cobaltstrike | 88f7fe8fe68d98400883978c509949d0ee5244ceee66a5c7099c36050dfc1727

Analysis

max time kernel
151s
max time network
154s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
26-11-2022 12:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

88f7fe8fe68d98400883978c509949d0ee5244ceee66a5c7099c36050dfc1727.exe
Size

501KB
MD5

d21944dc08bafdc1570abe278633cc82
SHA1

ea422f3c297cb8f5eddddbdb9252819a180a9a17
SHA256

88f7fe8fe68d98400883978c509949d0ee5244ceee66a5c7099c36050dfc1727
SHA512

62f3ee25edc1652b1b9d419782f62896b66dc94ad24797b3076b706a7f37731de442af2ba806d71ca4b642e532d1589a8ef7512a8165658bf732da040ecf9d1a
SSDEEP

12288:d8CoMHybjto5+DAKkH103gEmFdfOB/dmHV:yCj5CJ

Score

10^/10

cobaltstrike backdoor bootkit persistence trojan

Malware Config

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2016 cmd.exe
Loads dropped DLL 8 IoCs

Processes:

rundll32.exerundll32.exe

pid process

1100 rundll32.exe
1100 rundll32.exe
1100 rundll32.exe
1100 rundll32.exe
1612 rundll32.exe
1612 rundll32.exe
1612 rundll32.exe
1612 rundll32.exe

pid	process
2016	cmd.exe

pid	process
1100	rundll32.exe
1100	rundll32.exe
1100	rundll32.exe
1100	rundll32.exe
1612	rundll32.exe
1612	rundll32.exe
1612	rundll32.exe
1612	rundll32.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

88f7fe8fe68d98400883978c509949d0ee5244ceee66a5c7099c36050dfc1727.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\RSA662865501 = "C:\\Windows\\system32\\rundll32.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\RSA662865501.dll\",DllInitialize"	88f7fe8fe68d98400883978c509949d0ee5244ceee66a5c7099c36050dfc1727.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\RSA662865501 = "C:\\Windows\\system32\\rundll32.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\RSA662865501.dll\",DllInitialize"	svchost.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

88f7fe8fe68d98400883978c509949d0ee5244ceee66a5c7099c36050dfc1727.exe

description ioc process

File opened for modification \??\PHYSICALDRIVE0 88f7fe8fe68d98400883978c509949d0ee5244ceee66a5c7099c36050dfc1727.exe

description	ioc	process
File opened for modification	\??\PHYSICALDRIVE0	88f7fe8fe68d98400883978c509949d0ee5244ceee66a5c7099c36050dfc1727.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

88f7fe8fe68d98400883978c509949d0ee5244ceee66a5c7099c36050dfc1727.exerundll32.exe

description	pid	process	target process
PID 1220 set thread context of 2000	1220	88f7fe8fe68d98400883978c509949d0ee5244ceee66a5c7099c36050dfc1727.exe	88f7fe8fe68d98400883978c509949d0ee5244ceee66a5c7099c36050dfc1727.exe
PID 1612 set thread context of 980	1612	rundll32.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{196611B1-6DF8-11ED-AAA1-C6F54D7498C3} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{087E8DF1-6DF8-11ED-AAA1-C6F54D7498C3} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0166cfb0402d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f060e545e7a27244a3e21fe2c9ca14f100000000020000000000106600000001000020000000d4f28fd0c33cf19a7f1f8c6b2c7afd8e6434b7a2628cd8a08af20dd5bfc5898f000000000e8000000002000020000000c9ee407577905cb19622c3eefb4d10c14282490f5caf2f37024ad5c537334a9f9000000095613583f8e24a88541d154001dc5a1750d8de442b970e6d297b50c362efd1b77d692330e0e5f666210cf42013213287742c246e023a88819a6adca6cad3505fe61a8104c06abf4476231a0fedcba7a6d82ff4aa461349ea039ba77e1fcabaa6fc43117f9fa8300700fa45c64670b8eaa955e156c26c2c4debf2cfa3f7a8305063717ae4ea7ac84355627a83a96c34fe400000009de0a481b1b8484e9c0c5a99970f28623fbc74f675ac84b9999d4aecd214ca27d2ca68e2df5650c4f78213c68795ea67d9bcd1e9b9800dfa60fd189da8a0e2fb	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f060e545e7a27244a3e21fe2c9ca14f100000000020000000000106600000001000020000000d0964d821996fa032fd8b490e4ccb6194446d222d6686e57b1efc09359e3b646000000000e8000000002000020000000d232528f03de3604907a6aa31059ece4ed31f3b8ab4882c71cb2bedb96eb1f932000000037f43a3184e3fa506d64dc2eafb7172a32a5f62778f557f4f9b738fb09366f3840000000ba72f569687d20b50f06eb20409d3bc5ee4a45790fe6e982a4e95a0949cff839db85de0e4620e4abe680314f74c57f56f7777bd75d9169bbd1e2186d8fd2605b	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

88f7fe8fe68d98400883978c509949d0ee5244ceee66a5c7099c36050dfc1727.exe88f7fe8fe68d98400883978c509949d0ee5244ceee66a5c7099c36050dfc1727.exe

pid	process
1220	88f7fe8fe68d98400883978c509949d0ee5244ceee66a5c7099c36050dfc1727.exe
1220	88f7fe8fe68d98400883978c509949d0ee5244ceee66a5c7099c36050dfc1727.exe
2000	88f7fe8fe68d98400883978c509949d0ee5244ceee66a5c7099c36050dfc1727.exe
2000	88f7fe8fe68d98400883978c509949d0ee5244ceee66a5c7099c36050dfc1727.exe
2000	88f7fe8fe68d98400883978c509949d0ee5244ceee66a5c7099c36050dfc1727.exe
2000	88f7fe8fe68d98400883978c509949d0ee5244ceee66a5c7099c36050dfc1727.exe
2000	88f7fe8fe68d98400883978c509949d0ee5244ceee66a5c7099c36050dfc1727.exe
2000	88f7fe8fe68d98400883978c509949d0ee5244ceee66a5c7099c36050dfc1727.exe
2000	88f7fe8fe68d98400883978c509949d0ee5244ceee66a5c7099c36050dfc1727.exe
2000	88f7fe8fe68d98400883978c509949d0ee5244ceee66a5c7099c36050dfc1727.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

460

pid	process
460

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

88f7fe8fe68d98400883978c509949d0ee5244ceee66a5c7099c36050dfc1727.exe

description	pid	process
Token: SeDebugPrivilege	2000	88f7fe8fe68d98400883978c509949d0ee5244ceee66a5c7099c36050dfc1727.exe
Token: SeLoadDriverPrivilege	2000	88f7fe8fe68d98400883978c509949d0ee5244ceee66a5c7099c36050dfc1727.exe
Token: SeShutdownPrivilege	2000	88f7fe8fe68d98400883978c509949d0ee5244ceee66a5c7099c36050dfc1727.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

iexplore.exeiexplore.exeiexplore.exe

pid process

1160 iexplore.exe
1688 iexplore.exe
1628 iexplore.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

iexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXE

pid	process
1160	iexplore.exe
1160	iexplore.exe
988	IEXPLORE.EXE
988	IEXPLORE.EXE
1688	iexplore.exe
1688	iexplore.exe
432	IEXPLORE.EXE
432	IEXPLORE.EXE
1628	iexplore.exe
1628	iexplore.exe
268	IEXPLORE.EXE
268	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

88f7fe8fe68d98400883978c509949d0ee5244ceee66a5c7099c36050dfc1727.exeiexplore.exeiexplore.exeiexplore.exe88f7fe8fe68d98400883978c509949d0ee5244ceee66a5c7099c36050dfc1727.exerundll32.exerundll32.exe

description	pid	process	target process
PID 1220 wrote to memory of 2000	1220	88f7fe8fe68d98400883978c509949d0ee5244ceee66a5c7099c36050dfc1727.exe	88f7fe8fe68d98400883978c509949d0ee5244ceee66a5c7099c36050dfc1727.exe
PID 1220 wrote to memory of 2000	1220	88f7fe8fe68d98400883978c509949d0ee5244ceee66a5c7099c36050dfc1727.exe	88f7fe8fe68d98400883978c509949d0ee5244ceee66a5c7099c36050dfc1727.exe
PID 1220 wrote to memory of 2000	1220	88f7fe8fe68d98400883978c509949d0ee5244ceee66a5c7099c36050dfc1727.exe	88f7fe8fe68d98400883978c509949d0ee5244ceee66a5c7099c36050dfc1727.exe
PID 1220 wrote to memory of 2000	1220	88f7fe8fe68d98400883978c509949d0ee5244ceee66a5c7099c36050dfc1727.exe	88f7fe8fe68d98400883978c509949d0ee5244ceee66a5c7099c36050dfc1727.exe
PID 1220 wrote to memory of 2000	1220	88f7fe8fe68d98400883978c509949d0ee5244ceee66a5c7099c36050dfc1727.exe	88f7fe8fe68d98400883978c509949d0ee5244ceee66a5c7099c36050dfc1727.exe
PID 1220 wrote to memory of 2000	1220	88f7fe8fe68d98400883978c509949d0ee5244ceee66a5c7099c36050dfc1727.exe	88f7fe8fe68d98400883978c509949d0ee5244ceee66a5c7099c36050dfc1727.exe
PID 1220 wrote to memory of 2000	1220	88f7fe8fe68d98400883978c509949d0ee5244ceee66a5c7099c36050dfc1727.exe	88f7fe8fe68d98400883978c509949d0ee5244ceee66a5c7099c36050dfc1727.exe
PID 1220 wrote to memory of 2000	1220	88f7fe8fe68d98400883978c509949d0ee5244ceee66a5c7099c36050dfc1727.exe	88f7fe8fe68d98400883978c509949d0ee5244ceee66a5c7099c36050dfc1727.exe
PID 1220 wrote to memory of 2000	1220	88f7fe8fe68d98400883978c509949d0ee5244ceee66a5c7099c36050dfc1727.exe	88f7fe8fe68d98400883978c509949d0ee5244ceee66a5c7099c36050dfc1727.exe
PID 1220 wrote to memory of 2000	1220	88f7fe8fe68d98400883978c509949d0ee5244ceee66a5c7099c36050dfc1727.exe	88f7fe8fe68d98400883978c509949d0ee5244ceee66a5c7099c36050dfc1727.exe
PID 1220 wrote to memory of 2000	1220	88f7fe8fe68d98400883978c509949d0ee5244ceee66a5c7099c36050dfc1727.exe	88f7fe8fe68d98400883978c509949d0ee5244ceee66a5c7099c36050dfc1727.exe
PID 1160 wrote to memory of 988	1160	iexplore.exe	IEXPLORE.EXE
PID 1160 wrote to memory of 988	1160	iexplore.exe	IEXPLORE.EXE
PID 1160 wrote to memory of 988	1160	iexplore.exe	IEXPLORE.EXE
PID 1160 wrote to memory of 988	1160	iexplore.exe	IEXPLORE.EXE
PID 1688 wrote to memory of 432	1688	iexplore.exe	IEXPLORE.EXE
PID 1688 wrote to memory of 432	1688	iexplore.exe	IEXPLORE.EXE
PID 1688 wrote to memory of 432	1688	iexplore.exe	IEXPLORE.EXE
PID 1688 wrote to memory of 432	1688	iexplore.exe	IEXPLORE.EXE
PID 1628 wrote to memory of 268	1628	iexplore.exe	IEXPLORE.EXE
PID 1628 wrote to memory of 268	1628	iexplore.exe	IEXPLORE.EXE
PID 1628 wrote to memory of 268	1628	iexplore.exe	IEXPLORE.EXE
PID 1628 wrote to memory of 268	1628	iexplore.exe	IEXPLORE.EXE
PID 2000 wrote to memory of 1100	2000	88f7fe8fe68d98400883978c509949d0ee5244ceee66a5c7099c36050dfc1727.exe	rundll32.exe
PID 2000 wrote to memory of 1100	2000	88f7fe8fe68d98400883978c509949d0ee5244ceee66a5c7099c36050dfc1727.exe	rundll32.exe
PID 2000 wrote to memory of 1100	2000	88f7fe8fe68d98400883978c509949d0ee5244ceee66a5c7099c36050dfc1727.exe	rundll32.exe
PID 2000 wrote to memory of 1100	2000	88f7fe8fe68d98400883978c509949d0ee5244ceee66a5c7099c36050dfc1727.exe	rundll32.exe
PID 2000 wrote to memory of 1100	2000	88f7fe8fe68d98400883978c509949d0ee5244ceee66a5c7099c36050dfc1727.exe	rundll32.exe
PID 2000 wrote to memory of 1100	2000	88f7fe8fe68d98400883978c509949d0ee5244ceee66a5c7099c36050dfc1727.exe	rundll32.exe
PID 2000 wrote to memory of 1100	2000	88f7fe8fe68d98400883978c509949d0ee5244ceee66a5c7099c36050dfc1727.exe	rundll32.exe
PID 1100 wrote to memory of 1612	1100	rundll32.exe	rundll32.exe
PID 1100 wrote to memory of 1612	1100	rundll32.exe	rundll32.exe
PID 1100 wrote to memory of 1612	1100	rundll32.exe	rundll32.exe
PID 1100 wrote to memory of 1612	1100	rundll32.exe	rundll32.exe
PID 1612 wrote to memory of 980	1612	rundll32.exe	svchost.exe
PID 1612 wrote to memory of 980	1612	rundll32.exe	svchost.exe
PID 1612 wrote to memory of 980	1612	rundll32.exe	svchost.exe
PID 1612 wrote to memory of 980	1612	rundll32.exe	svchost.exe
PID 1612 wrote to memory of 980	1612	rundll32.exe	svchost.exe
PID 2000 wrote to memory of 2016	2000	88f7fe8fe68d98400883978c509949d0ee5244ceee66a5c7099c36050dfc1727.exe	cmd.exe
PID 2000 wrote to memory of 2016	2000	88f7fe8fe68d98400883978c509949d0ee5244ceee66a5c7099c36050dfc1727.exe	cmd.exe
PID 2000 wrote to memory of 2016	2000	88f7fe8fe68d98400883978c509949d0ee5244ceee66a5c7099c36050dfc1727.exe	cmd.exe
PID 2000 wrote to memory of 2016	2000	88f7fe8fe68d98400883978c509949d0ee5244ceee66a5c7099c36050dfc1727.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\88f7fe8fe68d98400883978c509949d0ee5244ceee66a5c7099c36050dfc1727.exe
"C:\Users\Admin\AppData\Local\Temp\88f7fe8fe68d98400883978c509949d0ee5244ceee66a5c7099c36050dfc1727.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1220
- C:\Users\Admin\AppData\Local\Temp\88f7fe8fe68d98400883978c509949d0ee5244ceee66a5c7099c36050dfc1727.exe
  "C:\Users\Admin\AppData\Local\Temp\88f7fe8fe68d98400883978c509949d0ee5244ceee66a5c7099c36050dfc1727.exe"
  2⤵
  - Adds Run key to start application
  - Writes to the Master Boot Record (MBR)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2000
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe "C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\RSA662865501.dll",DllInitialize
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1100
  - - C:\Windows\system32\rundll32.exe
      C:\Windows\system32\rundll32.exe "C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\RSA662865501.dll",DllInitialize
      4⤵
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1612
    - - C:\Windows\system32\svchost.exe
        
        C:\Windows\system32\svchost.exe
        5⤵
        Adds Run key to start application
        
        PID:980
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C del "C:\Users\Admin\AppData\Local\Temp\88f7fe8fe68d98400883978c509949d0ee5244ceee66a5c7099c36050dfc1727.exe"
    3⤵
    - Deletes itself
    PID:2016

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1160
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1160 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:988

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1688 CREDAT:275457 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:432

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1628 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:268

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{087E8DF1-6DF8-11ED-AAA1-C6F54D7498C3}.dat

Filesize
5KB

MD5
b6f1c10b5a109a0e503bb3972043d860

SHA1
98cc0daa2c4e49b2a462ff884afdee87f195d02d

SHA256
6b996c6c3204859930af95d9549fec23bdaec51d431001eb19413f9a766c1cb6

SHA512
3ccb187d4fc427e595a02109dca5a6eafc858b3a4864718fabaad1eaf8f14740a77ad90d3f01daec3e064f65c75b22a5b751fd9cec5baead6a8529711df2b8ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{196611B1-6DF8-11ED-AAA1-C6F54D7498C3}.dat

Filesize
5KB

MD5
4d85a452de27961b8c39f90286675a05

SHA1
663c6a15d947946a07ca5c925da8764a200582ce

SHA256
4872316be6f8564f40b6e9120d7ff68d742eda177666a1bdfd390d276a295506

SHA512
52f3d3842e8e3919f3fc61f8d13ee65c5a44018a8864e51e6dc00d28d11a66dbfb7d7ef3e02930b8da1eafd73df78d40d3dc9e4823a9085134b874a418d2e0bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{087E8DF3-6DF8-11ED-AAA1-C6F54D7498C3}.dat

Filesize
4KB

MD5
3be1730320ec2d5c74acd4f564f6a406

SHA1
17dd3f541bc18f42b9ed4a91f23cfc04f26bdd4b

SHA256
11a04c14b0fb7b56b32acc5079bb47994fab6f4f6d1eb2924ec875889b2dba43

SHA512
cf7ccf157e437abaa49cc1a426fd92b8dea6c389ef24f9ea88bd76ed87aa65fcf12bcb801bb833acdc1b222141269bcbb9eb6759687fde1e9d909aea7acd9952

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{196611B3-6DF8-11ED-AAA1-C6F54D7498C3}.dat

Filesize
4KB

MD5
042f6e4ee36bf4079007ba94a1e5eaed

SHA1
9085adc49e9424a0181b79b04c94686e96e25925

SHA256
8c0874d91ad2fc70d019ab5d58ad9e2f3e454a07cae1370de053720472a246dd

SHA512
14442651ee70b8ead753fbd9f95732b9d6d0ef5a89495638d5d0323893568be258f8c6a01118f3182e992887957f82565497407cda88dd92a5147acd1106fe56

Download Submit
C:\Users\Admin\AppData\Local\Temp\L662865501

Filesize
554B

MD5
79f97e73d5f6b6bed8ddad64a7840ea8

SHA1
f3b629f4062ea43d04a2733eee7986cdc078a77f

SHA256
732a18f1e4f11f672ed35abad06b04b6b8995ed09bfb34502d4409466348164b

SHA512
3e961d215716c5d4e6e11da67ace7af3f143aa92d58bf082df92ea791e0e38dc8e8372e8e417aa861b952be79336819d4422ebd2742c4fcea068811132c8e8ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\NTFS.sys

Filesize
12KB

MD5
ac95ea72a833d54be29791008f3ced14

SHA1
ac9f69c6c4fbe05a7a680883a8c761c60f3aacd0

SHA256
f7a21e5e75fe70c4bd6acf6641cc9be0261ea0931c36878258665940e25ee14a

SHA512
c097d856e8728b39059c49429d642dc00b2ce87453de71e0a3a4fc261e383f7c08ffbe4149925b148bdc2111abb6f50dc2d338e53fe137bc82fe7747251aa311

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4187.tmp

Filesize
484B

MD5
e9dd4bea50a9d2f78573379ea643bab4

SHA1
7de46217a32fe093067c103c334f10d2884e78a8

SHA256
6930e42a04491957f63785568f9fa0a72ea4e3d770681809b84e6bbe748f277b

SHA512
fd6e23e6c6709fc2b3a0164be8948d21c740240a8fa7a3b0ca24b173b6e728f12ed241216e045031af241ccd59117490cecc53227b1a7b814c2eff81990fe391

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7F6D.tmp

Filesize
27B

MD5
2c260daf0565026c8a6bdd4a39451bc5

SHA1
01cee86723a98ae3344cfa4b541e17476be6343d

SHA256
99371270f3cd51a87beb766d40980fd730886f291c0e138c04a930a6f66140d9

SHA512
0f90322f4a770ff936bc8a10cade45178bd8392590e56c312d6816359b6ad5e47bafac90c1bff861e64b3c74d0ea77247dc67113dc275ac380b72a5afb89c1be

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEAFD.tmp

Filesize
2KB

MD5
0ea257b6046f8876f7de9274f1fdfe08

SHA1
46a1b335aad0383a9d77d5f056efc82d23fd7938

SHA256
0a5e35e46c34d3493adcfbcf0728cf628d3f83cf33591c48aba2833b4c83c1fb

SHA512
c7157742e0bc80966dc3c4b793391e36256084e362dc64ceff52639d31b8feddb96638953feaf1087410f6349a2a8544306770c98899d636efd4d60a2db6cb2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF04B.tmp

Filesize
421B

MD5
72cf2cfdeb363d108f6aae871b20ffc6

SHA1
ea5d199fe27812b4626c615bbf0b48051aa259d2

SHA256
1834c6cadd2217dedc9b13470968af9950f3334c53ce063178714e7018e217ed

SHA512
b387a4a70b875832f37b539a909fb5dbc5e52c83735be5d2e7015cb05383a984ac127b0f281fbb422975764f01537b12ffcbb66fad728ba3f0071b75fc28fa51

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DF96599DE0A3F6FE7F.TMP

Filesize
16KB

MD5
e2d7b0a9258d3fefa28f5a2d218c5b9a

SHA1
8640c4c23c5403a321099cec8215f74279d2543e

SHA256
ed90e3dc28c04ee01b81f639f8bb4dacb588659a2423c08e78087ed5e39efe57

SHA512
3bf643fed775942d4108f31ad26031668e97093071e9d7d0bf5fe681c33e07f6dd25f44962ab0f1f245ca0ba01c3473a8bed2e7ce7c4ff8cf869f03a29e23a76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\RSA662865501.dll

Filesize
78KB

MD5
4f5d2153fd1c6b5aa381e35a17849447

SHA1
07bbe26b5644e8b660709399e265dce4d4e7a437

SHA256
7182214a607947e1b50932965df954b5a86299fc325c9da7184130edc303ef64

SHA512
6e948c90fe47c4484929e17c3d02db57479b588708102015c9c88cb61941001e25bf341dd4e741e334ab85bc1bc016c7f42f6efa6ade2a5fca34ab70c3ae90c3

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\RSA662865501.dll

Filesize
78KB

MD5
4f5d2153fd1c6b5aa381e35a17849447

SHA1
07bbe26b5644e8b660709399e265dce4d4e7a437

SHA256
7182214a607947e1b50932965df954b5a86299fc325c9da7184130edc303ef64

SHA512
6e948c90fe47c4484929e17c3d02db57479b588708102015c9c88cb61941001e25bf341dd4e741e334ab85bc1bc016c7f42f6efa6ade2a5fca34ab70c3ae90c3

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\RSA662865501.dll

Filesize
78KB

MD5
4f5d2153fd1c6b5aa381e35a17849447

SHA1
07bbe26b5644e8b660709399e265dce4d4e7a437

SHA256
7182214a607947e1b50932965df954b5a86299fc325c9da7184130edc303ef64

SHA512
6e948c90fe47c4484929e17c3d02db57479b588708102015c9c88cb61941001e25bf341dd4e741e334ab85bc1bc016c7f42f6efa6ade2a5fca34ab70c3ae90c3

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\RSA662865501.dll

Filesize
78KB

MD5
4f5d2153fd1c6b5aa381e35a17849447

SHA1
07bbe26b5644e8b660709399e265dce4d4e7a437

SHA256
7182214a607947e1b50932965df954b5a86299fc325c9da7184130edc303ef64

SHA512
6e948c90fe47c4484929e17c3d02db57479b588708102015c9c88cb61941001e25bf341dd4e741e334ab85bc1bc016c7f42f6efa6ade2a5fca34ab70c3ae90c3

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\RSA662865501.dll

Filesize
78KB

MD5
4f5d2153fd1c6b5aa381e35a17849447

SHA1
07bbe26b5644e8b660709399e265dce4d4e7a437

SHA256
7182214a607947e1b50932965df954b5a86299fc325c9da7184130edc303ef64

SHA512
6e948c90fe47c4484929e17c3d02db57479b588708102015c9c88cb61941001e25bf341dd4e741e334ab85bc1bc016c7f42f6efa6ade2a5fca34ab70c3ae90c3

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\RSA662865501.dll

Filesize
78KB

MD5
4f5d2153fd1c6b5aa381e35a17849447

SHA1
07bbe26b5644e8b660709399e265dce4d4e7a437

SHA256
7182214a607947e1b50932965df954b5a86299fc325c9da7184130edc303ef64

SHA512
6e948c90fe47c4484929e17c3d02db57479b588708102015c9c88cb61941001e25bf341dd4e741e334ab85bc1bc016c7f42f6efa6ade2a5fca34ab70c3ae90c3

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\RSA662865501.dll

Filesize
78KB

MD5
4f5d2153fd1c6b5aa381e35a17849447

SHA1
07bbe26b5644e8b660709399e265dce4d4e7a437

SHA256
7182214a607947e1b50932965df954b5a86299fc325c9da7184130edc303ef64

SHA512
6e948c90fe47c4484929e17c3d02db57479b588708102015c9c88cb61941001e25bf341dd4e741e334ab85bc1bc016c7f42f6efa6ade2a5fca34ab70c3ae90c3

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\RSA662865501.dll

Filesize
78KB

MD5
4f5d2153fd1c6b5aa381e35a17849447

SHA1
07bbe26b5644e8b660709399e265dce4d4e7a437

SHA256
7182214a607947e1b50932965df954b5a86299fc325c9da7184130edc303ef64

SHA512
6e948c90fe47c4484929e17c3d02db57479b588708102015c9c88cb61941001e25bf341dd4e741e334ab85bc1bc016c7f42f6efa6ade2a5fca34ab70c3ae90c3

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\RSA662865501.dll

Filesize
78KB

MD5
4f5d2153fd1c6b5aa381e35a17849447

SHA1
07bbe26b5644e8b660709399e265dce4d4e7a437

SHA256
7182214a607947e1b50932965df954b5a86299fc325c9da7184130edc303ef64

SHA512
6e948c90fe47c4484929e17c3d02db57479b588708102015c9c88cb61941001e25bf341dd4e741e334ab85bc1bc016c7f42f6efa6ade2a5fca34ab70c3ae90c3

Download Submit
memory/980-96-0x000000007600B5D0-mapping.dmp

Download
memory/980-88-0x0000000076000000-0x000000007601A000-memory.dmp

Filesize
104KB

Download
memory/980-90-0x0000000076000000-0x000000007601A000-memory.dmp

Filesize
104KB

Download
memory/1100-76-0x0000000000000000-mapping.dmp

Download
memory/1220-54-0x0000000074D81000-0x0000000074D83000-memory.dmp

Filesize
8KB

Download
memory/1220-67-0x0000000000240000-0x000000000028F000-memory.dmp

Filesize
316KB

Download
memory/1612-83-0x0000000000000000-mapping.dmp

Download
memory/2000-68-0x0000000000500000-0x000000000059D000-memory.dmp

Filesize
628KB

Download
memory/2000-65-0x0000000076000000-0x0000000076051000-memory.dmp

Filesize
324KB

Download
memory/2000-70-0x0000000076000000-0x0000000076051000-memory.dmp

Filesize
324KB

Download
memory/2000-71-0x0000000076000000-0x0000000076051000-memory.dmp

Filesize
324KB

Download
memory/2000-66-0x000000007600CB50-mapping.dmp

Download
memory/2000-63-0x0000000076000000-0x0000000076051000-memory.dmp

Filesize
324KB

Download
memory/2000-62-0x0000000076000000-0x0000000076051000-memory.dmp

Filesize
324KB

Download
memory/2000-60-0x0000000076000000-0x0000000076051000-memory.dmp

Filesize
324KB

Download
memory/2000-58-0x0000000076000000-0x0000000076051000-memory.dmp

Filesize
324KB

Download
memory/2000-56-0x0000000076000000-0x0000000076051000-memory.dmp

Filesize
324KB

Download
memory/2000-55-0x0000000076000000-0x0000000076051000-memory.dmp

Filesize
324KB

Download
memory/2000-105-0x0000000076000000-0x0000000076051000-memory.dmp

Filesize
324KB

Download
memory/2016-104-0x0000000000000000-mapping.dmp

Download