cobaltstrike | ac0b7d11ff768a08a08ce4254fe9bbd9c18df4ec354da9c6d6a22fe5cacec944

Analysis

max time kernel
154s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 13:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ac0b7d11ff768a08a08ce4254fe9bbd9c18df4ec354da9c6d6a22fe5cacec944.exe
Size

380KB
MD5

fcf381af24111ae189d57792465200ab
SHA1

742a87c00364b3124bf62480369e0a2854cbb8dd
SHA256

ac0b7d11ff768a08a08ce4254fe9bbd9c18df4ec354da9c6d6a22fe5cacec944
SHA512

84a63bfdb43121f3427394cf969ad42a7efa891e60ecb4be4009e9c1eb0574b4712c7f64d34feff3ce380630d4e34bb4c99014dda8de745c31a706642daaa751
SSDEEP

6144:iKhjynzprGoDKbkqNJtLAletm9Mht3vbdXV1qBQMMZx0HLHDDOSJgSQx62DAsLWO:icqNrDDKbkQbzKMht3vP1qBQzqnvjQxn

Score

10^/10

cobaltstrike backdoor bootkit persistence trojan

Malware Config

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ac0b7d11ff768a08a08ce4254fe9bbd9c18df4ec354da9c6d6a22fe5cacec944.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	ac0b7d11ff768a08a08ce4254fe9bbd9c18df4ec354da9c6d6a22fe5cacec944.exe

Loads dropped DLL 2 IoCs

Processes:

rundll32.exerundll32.exe

pid process

976 rundll32.exe
1944 rundll32.exe

pid	process
976	rundll32.exe
1944	rundll32.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ac0b7d11ff768a08a08ce4254fe9bbd9c18df4ec354da9c6d6a22fe5cacec944.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RSA1988157073 = "C:\\Windows\\system32\\rundll32.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\RSA1988157073.dll\",DllInitialize"	ac0b7d11ff768a08a08ce4254fe9bbd9c18df4ec354da9c6d6a22fe5cacec944.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RSA1988157073 = "C:\\Windows\\system32\\rundll32.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\RSA1988157073.dll\",DllInitialize"	svchost.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

ac0b7d11ff768a08a08ce4254fe9bbd9c18df4ec354da9c6d6a22fe5cacec944.exe

description ioc process

File opened for modification \??\PHYSICALDRIVE0 ac0b7d11ff768a08a08ce4254fe9bbd9c18df4ec354da9c6d6a22fe5cacec944.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 1944 set thread context of 2628 1944 rundll32.exe svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	\??\PHYSICALDRIVE0	ac0b7d11ff768a08a08ce4254fe9bbd9c18df4ec354da9c6d6a22fe5cacec944.exe

description	pid	process	target process
PID 1944 set thread context of 2628	1944	rundll32.exe	svchost.exe

Modifies Internet Explorer settings 1 TTPs 52 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeiexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30998350"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 403cd50d4effd801	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009df837df90767a4d9447527c325b84cb00000000020000000000106600000001000020000000ed9510dd0ab69f35c258d2e28a488578e42512b4e8ba189cb738475143d9c082000000000e80000000020000200000005bb24e5556d82e82ec13d11371c5d456132105b2c6c0cc6a7aa9929ceaf5cd1f20000000e4fad4702104ed4eb742dd417cb163d6894638a835e3033c7ae779dff07cbf3740000000a2db7f485608af0597ff1238c7c13b6abc79f9855b68e25279911aba8491f97b39c434f70829367f5ba0134049179e6dbcfaa406d59261f29a47e3b192f77482	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{34FCF1AD-6B41-11ED-89AC-D2A4FF929712} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{17E4BB5C-6B41-11ED-89AC-D2A4FF929712} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30998350"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "157398453"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009df837df90767a4d9447527c325b84cb0000000002000000000010660000000100002000000079ab41ba7bb48076fbbb8e3b18b66bf98f262414404950398eef183ecf6c3937000000000e80000000020000200000002e888ed36684a955b35e353b0834cdadca58f64f4bfdc4cff151769e18d8bc9020000000f565fea1e7dfd676bcddd8bcab943b878a375d48d05eed50fd09eeba112438f940000000dc261f466bcb9eb8087dad5b501ce8709ffee84984eb645b77455c033e67a3eca73399ebe75628d66e0081a77aa0039cafb4338f9f1e6dce0f1553b271a3eb34	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{276B2D20-6B41-11ED-89AC-D2A4FF929712} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "157398453"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0eb610e4effd801	iexplore.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

ac0b7d11ff768a08a08ce4254fe9bbd9c18df4ec354da9c6d6a22fe5cacec944.exe

pid	process
4116	ac0b7d11ff768a08a08ce4254fe9bbd9c18df4ec354da9c6d6a22fe5cacec944.exe
4116	ac0b7d11ff768a08a08ce4254fe9bbd9c18df4ec354da9c6d6a22fe5cacec944.exe
4116	ac0b7d11ff768a08a08ce4254fe9bbd9c18df4ec354da9c6d6a22fe5cacec944.exe
4116	ac0b7d11ff768a08a08ce4254fe9bbd9c18df4ec354da9c6d6a22fe5cacec944.exe
4116	ac0b7d11ff768a08a08ce4254fe9bbd9c18df4ec354da9c6d6a22fe5cacec944.exe
4116	ac0b7d11ff768a08a08ce4254fe9bbd9c18df4ec354da9c6d6a22fe5cacec944.exe
4116	ac0b7d11ff768a08a08ce4254fe9bbd9c18df4ec354da9c6d6a22fe5cacec944.exe
4116	ac0b7d11ff768a08a08ce4254fe9bbd9c18df4ec354da9c6d6a22fe5cacec944.exe
4116	ac0b7d11ff768a08a08ce4254fe9bbd9c18df4ec354da9c6d6a22fe5cacec944.exe
4116	ac0b7d11ff768a08a08ce4254fe9bbd9c18df4ec354da9c6d6a22fe5cacec944.exe
4116	ac0b7d11ff768a08a08ce4254fe9bbd9c18df4ec354da9c6d6a22fe5cacec944.exe
4116	ac0b7d11ff768a08a08ce4254fe9bbd9c18df4ec354da9c6d6a22fe5cacec944.exe
4116	ac0b7d11ff768a08a08ce4254fe9bbd9c18df4ec354da9c6d6a22fe5cacec944.exe
4116	ac0b7d11ff768a08a08ce4254fe9bbd9c18df4ec354da9c6d6a22fe5cacec944.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

656

pid	process
656

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

ac0b7d11ff768a08a08ce4254fe9bbd9c18df4ec354da9c6d6a22fe5cacec944.exe

description	pid	process
Token: SeDebugPrivilege	4116	ac0b7d11ff768a08a08ce4254fe9bbd9c18df4ec354da9c6d6a22fe5cacec944.exe
Token: SeLoadDriverPrivilege	4116	ac0b7d11ff768a08a08ce4254fe9bbd9c18df4ec354da9c6d6a22fe5cacec944.exe
Token: SeShutdownPrivilege	4116	ac0b7d11ff768a08a08ce4254fe9bbd9c18df4ec354da9c6d6a22fe5cacec944.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

iexplore.exeiexplore.exeiexplore.exe

pid process

548 iexplore.exe
2736 iexplore.exe
4776 iexplore.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

iexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXE

pid	process
548	iexplore.exe
548	iexplore.exe
840	IEXPLORE.EXE
840	IEXPLORE.EXE
2736	iexplore.exe
2736	iexplore.exe
1100	IEXPLORE.EXE
1100	IEXPLORE.EXE
4776	iexplore.exe
4776	iexplore.exe
3640	IEXPLORE.EXE
3640	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

iexplore.exeiexplore.exeiexplore.exeac0b7d11ff768a08a08ce4254fe9bbd9c18df4ec354da9c6d6a22fe5cacec944.exerundll32.exerundll32.exe

description	pid	process	target process
PID 548 wrote to memory of 840	548	iexplore.exe	IEXPLORE.EXE
PID 548 wrote to memory of 840	548	iexplore.exe	IEXPLORE.EXE
PID 548 wrote to memory of 840	548	iexplore.exe	IEXPLORE.EXE
PID 2736 wrote to memory of 1100	2736	iexplore.exe	IEXPLORE.EXE
PID 2736 wrote to memory of 1100	2736	iexplore.exe	IEXPLORE.EXE
PID 2736 wrote to memory of 1100	2736	iexplore.exe	IEXPLORE.EXE
PID 4776 wrote to memory of 3640	4776	iexplore.exe	IEXPLORE.EXE
PID 4776 wrote to memory of 3640	4776	iexplore.exe	IEXPLORE.EXE
PID 4776 wrote to memory of 3640	4776	iexplore.exe	IEXPLORE.EXE
PID 4116 wrote to memory of 976	4116	ac0b7d11ff768a08a08ce4254fe9bbd9c18df4ec354da9c6d6a22fe5cacec944.exe	rundll32.exe
PID 4116 wrote to memory of 976	4116	ac0b7d11ff768a08a08ce4254fe9bbd9c18df4ec354da9c6d6a22fe5cacec944.exe	rundll32.exe
PID 4116 wrote to memory of 976	4116	ac0b7d11ff768a08a08ce4254fe9bbd9c18df4ec354da9c6d6a22fe5cacec944.exe	rundll32.exe
PID 976 wrote to memory of 1944	976	rundll32.exe	rundll32.exe
PID 976 wrote to memory of 1944	976	rundll32.exe	rundll32.exe
PID 1944 wrote to memory of 2628	1944	rundll32.exe	svchost.exe
PID 1944 wrote to memory of 2628	1944	rundll32.exe	svchost.exe
PID 1944 wrote to memory of 2628	1944	rundll32.exe	svchost.exe
PID 1944 wrote to memory of 2628	1944	rundll32.exe	svchost.exe
PID 4116 wrote to memory of 744	4116	ac0b7d11ff768a08a08ce4254fe9bbd9c18df4ec354da9c6d6a22fe5cacec944.exe	cmd.exe
PID 4116 wrote to memory of 744	4116	ac0b7d11ff768a08a08ce4254fe9bbd9c18df4ec354da9c6d6a22fe5cacec944.exe	cmd.exe
PID 4116 wrote to memory of 744	4116	ac0b7d11ff768a08a08ce4254fe9bbd9c18df4ec354da9c6d6a22fe5cacec944.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\ac0b7d11ff768a08a08ce4254fe9bbd9c18df4ec354da9c6d6a22fe5cacec944.exe
"C:\Users\Admin\AppData\Local\Temp\ac0b7d11ff768a08a08ce4254fe9bbd9c18df4ec354da9c6d6a22fe5cacec944.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4116
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe "C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\RSA1988157073.dll",DllInitialize
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:976
- - C:\Windows\system32\rundll32.exe
    C:\Windows\system32\rundll32.exe "C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\RSA1988157073.dll",DllInitialize
    3⤵
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1944
  - - C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe
      4⤵
      Adds Run key to start application
      PID:2628
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C del "C:\Users\Admin\AppData\Local\Temp\ac0b7d11ff768a08a08ce4254fe9bbd9c18df4ec354da9c6d6a22fe5cacec944.exe"
  2⤵
  PID:744

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
PID:4332

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:548
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:548 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:840

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2736 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1100

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4776
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4776 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3640

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{17E4BB5C-6B41-11ED-89AC-D2A4FF929712}.dat

Filesize
5KB

MD5
4ddc1ebf8554e78b53531244188c32b2

SHA1
0099c31c5ffc4ae6adcf6b5f07c943b7ea585805

SHA256
5280bdba262d5b71b1fdd88b55973d44fd53b28605beda59739d9fc2138044bb

SHA512
82f4403614c35266b524b104d7053b2dc04833a8b0813c56fe0807c149e8fbcebf4f3311f4436da6ed682cdafa3ee7504f32f1d839276ba2032406df0d85621e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{276B2D20-6B41-11ED-89AC-D2A4FF929712}.dat

Filesize
5KB

MD5
cfe0298991604da0749b0d4c5f98cae5

SHA1
0e34a8327dbf9f2083db50e4a2b24205640dd235

SHA256
7b1443eaadef6758c490fb7695766b63f5f5dad1744a290e17d8208acac032ac

SHA512
ecd0f4040686726a621345cd29e8ff1963f7d93de25d53c103b63cfaa346e0fab81936842b49cae4ecc058dba4157e930ef4f3b09f7423654ac29a5e7eb8b3be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{17E4BB5E-6B41-11ED-89AC-D2A4FF929712}.dat

Filesize
3KB

MD5
4ee48b66c911d3558a1527f0983a61a8

SHA1
aa35d363564240f644f27bb47de75720f83c5001

SHA256
146f7f8da6bef8a5f8b12764ef8b6a18f6cb71a0990c910a0efef68dc4db7d70

SHA512
7543df06b5f54a9c4e825434c04a3dd09757aaafd4d95ddf60a256afa408292d23197aded3fa7aae65611ba51cc1db256fa83d0b808e1da163fb32e36a43f889

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{276B2D22-6B41-11ED-89AC-D2A4FF929712}.dat

Filesize
3KB

MD5
dd51a723bfac4477643d8a10ed724b93

SHA1
9ee540523b4c184e648e0d25327dc12af702f062

SHA256
303ba7a31f4427a6972ff8b775dcb3cbde97233cd2366e97edc0a6b843b7d482

SHA512
4bb9031bb05b03b41e427b94db155f2b5bfa41c1c1727c1f3853d7cbadf00456363894602275fdb21abf68a9adab7205baa51301f566c5c6b3b8cecb5ef35e8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\L1988157073

Filesize
555B

MD5
80579f5258b97632f1953640a386506d

SHA1
b8fc952deb5e5fe6fa588f1f3ad775d4f74a0358

SHA256
03eaffcb4e20d901173bb53ef0140e2d8644a05b8d2b219dee9a6a76352fd31b

SHA512
9bcc2174b31fd2322c92f875a612a5e7e2a7d28b56a8e37f5d91d4ff0b79e3ff20e29da976ae65d65a6f22ef8f90acf2f20c59d9e81119d3cb75649aad24dc37

Download Submit
C:\Users\Admin\AppData\Local\Temp\NTFS.sys

Filesize
12KB

MD5
ac95ea72a833d54be29791008f3ced14

SHA1
ac9f69c6c4fbe05a7a680883a8c761c60f3aacd0

SHA256
f7a21e5e75fe70c4bd6acf6641cc9be0261ea0931c36878258665940e25ee14a

SHA512
c097d856e8728b39059c49429d642dc00b2ce87453de71e0a3a4fc261e383f7c08ffbe4149925b148bdc2111abb6f50dc2d338e53fe137bc82fe7747251aa311

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9A02.tmp

Filesize
28B

MD5
ed209b900caf35a8f53250e6823e0155

SHA1
821ad4764ffb03543df65ee1b6566998d33ef8c3

SHA256
c075ee83e86309906b1d05a7db3a9a25ae9a642ff7ecedbbdceffa9ac322b4ed

SHA512
86155d51b9c1a1dd868d6d6f6d812478f018a82fbd83cc0082f712ef4cba48ddebc0290b0bf029d8b1d4fcad055cd63ee2f52c41875f6803dc6a2e3402aa5a94

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFC09.tmp

Filesize
8KB

MD5
68ab0c13ee08a940104f25b9205c5caf

SHA1
845c9c32e2baf2b11c450e8e1d6f397cb1f1506a

SHA256
3f5f2713c132044193b4981c635514a6cd866e3199ad426338d65ab4cbdafb3a

SHA512
d4d03c8b1668ac9017663f138fda1f41ad29f400cff72fa3989e3b52fa6f9428a672d3011a6edd143dfca8a45f09df3495f99517f908da14ed8fa4b4b6930768

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFDB0.tmp

Filesize
413B

MD5
36a3476fcd54ff2f8875d2ed14cba6ea

SHA1
f8794df6e78279473d722df35b6e540db97d391f

SHA256
280d29c2cf800666fc2455997e4a339126d0401ef44eba1f34879fa309fad801

SHA512
3398e3d54566760b86e2018e60a53ce99087d9b09941dd3d2cf6d351888cee9a42ba8ee3d81644591c696bfe556d29b9f11b13c60b9845237d0d5b2b74588b8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DF7DBCD1D4EC73A8C5.TMP

Filesize
16KB

MD5
ec5be8feb3cbf4672e6609258282bed1

SHA1
a0e4d60a9aa76a44fa798b93b61d81c6f97b94a9

SHA256
7ea26d653b6003fd606c1edf88e2161b91619f15ea05a6fdb3a51ec6bfc44b9f

SHA512
7d56cabb593538da374d4f79ce6b8869b25ceca264d39efaeaa3d30f2a13dae2341e4cbc4bdf35656685c4ccdeac0781a3a679fe2bc5b05892f726469c8aeb72

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DF81AAC57FBD7ADC98.TMP

Filesize
16KB

MD5
45b0a4b658326d3fe1a37fa344ba0aa2

SHA1
cb2809cefc73bf898f401de0f8864b97b8568d33

SHA256
21099f0bd36024d3ae468d5056c20b1089a419b6f5e58999743483ba2633483c

SHA512
4083055f0a561314d3cfa2eb1e4bcabef037cd76c44c970869d9343bdf7e9f1ff343f0cd22ca496fb2a36f2777433362e35867dc85292a381bdd1e4d678be98a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\RSA1988157073.dll

Filesize
67KB

MD5
eabb332260bdeae3abcbff4f82647a8e

SHA1
8d880f4e80187bb04d18015ff7316653afac8626

SHA256
0fe8df91a677a85862d57d0bb4311900cf2038977d31a66ef835ace0ceb1d5e1

SHA512
e1ee6afb80dbcd1af1d71df04c7ee78c711d2dad31fd8c679cd027cda745b576f915cc4bfebca35843c0c4f79bbec6abd6562877ec26ae752b4abe2c0e2ba6d7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\RSA1988157073.dll

Filesize
67KB

MD5
eabb332260bdeae3abcbff4f82647a8e

SHA1
8d880f4e80187bb04d18015ff7316653afac8626

SHA256
0fe8df91a677a85862d57d0bb4311900cf2038977d31a66ef835ace0ceb1d5e1

SHA512
e1ee6afb80dbcd1af1d71df04c7ee78c711d2dad31fd8c679cd027cda745b576f915cc4bfebca35843c0c4f79bbec6abd6562877ec26ae752b4abe2c0e2ba6d7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\RSA1988157073.dll

Filesize
67KB

MD5
eabb332260bdeae3abcbff4f82647a8e

SHA1
8d880f4e80187bb04d18015ff7316653afac8626

SHA256
0fe8df91a677a85862d57d0bb4311900cf2038977d31a66ef835ace0ceb1d5e1

SHA512
e1ee6afb80dbcd1af1d71df04c7ee78c711d2dad31fd8c679cd027cda745b576f915cc4bfebca35843c0c4f79bbec6abd6562877ec26ae752b4abe2c0e2ba6d7

Download Submit
memory/744-163-0x0000000000000000-mapping.dmp

Download
memory/976-144-0x0000000000000000-mapping.dmp

Download
memory/1944-147-0x0000000000000000-mapping.dmp

Download
memory/2628-149-0x0000000076000000-0x0000000076017000-memory.dmp

Filesize
92KB

Download
memory/2628-155-0x000000007600B410-mapping.dmp

Download
memory/4116-132-0x0000000076000000-0x000000007605F000-memory.dmp

Filesize
380KB

Download
memory/4116-136-0x0000000076000000-0x000000007605F000-memory.dmp

Filesize
380KB

Download
memory/4116-135-0x0000000076000000-0x000000007605F000-memory.dmp

Filesize
380KB

Download
memory/4116-134-0x0000000076000000-0x000000007605F000-memory.dmp

Filesize
380KB

Download
memory/4116-133-0x0000000076000000-0x000000007605F000-memory.dmp

Filesize
380KB

Download
memory/4116-139-0x0000000010000000-0x0000000010023000-memory.dmp

Filesize
140KB

Download
memory/4116-164-0x0000000076000000-0x000000007605F000-memory.dmp

Filesize
380KB

Download