Overview

overview

10

Static

static

405038bb90...19.exe

windows7-x64

10

405038bb90...19.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    173s
  • max time network
    177s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-11-2022 06:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    405038bb905e5740fb8363dfdc8b03a7d40d7ea80715bb5697a65a0fbcd45119.exe

  • Size

    1.3MB

  • MD5

    f721d46e0049e7604741f53f79fe39a3

  • SHA1

    2bb22da15b74e26de1ffecb81583c403f1893257

  • SHA256

    405038bb905e5740fb8363dfdc8b03a7d40d7ea80715bb5697a65a0fbcd45119

  • SHA512

    89bcac2c72bddc50922381b0a92dcda4a1c2ee26dd8830393a983c19f804096792aa404ff786d5cc7928cae77c448c398c4606b6f869951f92e32931a933cfe3

  • SSDEEP

    24576:R0FGMqzFkMiE4nAcQB2kWf65NShgDAzkxFPh3kEpS:e+Fk+MHn6/SKDIkxxh3

Score
10/10
cobaltstrikemetasploitbackdoorpersistencetrojan

Malware Config

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Signatures

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

    trojanbackdoorcobaltstrike
  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\405038bb905e5740fb8363dfdc8b03a7d40d7ea80715bb5697a65a0fbcd45119.exe
    "C:\Users\Admin\AppData\Local\Temp\405038bb905e5740fb8363dfdc8b03a7d40d7ea80715bb5697a65a0fbcd45119.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:732
    • C:\Users\Admin\AppData\Local\Temp\theYNC.com.exe
      "C:\Users\Admin\AppData\Local\Temp\theYNC.com.exe"
      2⤵
      • Executes dropped EXE
      PID:3076
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\Cvtres.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\Cvtres.exe"
      2⤵
        PID:4544

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\theYNC.com.exe
      Filesize

      245KB

      MD5

      f356cb1e06242e5f221aa20cf33a044a

      SHA1

      75715369757ea20f51791a4c5fb3e6daf407611a

      SHA256

      648cfca36bcd7ad8ae0cb623a7edf04196b7490eebec364b586fb37428214f96

      SHA512

      cd6673482fa6c7d0070f54d53932781a8e27537cd18b067488b607d3f3cb88c88754e5f3ec499b207ef210ca0e3e4b687a7a9eb09fe11f0123ed5b0742aa5a34

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\theYNC.com.exe
      Filesize

      245KB

      MD5

      f356cb1e06242e5f221aa20cf33a044a

      SHA1

      75715369757ea20f51791a4c5fb3e6daf407611a

      SHA256

      648cfca36bcd7ad8ae0cb623a7edf04196b7490eebec364b586fb37428214f96

      SHA512

      cd6673482fa6c7d0070f54d53932781a8e27537cd18b067488b607d3f3cb88c88754e5f3ec499b207ef210ca0e3e4b687a7a9eb09fe11f0123ed5b0742aa5a34

      Download Submit
    • memory/732-132-0x0000000074E50000-0x0000000075401000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/732-143-0x0000000074E50000-0x0000000075401000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/3076-133-0x0000000000000000-mapping.dmp
      Download
    • memory/3076-142-0x000000001C650000-0x000000001D086000-memory.dmp
      Filesize

      10.2MB

      Download
    • memory/4544-136-0x0000000000000000-mapping.dmp
      Download
    • memory/4544-137-0x0000000000400000-0x00000000004EF000-memory.dmp
      Filesize

      956KB

      Download
    • memory/4544-139-0x0000000000400000-0x00000000004EF000-memory.dmp
      Filesize

      956KB

      Download
    • memory/4544-140-0x0000000000400000-0x00000000004EEB38-memory.dmp
      Filesize

      954KB

      Download
    • memory/4544-141-0x0000000000A00000-0x0000000000AE0000-memory.dmp
      Filesize

      896KB

      Download