4c01488b3e16e21aeaef9fb3ea1e66ebb5b5d8b41b5b1d0797d2686020a48c28

Analysis

max time kernel
266s
max time network
216s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
02/06/2023, 00:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cosba64.exe
Size

238.2MB
MD5

f08f7876b0414cee5a471f456790ecd3
SHA1

935928cfa2e1ba8d4a0afbfe3f89d8f72c6b344f
SHA256

4c01488b3e16e21aeaef9fb3ea1e66ebb5b5d8b41b5b1d0797d2686020a48c28
SHA512

f9a248d6e93308bfbc23adf164c63284aa3d5c13a337e632746f400213afd0af21ccd43bca492d321d675e740dad923bfc909090f575430ff9042c551dc5217d
SSDEEP

98304:efoB/2sOjbllT1/gTA/8DGEWXrwR75sIQpz5MNv4xi3npUmcLBgy2enlHnRJsNPb:enljn14L9WXr67xQLMSMpZcLRJnGb

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
340	cosba64.exe
1172	cosba64.exe
1688	cosba64.exe
1580	cosba64.exe
1692	cosba64.exe
548	cosba64.exe

Loads dropped DLL 1 IoCs

pid	Process
1696	cosba64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
824	schtasks.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1696	cosba64.exe
340	cosba64.exe
1172	cosba64.exe
1688	cosba64.exe
1580	cosba64.exe
1692	cosba64.exe
548	cosba64.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1696	cosba64.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 1696 wrote to memory of 340	1696	cosba64.exe	27
PID 1696 wrote to memory of 340	1696	cosba64.exe	27
PID 1696 wrote to memory of 340	1696	cosba64.exe	27
PID 1696 wrote to memory of 340	1696	cosba64.exe	27
PID 340 wrote to memory of 824	340	cosba64.exe	28
PID 340 wrote to memory of 824	340	cosba64.exe	28
PID 340 wrote to memory of 824	340	cosba64.exe	28
PID 340 wrote to memory of 824	340	cosba64.exe	28
PID 340 wrote to memory of 1492	340	cosba64.exe	30
PID 340 wrote to memory of 1492	340	cosba64.exe	30
PID 340 wrote to memory of 1492	340	cosba64.exe	30
PID 340 wrote to memory of 1492	340	cosba64.exe	30
PID 1492 wrote to memory of 1516	1492	cmd.exe	32
PID 1492 wrote to memory of 1516	1492	cmd.exe	32
PID 1492 wrote to memory of 1516	1492	cmd.exe	32
PID 1492 wrote to memory of 1516	1492	cmd.exe	32
PID 1492 wrote to memory of 1348	1492	cmd.exe	33
PID 1492 wrote to memory of 1348	1492	cmd.exe	33
PID 1492 wrote to memory of 1348	1492	cmd.exe	33
PID 1492 wrote to memory of 1348	1492	cmd.exe	33
PID 1492 wrote to memory of 2028	1492	cmd.exe	34
PID 1492 wrote to memory of 2028	1492	cmd.exe	34
PID 1492 wrote to memory of 2028	1492	cmd.exe	34
PID 1492 wrote to memory of 2028	1492	cmd.exe	34
PID 1492 wrote to memory of 1360	1492	cmd.exe	35
PID 1492 wrote to memory of 1360	1492	cmd.exe	35
PID 1492 wrote to memory of 1360	1492	cmd.exe	35
PID 1492 wrote to memory of 1360	1492	cmd.exe	35
PID 1492 wrote to memory of 1660	1492	cmd.exe	36
PID 1492 wrote to memory of 1660	1492	cmd.exe	36
PID 1492 wrote to memory of 1660	1492	cmd.exe	36
PID 1492 wrote to memory of 1660	1492	cmd.exe	36
PID 1492 wrote to memory of 616	1492	cmd.exe	37
PID 1492 wrote to memory of 616	1492	cmd.exe	37
PID 1492 wrote to memory of 616	1492	cmd.exe	37
PID 1492 wrote to memory of 616	1492	cmd.exe	37
PID 1800 wrote to memory of 1172	1800	taskeng.exe	41
PID 1800 wrote to memory of 1172	1800	taskeng.exe	41
PID 1800 wrote to memory of 1172	1800	taskeng.exe	41
PID 1800 wrote to memory of 1172	1800	taskeng.exe	41
PID 1800 wrote to memory of 1688	1800	taskeng.exe	42
PID 1800 wrote to memory of 1688	1800	taskeng.exe	42
PID 1800 wrote to memory of 1688	1800	taskeng.exe	42
PID 1800 wrote to memory of 1688	1800	taskeng.exe	42
PID 1800 wrote to memory of 1580	1800	taskeng.exe	43
PID 1800 wrote to memory of 1580	1800	taskeng.exe	43
PID 1800 wrote to memory of 1580	1800	taskeng.exe	43
PID 1800 wrote to memory of 1580	1800	taskeng.exe	43
PID 1800 wrote to memory of 1692	1800	taskeng.exe	44
PID 1800 wrote to memory of 1692	1800	taskeng.exe	44
PID 1800 wrote to memory of 1692	1800	taskeng.exe	44
PID 1800 wrote to memory of 1692	1800	taskeng.exe	44
PID 1800 wrote to memory of 548	1800	taskeng.exe	45
PID 1800 wrote to memory of 548	1800	taskeng.exe	45
PID 1800 wrote to memory of 548	1800	taskeng.exe	45
PID 1800 wrote to memory of 548	1800	taskeng.exe	45

C:\Users\Admin\AppData\Local\Temp\cosba64.exe
"C:\Users\Admin\AppData\Local\Temp\cosba64.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1696
- C:\Users\Admin\AppData\Local\Temp\6bb5824ec4\cosba64.exe
  "C:\Users\Admin\AppData\Local\Temp\6bb5824ec4\cosba64.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:340
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN cosba64.exe /TR "C:\Users\Admin\AppData\Local\Temp\6bb5824ec4\cosba64.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:824
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "cosba64.exe" /P "Admin:N"&&CACLS "cosba64.exe" /P "Admin:R" /E&&echo Y|CACLS "..\6bb5824ec4" /P "Admin:N"&&CACLS "..\6bb5824ec4" /P "Admin:R" /E&&Exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1492
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:1516
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "cosba64.exe" /P "Admin:N"
      4⤵
      PID:1348
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "cosba64.exe" /P "Admin:R" /E
      4⤵
      PID:2028
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:1360
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\6bb5824ec4" /P "Admin:N"
      4⤵
      PID:1660
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\6bb5824ec4" /P "Admin:R" /E
      4⤵
      PID:616

C:\Windows\system32\taskeng.exe
taskeng.exe {67B4B6AF-0517-4DF9-BAA2-64F8FEBCD90B} S-1-5-21-1563773381-2037468142-1146002597-1000:YBHADZIG\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1800
- C:\Users\Admin\AppData\Local\Temp\6bb5824ec4\cosba64.exe
  C:\Users\Admin\AppData\Local\Temp\6bb5824ec4\cosba64.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1172
- C:\Users\Admin\AppData\Local\Temp\6bb5824ec4\cosba64.exe
  C:\Users\Admin\AppData\Local\Temp\6bb5824ec4\cosba64.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1688
- C:\Users\Admin\AppData\Local\Temp\6bb5824ec4\cosba64.exe
  C:\Users\Admin\AppData\Local\Temp\6bb5824ec4\cosba64.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1580
- C:\Users\Admin\AppData\Local\Temp\6bb5824ec4\cosba64.exe
  C:\Users\Admin\AppData\Local\Temp\6bb5824ec4\cosba64.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1692
- C:\Users\Admin\AppData\Local\Temp\6bb5824ec4\cosba64.exe
  C:\Users\Admin\AppData\Local\Temp\6bb5824ec4\cosba64.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:548

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\563773381203

Filesize
64KB

MD5
55ab304d2096b2645652b191c438c305

SHA1
f7909bdfbff7e9566633adc536d2133a5e4959c9

SHA256
e6f1e365efd64db31cbb830eb05bd2e841cfce1f1286bd1280b62d78ae8a7b51

SHA512
1927a7d4f453019f0626962a5a8bbe7391a3267f29f996b38573d3a8554baa8101a87d50fcf3252ac6283c006ea5eadcfebfb81af6d75101bf8cd85d6fe377c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\6bb5824ec4\cosba64.exe

Filesize
238.2MB

MD5
f08f7876b0414cee5a471f456790ecd3

SHA1
935928cfa2e1ba8d4a0afbfe3f89d8f72c6b344f

SHA256
4c01488b3e16e21aeaef9fb3ea1e66ebb5b5d8b41b5b1d0797d2686020a48c28

SHA512
f9a248d6e93308bfbc23adf164c63284aa3d5c13a337e632746f400213afd0af21ccd43bca492d321d675e740dad923bfc909090f575430ff9042c551dc5217d

Download Submit
C:\Users\Admin\AppData\Local\Temp\6bb5824ec4\cosba64.exe

Filesize
238.2MB

MD5
f08f7876b0414cee5a471f456790ecd3

SHA1
935928cfa2e1ba8d4a0afbfe3f89d8f72c6b344f

SHA256
4c01488b3e16e21aeaef9fb3ea1e66ebb5b5d8b41b5b1d0797d2686020a48c28

SHA512
f9a248d6e93308bfbc23adf164c63284aa3d5c13a337e632746f400213afd0af21ccd43bca492d321d675e740dad923bfc909090f575430ff9042c551dc5217d

Download Submit
C:\Users\Admin\AppData\Local\Temp\6bb5824ec4\cosba64.exe

Filesize
238.2MB

MD5
f08f7876b0414cee5a471f456790ecd3

SHA1
935928cfa2e1ba8d4a0afbfe3f89d8f72c6b344f

SHA256
4c01488b3e16e21aeaef9fb3ea1e66ebb5b5d8b41b5b1d0797d2686020a48c28

SHA512
f9a248d6e93308bfbc23adf164c63284aa3d5c13a337e632746f400213afd0af21ccd43bca492d321d675e740dad923bfc909090f575430ff9042c551dc5217d

Download Submit
C:\Users\Admin\AppData\Local\Temp\6bb5824ec4\cosba64.exe

Filesize
238.2MB

MD5
f08f7876b0414cee5a471f456790ecd3

SHA1
935928cfa2e1ba8d4a0afbfe3f89d8f72c6b344f

SHA256
4c01488b3e16e21aeaef9fb3ea1e66ebb5b5d8b41b5b1d0797d2686020a48c28

SHA512
f9a248d6e93308bfbc23adf164c63284aa3d5c13a337e632746f400213afd0af21ccd43bca492d321d675e740dad923bfc909090f575430ff9042c551dc5217d

Download Submit
C:\Users\Admin\AppData\Local\Temp\6bb5824ec4\cosba64.exe

Filesize
238.2MB

MD5
f08f7876b0414cee5a471f456790ecd3

SHA1
935928cfa2e1ba8d4a0afbfe3f89d8f72c6b344f

SHA256
4c01488b3e16e21aeaef9fb3ea1e66ebb5b5d8b41b5b1d0797d2686020a48c28

SHA512
f9a248d6e93308bfbc23adf164c63284aa3d5c13a337e632746f400213afd0af21ccd43bca492d321d675e740dad923bfc909090f575430ff9042c551dc5217d

Download Submit
C:\Users\Admin\AppData\Local\Temp\6bb5824ec4\cosba64.exe

Filesize
238.2MB

MD5
f08f7876b0414cee5a471f456790ecd3

SHA1
935928cfa2e1ba8d4a0afbfe3f89d8f72c6b344f

SHA256
4c01488b3e16e21aeaef9fb3ea1e66ebb5b5d8b41b5b1d0797d2686020a48c28

SHA512
f9a248d6e93308bfbc23adf164c63284aa3d5c13a337e632746f400213afd0af21ccd43bca492d321d675e740dad923bfc909090f575430ff9042c551dc5217d

Download Submit
C:\Users\Admin\AppData\Local\Temp\6bb5824ec4\cosba64.exe

Filesize
238.2MB

MD5
f08f7876b0414cee5a471f456790ecd3

SHA1
935928cfa2e1ba8d4a0afbfe3f89d8f72c6b344f

SHA256
4c01488b3e16e21aeaef9fb3ea1e66ebb5b5d8b41b5b1d0797d2686020a48c28

SHA512
f9a248d6e93308bfbc23adf164c63284aa3d5c13a337e632746f400213afd0af21ccd43bca492d321d675e740dad923bfc909090f575430ff9042c551dc5217d

Download Submit
C:\Users\Admin\AppData\Local\Temp\6bb5824ec4\cosba64.exe

Filesize
238.2MB

MD5
f08f7876b0414cee5a471f456790ecd3

SHA1
935928cfa2e1ba8d4a0afbfe3f89d8f72c6b344f

SHA256
4c01488b3e16e21aeaef9fb3ea1e66ebb5b5d8b41b5b1d0797d2686020a48c28

SHA512
f9a248d6e93308bfbc23adf164c63284aa3d5c13a337e632746f400213afd0af21ccd43bca492d321d675e740dad923bfc909090f575430ff9042c551dc5217d

Download Submit
\Users\Admin\AppData\Local\Temp\6bb5824ec4\cosba64.exe

Filesize
238.2MB

MD5
f08f7876b0414cee5a471f456790ecd3

SHA1
935928cfa2e1ba8d4a0afbfe3f89d8f72c6b344f

SHA256
4c01488b3e16e21aeaef9fb3ea1e66ebb5b5d8b41b5b1d0797d2686020a48c28

SHA512
f9a248d6e93308bfbc23adf164c63284aa3d5c13a337e632746f400213afd0af21ccd43bca492d321d675e740dad923bfc909090f575430ff9042c551dc5217d

Download Submit
memory/340-70-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/340-72-0x0000000000AC0000-0x0000000000FE1000-memory.dmp

Filesize
5.1MB

Download
memory/340-71-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/548-109-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/548-111-0x0000000000AC0000-0x0000000000FE1000-memory.dmp

Filesize
5.1MB

Download
memory/548-110-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1172-87-0x0000000000AC0000-0x0000000000FE1000-memory.dmp

Filesize
5.1MB

Download
memory/1172-86-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/1172-85-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/1580-99-0x0000000000AC0000-0x0000000000FE1000-memory.dmp

Filesize
5.1MB

Download
memory/1580-98-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/1580-97-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/1688-92-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/1688-93-0x0000000000AC0000-0x0000000000FE1000-memory.dmp

Filesize
5.1MB

Download
memory/1692-105-0x0000000000AC0000-0x0000000000FE1000-memory.dmp

Filesize
5.1MB

Download
memory/1696-55-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/1696-59-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/1696-57-0x0000000000E60000-0x0000000001381000-memory.dmp

Filesize
5.1MB

Download
memory/1696-56-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/1696-54-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download