4c01488b3e16e21aeaef9fb3ea1e66ebb5b5d8b41b5b1d0797d2686020a48c28

General

Target

cosba64.exe
Size

238.2MB
MD5

f08f7876b0414cee5a471f456790ecd3
SHA1

935928cfa2e1ba8d4a0afbfe3f89d8f72c6b344f
SHA256

4c01488b3e16e21aeaef9fb3ea1e66ebb5b5d8b41b5b1d0797d2686020a48c28
SHA512

f9a248d6e93308bfbc23adf164c63284aa3d5c13a337e632746f400213afd0af21ccd43bca492d321d675e740dad923bfc909090f575430ff9042c551dc5217d
SSDEEP

98304:efoB/2sOjbllT1/gTA/8DGEWXrwR75sIQpz5MNv4xi3npUmcLBgy2enlHnRJsNPb:enljn14L9WXr67xQLMSMpZcLRJnGb

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	cosba64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	cosba64.exe

Executes dropped EXE 5 IoCs

pid	Process
4924	cosba64.exe
3040	cosba64.exe
2280	cosba64.exe
2448	cosba64.exe
3492	cosba64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2340	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2128	cosba64.exe
2128	cosba64.exe
4924	cosba64.exe
4924	cosba64.exe
3040	cosba64.exe
3040	cosba64.exe
2280	cosba64.exe
2280	cosba64.exe
2448	cosba64.exe
2448	cosba64.exe
3492	cosba64.exe
3492	cosba64.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2128	cosba64.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 4924	2128	cosba64.exe	82
PID 2128 wrote to memory of 4924	2128	cosba64.exe	82
PID 2128 wrote to memory of 4924	2128	cosba64.exe	82
PID 4924 wrote to memory of 2340	4924	cosba64.exe	87
PID 4924 wrote to memory of 2340	4924	cosba64.exe	87
PID 4924 wrote to memory of 2340	4924	cosba64.exe	87
PID 4924 wrote to memory of 628	4924	cosba64.exe	88
PID 4924 wrote to memory of 628	4924	cosba64.exe	88
PID 4924 wrote to memory of 628	4924	cosba64.exe	88
PID 628 wrote to memory of 3172	628	cmd.exe	91
PID 628 wrote to memory of 3172	628	cmd.exe	91
PID 628 wrote to memory of 3172	628	cmd.exe	91
PID 628 wrote to memory of 1488	628	cmd.exe	92
PID 628 wrote to memory of 1488	628	cmd.exe	92
PID 628 wrote to memory of 1488	628	cmd.exe	92
PID 628 wrote to memory of 3360	628	cmd.exe	93
PID 628 wrote to memory of 3360	628	cmd.exe	93
PID 628 wrote to memory of 3360	628	cmd.exe	93
PID 628 wrote to memory of 4328	628	cmd.exe	94
PID 628 wrote to memory of 4328	628	cmd.exe	94
PID 628 wrote to memory of 4328	628	cmd.exe	94
PID 628 wrote to memory of 4960	628	cmd.exe	95
PID 628 wrote to memory of 4960	628	cmd.exe	95
PID 628 wrote to memory of 4960	628	cmd.exe	95
PID 628 wrote to memory of 1364	628	cmd.exe	96
PID 628 wrote to memory of 1364	628	cmd.exe	96
PID 628 wrote to memory of 1364	628	cmd.exe	96

C:\Users\Admin\AppData\Local\Temp\cosba64.exe
"C:\Users\Admin\AppData\Local\Temp\cosba64.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Users\Admin\AppData\Local\Temp\6bb5824ec4\cosba64.exe
  "C:\Users\Admin\AppData\Local\Temp\6bb5824ec4\cosba64.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4924
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN cosba64.exe /TR "C:\Users\Admin\AppData\Local\Temp\6bb5824ec4\cosba64.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:2340
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "cosba64.exe" /P "Admin:N"&&CACLS "cosba64.exe" /P "Admin:R" /E&&echo Y|CACLS "..\6bb5824ec4" /P "Admin:N"&&CACLS "..\6bb5824ec4" /P "Admin:R" /E&&Exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:628
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:3172
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "cosba64.exe" /P "Admin:N"
      4⤵
      PID:1488
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "cosba64.exe" /P "Admin:R" /E
      4⤵
      PID:3360
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:4328
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\6bb5824ec4" /P "Admin:N"
      4⤵
      PID:4960
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\6bb5824ec4" /P "Admin:R" /E
      4⤵
      PID:1364

C:\Users\Admin\AppData\Local\Temp\6bb5824ec4\cosba64.exe
C:\Users\Admin\AppData\Local\Temp\6bb5824ec4\cosba64.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3040

C:\Users\Admin\AppData\Local\Temp\6bb5824ec4\cosba64.exe
C:\Users\Admin\AppData\Local\Temp\6bb5824ec4\cosba64.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2280

C:\Users\Admin\AppData\Local\Temp\6bb5824ec4\cosba64.exe
C:\Users\Admin\AppData\Local\Temp\6bb5824ec4\cosba64.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2448

C:\Users\Admin\AppData\Local\Temp\6bb5824ec4\cosba64.exe
C:\Users\Admin\AppData\Local\Temp\6bb5824ec4\cosba64.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3492

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6bb5824ec4\cosba64.exe

Filesize
238.2MB

MD5
f08f7876b0414cee5a471f456790ecd3

SHA1
935928cfa2e1ba8d4a0afbfe3f89d8f72c6b344f

SHA256
4c01488b3e16e21aeaef9fb3ea1e66ebb5b5d8b41b5b1d0797d2686020a48c28

SHA512
f9a248d6e93308bfbc23adf164c63284aa3d5c13a337e632746f400213afd0af21ccd43bca492d321d675e740dad923bfc909090f575430ff9042c551dc5217d

Download Submit
C:\Users\Admin\AppData\Local\Temp\6bb5824ec4\cosba64.exe

Filesize
238.2MB

MD5
f08f7876b0414cee5a471f456790ecd3

SHA1
935928cfa2e1ba8d4a0afbfe3f89d8f72c6b344f

SHA256
4c01488b3e16e21aeaef9fb3ea1e66ebb5b5d8b41b5b1d0797d2686020a48c28

SHA512
f9a248d6e93308bfbc23adf164c63284aa3d5c13a337e632746f400213afd0af21ccd43bca492d321d675e740dad923bfc909090f575430ff9042c551dc5217d

Download Submit
C:\Users\Admin\AppData\Local\Temp\6bb5824ec4\cosba64.exe

Filesize
238.2MB

MD5
f08f7876b0414cee5a471f456790ecd3

SHA1
935928cfa2e1ba8d4a0afbfe3f89d8f72c6b344f

SHA256
4c01488b3e16e21aeaef9fb3ea1e66ebb5b5d8b41b5b1d0797d2686020a48c28

SHA512
f9a248d6e93308bfbc23adf164c63284aa3d5c13a337e632746f400213afd0af21ccd43bca492d321d675e740dad923bfc909090f575430ff9042c551dc5217d

Download Submit
C:\Users\Admin\AppData\Local\Temp\6bb5824ec4\cosba64.exe

Filesize
238.2MB

MD5
f08f7876b0414cee5a471f456790ecd3

SHA1
935928cfa2e1ba8d4a0afbfe3f89d8f72c6b344f

SHA256
4c01488b3e16e21aeaef9fb3ea1e66ebb5b5d8b41b5b1d0797d2686020a48c28

SHA512
f9a248d6e93308bfbc23adf164c63284aa3d5c13a337e632746f400213afd0af21ccd43bca492d321d675e740dad923bfc909090f575430ff9042c551dc5217d

Download Submit
C:\Users\Admin\AppData\Local\Temp\6bb5824ec4\cosba64.exe

Filesize
238.2MB

MD5
f08f7876b0414cee5a471f456790ecd3

SHA1
935928cfa2e1ba8d4a0afbfe3f89d8f72c6b344f

SHA256
4c01488b3e16e21aeaef9fb3ea1e66ebb5b5d8b41b5b1d0797d2686020a48c28

SHA512
f9a248d6e93308bfbc23adf164c63284aa3d5c13a337e632746f400213afd0af21ccd43bca492d321d675e740dad923bfc909090f575430ff9042c551dc5217d

Download Submit
C:\Users\Admin\AppData\Local\Temp\6bb5824ec4\cosba64.exe

Filesize
238.2MB

MD5
f08f7876b0414cee5a471f456790ecd3

SHA1
935928cfa2e1ba8d4a0afbfe3f89d8f72c6b344f

SHA256
4c01488b3e16e21aeaef9fb3ea1e66ebb5b5d8b41b5b1d0797d2686020a48c28

SHA512
f9a248d6e93308bfbc23adf164c63284aa3d5c13a337e632746f400213afd0af21ccd43bca492d321d675e740dad923bfc909090f575430ff9042c551dc5217d

Download Submit
C:\Users\Admin\AppData\Local\Temp\6bb5824ec4\cosba64.exe

Filesize
238.2MB

MD5
f08f7876b0414cee5a471f456790ecd3

SHA1
935928cfa2e1ba8d4a0afbfe3f89d8f72c6b344f

SHA256
4c01488b3e16e21aeaef9fb3ea1e66ebb5b5d8b41b5b1d0797d2686020a48c28

SHA512
f9a248d6e93308bfbc23adf164c63284aa3d5c13a337e632746f400213afd0af21ccd43bca492d321d675e740dad923bfc909090f575430ff9042c551dc5217d

Download Submit
C:\Users\Admin\AppData\Local\Temp\805025096232

Filesize
77KB

MD5
eb67800a8b32bf2f33c77c0dc939792f

SHA1
632f82583af92eba02e04327a0be567418afb6af

SHA256
8cfaf426e4eca867e36efb47cabefcd6103fdaf05ae779eebfa5c14a882ce0b0

SHA512
eb8dd4a1bdf43685e0efaf67e02ddc4adb01890762d73e01ddf5ddd3d76ff3514e4e0c83a2ff1e49f5a0e361df3b5c522f6cbd873c429df9d771f3d5c6aa03a6

Download Submit
memory/2128-134-0x0000000000660000-0x0000000000B81000-memory.dmp

Filesize
5.1MB

Download
memory/2128-133-0x0000000001550000-0x0000000001551000-memory.dmp

Filesize
4KB

Download
memory/2280-166-0x0000000001340000-0x0000000001341000-memory.dmp

Filesize
4KB

Download
memory/2280-167-0x0000000000760000-0x0000000000C81000-memory.dmp

Filesize
5.1MB

Download
memory/2448-171-0x0000000000760000-0x0000000000C81000-memory.dmp

Filesize
5.1MB

Download
memory/2448-170-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download
memory/3040-163-0x0000000000760000-0x0000000000C81000-memory.dmp

Filesize
5.1MB

Download
memory/3040-162-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

Filesize
4KB

Download
memory/3492-174-0x0000000001420000-0x0000000001421000-memory.dmp

Filesize
4KB

Download
memory/3492-175-0x0000000000760000-0x0000000000C81000-memory.dmp

Filesize
5.1MB

Download
memory/4924-150-0x0000000000760000-0x0000000000C81000-memory.dmp

Filesize
5.1MB

Download
memory/4924-149-0x0000000002E40000-0x0000000002E41000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads