Overview
- Static: score 10
- Downloads/...09.exe (windows7-x64): score 1
- Downloads/...09.exe (windows10-2004-x64): score 1
- Downloads/...d3.exe (windows7-x64): score 1
- Downloads/...d3.exe (windows10-2004-x64): score 1
- Downloads/...9e.exe (windows7-x64): score 1
- Downloads/...9e.exe (windows10-2004-x64): score 1
- Downloads/...80.exe (windows7-x64): score 10
- Downloads/...80.exe (windows10-2004-x64): score 10
- Downloads/...a7.exe (windows7-x64): score 10
- Downloads/...a7.exe (windows10-2004-x64): score 10
- Downloads/...a6.exe (windows7-x64): score 7
- Downloads/...a6.exe (windows10-2004-x64): score 10
Analysis (score 10)
- max time kernel: 143s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 24-03-2023 08:54
Tasks
- static1 (static task)
- behavioral1: Downloads/56b5116db18b2599a5ea7f3b2302c709.exe, resource win7-20230220-en
- behavioral2: Downloads/56b5116db18b2599a5ea7f3b2302c709.exe, resource win10v2004-20230220-en
- behavioral3: Downloads/5a45119a2603b6ad08c7f5e44e9588d3.exe, resource win7-20230220-en
- behavioral4: Downloads/5a45119a2603b6ad08c7f5e44e9588d3.exe, resource win10v2004-20230220-en
- behavioral5: Downloads/7880a7beae205f43c9f2155785b7959e.exe, resource win7-20230220-en
- behavioral6: Downloads/7880a7beae205f43c9f2155785b7959e.exe, resource win10v2004-20230221-en
- behavioral7: Downloads/c620d1f1f0d646823126ac3f36c5a780.exe, resource win7-20230220-en
- behavioral8: Downloads/c620d1f1f0d646823126ac3f36c5a780.exe, resource win10v2004-20230220-en
- behavioral9: Downloads/cde34053c215372ba47c1c8fbd6b25a7.exe, resource win7-20230220-en
- behavioral10: Downloads/cde34053c215372ba47c1c8fbd6b25a7.exe, resource win10v2004-20230220-en
- behavioral11: Downloads/fff09f45a81ce93c0a01f7bc9221aaa6.exe, resource win7-20230220-en
- behavioral12: Downloads/fff09f45a81ce93c0a01f7bc9221aaa6.exe, resource win10v2004-20230221-en
General
- Target: Downloads/cde34053c215372ba47c1c8fbd6b25a7.exe
- Size: 586KB
- MD5: cde34053c215372ba47c1c8fbd6b25a7
- SHA1: 6958eea76c1097ef9c205e734c4baf93b0f47e04
- SHA256: c243a13a3604d8c29d04b46eebbbd590f1d5b1d39ae5be93f800763a5a592a6e
- SHA512: f6e018d9454c206a6b3449d4a6162c59c21cef8a832270b66b6a125e5bd1dca2f1048e0e85b4da594403b9c2218908d42f61d7593aa79f009486b7f927a77f14
- SSDEEP: 12288:/k5L2FqPvuuuuuuuuuz95QRuLtH/J2IW+xItN7dmqJCt4I3U:/2yQPK3COHEvhVaK/
Malware Config
Extracted family: cobaltstrike (watermark 666666)
C2: http://43.143.225.146:8443/level/v5.7/AZF0ZH83YKV
- access_type: 512
- beacon_type: 2048
- host: 43.143.225.146,/level/v5.7/AZF0ZH83YKV
- http_header1: (value missing)
- http_header2: (value missing)
- http_method1: GET
- http_method2: POST
- jitter: 8704
- polling_time: 63580
- port_number: 8443
- sc_process32: %windir%\syswow64\getmac.exe /V
- sc_process64: %windir%\sysnative\systray.exe
- state_machine: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC53EG450Ux+rh7A05/O3iLUyU7CVL1EdIDVu98Sx0RIOam+KhO+TQPZ27BfnYKRCivOu0kxd6A+2eI4PMO4M17etouh/qiRyb2csLTbLWMO5p2AmGCFMaEsm7ZkuCtw1SIb72SbhCAWZCwug9MHsoddP+uDk/GzLZuB1BUJ8MLWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- unknown1: 1.241980928e+09
- unknown2: AAAABAAAAAEAAAOhAAAAAgAAA6EAAAALAAAADwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- uri: /sub/developement/ZPC8QJVNZBY
- user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36
- watermark: 666666
Signatures
- Cobaltstrike: Detected malicious payload which is part of Cobaltstrike.
- Executes dropped EXE (1 IoC)
  Processes:
  - pid 272: poso.exe
- Loads dropped DLL (2 IoCs)
  Processes:
  - pid 1724: cde34053c215372ba47c1c8fbd6b25a7.exe
  - pid 272: poso.exe
- Enumerates physical storage devices (1 TTP): Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description, pid, process, target process):
  - PID 1724 wrote to memory of 272; 1724 cde34053c215372ba47c1c8fbd6b25a7.exe -> poso.exe
  - PID 1724 wrote to memory of 272; 1724 cde34053c215372ba47c1c8fbd6b25a7.exe -> poso.exe
  - PID 1724 wrote to memory of 272; 1724 cde34053c215372ba47c1c8fbd6b25a7.exe -> poso.exe
  - PID 1724 wrote to memory of 272; 1724 cde34053c215372ba47c1c8fbd6b25a7.exe -> poso.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Downloads\cde34053c215372ba47c1c8fbd6b25a7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Downloads\cde34053c215372ba47c1c8fbd6b25a7.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Public\Libraries\poso.exe (child process)
    Command line: "C:\Users\Public\Libraries\poso.exe"
    - Executes dropped EXE
    - Loads dropped DLL
Network
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
  Filesize: 61KB
  MD5: e71c8443ae0bc2e282c73faead0a6dd3
  SHA1: 0c110c1b01e68edfacaeae64781a37b1995fa94b
  SHA256: 95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72
  SHA512: b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6
- C:\Users\Admin\AppData\Local\Temp\Tar45B0.tmp
  Filesize: 161KB
  MD5: be2bec6e8c5653136d3e72fe53c98aa3
  SHA1: a8182d6db17c14671c3d5766c72e58d87c0810de
  SHA256: 1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd
  SHA512: 0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff
- C:\Users\Public\Libraries\Public.avi
  Filesize: 259KB
  MD5: 42717fabe6bd5bc3ad0525b4e2f798cb
  SHA1: a375801df689de89ccf76d3809d4c0312ae9b6b4
  SHA256: 208f27df0b90098d7034c5b1525db5955abf56add5a7392f77bc1d1b63fc6044
  SHA512: bcd8f51e054d1b5723ceb34e76d6f2c43c470c99eeac6e4be7a2064cf970f1f7d01b639880a4463a1e53d6391d5d6fa3e93f0bb88052eb1cba1867726c256bb5
- C:\Users\Public\Libraries\calibre-launcher.dll
  Filesize: 263KB
  MD5: c7ce5c2433a4611b178b9a96fd9fee51
  SHA1: 2d4a3820be3a714e054249cc08de9262f6015f27
  SHA256: 7bad55073d046baba4e9a9e1ac4167c096e9577d6e7b2edd3ae79e1ce13e4681
  SHA512: 7b732c013a9f58547a75f58a8f49de2f454a926b05518e57971e3d8e799994fdc2d481d85deb072fb347f3d318a913fb4a45176e514370c9e2b9ad3b37991d06
- C:\Users\Public\Libraries\poso.exe
  Filesize: 85KB
  MD5: 0cefb63147949f535c5a13714609fa81
  SHA1: 1f3bd5fdb7a4694e9842a59a2ce014bd00268c3b
  SHA256: eb0677c279e0ba23d3cdef33a4f8abc2e1018884647908fa8e1a97ed63752803
  SHA512: 456e4d9e6c56a14ad6cbe1a059b43ac13c26a487bb78492dc33d24d86e388f24b0c8d5f5ffa9aec3f643bbf4efb7da15ed2acd5fb51ea7ea03f25f0a1a9c9138
- \Users\Public\Libraries\calibre-launcher.dll
  Filesize: 263KB
  MD5: c7ce5c2433a4611b178b9a96fd9fee51
  SHA1: 2d4a3820be3a714e054249cc08de9262f6015f27
  SHA256: 7bad55073d046baba4e9a9e1ac4167c096e9577d6e7b2edd3ae79e1ce13e4681
  SHA512: 7b732c013a9f58547a75f58a8f49de2f454a926b05518e57971e3d8e799994fdc2d481d85deb072fb347f3d318a913fb4a45176e514370c9e2b9ad3b37991d06
- \Users\Public\Libraries\poso.exe
  Filesize: 85KB
  MD5: 0cefb63147949f535c5a13714609fa81
  SHA1: 1f3bd5fdb7a4694e9842a59a2ce014bd00268c3b
  SHA256: eb0677c279e0ba23d3cdef33a4f8abc2e1018884647908fa8e1a97ed63752803
  SHA512: 456e4d9e6c56a14ad6cbe1a059b43ac13c26a487bb78492dc33d24d86e388f24b0c8d5f5ffa9aec3f643bbf4efb7da15ed2acd5fb51ea7ea03f25f0a1a9c9138
- memory/272-70-0x0000000000110000-0x0000000000151000-memory.dmp (Filesize: 260KB)
- memory/272-69-0x0000000077830000-0x000000007792A000-memory.dmp (Filesize: 1000KB)
- memory/272-68-0x0000000077930000-0x0000000077A4F000-memory.dmp (Filesize: 1.1MB)
- memory/272-73-0x000007FEBD8F0000-0x000007FEBD900000-memory.dmp (Filesize: 64KB)
- memory/272-72-0x0000000037A90000-0x0000000037AA0000-memory.dmp (Filesize: 64KB)
- memory/272-74-0x0000000001C50000-0x0000000001CD2000-memory.dmp (Filesize: 520KB)
- memory/272-76-0x000007FEBD8F0000-0x000007FEBD900000-memory.dmp (Filesize: 64KB)
- memory/272-67-0x000007FEFD900000-0x000007FEFD96C000-memory.dmp (Filesize: 432KB)
- memory/272-66-0x0000000077A50000-0x0000000077BF9000-memory.dmp (Filesize: 1.7MB)