Analysis
max time kernel: 146s
max time network: 158s
platform: windows7_x64
resource: win7-20220414-en
submitted: 25-05-2022 01:17
Static task: static1
Behavioral task: behavioral1
  Sample: 5b220aee49202eb35af52535921691f5eda758b442d7d023343f15bbbb1ef69c.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 5b220aee49202eb35af52535921691f5eda758b442d7d023343f15bbbb1ef69c.exe
  Resource: win10v2004-20220414-en
General
Target: 5b220aee49202eb35af52535921691f5eda758b442d7d023343f15bbbb1ef69c.exe
Size: 1.4MB
MD5: 8ec45a62cf34fc74d4bef6292b0840a7
SHA1: 6578ab3b13864909b972a8916adc85a117970661
SHA256: 5b220aee49202eb35af52535921691f5eda758b442d7d023343f15bbbb1ef69c
SHA512: 2190f14e74b61af4e720ecb68bf61fba73dba24fb1650ca378d23d4d13692d5b81092752cb076683dc59ac011aa731d9be97d37c489337e1fe5af731c02122e5
Malware Config
Signatures
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Executes dropped EXE (1 IoC)
  Processes:
    pid   process
    1344  svchost.bat
- Loads dropped DLL (5 IoCs)
  Processes:
    pid   process
    2016  5b220aee49202eb35af52535921691f5eda758b442d7d023343f15bbbb1ef69c.exe
    2016  5b220aee49202eb35af52535921691f5eda758b442d7d023343f15bbbb1ef69c.exe
    2016  5b220aee49202eb35af52535921691f5eda758b442d7d023343f15bbbb1ef69c.exe
    2016  5b220aee49202eb35af52535921691f5eda758b442d7d023343f15bbbb1ef69c.exe
    2016  5b220aee49202eb35af52535921691f5eda758b442d7d023343f15bbbb1ef69c.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
    description                        pid   process                                                                 target process
    PID 2016 wrote to memory of 1344   2016  5b220aee49202eb35af52535921691f5eda758b442d7d023343f15bbbb1ef69c.exe   svchost.bat
    PID 2016 wrote to memory of 1344   2016  5b220aee49202eb35af52535921691f5eda758b442d7d023343f15bbbb1ef69c.exe   svchost.bat
    PID 2016 wrote to memory of 1344   2016  5b220aee49202eb35af52535921691f5eda758b442d7d023343f15bbbb1ef69c.exe   svchost.bat
    PID 2016 wrote to memory of 1344   2016  5b220aee49202eb35af52535921691f5eda758b442d7d023343f15bbbb1ef69c.exe   svchost.bat
    PID 1344 wrote to memory of 2036   1344  svchost.bat                                                             svchost.exe
    PID 1344 wrote to memory of 2036   1344  svchost.bat                                                             svchost.exe
    PID 1344 wrote to memory of 2036   1344  svchost.bat                                                             svchost.exe
    PID 1344 wrote to memory of 2036   1344  svchost.bat                                                             svchost.exe
    PID 1344 wrote to memory of 2036   1344  svchost.bat                                                             svchost.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\5b220aee49202eb35af52535921691f5eda758b442d7d023343f15bbbb1ef69c.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5b220aee49202eb35af52535921691f5eda758b442d7d023343f15bbbb1ef69c.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\7zS0E79B11C\svchost.bat (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zS0E79B11C\svchost.bat"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\svchost.exe (depth 3)
      Command line: svchost.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\7zS0E79B11C\svchost.bat
  Filesize: 641KB
  MD5: 041b36a7b4616b747525d6bb166d2487
  SHA1: 75bac4fef064e10deccaf9e03d498bd2f5ba9810
  SHA256: e59eb81d66ec38ae1e14fab35f370c52359a21d2d3af5b7b8bb2c614b2bd51ea
  SHA512: 7eeb807fe1461369e3879202a0fafa360506d8c6df73c9e6c9f4f9d50e7b6df6b085b6227ceda77e3ecc971956cb86794a5a9207f0b90c0fccd8546bfbb5e74b
- memory/1344-60-0x0000000000000000-mapping.dmp
- memory/2016-54-0x0000000075F21000-0x0000000075F23000-memory.dmp (Filesize: 8KB)
- memory/2036-62-0x0000000000080000-0x000000000010E000-memory.dmp (Filesize: 568KB)
- memory/2036-64-0x0000000000000000-mapping.dmp
- memory/2036-65-0x0000000000080000-0x000000000010E000-memory.dmp (Filesize: 568KB)
- memory/2036-68-0x00000000000AB000-0x000000000010E000-memory.dmp (Filesize: 396KB)
- memory/2036-69-0x00000000002F0000-0x0000000000359000-memory.dmp (Filesize: 420KB)
- memory/2036-67-0x0000000000240000-0x0000000000271000-memory.dmp (Filesize: 196KB)