1360f4f2f527cbf817f6134574ee43ceebdbacd182936e60bd5e8ca3cd6257cb

Analysis

max time kernel
129s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
18/01/2024, 03:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

64684838614fed75f6915e5a0b04c074.exe
Size

306KB
MD5

64684838614fed75f6915e5a0b04c074
SHA1

e5590c0e136be0db370238ce29708e92ac7a2567
SHA256

1360f4f2f527cbf817f6134574ee43ceebdbacd182936e60bd5e8ca3cd6257cb
SHA512

4ea835263428f6f413794cf83f90ce9d69057897f5b3bcf37c42eec1fa3f59dbd4b3466b17ee14ee9ef5aefd633ce426217151cde480ebc7bf6cc92a1e9df6bb
SSDEEP

6144:LteuvLG5DfKo+hXr8+yDrQkNEBxKyfhW0oRu:Y6LG5Di1Xr8+ynQ9KyoRu

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cobato = "cobato\\cbtup.exe"	64684838614fed75f6915e5a0b04c074.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4068	64684838614fed75f6915e5a0b04c074.exe
4068	64684838614fed75f6915e5a0b04c074.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4068	64684838614fed75f6915e5a0b04c074.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4068	64684838614fed75f6915e5a0b04c074.exe
4068	64684838614fed75f6915e5a0b04c074.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4068 wrote to memory of 2220	4068	64684838614fed75f6915e5a0b04c074.exe	104
PID 4068 wrote to memory of 2220	4068	64684838614fed75f6915e5a0b04c074.exe	104
PID 4068 wrote to memory of 2220	4068	64684838614fed75f6915e5a0b04c074.exe	104

C:\Users\Admin\AppData\Local\Temp\64684838614fed75f6915e5a0b04c074.exe
"C:\Users\Admin\AppData\Local\Temp\64684838614fed75f6915e5a0b04c074.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4068
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c \DelUS.bat
  2⤵
  PID:2220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\DelUS.bat

Filesize
200B

MD5
439ef98820c02bebfafbc0ae98efa286

SHA1
340d57bca5c853132644eddd23f5d367beba3ac5

SHA256
165fa1562d0e76aec05a665986f1bdcf0b3a9786fe3d0f0f606134b0335f53c4

SHA512
9e87e98885db83edc2d14a94c3787429acdafa694a11321d9c61feae161c87c8d42ee2868b9852fb11ccb6831c9a29337ecd6a82abb27cf6a4aa8c51e79035ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\cobato\cbtdel.exe

Filesize
41KB

MD5
e9688ff363353ac187734e95737a56b2

SHA1
dda351118469aeeb60f99862869d15b4853134b7

SHA256
ba8388e074e25154b96f0a3e4fb16a7fc33b49d4f0e0450ce200c790aaec0773

SHA512
9c38ec17b41dbadbc918ff75c7ec1f7a23690db7de51bae7583324a7e3dff98936d2240f9f7ed780c414bee532397aed943453a8c522e9ecbfd76e72749a483f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cobato\cbtup.exe

Filesize
6KB

MD5
65c26eadb5771af9c4288fac1ad501e8

SHA1
034456d0e2c30179258d56872f35c6cadbbefc03

SHA256
bcd1b245bc54fa6302092cf3de0d97aa35cb7553dfa21ea9cf3fbb7866760d9b

SHA512
64f407aeacaaba282ea4430746518dc6f50cb8f9dabcd7c93ba2af3035019f38c70ec91628db1a116c296193c778c0c933f02d950e40fa7e40ea2340138d057a

Download Submit