Analysis
-
max time kernel
150s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
25-01-2024 17:32
Static task
static1
Behavioral task
behavioral1
Sample
7f5bc615e401caaf9252dbbe0349c59710e9b63efc5a50a0f6dacb0fb06f0b30.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
7f5bc615e401caaf9252dbbe0349c59710e9b63efc5a50a0f6dacb0fb06f0b30.exe
Resource
win10v2004-20231215-en
General
-
Target
7f5bc615e401caaf9252dbbe0349c59710e9b63efc5a50a0f6dacb0fb06f0b30.exe
-
Size
409KB
-
MD5
7c8ec206d0043df90b7eccf6bd266576
-
SHA1
b73615aedbafea3d4be7d436e6b88299e5c147f3
-
SHA256
7f5bc615e401caaf9252dbbe0349c59710e9b63efc5a50a0f6dacb0fb06f0b30
-
SHA512
b7f9a68b71e438425a1673f9dc82403ac8be3ad343657673524817c851728e1595589f94df8fb66c6ae1b23e0c092ee835c8071ab15ec838a66a636a7de71a86
-
SSDEEP
6144:kIPnx3+QPLWV9MAud5fcq2nES078acb+IYEKskHS/hoEI:jx3+QSV9Ad5f8nES0YacY9DH4W
Malware Config
Signatures
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Blocklisted process makes network request 1 IoCs
Processes:
rundll32.exeflow pid Process 23 3972 rundll32.exe -
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
Processes:
svchost.exepid Process 1132 svchost.exe -
Drops file in System32 directory 1 IoCs
Processes:
rundll32.exedescription ioc Process File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UPnP\svchost rundll32.exe -
Suspicious use of SetThreadContext 2 IoCs
Processes:
7f5bc615e401caaf9252dbbe0349c59710e9b63efc5a50a0f6dacb0fb06f0b30.exedescription pid Process procid_target PID 2152 set thread context of 4720 2152 7f5bc615e401caaf9252dbbe0349c59710e9b63efc5a50a0f6dacb0fb06f0b30.exe 94 PID 2152 set thread context of 3972 2152 7f5bc615e401caaf9252dbbe0349c59710e9b63efc5a50a0f6dacb0fb06f0b30.exe 97 -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
rundll32.exepid Process 3972 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
rundll32.exedescription pid Process Token: SeDebugPrivilege 3972 rundll32.exe Token: SeRestorePrivilege 3972 rundll32.exe Token: SeBackupPrivilege 3972 rundll32.exe Token: SeTakeOwnershipPrivilege 3972 rundll32.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
7f5bc615e401caaf9252dbbe0349c59710e9b63efc5a50a0f6dacb0fb06f0b30.exedescription pid Process procid_target PID 2152 wrote to memory of 4720 2152 7f5bc615e401caaf9252dbbe0349c59710e9b63efc5a50a0f6dacb0fb06f0b30.exe 94 PID 2152 wrote to memory of 4720 2152 7f5bc615e401caaf9252dbbe0349c59710e9b63efc5a50a0f6dacb0fb06f0b30.exe 94 PID 2152 wrote to memory of 4720 2152 7f5bc615e401caaf9252dbbe0349c59710e9b63efc5a50a0f6dacb0fb06f0b30.exe 94 PID 2152 wrote to memory of 4720 2152 7f5bc615e401caaf9252dbbe0349c59710e9b63efc5a50a0f6dacb0fb06f0b30.exe 94 PID 2152 wrote to memory of 3972 2152 7f5bc615e401caaf9252dbbe0349c59710e9b63efc5a50a0f6dacb0fb06f0b30.exe 97 PID 2152 wrote to memory of 3972 2152 7f5bc615e401caaf9252dbbe0349c59710e9b63efc5a50a0f6dacb0fb06f0b30.exe 97 PID 2152 wrote to memory of 3972 2152 7f5bc615e401caaf9252dbbe0349c59710e9b63efc5a50a0f6dacb0fb06f0b30.exe 97 PID 2152 wrote to memory of 3972 2152 7f5bc615e401caaf9252dbbe0349c59710e9b63efc5a50a0f6dacb0fb06f0b30.exe 97 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\7f5bc615e401caaf9252dbbe0349c59710e9b63efc5a50a0f6dacb0fb06f0b30.exe"C:\Users\Admin\AppData\Local\Temp\7f5bc615e401caaf9252dbbe0349c59710e9b63efc5a50a0f6dacb0fb06f0b30.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2152 -
\??\c:\windows\system32\rundll32.exec:\windows\system32\rundll32.exe2⤵PID:4720
-
-
\??\c:\windows\system32\rundll32.exec:\windows\system32\rundll32.exe2⤵
- Blocklisted process makes network request
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3972
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\svchost.exeC:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\svchost.exe mNdo0E628Vi3A/aK+LZvSUTvcBDsgbUU3GdwwRmyoWk= fTF6MeWgWzszxbdUPqDjfg==1⤵
- Executes dropped EXE
PID:1132
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
6.0MB
MD58946a237072c06f4b0a779444f075caf
SHA1ca4ba5d29ef9274c76a3b6c7c1fbfc923c57d9c6
SHA256aa59fb01d1c289c959e179c33e0aa3950de12c40213979a6191d4b1a984abf70
SHA5123cacb9e3a0456a45a7c773c14c7ea807b58085c441821f1e3078805676cc2bac1950390ca2a63fb842097880a9c9decaf73ae9e7151098c0a0dea6c64e9c6106