Analysis
- max time kernel: 27s
- max time network: 46s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 08-07-2022 17:54
Static task: static1
Behavioral task: behavioral1
- Sample: b931edb967de6bef9fbd8095f8d14f07fcf61aa8234992fbd1162f5238eece21.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: b931edb967de6bef9fbd8095f8d14f07fcf61aa8234992fbd1162f5238eece21.exe
- Resource: win10v2004-20220414-en
General
- Target: b931edb967de6bef9fbd8095f8d14f07fcf61aa8234992fbd1162f5238eece21.exe
- Size: 731KB
- MD5: 067242b22f1d94603af1172447a7623a
- SHA1: 838f20f8e64bb28f384cfa0491297d0a524d3eb3
- SHA256: b931edb967de6bef9fbd8095f8d14f07fcf61aa8234992fbd1162f5238eece21
- SHA512: 68445291ad3a2d39467c505dfbb65d06a0d5cdf6da7ed440b9b5263f0173ad030797f187627d9cb50a15787746dd7190288e463e1e00cf41d8e91e4549e4892c
Malware Config
Signatures
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
- Program crash (1 IoCs)
  Processes: WerFault.exe
  pid | pid_target | process | target process
  1432 | 1664 | WerFault.exe | b931edb967de6bef9fbd8095f8d14f07fcf61aa8234992fbd1162f5238eece21.exe
- Modifies registry key (1 TTPs, 1 IoCs)
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: b931edb967de6bef9fbd8095f8d14f07fcf61aa8234992fbd1162f5238eece21.exe, cmd.exe
  description | pid | process | target process
  PID 1664 wrote to memory of 1944 | 1664 | b931edb967de6bef9fbd8095f8d14f07fcf61aa8234992fbd1162f5238eece21.exe | cmd.exe
  PID 1664 wrote to memory of 1944 | 1664 | b931edb967de6bef9fbd8095f8d14f07fcf61aa8234992fbd1162f5238eece21.exe | cmd.exe
  PID 1664 wrote to memory of 1944 | 1664 | b931edb967de6bef9fbd8095f8d14f07fcf61aa8234992fbd1162f5238eece21.exe | cmd.exe
  PID 1664 wrote to memory of 1944 | 1664 | b931edb967de6bef9fbd8095f8d14f07fcf61aa8234992fbd1162f5238eece21.exe | cmd.exe
  PID 1944 wrote to memory of 1392 | 1944 | cmd.exe | reg.exe
  PID 1944 wrote to memory of 1392 | 1944 | cmd.exe | reg.exe
  PID 1944 wrote to memory of 1392 | 1944 | cmd.exe | reg.exe
  PID 1944 wrote to memory of 1392 | 1944 | cmd.exe | reg.exe
  PID 1664 wrote to memory of 1432 | 1664 | b931edb967de6bef9fbd8095f8d14f07fcf61aa8234992fbd1162f5238eece21.exe | WerFault.exe
  PID 1664 wrote to memory of 1432 | 1664 | b931edb967de6bef9fbd8095f8d14f07fcf61aa8234992fbd1162f5238eece21.exe | WerFault.exe
  PID 1664 wrote to memory of 1432 | 1664 | b931edb967de6bef9fbd8095f8d14f07fcf61aa8234992fbd1162f5238eece21.exe | WerFault.exe
  PID 1664 wrote to memory of 1432 | 1664 | b931edb967de6bef9fbd8095f8d14f07fcf61aa8234992fbd1162f5238eece21.exe | WerFault.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\b931edb967de6bef9fbd8095f8d14f07fcf61aa8234992fbd1162f5238eece21.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b931edb967de6bef9fbd8095f8d14f07fcf61aa8234992fbd1162f5238eece21.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c echo uNmYoWHHyAxswpC=2110 & reg add HKCU\SOFTWARE\AUzAefSwXJMOr /v HYYCFCRzHLpdjAm /t REG_DWORD /d 9932 & exit
    Signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\reg.exe
      Command line: reg add HKCU\SOFTWARE\AUzAefSwXJMOr /v HYYCFCRzHLpdjAm /t REG_DWORD /d 9932
      Signatures: Modifies registry key
  - [2] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 788
    Signatures: Program crash
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1392-55-0x0000000000000000-mapping.dmp
- memory/1432-59-0x0000000000000000-mapping.dmp
- memory/1664-56-0x0000000000320000-0x0000000000353000-memory.dmp (Filesize: 204KB)
- memory/1664-57-0x00000000754A1000-0x00000000754A3000-memory.dmp (Filesize: 8KB)
- memory/1664-58-0x00000000003A0000-0x00000000003DD000-memory.dmp (Filesize: 244KB)
- memory/1944-54-0x0000000000000000-mapping.dmp