Analysis
max time kernel: 273s
max time network: 262s
platform: windows10-2004_x64
resource: win10v2004-20230221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/06/2023, 00:44
Static task: static1
Behavioral task: behavioral1 (sample: cosba64.exe; resource: win7-20230220-en)
Behavioral task: behavioral2 (sample: cosba64.exe; resource: win10v2004-20230221-en)
General
Target: cosba64.exe
Size: 238.2MB
MD5: f08f7876b0414cee5a471f456790ecd3
SHA1: 935928cfa2e1ba8d4a0afbfe3f89d8f72c6b344f
SHA256: 4c01488b3e16e21aeaef9fb3ea1e66ebb5b5d8b41b5b1d0797d2686020a48c28
SHA512: f9a248d6e93308bfbc23adf164c63284aa3d5c13a337e632746f400213afd0af21ccd43bca492d321d675e740dad923bfc909090f575430ff9042c551dc5217d
SSDEEP: 98304:efoB/2sOjbllT1/gTA/8DGEWXrwR75sIQpz5MNv4xi3npUmcLBgy2enlHnRJsNPb:enljn14L9WXr67xQLMSMpZcLRJnGb
Malware Config
Signatures
-
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence.
  description        ioc                                                                                                       process
  Key value queried  \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation  cosba64.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation  cosba64.exe

Executes dropped EXE (5 IoCs)
  pid   process
  4924  cosba64.exe
  3040  cosba64.exe
  2280  cosba64.exe
  2448  cosba64.exe
  3492  cosba64.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   process
  2340  schtasks.exe

Suspicious behavior: EnumeratesProcesses (12 IoCs)
  pid   process
  2128  cosba64.exe (x2)
  4924  cosba64.exe (x2)
  3040  cosba64.exe (x2)
  2280  cosba64.exe (x2)
  2448  cosba64.exe (x2)
  3492  cosba64.exe (x2)

Suspicious use of FindShellTrayWindow (1 IoC)
  pid   process
  2128  cosba64.exe

Suspicious use of WriteProcessMemory (27 IoCs; each parent/child pair is logged three times)
Every target PID below is a direct child of the writing process in the process tree, so these writes are consistent with ordinary process creation rather than injection into an unrelated process.
  description                        pid   process      procid_target
  PID 2128 wrote to memory of 4924   2128  cosba64.exe  82  (x3)
  PID 4924 wrote to memory of 2340   4924  cosba64.exe  87  (x3)
  PID 4924 wrote to memory of 628    4924  cosba64.exe  88  (x3)
  PID 628 wrote to memory of 3172    628   cmd.exe      91  (x3)
  PID 628 wrote to memory of 1488    628   cmd.exe      92  (x3)
  PID 628 wrote to memory of 3360    628   cmd.exe      93  (x3)
  PID 628 wrote to memory of 4328    628   cmd.exe      94  (x3)
  PID 628 wrote to memory of 4960    628   cmd.exe      95  (x3)
  PID 628 wrote to memory of 1364    628   cmd.exe      96  (x3)
Processes
Image paths resolve to C:\Windows\SysWOW64 although the command lines name System32: the sample is 32-bit (arch:x86), so WOW64 file-system redirection applies to the system binaries it spawns. The CACLS sequence first replaces the ACL of the dropped copy and its directory with a single no-access entry for Admin (/P "Admin:N"), then edits that ACL to add read access (/P "Admin:R" /E); "echo Y" answers the CACLS confirmation prompt. The four depth-1 executions of C:\Users\Admin\AppData\Local\Temp\6bb5824ec4\cosba64.exe (PIDs 3040, 2280, 2448, 3492) have no parent in the tree, which is consistent with the minute-interval scheduled task firing during the 273s run.

[1] C:\Users\Admin\AppData\Local\Temp\cosba64.exe (PID 2128)
    command line: "C:\Users\Admin\AppData\Local\Temp\cosba64.exe"
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\6bb5824ec4\cosba64.exe (PID 4924)
      command line: "C:\Users\Admin\AppData\Local\Temp\6bb5824ec4\cosba64.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\schtasks.exe (PID 2340)
        command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN cosba64.exe /TR "C:\Users\Admin\AppData\Local\Temp\6bb5824ec4\cosba64.exe" /F
        - Creates scheduled task(s)
    [3] C:\Windows\SysWOW64\cmd.exe (PID 628)
        command line: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "cosba64.exe" /P "Admin:N"&&CACLS "cosba64.exe" /P "Admin:R" /E&&echo Y|CACLS "..\6bb5824ec4" /P "Admin:N"&&CACLS "..\6bb5824ec4" /P "Admin:R" /E&&Exit
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\cmd.exe (PID 3172)
          command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      [4] C:\Windows\SysWOW64\cacls.exe (PID 1488)
          command line: CACLS "cosba64.exe" /P "Admin:N"
      [4] C:\Windows\SysWOW64\cacls.exe (PID 3360)
          command line: CACLS "cosba64.exe" /P "Admin:R" /E
      [4] C:\Windows\SysWOW64\cmd.exe (PID 4328)
          command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      [4] C:\Windows\SysWOW64\cacls.exe (PID 4960)
          command line: CACLS "..\6bb5824ec4" /P "Admin:N"
      [4] C:\Windows\SysWOW64\cacls.exe (PID 1364)
          command line: CACLS "..\6bb5824ec4" /P "Admin:R" /E

[1] C:\Users\Admin\AppData\Local\Temp\6bb5824ec4\cosba64.exe (PID 3040)
    command line: C:\Users\Admin\AppData\Local\Temp\6bb5824ec4\cosba64.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses

[1] C:\Users\Admin\AppData\Local\Temp\6bb5824ec4\cosba64.exe (PID 2280)
    command line: C:\Users\Admin\AppData\Local\Temp\6bb5824ec4\cosba64.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses

[1] C:\Users\Admin\AppData\Local\Temp\6bb5824ec4\cosba64.exe (PID 2448)
    command line: C:\Users\Admin\AppData\Local\Temp\6bb5824ec4\cosba64.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses

[1] C:\Users\Admin\AppData\Local\Temp\6bb5824ec4\cosba64.exe (PID 3492)
    command line: C:\Users\Admin\AppData\Local\Temp\6bb5824ec4\cosba64.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
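The schtasks and CACLS command lines in the tree form a pattern worth detecting on endpoints: a task that re-runs a dropped copy every minute from a user-writable directory, and a CACLS /P call with a no-access (":N") permission aimed at that copy. The Python below is an added detection example written for this page; it is not code from the sandbox or from anyone who analysed the sample. The command lines are copied verbatim from the process tree, the event dictionaries are constructed in a Sysmon-like shape whose field names (pid, ppid, image, cmdline) are an assumption, and the final hourly task is a constructed benign control. The rules generalise beyond this report: any schedule of five minutes or less whose action lives under AppData or Users\Public is flagged, as is any CACLS /P that assigns ":N".

```python
import re

# Constructed process-creation events in a Sysmon-like shape (field names are an
# assumption, not the sandbox's schema). The first four command lines are copied
# verbatim from the report's process tree; the last event is a constructed benign
# hourly task used as a control and is not from the report.
EVENTS = [
    {"pid": 2340, "ppid": 4924, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN cosba64.exe '
                r'/TR "C:\Users\Admin\AppData\Local\Temp\6bb5824ec4\cosba64.exe" /F'},
    {"pid": 1488, "ppid": 628, "image": r"C:\Windows\SysWOW64\cacls.exe",
     "cmdline": r'CACLS "cosba64.exe" /P "Admin:N"'},
    {"pid": 3360, "ppid": 628, "image": r"C:\Windows\SysWOW64\cacls.exe",
     "cmdline": r'CACLS "cosba64.exe" /P "Admin:R" /E'},
    {"pid": 4960, "ppid": 628, "image": r"C:\Windows\SysWOW64\cacls.exe",
     "cmdline": r'CACLS "..\6bb5824ec4" /P "Admin:N"'},
    {"pid": 9001, "ppid": 9000, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /Create /SC HOURLY /TN Updater /TR "C:\Program Files\Vendor\upd.exe"'},
]

# Locations an unprivileged user can write to; a task action living here is suspect.
USER_WRITABLE = re.compile(r"\\AppData\\(Local|Roaming)\\|\\Users\\Public\\", re.IGNORECASE)

# schtasks /SC units expressed in minutes; /MO multiplies them.
SCHEDULE_MINUTES = {"MINUTE": 1, "HOURLY": 60, "DAILY": 1440}
MAX_BENIGN_INTERVAL = 5  # tighter than this from a user-writable path gets flagged


def tokenize(cmdline):
    """Split a Windows command line, keeping quoted arguments whole and stripping their quotes."""
    return [t[1:-1] if len(t) >= 2 and t[0] == t[-1] == '"' else t
            for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_schtasks(cmdline):
    """Return the switches of a `schtasks /Create` command as {SWITCH: value}, or None.

    A switch directly followed by another switch (e.g. /F) is stored as True.
    """
    toks = tokenize(cmdline)
    if not any(t.upper() == "/CREATE" for t in toks):
        return None
    opts = {}
    for i, t in enumerate(toks):
        if t.startswith("/"):
            nxt = toks[i + 1] if i + 1 < len(toks) else None
            opts[t.upper()] = nxt if nxt is not None and not nxt.startswith("/") else True
    return opts


def interval_minutes(opts):
    """Trigger interval in minutes for a parsed /Create, or None for schedules we do not model."""
    unit = SCHEDULE_MINUTES.get(str(opts.get("/SC", "")).upper())
    if unit is None:
        return None
    try:
        return unit * int(opts.get("/MO", 1))
    except (TypeError, ValueError):
        return unit


def classify(event):
    """Return a list of (rule, detail) findings for one process-creation event."""
    findings = []
    image = event["image"].lower()
    if image.endswith("\\schtasks.exe"):
        opts = parse_schtasks(event["cmdline"])
        if opts:
            action = str(opts.get("/TR", ""))
            mins = interval_minutes(opts)
            if mins is not None and mins <= MAX_BENIGN_INTERVAL and USER_WRITABLE.search(action):
                findings.append(("schtasks_short_interval_user_writable",
                                 f"task {opts.get('/TN')} every {mins} min -> {action}"))
    elif image.endswith("\\cacls.exe"):
        toks = tokenize(event["cmdline"])
        # `CACLS <obj> /P user:N` without /E replaces the ACL with a no-access entry for that user.
        for i, t in enumerate(toks):
            if t.upper() == "/P" and i + 1 < len(toks) and toks[i + 1].upper().endswith(":N"):
                findings.append(("cacls_no_access", f"{toks[1]} -> {toks[i + 1]}"))
    return findings


def analyze(events):
    """Run classify() over an event stream and return (pid, rule, detail) triples."""
    return [(e["pid"], rule, detail) for e in events for rule, detail in classify(e)]


if __name__ == "__main__":
    for pid, rule, detail in analyze(EVENTS):
        print(f"{pid:>5}  {rule:40}  {detail}")
```

Run stand-alone it reports PID 2340 for the minute-interval task and PIDs 1488 and 4960 for the two no-access CACLS calls; the /P "Admin:R" /E edits and the hourly control task produce nothing. The tokenizer deliberately keeps quoted paths with spaces intact, since the task action is the path the interval rule inspects.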
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 238.2MB (seven entries in the report share these hashes)
MD5: f08f7876b0414cee5a471f456790ecd3
SHA1: 935928cfa2e1ba8d4a0afbfe3f89d8f72c6b344f
SHA256: 4c01488b3e16e21aeaef9fb3ea1e66ebb5b5d8b41b5b1d0797d2686020a48c28
SHA512: f9a248d6e93308bfbc23adf164c63284aa3d5c13a337e632746f400213afd0af21ccd43bca492d321d675e740dad923bfc909090f575430ff9042c551dc5217d

Filesize: 77KB
MD5: eb67800a8b32bf2f33c77c0dc939792f
SHA1: 632f82583af92eba02e04327a0be567418afb6af
SHA256: 8cfaf426e4eca867e36efb47cabefcd6103fdaf05ae779eebfa5c14a882ce0b0
SHA512: eb8dd4a1bdf43685e0efaf67e02ddc4adb01890762d73e01ddf5ddd3d76ff3514e4e0c83a2ff1e49f5a0e361df3b5c522f6cbd873c429df9d771f3d5c6aa03a6