94054daf5e6df
SHA1549735f585590452985451faf8ab1e6f22903abf
SHA256950008035d225dd5f4c3a229082f1206eb9bce8c4aa4822b130db065da54e224
SHA51259ba254d3f7a37a760d709807de28b1b99bb0f92304e2177e67c30ca24b7fc4428608d392513706e663a49449f065c3719e318ddc7752d414441fe2895b1cb89
-
memory/2996-135-0x00000000005B0000-0x00000000005F7000-memory.dmpFilesize
284KB
-
memory/2996-136-0x0000000000400000-0x000000000045E000-memory.dmpFilesize
376KB
-
memory/2996-137-0x0000000000680000-0x00000000006B3000-memory.dmpFilesize
204KB
-
memory/2996-138-0x00000000022A0000-0x00000000022DD000-memory.dmpFilesize
244KB
-
memory/3020-144-0x0000000000400000-0x000000000045E000-memory.dmpFilesize
376KB
-
memory/3020-146-0x00000000024E0000-0x000000000251D000-memory.dmpFilesize
244KB
-
memory/3348-140-0x0000000000400000-0x000000000045E000-memory.dmpFilesize
376KB
-
memory/3348-142-0x00000000024B0000-0x00000000024ED000-memory.dmpFilesize
244KB