Analysis
-
max time kernel
142s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system -
submitted
29-10-2022 01:05
Static task
static1
Behavioral task
behavioral1
Sample
0305a1778c3ee83229cc2791f46300b3af5faa15bb7f6507ef26f465bb90d69d.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
0305a1778c3ee83229cc2791f46300b3af5faa15bb7f6507ef26f465bb90d69d.exe
Resource
win10v2004-20220901-en
General
-
Target
0305a1778c3ee83229cc2791f46300b3af5faa15bb7f6507ef26f465bb90d69d.exe
-
Size
120KB
-
MD5
0b5ddcbe69a014c113ef8d1332dab271
-
SHA1
485b123cd579946ba232f843f9b47a5d09365e41
-
SHA256
0305a1778c3ee83229cc2791f46300b3af5faa15bb7f6507ef26f465bb90d69d
-
SHA512
6992cc3238074853f12f7c7dddaa557ac494d99b9a54d8f048190beaf0adadf020f8e112382d0d74dc7fc27f30a1f49a00c6144ed6cabfa65895935f3056bdd7
-
SSDEEP
1536:FX2tAh15hxrmf7VlBSBzD7TbNau3doRzEg0H86Lx8CAcf+SuqGMLefNe6Wc5RXQ:lv5hm7VmBP7PtReQJUhMLgEc5RX
Malware Config
Signatures
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Executes dropped EXE 1 IoCs
pid Process 5084 CacheMgr.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run 0305a1778c3ee83229cc2791f46300b3af5faa15bb7f6507ef26f465bb90d69d.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StubPath = "\"C:\\ProgramData\\CacheMgr.exe\" -as" 0305a1778c3ee83229cc2791f46300b3af5faa15bb7f6507ef26f465bb90d69d.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 640 wrote to memory of 4440 640 0305a1778c3ee83229cc2791f46300b3af5faa15bb7f6507ef26f465bb90d69d.exe 83 PID 640 wrote to memory of 4440 640 0305a1778c3ee83229cc2791f46300b3af5faa15bb7f6507ef26f465bb90d69d.exe 83 PID 640 wrote to memory of 4440 640 0305a1778c3ee83229cc2791f46300b3af5faa15bb7f6507ef26f465bb90d69d.exe 83 PID 640 wrote to memory of 5084 640 0305a1778c3ee83229cc2791f46300b3af5faa15bb7f6507ef26f465bb90d69d.exe 85 PID 640 wrote to memory of 5084 640 0305a1778c3ee83229cc2791f46300b3af5faa15bb7f6507ef26f465bb90d69d.exe 85 PID 640 wrote to memory of 5084 640 0305a1778c3ee83229cc2791f46300b3af5faa15bb7f6507ef26f465bb90d69d.exe 85
Processes
-
C:\Users\Admin\AppData\Local\Temp\0305a1778c3ee83229cc2791f46300b3af5faa15bb7f6507ef26f465bb90d69d.exe"C:\Users\Admin\AppData\Local\Temp\0305a1778c3ee83229cc2791f46300b3af5faa15bb7f6507ef26f465bb90d69d.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:640 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\0305a1778c3ee83229cc2791f46300b3af5faa15bb7f6507ef26f465bb90d69d.exe" "C:\ProgramData\CacheMgr.exe"2⤵PID:4440
-
-
C:\ProgramData\CacheMgr.exe"C:\ProgramData\CacheMgr.exe" -as2⤵
- Executes dropped EXE
PID:5084
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
120KB
MD50b5ddcbe69a014c113ef8d1332dab271
SHA1485b123cd579946ba232f843f9b47a5d09365e41
SHA2560305a1778c3ee83229cc2791f46300b3af5faa15bb7f6507ef26f465bb90d69d
SHA5126992cc3238074853f12f7c7dddaa557ac494d99b9a54d8f048190beaf0adadf020f8e112382d0d74dc7fc27f30a1f49a00c6144ed6cabfa65895935f3056bdd7
-
Filesize
120KB
MD50b5ddcbe69a014c113ef8d1332dab271
SHA1485b123cd579946ba232f843f9b47a5d09365e41
SHA2560305a1778c3ee83229cc2791f46300b3af5faa15bb7f6507ef26f465bb90d69d
SHA5126992cc3238074853f12f7c7dddaa557ac494d99b9a54d8f048190beaf0adadf020f8e112382d0d74dc7fc27f30a1f49a00c6144ed6cabfa65895935f3056bdd7