Analysis

max time kernel: 82s
max time network: 86s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 03/10/2022, 23:30
Static task: static1

Behavioral task: behavioral1
  Sample: fbbff9ab15b2fb7b5e2e5cfaf35810edd492df9448ca0d55a74b830724201543.exe
  Resource: win7-20220812-en

Behavioral task: behavioral2
  Sample: fbbff9ab15b2fb7b5e2e5cfaf35810edd492df9448ca0d55a74b830724201543.exe
  Resource: win10v2004-20220812-en
General

Target: fbbff9ab15b2fb7b5e2e5cfaf35810edd492df9448ca0d55a74b830724201543.exe
Size: 156KB
MD5: 467941e3cb0b3e1c379eb8ee10f57947
SHA1: 9a9a7a9bde0ca1f9f3cab121369d2473e817a03e
SHA256: fbbff9ab15b2fb7b5e2e5cfaf35810edd492df9448ca0d55a74b830724201543
SHA512: 437cac30faf4dbbc98d72d804c11ef6289fb3145aefd91f393aa7a41579e1f5be2c87b3b43d142c140561d9af8ce1983ffa6979f84e56fae56d2a376c37efb24
SSDEEP: 3072:0s3yXdU7kClJgOEA6YbnVfyE1UirnmcOlq98VGScKtA1Jmtw3ff:0jeVEA6YhfRUq9SGScKsJV3
Malware Config
Signatures
Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.

Executes dropped EXE (1 IoC)
  pid 428 | Process svchost.exe

Loads dropped DLL (1 IoC)
  pid 1064 | Process cvtres.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\svchost.exe"
  Process: cvtres.exe

Suspicious use of SetThreadContext (1 IoC)
  description: PID 1536 set thread context of 1064 | pid 1536 | Process fbbff9ab15b2fb7b5e2e5cfaf35810edd492df9448ca0d55a74b830724201543.exe | procid_target 27

Suspicious behavior: MapViewOfSection (1 IoC)
  pid 1064 | Process cvtres.exe

Suspicious use of WriteProcessMemory (18 IoCs)
  description | pid | Process | procid_target
  PID 1536 wrote to memory of 1064 | 1536 | fbbff9ab15b2fb7b5e2e5cfaf35810edd492df9448ca0d55a74b830724201543.exe | 27
  PID 1536 wrote to memory of 1064 | 1536 | fbbff9ab15b2fb7b5e2e5cfaf35810edd492df9448ca0d55a74b830724201543.exe | 27
  PID 1536 wrote to memory of 1064 | 1536 | fbbff9ab15b2fb7b5e2e5cfaf35810edd492df9448ca0d55a74b830724201543.exe | 27
  PID 1536 wrote to memory of 1064 | 1536 | fbbff9ab15b2fb7b5e2e5cfaf35810edd492df9448ca0d55a74b830724201543.exe | 27
  PID 1536 wrote to memory of 1064 | 1536 | fbbff9ab15b2fb7b5e2e5cfaf35810edd492df9448ca0d55a74b830724201543.exe | 27
  PID 1536 wrote to memory of 1064 | 1536 | fbbff9ab15b2fb7b5e2e5cfaf35810edd492df9448ca0d55a74b830724201543.exe | 27
  PID 1536 wrote to memory of 1064 | 1536 | fbbff9ab15b2fb7b5e2e5cfaf35810edd492df9448ca0d55a74b830724201543.exe | 27
  PID 1536 wrote to memory of 1064 | 1536 | fbbff9ab15b2fb7b5e2e5cfaf35810edd492df9448ca0d55a74b830724201543.exe | 27
  PID 1536 wrote to memory of 1064 | 1536 | fbbff9ab15b2fb7b5e2e5cfaf35810edd492df9448ca0d55a74b830724201543.exe | 27
  PID 1536 wrote to memory of 1064 | 1536 | fbbff9ab15b2fb7b5e2e5cfaf35810edd492df9448ca0d55a74b830724201543.exe | 27
  PID 1064 wrote to memory of 428 | 1064 | cvtres.exe | 30
  PID 1064 wrote to memory of 428 | 1064 | cvtres.exe | 30
  PID 1064 wrote to memory of 428 | 1064 | cvtres.exe | 30
  PID 1064 wrote to memory of 428 | 1064 | cvtres.exe | 30
  PID 1064 wrote to memory of 1220 | 1064 | cvtres.exe | 31
  PID 1064 wrote to memory of 1220 | 1064 | cvtres.exe | 31
  PID 1064 wrote to memory of 1220 | 1064 | cvtres.exe | 31
  PID 1064 wrote to memory of 1220 | 1064 | cvtres.exe | 31
Processes

[1] C:\Users\Admin\AppData\Local\Temp\fbbff9ab15b2fb7b5e2e5cfaf35810edd492df9448ca0d55a74b830724201543.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\fbbff9ab15b2fb7b5e2e5cfaf35810edd492df9448ca0d55a74b830724201543.exe"
    PID: 1536
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      PID: 1064
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory

    [3] C:\Users\Admin\AppData\Roaming\WinHost\svchost.exe
        command line: "C:\Users\Admin\AppData\Roaming\WinHost\svchost.exe"
        PID: 428
        - Executes dropped EXE

    [3] C:\Windows\SysWOW64\svchost.exe
        command line: C:\Windows\system32\svchost.exe
        PID: 1220
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 31KB
MD5: ed797d8dc2c92401985d162e42ffa450
SHA1: 0f02fc517c7facc4baefde4fe9467fb6488ebabe
SHA256: b746362010a101cb5931bc066f0f4d3fc740c02a68c1f37fc3c8e6c87fd7cb1e
SHA512: e831a6ff987f3ef29982da16afad06938b68eddd43c234ba88d1c96a1b5547f2284baf35cbb3a5bfd75e7f0445d14daa014e0ba00b4db72c67f83f0a314c80c2