Overview

overview

10

Static

static

12baff892d...b3.exe

windows7-x64

10

12baff892d...b3.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    174s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    26-11-2022 00:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    12baff892dc37e78e427790d4a41ab84df33309db3b54f2b9f75bb31644c30b3.exe

  • Size

    312KB

  • MD5

    6f123e6d33cc280d6138bdf61490bd9d

  • SHA1

    230459646d4c8985409879520eb88eaf698a5689

  • SHA256

    12baff892dc37e78e427790d4a41ab84df33309db3b54f2b9f75bb31644c30b3

  • SHA512

    cfbe9e7ff481b820f9fcf2694b1f5d2aceab9c6a01072bd13fd2bdf1f471e2b9bd4eaafb2566b0d795ce62ed1e7245e045640a7df1435fe1a86bc000ef9c64e7

  • SSDEEP

    6144:0yAaQ1BdglcE19mMOJ64SszizGMWS9QcCeLZrdIC0wPysIeN20fu59Bdvka:0yAR1Boc2mMOJYszizPxVCIPpysIG20C

Score
10/10
cobaltstrikebackdoorbootkitpersistencetrojan

Malware Config

Signatures

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

    trojanbackdoorcobaltstrike
  • Deletes itself 1 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SetWindowsHookEx 17 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\12baff892dc37e78e427790d4a41ab84df33309db3b54f2b9f75bb31644c30b3.exe
    "C:\Users\Admin\AppData\Local\Temp\12baff892dc37e78e427790d4a41ab84df33309db3b54f2b9f75bb31644c30b3.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1932
    • C:\Users\Admin\AppData\Local\Temp\12baff892dc37e78e427790d4a41ab84df33309db3b54f2b9f75bb31644c30b3.exe
      "C:\Users\Admin\AppData\Local\Temp\12baff892dc37e78e427790d4a41ab84df33309db3b54f2b9f75bb31644c30b3.exe"
      2⤵
      • Writes to the Master Boot Record (MBR)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1940
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C del "C:\Users\Admin\AppData\Local\Temp\12baff892dc37e78e427790d4a41ab84df33309db3b54f2b9f75bb31644c30b3.exe"
        3⤵
        • Deletes itself
        PID:1896
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2016
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2016 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1620
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2024
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2024 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1556
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1604
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1604 CREDAT:275457 /prefetch:2
      2⤵
      • Suspicious use of SetWindowsHookEx
      PID:568
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1220
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1220 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2040

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B54069B1-6D89-11ED-9172-7ADD0904B6AC}.dat
    Filesize

    5KB

    MD5

    0ad5ed39477f9c8d5f5a2e35bed4b9b1

    SHA1

    af2e8cd47102319842cf815b3b2da1bd7d964180

    SHA256

    7317c887b009fcaee709796b4b31256d7d6a225e245c648be810739f8dc4b09c

    SHA512

    3b2be7829b6372ad473efcd1b0eedf258a4a50f6de9998e4b668d5e8cfda20f721d5c298b1d46cd303f764eff2fc68636e6a7941f1320e37aa6e0861e215fda2

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C225FCD1-6D89-11ED-9172-7ADD0904B6AC}.dat
    Filesize

    5KB

    MD5

    88c49edca4357b6a4d9d83d90d6d6405

    SHA1

    5e1e4e98cfabefe984e6c097145f3a947112f5a4

    SHA256

    95d4d4dc2e6917cb8b740e47cf7734a3f1d5c9f91bb910c1624532cf4170f0ff

    SHA512

    f8ae56595755c386e0fcef83e02f4e1c36c3c9d057c42735423f1915a647f24494b5f4c6a3d8c9d63f20bf8acb6186ec01d2fc889110169abdeeaf1f53e89684

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{DA76A871-6D89-11ED-9172-7ADD0904B6AC}.dat
    Filesize

    5KB

    MD5

    8dccc1c8d30d9d9e39069cc58872e4bc

    SHA1

    ef740cfa4b546ebe5429ead7203b26cdcab5bd62

    SHA256

    d1fed0fb95cedd6751217a0ae1e34dc3d38a52077db7a30da91a585c49c09010

    SHA512

    1b120e4d9a812d4261421d788e1bc289eabb9cc8199dd58cb3da2aab8036faa38935ae29a3774483bb9fccb97aa151ab0a07b1380fc772850af9881723eb84a4

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{B54069B3-6D89-11ED-9172-7ADD0904B6AC}.dat
    Filesize

    3KB

    MD5

    d82ce5415db32fd313ab0d85b2cc5bf9

    SHA1

    d71402f0e63918e4edb7350f89ee9f4c4822e247

    SHA256

    f72454e1051546c4417f21f3c5b85747908be2fe7a273a85143a10ef810b2b50

    SHA512

    ac6cd3ec79ae47bcacf22f8ae41eaa3a10c1f01dd91d4a0964f5ec1ff1ef8a7e24defb698a79a140cb15771a503aa00e078ded1e856a4c2f94147e440e1a4532

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{C225FCD3-6D89-11ED-9172-7ADD0904B6AC}.dat
    Filesize

    4KB

    MD5

    f8ef961b36338f9d81f75e96d3e84d01

    SHA1

    47945141232ffafcb17b55ba5e5e387c0a808699

    SHA256

    dfd902720814c672d1868e4325df0508a988fe6f30fdeea205956d8de4376194

    SHA512

    37c4861fe162a42b09ac1e9eacd411bc4ebfa93e8f91be2633d26eddc65acede932f0c4d0c0ea2b4b3d5a5181270fd8d69a16bc721243eaff99655b1abea28a6

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{DA76A873-6D89-11ED-9172-7ADD0904B6AC}.dat
    Filesize

    4KB

    MD5

    f4ddb9ae4b663c983563b07802d2957a

    SHA1

    12fe54b4059a3cc1b0dad0b6ce871c42f61e91ab

    SHA256

    fb4d95663a14fd2109d56689a42cb00a323f95dfbd3589840b1e2e9d1732511c

    SHA512

    03f2d479bb15bc5784c0b9b4254ff0f3243986b0be8dbca8a1ae1e9805ff6d51e3eace04824bf292aa44f9b047460c44a776c8f21f6686652d774a080d252dc2

    Download Submit

  • memory/1896-81-0x0000000000000000-mapping.dmp

    Download

  • memory/1940-64-0x0000000076000000-0x0000000076041000-memory.dmp

    Filesize

    260KB

    Download

  • memory/1940-56-0x0000000076000000-0x0000000076041000-memory.dmp

    Filesize

    260KB

    Download

  • memory/1940-69-0x0000000076000000-0x0000000076041000-memory.dmp

    Filesize

    260KB

    Download

  • memory/1940-70-0x0000000076000000-0x0000000076041000-memory.dmp

    Filesize

    260KB

    Download

  • memory/1940-67-0x000000007600BB00-mapping.dmp

    Download

  • memory/1940-72-0x0000000010000000-0x0000000010022000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1940-66-0x0000000076000000-0x0000000076041000-memory.dmp

    Filesize

    260KB

    Download

  • memory/1940-68-0x0000000076181000-0x0000000076183000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1940-63-0x0000000076000000-0x0000000076041000-memory.dmp

    Filesize

    260KB

    Download

  • memory/1940-61-0x0000000076000000-0x0000000076041000-memory.dmp

    Filesize

    260KB

    Download

  • memory/1940-59-0x0000000076000000-0x0000000076041000-memory.dmp

    Filesize

    260KB

    Download

  • memory/1940-80-0x0000000003990000-0x0000000003B2D000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/1940-82-0x0000000076000000-0x0000000076041000-memory.dmp

    Filesize

    260KB

    Download

  • memory/1940-57-0x0000000076000000-0x0000000076041000-memory.dmp

    Filesize

    260KB

    Download