Analysis
-
max time kernel
148s -
max time network
159s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
26-04-2024 07:20
Static task
static1
Behavioral task
behavioral1
Sample
94a7c995a3f87308dea447de9c3e84ef086fe0379d108332970bc7f2d22efed6.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
94a7c995a3f87308dea447de9c3e84ef086fe0379d108332970bc7f2d22efed6.exe
Resource
win10v2004-20240226-en
General
-
Target
94a7c995a3f87308dea447de9c3e84ef086fe0379d108332970bc7f2d22efed6.exe
-
Size
315KB
-
MD5
36eed47751bc04ee9fb82d3f0e836239
-
SHA1
e17fbeefbdca5b0a87393f031479e35cd38d8a68
-
SHA256
94a7c995a3f87308dea447de9c3e84ef086fe0379d108332970bc7f2d22efed6
-
SHA512
b0a76342e605cfa95940cb41f61579a8bd2fb347521a6c10a34fc526546abbdc721ec499a8e9c422137eced2a9ad966c69e1ace7ba976e059e273838f8ce3066
-
SSDEEP
6144:SCGaECnpAoDO1A8dg3iTPJLMfgQZX+tJs0dxm:DGHCnaomAEg3uPdkgOX+tZdxm
Malware Config
Extracted
cobaltstrike
http://192.168.209.130:80/6Uco
-
user_agent
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0; BOIE9;ENUS)
Signatures
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
94a7c995a3f87308dea447de9c3e84ef086fe0379d108332970bc7f2d22efed6.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation 94a7c995a3f87308dea447de9c3e84ef086fe0379d108332970bc7f2d22efed6.exe -
Executes dropped EXE 1 IoCs
Processes:
artifact.exepid process 4636 artifact.exe -
Drops file in Windows directory 5 IoCs
Processes:
94a7c995a3f87308dea447de9c3e84ef086fe0379d108332970bc7f2d22efed6.exedescription ioc process File created C:\Windows\__tmp_rar_sfx_access_check_240662328 94a7c995a3f87308dea447de9c3e84ef086fe0379d108332970bc7f2d22efed6.exe File created C:\Windows\artifact.exe 94a7c995a3f87308dea447de9c3e84ef086fe0379d108332970bc7f2d22efed6.exe File opened for modification C:\Windows\artifact.exe 94a7c995a3f87308dea447de9c3e84ef086fe0379d108332970bc7f2d22efed6.exe File created C:\Windows\1.txt 94a7c995a3f87308dea447de9c3e84ef086fe0379d108332970bc7f2d22efed6.exe File opened for modification C:\Windows\1.txt 94a7c995a3f87308dea447de9c3e84ef086fe0379d108332970bc7f2d22efed6.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
Processes:
94a7c995a3f87308dea447de9c3e84ef086fe0379d108332970bc7f2d22efed6.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings 94a7c995a3f87308dea447de9c3e84ef086fe0379d108332970bc7f2d22efed6.exe -
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
NOTEPAD.EXEpid process 2532 NOTEPAD.EXE -
Suspicious use of WriteProcessMemory 5 IoCs
Processes:
94a7c995a3f87308dea447de9c3e84ef086fe0379d108332970bc7f2d22efed6.exedescription pid process target process PID 224 wrote to memory of 4636 224 94a7c995a3f87308dea447de9c3e84ef086fe0379d108332970bc7f2d22efed6.exe artifact.exe PID 224 wrote to memory of 4636 224 94a7c995a3f87308dea447de9c3e84ef086fe0379d108332970bc7f2d22efed6.exe artifact.exe PID 224 wrote to memory of 2532 224 94a7c995a3f87308dea447de9c3e84ef086fe0379d108332970bc7f2d22efed6.exe NOTEPAD.EXE PID 224 wrote to memory of 2532 224 94a7c995a3f87308dea447de9c3e84ef086fe0379d108332970bc7f2d22efed6.exe NOTEPAD.EXE PID 224 wrote to memory of 2532 224 94a7c995a3f87308dea447de9c3e84ef086fe0379d108332970bc7f2d22efed6.exe NOTEPAD.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\94a7c995a3f87308dea447de9c3e84ef086fe0379d108332970bc7f2d22efed6.exe"C:\Users\Admin\AppData\Local\Temp\94a7c995a3f87308dea447de9c3e84ef086fe0379d108332970bc7f2d22efed6.exe"1⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\windows\artifact.exe"C:\windows\artifact.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\windows\1.txt2⤵
- Opens file in notepad (likely ransom note)
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3928 --field-trial-handle=2304,i,6987730730348465820,3913273227385401271,262144 --variations-seed-version /prefetch:81⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\artifact.exeFilesize
17KB
MD54c3a97498bc22396427d1219c0ec9f32
SHA1cf4e60fee510fe040b68e23fd12ae862f8e9e01f
SHA256e2f7be9ba9a6a7efedf2dbdcf4be285a3d886d54528b60a5432d5e0ba9054ced
SHA5124e1fdc6a8d26834fcc0de67a59cda8c154ff86a219b4b3f443a6199488ceb1562bf01c14b90e049dc2cd3edc7aeee9fbedbbef83392fc305aaf84ba7f61583b8
-
memory/4636-9-0x0000000000020000-0x0000000000021000-memory.dmpFilesize
4KB
-
memory/4636-10-0x0000000000400000-0x000000000040C000-memory.dmpFilesize
48KB