Analysis

max time kernel: 148s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-03-2023 03:15

Static task: static1
Behavioral task: behavioral1
  Sample: 7e3a6c1639668f468cbc03704bba47d70851775b3666bc58ab98cded79154e03.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: 7e3a6c1639668f468cbc03704bba47d70851775b3666bc58ab98cded79154e03.exe
  Resource: win10v2004-20230220-en
General

Target: 7e3a6c1639668f468cbc03704bba47d70851775b3666bc58ab98cded79154e03.exe
Size: 494KB
MD5: 94b4eb33f72c5df6e7823407e12fa2b5
SHA1: e59fbee36c7604f2fbbb05a13aa2ef6fe2e0f56f
SHA256: 7e3a6c1639668f468cbc03704bba47d70851775b3666bc58ab98cded79154e03
SHA512: 19539f69b0cbcc7c6be91f347d9289b19331f1def5606dc80600edf6b7d2923eefde62fd996614a22bbd56c8bb49293345d8f824f960220bdb91d56d539eb491
SSDEEP: 12288:fzxzTDWikLSb4NS7/dc+tkUXY1AfOY7llq7KKIoYy:dDWHSb4NpnVYPq5Yy
Malware Config

Extracted: cobaltstrike
0
http://85.175.101.203:80/access/
access_type: 512
host: 85.175.101.203,/access/
http_header1: 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
http_header2: 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
http_method1: GET
http_method2: POST
polling_time: 1000
port_number: 80
sc_process32: %windir%\syswow64\rundll32.exe
sc_process64: %windir%\sysnative\rundll32.exe
state_machine: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCnOM3nXx+7HBhkbDd+AwFrFisSunK999w2tM0uTpuuEiBalcJhcL+QgQWtf6S7zPp5hjImG+2YcPl18geU4f5JlSPXHwilbK4DFb/ePWyKFjhrA7emVRqhM21QMlo1ANsn14rY/RO2pzuft8P7TXoIjjI/B2GGVuzYNZX6X4I2EwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1: 7.382016e+08
unknown2: AAAABAAAAAIAAAAQAAAAAgAAABAAAAACAAAADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri: /radio/xmlrpc/v35
user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark: 0
Signatures

Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.

Blocklisted process makes network request (6 IoCs)
  Processes:
    flow | pid | process
    11 | 4680 | rundll32.exe
    12 | 4680 | rundll32.exe
    13 | 4680 | rundll32.exe
    46 | 4680 | rundll32.exe
    47 | 4680 | rundll32.exe
    56 | 4680 | rundll32.exe

Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation | 7e3a6c1639668f468cbc03704bba47d70851775b3666bc58ab98cded79154e03.exe
    Key value queried | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation | Servis.exe

Executes dropped EXE (2 IoCs)
  Processes:
    pid | process
    4944 | Servis.exe
    4868 | UAC.exe

Drops file in System32 directory (4 IoCs)
  Processes:
    description | ioc | process
    File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | rundll32.exe
    File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | rundll32.exe
    File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | rundll32.exe
    File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | rundll32.exe

Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    description | pid | process | target process
    PID 4868 set thread context of 4680 | 4868 | UAC.exe | rundll32.exe

Drops file in Windows directory (5 IoCs)
  Processes:
    description | ioc | process
    File created | C:\Windows\__tmp_rar_sfx_access_check_240544140 | 7e3a6c1639668f468cbc03704bba47d70851775b3666bc58ab98cded79154e03.exe
    File created | C:\Windows\Servis.exe | 7e3a6c1639668f468cbc03704bba47d70851775b3666bc58ab98cded79154e03.exe
    File opened for modification | C:\Windows\Servis.exe | 7e3a6c1639668f468cbc03704bba47d70851775b3666bc58ab98cded79154e03.exe
    File created | C:\Windows\UAC.exe | 7e3a6c1639668f468cbc03704bba47d70851775b3666bc58ab98cded79154e03.exe
    File opened for modification | C:\Windows\UAC.exe | 7e3a6c1639668f468cbc03704bba47d70851775b3666bc58ab98cded79154e03.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies data under HKEY_USERS (3 IoCs)
  Processes:
    description | ioc | process
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | rundll32.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | rundll32.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | rundll32.exe

Suspicious behavior: EnumeratesProcesses (10 IoCs)
  Processes:
    pid | process
    1568 | powershell.exe
    1568 | powershell.exe
    1592 | powershell.exe
    1592 | powershell.exe
    4680 | rundll32.exe
    4680 | rundll32.exe
    4680 | rundll32.exe
    4680 | rundll32.exe
    4680 | rundll32.exe
    4680 | rundll32.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes:
    pid | process
    3116 | Explorer.EXE

Suspicious use of AdjustPrivilegeToken (8 IoCs)
  Processes:
    description | pid | process
    Token: SeSecurityPrivilege | 2368 | 7e3a6c1639668f468cbc03704bba47d70851775b3666bc58ab98cded79154e03.exe
    Token: SeRestorePrivilege | 2368 | 7e3a6c1639668f468cbc03704bba47d70851775b3666bc58ab98cded79154e03.exe
    Token: SeDebugPrivilege | 1568 | powershell.exe
    Token: SeDebugPrivilege | 1592 | powershell.exe
    Token: SeShutdownPrivilege | 3116 | Explorer.EXE
    Token: SeCreatePagefilePrivilege | 3116 | Explorer.EXE
    Token: SeShutdownPrivilege | 3116 | Explorer.EXE
    Token: SeCreatePagefilePrivilege | 3116 | Explorer.EXE

Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes:
    pid | process
    3116 | Explorer.EXE
    3116 | Explorer.EXE

Suspicious use of WriteProcessMemory (14 IoCs)
  Processes:
    description | pid | process | target process
    PID 2368 wrote to memory of 4944 | 2368 | 7e3a6c1639668f468cbc03704bba47d70851775b3666bc58ab98cded79154e03.exe | Servis.exe
    PID 2368 wrote to memory of 4944 | 2368 | 7e3a6c1639668f468cbc03704bba47d70851775b3666bc58ab98cded79154e03.exe | Servis.exe
    PID 2368 wrote to memory of 4944 | 2368 | 7e3a6c1639668f468cbc03704bba47d70851775b3666bc58ab98cded79154e03.exe | Servis.exe
    PID 4944 wrote to memory of 2016 | 4944 | Servis.exe | cmd.exe
    PID 4944 wrote to memory of 2016 | 4944 | Servis.exe | cmd.exe
    PID 2016 wrote to memory of 1568 | 2016 | cmd.exe | powershell.exe
    PID 2016 wrote to memory of 1568 | 2016 | cmd.exe | powershell.exe
    PID 2016 wrote to memory of 1592 | 2016 | cmd.exe | powershell.exe
    PID 2016 wrote to memory of 1592 | 2016 | cmd.exe | powershell.exe
    PID 4868 wrote to memory of 4680 | 4868 | UAC.exe | rundll32.exe
    PID 4868 wrote to memory of 4680 | 4868 | UAC.exe | rundll32.exe
    PID 4868 wrote to memory of 4680 | 4868 | UAC.exe | rundll32.exe
    PID 4868 wrote to memory of 4680 | 4868 | UAC.exe | rundll32.exe
    PID 4680 wrote to memory of 3116 | 4680 | rundll32.exe | Explorer.EXE
Processes

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

  C:\Users\Admin\AppData\Local\Temp\7e3a6c1639668f468cbc03704bba47d70851775b3666bc58ab98cded79154e03.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\7e3a6c1639668f468cbc03704bba47d70851775b3666bc58ab98cded79154e03.exe"
    - Checks computer location settings
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\Servis.exe
      Command line: "C:\Windows\Servis.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\cmd.exe
        Command line: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\6D45.tmp\6D46.tmp\6D47.bat C:\Windows\Servis.exe"
        - Suspicious use of WriteProcessMemory

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell -executionpolicy bypass -command "New-Service -Name UAC -BinaryPathName C:\Windows\UAC.exe"
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell -executionpolicy bypass -command "Start-Service -Name UAC -PassThru"
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

C:\Windows\UAC.exe
  Command line: C:\Windows\UAC.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe
    Command line: C:\Windows\System32\rundll32.exe
    - Blocklisted process makes network request
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  Filesize: 3KB
  MD5: 92f89789864052cac0862ed6b4f1e706
  SHA1: aa6594951427e103fa025c8ebef3ec5a5f85866c
  SHA256: 73123d6e562b26b1fd2cf4fece67930d95fc4738bad8d1f386345a5311274739
  SHA512: 71a0261ee6ffcd2e9bb336dde7110f80ac6fa01df5433e77cc170649b7936653d89229255fbeac15692e8736c9f3e5d15d62b2372865fe3d7ab933c511c2894e

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 64B
  MD5: 0ff7e1af4cc86e108eef582452b35523
  SHA1: c2ccf2811d56c3a3a58dced2b07f95076c6b5b96
  SHA256: 62ed8ef2250f9f744852cb67df0286c80f94e26aed646989b76e5b78f2f1f0d0
  SHA512: 374675fd36cd8bc38acaec44d4cc855b85feece548d99616496d498e61e943fd695fec7c57550a58a32455e8b21b41bafa18cd1dadac69676fff1de1a56da937

C:\Users\Admin\AppData\Local\Temp\6D45.tmp\6D46.tmp\6D47.bat
  Filesize: 211B
  MD5: ceb3c06960136b0e3ebadca62fdf415e
  SHA1: 8b67ec15381aad2453ad9f78f9ebd469de1a2925
  SHA256: d821ecc0208b6fcb11311f7c0abc45f640da48c09a37051da3320676495d5b16
  SHA512: 9cf6ea5b486b33add21944225e6cc62fd2402628caf43d76ac3dfdb58ea4a3c965489de627c0c11d7a26065ae4d158ff687860ac0d3fe2dd5a502912100fb9d3

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_u2ttnzew.qtk.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\Servis.exe
  Filesize: 87KB
  MD5: 461938519e0d15b209cf0da74d686e05
  SHA1: f7a21d413eba8ee1b8c82546cb1d0396aea6dc73
  SHA256: 013f4ea44e1685269f940dced55d46485393c9a58160c79de69eed2f470ac82b
  SHA512: 33640f9d37838b9ecbe842623980eafe24c9fc58e0ab26ee87d97de2edaa709879f593bc383638ba0af1c0f9917bb1c0c1b09762e72f174dbbb39c51c7a51f1e

C:\Windows\UAC.exe
  Filesize: 282KB
  MD5: d8c81b67c27140970e704edb6e0faf63
  SHA1: 43d91226c004d2b5538c4e057cd05eb9b52166be
  SHA256: da68308adf531b3dc93d7443669bfe84650c6fea041e3fdb63b4703b1be1cc5b
  SHA512: 5ec9cb623987ae9ac524a5de02ae1ace0e3cc549cb134fa056d2c257dffafb51fb55c47fbdea29a6c9d215ea6b1b63baf6f3ebba81bc2118dac508d7c68d2268

memory/1568-158-0x00000227F4CA0000-0x00000227F4CB0000-memory.dmp
  Filesize: 64KB

memory/1568-159-0x00000227F4CA0000-0x00000227F4CB0000-memory.dmp
  Filesize: 64KB

memory/1568-153-0x00000227F5600000-0x00000227F5622000-memory.dmp
  Filesize: 136KB

memory/1592-180-0x0000028D33DD0000-0x0000028D33DE0000-memory.dmp
  Filesize: 64KB

memory/1592-163-0x0000028D33DD0000-0x0000028D33DE0000-memory.dmp
  Filesize: 64KB

memory/1592-172-0x0000028D33DD0000-0x0000028D33DE0000-memory.dmp
  Filesize: 64KB

memory/3116-184-0x00000000006E0000-0x00000000006F5000-memory.dmp
  Filesize: 84KB

memory/3116-185-0x0000000000750000-0x0000000000769000-memory.dmp
  Filesize: 100KB

memory/4680-177-0x0000000000110000-0x0000000000144000-memory.dmp
  Filesize: 208KB

memory/4680-181-0x00000000005F0000-0x000000000062E000-memory.dmp
  Filesize: 248KB

memory/4680-183-0x00000000005F0000-0x000000000062E000-memory.dmp
  Filesize: 248KB

memory/4680-187-0x00000000016E0000-0x00000000016E1000-memory.dmp
  Filesize: 4KB

memory/4680-186-0x00000000013C0000-0x00000000013C1000-memory.dmp
  Filesize: 4KB

memory/4680-188-0x00000000013C0000-0x00000000013C1000-memory.dmp
  Filesize: 4KB

memory/4868-179-0x0000000000D30000-0x0000000000D7D000-memory.dmp
  Filesize: 308KB