Analysis
- max time kernel: 269s
- max time network: 320s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04-12-2022 16:18
Static task: static1

Behavioral task: behavioral1
- Sample: cdc9af3b60568c4eb2506895a67fcb4f972cca3c4ad8c2f9da393a92fcde859c.exe
- Resource: win7-20220812-en

Behavioral task: behavioral2
- Sample: cdc9af3b60568c4eb2506895a67fcb4f972cca3c4ad8c2f9da393a92fcde859c.exe
- Resource: win10v2004-20221111-en
General
- Target: cdc9af3b60568c4eb2506895a67fcb4f972cca3c4ad8c2f9da393a92fcde859c.exe
- Size: 120KB
- MD5: 0e446dc5045c9948e10864cd8b230e71
- SHA1: f3738c9f9d20d304f821372b127b07ec05c1f1eb
- SHA256: cdc9af3b60568c4eb2506895a67fcb4f972cca3c4ad8c2f9da393a92fcde859c
- SHA512: 9a39e6fed232d9ca095a5369ae7e969aeeb4a9ad32db7739f4aeb4c9e3d7296533028a129ad4b0cb31f466f14ad4dce948e973350b77602414670e599bf295d0
- SSDEEP: 1536:oX2tAh15hxrmf7VlBSBzD7TbNau3doRzEg0H86Lx8CAcf+SuqGMLefNe6WE5RXQ:+v5hm7VmBP7PtReQJUhMLgEE5RX
Malware Config
Signatures
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: cdc9af3b60568c4eb2506895a67fcb4f972cca3c4ad8c2f9da393a92fcde859c.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows\CurrentVersion\Run | cdc9af3b60568c4eb2506895a67fcb4f972cca3c4ad8c2f9da393a92fcde859c.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StubPath = "\"C:\\ProgramData\\CacheMgr.exe\" -as" | cdc9af3b60568c4eb2506895a67fcb4f972cca3c4ad8c2f9da393a92fcde859c.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: cdc9af3b60568c4eb2506895a67fcb4f972cca3c4ad8c2f9da393a92fcde859c.exe
  description | pid | process | target process
  PID 2128 wrote to memory of 1400 | 2128 | cdc9af3b60568c4eb2506895a67fcb4f972cca3c4ad8c2f9da393a92fcde859c.exe | cmd.exe
  PID 2128 wrote to memory of 1400 | 2128 | cdc9af3b60568c4eb2506895a67fcb4f972cca3c4ad8c2f9da393a92fcde859c.exe | cmd.exe
  PID 2128 wrote to memory of 1400 | 2128 | cdc9af3b60568c4eb2506895a67fcb4f972cca3c4ad8c2f9da393a92fcde859c.exe | cmd.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\cdc9af3b60568c4eb2506895a67fcb4f972cca3c4ad8c2f9da393a92fcde859c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\cdc9af3b60568c4eb2506895a67fcb4f972cca3c4ad8c2f9da393a92fcde859c.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\cdc9af3b60568c4eb2506895a67fcb4f972cca3c4ad8c2f9da393a92fcde859c.exe" "C:\ProgramData\CacheMgr.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1400-137-0x0000000000000000-mapping.dmp
- memory/2128-132-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
- memory/2128-134-0x00000000008F0000-0x00000000009F0000-memory.dmp (Filesize: 1024KB)
- memory/2128-135-0x00000000001D0000-0x00000000001E6000-memory.dmp (Filesize: 88KB)
- memory/2128-136-0x00000000008F0000-0x00000000009F0000-memory.dmp (Filesize: 1024KB)
- memory/2128-138-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)