Overview

overview

10

Static

static

ac0b7d11ff...44.exe

windows7-x64

10

ac0b7d11ff...44.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    23-11-2022 13:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ac0b7d11ff768a08a08ce4254fe9bbd9c18df4ec354da9c6d6a22fe5cacec944.exe

  • Size

    380KB

  • MD5

    fcf381af24111ae189d57792465200ab

  • SHA1

    742a87c00364b3124bf62480369e0a2854cbb8dd

  • SHA256

    ac0b7d11ff768a08a08ce4254fe9bbd9c18df4ec354da9c6d6a22fe5cacec944

  • SHA512

    84a63bfdb43121f3427394cf969ad42a7efa891e60ecb4be4009e9c1eb0574b4712c7f64d34feff3ce380630d4e34bb4c99014dda8de745c31a706642daaa751

  • SSDEEP

    6144:iKhjynzprGoDKbkqNJtLAletm9Mht3vbdXV1qBQMMZx0HLHDDOSJgSQx62DAsLWO:icqNrDDKbkQbzKMht3vP1qBQzqnvjQxn

Score
10/10
cobaltstrikebackdoorbootkitpersistencetrojan

Malware Config

Signatures

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

    trojanbackdoorcobaltstrike
  • Deletes itself 1 IoCs
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ac0b7d11ff768a08a08ce4254fe9bbd9c18df4ec354da9c6d6a22fe5cacec944.exe
    "C:\Users\Admin\AppData\Local\Temp\ac0b7d11ff768a08a08ce4254fe9bbd9c18df4ec354da9c6d6a22fe5cacec944.exe"
    1⤵
    • Adds Run key to start application
    • Writes to the Master Boot Record (MBR)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1660
    • C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe "C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\RSA1302713070.dll",DllInitialize
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2016
      • C:\Windows\system32\rundll32.exe
        C:\Windows\system32\rundll32.exe "C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\RSA1302713070.dll",DllInitialize
        3⤵
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:564
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe
          4⤵
          • Adds Run key to start application
          PID:332
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C del "C:\Users\Admin\AppData\Local\Temp\ac0b7d11ff768a08a08ce4254fe9bbd9c18df4ec354da9c6d6a22fe5cacec944.exe"
      2⤵
      • Deletes itself
      PID:1968
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2032
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2032 CREDAT:275457 /prefetch:2
      2⤵
      • Suspicious use of SetWindowsHookEx
      PID:1748
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:772
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:772 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1304
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1704
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1704 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:432

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{198CE601-6B41-11ED-BD9E-FAB5137186BE}.dat
    Filesize

    5KB

    MD5

    104a016984dfb5b807f86da97e0290aa

    SHA1

    54cd086cfb78af92ea24d8b7c15bb5967476d543

    SHA256

    817fd36acc662a3b9159d667059c3f4f21064bfc7d7468eeab88730d99964110

    SHA512

    f7d920e4094f9a973d1e3de5e38f50a6c5eb9979ba6e61ba60af43962b8d2da2fa81521eed6b2231832a248074bc9cf3bacf7313aa127b5b6d47b18b2f110760

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{198CE603-6B41-11ED-BD9E-FAB5137186BE}.dat
    Filesize

    4KB

    MD5

    f467fcf2e61a24fa79f07713bf49711f

    SHA1

    49b9aec62c6ae5899cc2b7603ef15eaf599b4bf4

    SHA256

    b8098048096db93c1f598f4d61e2ff95b02530a207588a261708855a39c5fcc3

    SHA512

    ed4053a5b259a49b8a3e8afb4e87bc0610f4019b64b4b1a21a7ddda201d473b054e28cde10fb3f9381b4c17e051c1354e18d110926c418ba96d1c48dcb139848

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\L1302713070
    Filesize

    578B

    MD5

    8cc258990fc49902cefb9618ac3a5245

    SHA1

    3c0638d66644c0f6618963bc6431f864582ca607

    SHA256

    086aaf83c71db6412f187a9afa49ea399ee337ad6a3bf4b6bee5dcacfa5c68c7

    SHA512

    67d4cc198669ce101bd1feb1109116c739390d5ae9db54a46d36851e106940fc9117c310877dcd7259a0c6cdd5a2c6ace49cefc7da6d3d720695c75670095e69

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\NTFS.sys
    Filesize

    12KB

    MD5

    ac95ea72a833d54be29791008f3ced14

    SHA1

    ac9f69c6c4fbe05a7a680883a8c761c60f3aacd0

    SHA256

    f7a21e5e75fe70c4bd6acf6641cc9be0261ea0931c36878258665940e25ee14a

    SHA512

    c097d856e8728b39059c49429d642dc00b2ce87453de71e0a3a4fc261e383f7c08ffbe4149925b148bdc2111abb6f50dc2d338e53fe137bc82fe7747251aa311

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp538D.tmp
    Filesize

    28B

    MD5

    b47998076d489c4be321d4393671d231

    SHA1

    ef3035573967dc5b7be316877d1a73930e013414

    SHA256

    abc947794d7f526017fec99b499f5f04d3fe0086a1d5fb94c46597e3ef8a3139

    SHA512

    1372a44aaaace4ac58c3b57e43aa60100e8936b1dbd6c5995fdd92fa42867adfe1b530a2ecb4d5f4c9df81b74aecbaa080f310f3bc42c8b92684e7a58926a0d7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp6877.tmp
    Filesize

    498B

    MD5

    f33147e93bdcbc928c313af96ed70aa5

    SHA1

    5d0d30b93a39ddb851e2b92af6b6d9f8847fe97f

    SHA256

    f2d3b89f6833bf630be7db0708f8d36d8164b4ca457817db78e51c10199d9477

    SHA512

    a89fdbdc9a7275793e5e6977178efdb5bebdbf7862b61bad5f139027abbadbbaa7c28e567f1d077e8576aeaf2e301fe31dac806b0e74bada887f9dd1d7efc25c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpBBA3.tmp
    Filesize

    2KB

    MD5

    e01e93a420cc89fba940dc11d1d57962

    SHA1

    f29d407574f927023064c47b9906879c727b3f57

    SHA256

    e6d4489bb3a8d763bee2a52ce0f0cfcb929d65ac9fc786b3e4721c8ffecbba44

    SHA512

    01846280efb23f472b5cfaa19a4ce3f3a9a6e4e5aca68affdc1dd618c5cc84b6dde5997f03b7da8d239f4b448292ab512cc7a8b120aea3f8e79a68c30f18bd89

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpBCCD.tmp
    Filesize

    435B

    MD5

    d52cd0b05f908dba3096ee89b8a9521e

    SHA1

    f16eaafca0d12e2ec90c93cc6340c03712ad98ec

    SHA256

    57fa320df74735e6550bec2bf22b638ae1734c00e241586222986c25c5f54c90

    SHA512

    db6f107596698cd02d87ad708762761bf09eeafcb2886e8784bc527540a2a9f330ae71449610043a9c72fe4e7217d8ac886ced95d025c5b30ad45e1b648286aa

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\RSA1302713070.dll
    Filesize

    67KB

    MD5

    eabb332260bdeae3abcbff4f82647a8e

    SHA1

    8d880f4e80187bb04d18015ff7316653afac8626

    SHA256

    0fe8df91a677a85862d57d0bb4311900cf2038977d31a66ef835ace0ceb1d5e1

    SHA512

    e1ee6afb80dbcd1af1d71df04c7ee78c711d2dad31fd8c679cd027cda745b576f915cc4bfebca35843c0c4f79bbec6abd6562877ec26ae752b4abe2c0e2ba6d7

    Download Submit

  • \Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\RSA1302713070.dll
    Filesize

    67KB

    MD5

    eabb332260bdeae3abcbff4f82647a8e

    SHA1

    8d880f4e80187bb04d18015ff7316653afac8626

    SHA256

    0fe8df91a677a85862d57d0bb4311900cf2038977d31a66ef835ace0ceb1d5e1

    SHA512

    e1ee6afb80dbcd1af1d71df04c7ee78c711d2dad31fd8c679cd027cda745b576f915cc4bfebca35843c0c4f79bbec6abd6562877ec26ae752b4abe2c0e2ba6d7

    Download Submit

  • \Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\RSA1302713070.dll
    Filesize

    67KB

    MD5

    eabb332260bdeae3abcbff4f82647a8e

    SHA1

    8d880f4e80187bb04d18015ff7316653afac8626

    SHA256

    0fe8df91a677a85862d57d0bb4311900cf2038977d31a66ef835ace0ceb1d5e1

    SHA512

    e1ee6afb80dbcd1af1d71df04c7ee78c711d2dad31fd8c679cd027cda745b576f915cc4bfebca35843c0c4f79bbec6abd6562877ec26ae752b4abe2c0e2ba6d7

    Download Submit

  • \Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\RSA1302713070.dll
    Filesize

    67KB

    MD5

    eabb332260bdeae3abcbff4f82647a8e

    SHA1

    8d880f4e80187bb04d18015ff7316653afac8626

    SHA256

    0fe8df91a677a85862d57d0bb4311900cf2038977d31a66ef835ace0ceb1d5e1

    SHA512

    e1ee6afb80dbcd1af1d71df04c7ee78c711d2dad31fd8c679cd027cda745b576f915cc4bfebca35843c0c4f79bbec6abd6562877ec26ae752b4abe2c0e2ba6d7

    Download Submit

  • \Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\RSA1302713070.dll
    Filesize

    67KB

    MD5

    eabb332260bdeae3abcbff4f82647a8e

    SHA1

    8d880f4e80187bb04d18015ff7316653afac8626

    SHA256

    0fe8df91a677a85862d57d0bb4311900cf2038977d31a66ef835ace0ceb1d5e1

    SHA512

    e1ee6afb80dbcd1af1d71df04c7ee78c711d2dad31fd8c679cd027cda745b576f915cc4bfebca35843c0c4f79bbec6abd6562877ec26ae752b4abe2c0e2ba6d7

    Download Submit

  • \Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\RSA1302713070.dll
    Filesize

    67KB

    MD5

    eabb332260bdeae3abcbff4f82647a8e

    SHA1

    8d880f4e80187bb04d18015ff7316653afac8626

    SHA256

    0fe8df91a677a85862d57d0bb4311900cf2038977d31a66ef835ace0ceb1d5e1

    SHA512

    e1ee6afb80dbcd1af1d71df04c7ee78c711d2dad31fd8c679cd027cda745b576f915cc4bfebca35843c0c4f79bbec6abd6562877ec26ae752b4abe2c0e2ba6d7

    Download Submit

  • \Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\RSA1302713070.dll
    Filesize

    67KB

    MD5

    eabb332260bdeae3abcbff4f82647a8e

    SHA1

    8d880f4e80187bb04d18015ff7316653afac8626

    SHA256

    0fe8df91a677a85862d57d0bb4311900cf2038977d31a66ef835ace0ceb1d5e1

    SHA512

    e1ee6afb80dbcd1af1d71df04c7ee78c711d2dad31fd8c679cd027cda745b576f915cc4bfebca35843c0c4f79bbec6abd6562877ec26ae752b4abe2c0e2ba6d7

    Download Submit

  • \Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\RSA1302713070.dll
    Filesize

    67KB

    MD5

    eabb332260bdeae3abcbff4f82647a8e

    SHA1

    8d880f4e80187bb04d18015ff7316653afac8626

    SHA256

    0fe8df91a677a85862d57d0bb4311900cf2038977d31a66ef835ace0ceb1d5e1

    SHA512

    e1ee6afb80dbcd1af1d71df04c7ee78c711d2dad31fd8c679cd027cda745b576f915cc4bfebca35843c0c4f79bbec6abd6562877ec26ae752b4abe2c0e2ba6d7

    Download Submit

  • \Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\RSA1302713070.dll
    Filesize

    67KB

    MD5

    eabb332260bdeae3abcbff4f82647a8e

    SHA1

    8d880f4e80187bb04d18015ff7316653afac8626

    SHA256

    0fe8df91a677a85862d57d0bb4311900cf2038977d31a66ef835ace0ceb1d5e1

    SHA512

    e1ee6afb80dbcd1af1d71df04c7ee78c711d2dad31fd8c679cd027cda745b576f915cc4bfebca35843c0c4f79bbec6abd6562877ec26ae752b4abe2c0e2ba6d7

    Download Submit

  • memory/332-77-0x0000000076000000-0x0000000076017000-memory.dmp

    Filesize

    92KB

    Download

  • memory/332-85-0x000000007600B410-mapping.dmp

    Download

  • memory/332-79-0x0000000076000000-0x0000000076017000-memory.dmp

    Filesize

    92KB

    Download

  • memory/564-72-0x0000000000000000-mapping.dmp

    Download

  • memory/1660-54-0x0000000076000000-0x000000007605F000-memory.dmp

    Filesize

    380KB

    Download

  • memory/1660-62-0x0000000010000000-0x0000000010023000-memory.dmp

    Filesize

    140KB

    Download

  • memory/1660-59-0x0000000076000000-0x000000007605F000-memory.dmp

    Filesize

    380KB

    Download

  • memory/1660-58-0x0000000076000000-0x000000007605F000-memory.dmp

    Filesize

    380KB

    Download

  • memory/1660-57-0x0000000002271000-0x0000000002273000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1660-56-0x0000000076000000-0x000000007605F000-memory.dmp

    Filesize

    380KB

    Download

  • memory/1660-55-0x0000000076000000-0x000000007605F000-memory.dmp

    Filesize

    380KB

    Download

  • memory/1660-93-0x0000000076000000-0x000000007605F000-memory.dmp

    Filesize

    380KB

    Download

  • memory/1968-92-0x0000000000000000-mapping.dmp

    Download

  • memory/2016-66-0x0000000075F51000-0x0000000075F53000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2016-65-0x0000000000000000-mapping.dmp

    Download