Overview

overview

10

Static

static

COSU 62705...48.exe

windows7_x64

3

COSU 62705...48.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    56s
  • max time network
    48s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    21-05-2022 11:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    COSU 6270575380 PCL2004868048.exe

  • Size

    606KB

  • MD5

    d1d433ad7fe5db077cb81ef0e4ec4e60

  • SHA1

    d94a577faa1557bef7fd9d2eecf7386ec3ea7e88

  • SHA256

    b4b4e82b4584a55722d213ea607a3b1131caaa039589a27e12ba4feeeaee7fb5

  • SHA512

    b1dbb723d3a342ef6666a9d11cca5182bc2228c146f2d6912eac3ea337bc1bb9b9ab55a11c1a95bf9a5bc834c41870d8b3fb2d5baafc99106289eb3c2a2b0c4c

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\COSU 6270575380 PCL2004868048.exe
    "C:\Users\Admin\AppData\Local\Temp\COSU 6270575380 PCL2004868048.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1928
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UGVpSjQyl" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD338.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1528
    • C:\Users\Admin\AppData\Local\Temp\COSU 6270575380 PCL2004868048.exe
      "C:\Users\Admin\AppData\Local\Temp\COSU 6270575380 PCL2004868048.exe"
      2⤵
        PID:1232
      • C:\Users\Admin\AppData\Local\Temp\COSU 6270575380 PCL2004868048.exe
        "C:\Users\Admin\AppData\Local\Temp\COSU 6270575380 PCL2004868048.exe"
        2⤵
          PID:2024
        • C:\Users\Admin\AppData\Local\Temp\COSU 6270575380 PCL2004868048.exe
          "C:\Users\Admin\AppData\Local\Temp\COSU 6270575380 PCL2004868048.exe"
          2⤵
            PID:2016
          • C:\Users\Admin\AppData\Local\Temp\COSU 6270575380 PCL2004868048.exe
            "C:\Users\Admin\AppData\Local\Temp\COSU 6270575380 PCL2004868048.exe"
            2⤵
              PID:2044
            • C:\Users\Admin\AppData\Local\Temp\COSU 6270575380 PCL2004868048.exe
              "C:\Users\Admin\AppData\Local\Temp\COSU 6270575380 PCL2004868048.exe"
              2⤵
                PID:1720

            Network

            MITRE ATT&CK Matrix ATT&CK v6

            Initial Access

            Execution

            Scheduled Task

            1
            T1053

            Persistence

            Scheduled Task

            1
            T1053

            Privilege Escalation

            Scheduled Task

            1
            T1053

            Defense Evasion

            Credential Access

            Discovery

            System Information Discovery

            1
            T1082

            Lateral Movement

            Collection

            Exfiltration

            Command and Control

            Impact

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\tmpD338.tmp
              Filesize

              1KB

              MD5

              00f08ad6772a07c289e09870ea2aae39

              SHA1

              b7dbbad387be5c204ff09b0dea94ec55fea66a0e

              SHA256

              fc8138459966d731bae0ea62f7c1a965612a94366c4138ca1cf6295a0bc46f3a

              SHA512

              3b72321ea7aa12f1c7f7c3f145a8f84c239b0dd66fdbebf090481c379572dd1daf7587f99e28c05e2992690791745b671799f97b2f41a71c7248430ec87bf2b5

              Download Submit
            • memory/1528-59-0x0000000000000000-mapping.dmp
              Download
            • memory/1928-54-0x0000000000240000-0x00000000002DE000-memory.dmp
              Filesize

              632KB

              Download
            • memory/1928-55-0x0000000074E91000-0x0000000074E93000-memory.dmp
              Filesize

              8KB

              Download
            • memory/1928-56-0x0000000000220000-0x0000000000228000-memory.dmp
              Filesize

              32KB

              Download
            • memory/1928-57-0x00000000051B0000-0x0000000005238000-memory.dmp
              Filesize

              544KB

              Download
            • memory/1928-58-0x0000000004770000-0x00000000047CA000-memory.dmp
              Filesize

              360KB

              Download