Analysis
max time kernel: 153s
max time network: 171s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 08-07-2022 17:54

Static task: static1
Behavioral task: behavioral1
  Sample: b931edb967de6bef9fbd8095f8d14f07fcf61aa8234992fbd1162f5238eece21.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: b931edb967de6bef9fbd8095f8d14f07fcf61aa8234992fbd1162f5238eece21.exe
  Resource: win10v2004-20220414-en
General
Target: b931edb967de6bef9fbd8095f8d14f07fcf61aa8234992fbd1162f5238eece21.exe
Size: 731KB
MD5: 067242b22f1d94603af1172447a7623a
SHA1: 838f20f8e64bb28f384cfa0491297d0a524d3eb3
SHA256: b931edb967de6bef9fbd8095f8d14f07fcf61aa8234992fbd1162f5238eece21
SHA512: 68445291ad3a2d39467c505dfbb65d06a0d5cdf6da7ed440b9b5263f0173ad030797f187627d9cb50a15787746dd7190288e463e1e00cf41d8e91e4549e4892c
Malware Config
Signatures
- Cobalt Strike: detected a malicious payload that is part of Cobalt Strike.
- Modifies registry key (1 TTP, 1 IoC)
- Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
description                       | pid  | process                                                                   | target process
PID 1824 wrote to memory of 884   | 1824 | b931edb967de6bef9fbd8095f8d14f07fcf61aa8234992fbd1162f5238eece21.exe | cmd.exe
PID 1824 wrote to memory of 884   | 1824 | b931edb967de6bef9fbd8095f8d14f07fcf61aa8234992fbd1162f5238eece21.exe | cmd.exe
PID 1824 wrote to memory of 884   | 1824 | b931edb967de6bef9fbd8095f8d14f07fcf61aa8234992fbd1162f5238eece21.exe | cmd.exe
PID 884 wrote to memory of 3308   | 884  | cmd.exe                                                                   | reg.exe
PID 884 wrote to memory of 3308   | 884  | cmd.exe                                                                   | reg.exe
PID 884 wrote to memory of 3308   | 884  | cmd.exe                                                                   | reg.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\b931edb967de6bef9fbd8095f8d14f07fcf61aa8234992fbd1162f5238eece21.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\b931edb967de6bef9fbd8095f8d14f07fcf61aa8234992fbd1162f5238eece21.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c echo uNmYoWHHyAxswpC=2110 & reg add HKCU\SOFTWARE\AUzAefSwXJMOr /v HYYCFCRzHLpdjAm /t REG_DWORD /d 9932 & exit
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\reg.exe
         Command line: reg add HKCU\SOFTWARE\AUzAefSwXJMOr /v HYYCFCRzHLpdjAm /t REG_DWORD /d 9932
         - Modifies registry key
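The process tree above is a compact, repeatable chain: the sample spawns cmd.exe with a one-liner that echoes a random-looking name=number pair, has reg.exe write a REG_DWORD to a random-looking key and value under HKCU\SOFTWARE, then exits. The example below is added here and is not part of the sandbox report: it runs a detection for that chain over constructed Sysmon-style process-creation records. The PIDs, images and command lines of the three malicious records are copied from the tree above; the parent PID of the sample, the benign Contoso rows and the "random-looking name" heuristic (length, letters only, mixed case) are assumptions made for the example.

```python
"""Flag a cmd.exe -> reg.exe chain that writes a REG_DWORD to a random-looking HKCU\\SOFTWARE key."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    command_line: str

# Constructed process-creation records. The first three rows mirror the sandbox tree above
# (PIDs 1824 -> 884 -> 3308); the sample's own parent PID (1000) and the Contoso rows are invented.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\b931edb967de6bef9fbd8095f8d14f07fcf61aa8234992fbd1162f5238eece21.exe"
EVENTS: List[ProcEvent] = [
    ProcEvent(1824, 1000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(884, 1824, r"C:\Windows\SysWOW64\cmd.exe",
              r"cmd.exe /c echo uNmYoWHHyAxswpC=2110 & reg add HKCU\SOFTWARE\AUzAefSwXJMOr /v HYYCFCRzHLpdjAm /t REG_DWORD /d 9932 & exit"),
    ProcEvent(3308, 884, r"C:\Windows\SysWOW64\reg.exe",
              r"reg add HKCU\SOFTWARE\AUzAefSwXJMOr /v HYYCFCRzHLpdjAm /t REG_DWORD /d 9932"),
    # Benign-looking installer write (constructed); must not fire.
    ProcEvent(4100, 4000, r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c reg add HKCU\SOFTWARE\Contoso\Updater /v CheckInterval /t REG_DWORD /d 3600"),
    ProcEvent(4101, 4100, r"C:\Windows\System32\reg.exe",
              r"reg add HKCU\SOFTWARE\Contoso\Updater /v CheckInterval /t REG_DWORD /d 3600"),
]

# "reg add HKCU\SOFTWARE\<key> /v <value> /t REG_DWORD /d <number>" as seen in the tree above.
REG_ADD = re.compile(
    r"reg(?:\.exe)?\s+add\s+(?P<key>HKCU\\SOFTWARE\\[^\s/]+)\s+/v\s+(?P<value>\S+)\s+/t\s+REG_DWORD\s+/d\s+(?P<data>\d+)",
    re.IGNORECASE,
)
# "echo <letters>=<digits> &" prefix that precedes the reg add in the cmd.exe one-liner.
ECHO_MARKER = re.compile(r"echo\s+[A-Za-z]{8,}=\d+\s*&", re.IGNORECASE)

def looks_random(name: str) -> bool:
    """Heuristic (assumption): long, ASCII letters only, with several upper- and lower-case letters."""
    return (len(name) >= 10 and name.isascii() and name.isalpha()
            and sum(c.isupper() for c in name) >= 3
            and sum(c.islower() for c in name) >= 3)

def parse_reg_add(cmdline: str) -> Optional[Dict[str, object]]:
    """Extract key path, leaf key name, value name and DWORD data from a reg add command line."""
    m = REG_ADD.search(cmdline)
    if not m:
        return None
    key = m.group("key")
    return {"key": key, "leaf": key.rsplit("\\", 1)[1],
            "value": m.group("value"), "data": int(m.group("data"))}

def detect(events: List[ProcEvent]) -> List[Dict[str, object]]:
    """Return one alert per reg.exe that matches the chain: random HKCU\\SOFTWARE write via cmd.exe /c."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        if not e.image.lower().endswith("\\reg.exe"):
            continue
        parsed = parse_reg_add(e.command_line)
        if parsed is None or not (looks_random(parsed["leaf"]) and looks_random(parsed["value"])):
            continue
        parent = by_pid.get(e.ppid)
        if parent is None or not parent.image.lower().endswith("\\cmd.exe") or " /c " not in parent.command_line.lower():
            continue
        grandparent = by_pid.get(parent.ppid)
        alerts.append({
            "reg_pid": e.pid,
            "cmd_pid": parent.pid,
            "origin": grandparent.image if grandparent else None,
            "key": parsed["key"],
            "value": parsed["value"],
            "data": parsed["data"],
            "echo_marker": bool(ECHO_MARKER.search(parent.command_line)),
        })
    return alerts

if __name__ == "__main__":
    for a in detect(EVENTS):
        print(a)
```

The Contoso rows exercise the obvious false-positive path: a REG_DWORD write under HKCU\SOFTWARE by itself is routine, so the rule only fires when both the key and value names look generated and the writer was launched through cmd.exe /c. In a real deployment the parent chain comes from Sysmon Event ID 1 (ParentProcessId/ParentImage) rather than an in-memory PID map, and the echo marker is recorded as supporting context, not as a required condition.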
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/884-130-0x0000000000000000-mapping.dmp
- memory/1824-132-0x0000000000710000-0x0000000000743000-memory.dmp (204KB)
- memory/1824-133-0x0000000000FB0000-0x0000000000FED000-memory.dmp (244KB)
- memory/1824-134-0x0000000000FB0000-0x0000000000FED000-memory.dmp (244KB)
- memory/3308-131-0x0000000000000000-mapping.dmp