Overview

overview

10

Static

static

3

PowerISO8-x64.exe

windows10-2004-x64

10

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDI...gs.dll

windows10-2004-x64

3

$R0.exe

windows10-2004-x64

1

$TEMP/$0.dll

windows10-2004-x64

1

devcon.exe

windows10-2004-x64

1

setup64.exe

windows10-2004-x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    PowerISO8-x64.exe

  • Size

    4.9MB

  • Sample

    240616-m4r4ea1bla

  • MD5

    6cfc22a101708bbfc71e9973c6fba41e

  • SHA1

    36bda899114cd51f254dccbd8fbeae9afb4d1575

  • SHA256

    c5eb56a7299f89a4e23e9fd22c1d5485c045b2a8cc9a1688b02aeb373aedb74c

  • SHA512

    709abc646a80f477aa410d117cc42e121016598fabe7c280d7c61b92ae379e6fed0618f9bcb59a4eea0cfe709a197eafaacc1e12b1cc7da57785216e36b873a2

  • SSDEEP

    98304:Gh+CRN2xdTpDYHpZAe8ZlmibClWpWMzBd5ae4jGF29S8GoexEo8P:vCLScJKlWMzBejGF2GxELP

Score
10/10
cobaltstrikebackdoordiscoveryevasionpersistencespywarestealertrojan

Malware Config

Targets

    • Target

      PowerISO8-x64.exe

    • Size

      4.9MB

    • MD5

      6cfc22a101708bbfc71e9973c6fba41e

    • SHA1

      36bda899114cd51f254dccbd8fbeae9afb4d1575

    • SHA256

      c5eb56a7299f89a4e23e9fd22c1d5485c045b2a8cc9a1688b02aeb373aedb74c

    • SHA512

      709abc646a80f477aa410d117cc42e121016598fabe7c280d7c61b92ae379e6fed0618f9bcb59a4eea0cfe709a197eafaacc1e12b1cc7da57785216e36b873a2

    • SSDEEP

      98304:Gh+CRN2xdTpDYHpZAe8ZlmibClWpWMzBd5ae4jGF29S8GoexEo8P:vCLScJKlWMzBejGF2GxELP

    Score
    10/10
    cobaltstrikebackdoordiscoveryevasionpersistencespywarestealertrojan

    • Cobalt Strike reflective loader

      Detects the reflective loader used by Cobalt Strike.

    • Cobaltstrike

      Detected malicious payload which is part of Cobaltstrike.

      trojanbackdoorcobaltstrike

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Registers COM server for autorun

      persistence

    • Adds Run key to start application

      persistence

    • Checks for any installed AV software in registry

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Modifies powershell logging option

      evasion

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    behavioral1

    • Target

      $PLUGINSDIR/System.dll

    • Size

      12KB

    • MD5

      8cf2ac271d7679b1d68eefc1ae0c5618

    • SHA1

      7cc1caaa747ee16dc894a600a4256f64fa65a9b8

    • SHA256

      6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba

    • SHA512

      ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3

    • SSDEEP

      192:BenY0qWTlt70IAj/lQ0sEWc/wtYbBH2aDybC7y+XB9IwL:B8+Qlt70Fj/lQRY/9VjjlL

    Score
    3/10
    behavioral2

    • Target

      $PLUGINSDIR/nsDialogs.dll

    • Size

      9KB

    • MD5

      ec9640b70e07141febbe2cd4cc42510f

    • SHA1

      64a5e4b90e5fe62aa40e7ac9e16342ed066f0306

    • SHA256

      c5ba017732597a82f695b084d1aa7fe3b356168cc66105b9392a9c5b06be5188

    • SHA512

      47605b217313c7fe6ce3e9a65da156a2fba8d91e4ed23731d3c5e432dd048ff5c8f9ae8bb85a6a39e1eac4e1b6a22862aa72d3b1b1c8255858997cdd4db5d1fe

    • SSDEEP

      192:oRsHeylO012En8pqHtcE0PuAgkOyPIFc:sATI0d8pUP0WAgkBPIFc

    Score
    3/10
    behavioral3

    • Target

      $R0

    • Size

      69KB

    • MD5

      9d199564b65a91a531b23844649459e9

    • SHA1

      8d84359ced1c51d14e70cb5ed36a6083c8b914cf

    • SHA256

      8dc2490d1d650e3ffbf70922b81ae9800ddd29a644e4d7d29e9616e22a7d0f42

    • SHA512

      ae522945d3ddcd7c2d99da14ba62d556928b7e6dfcb07114f13481777878a8ffa448170cebbf76da80d9ae45d0e3a509b0f2a7bd702773c1efcaca26496010d1

    • SSDEEP

      768:Ubrbmi0iAETVvlXjkQnr65WTHBAtgYSofgevxHs4gZWk:ab70GdXoQr65WDBAtgYSoflxHeW

    Score
    1/10
    behavioral4

    • Target

      $TEMP/$0

    • Size

      29KB

    • MD5

      c3b224d15a9036805575b2ff0bcefeda

    • SHA1

      74779ae82a97e97d770435d097821810f16c97c5

    • SHA256

      23d8aeff49ffbac9f9490e9739e059cd7064516dbcd693fe2de77830b127ff8a

    • SHA512

      5a5d98cc9a4aca076049340a4645879a8e4a1d2e24a672015627446d7e3729acf0b64bc8a0f702b8da735d22607fe13ba3ef6a497a57891804576899b06bb461

    • SSDEEP

      384:XE+iXOWKqv0WEXSvQiJb7Mejv14ESgQaMOaA9qqKYu8iFz/pvow3PrCDaU2:XxspKA0ZiVfWEVUfYuhFzVowOD

    Score
    1/10
    behavioral5

    • Target

      devcon.exe

    • Size

      69KB

    • MD5

      9d199564b65a91a531b23844649459e9

    • SHA1

      8d84359ced1c51d14e70cb5ed36a6083c8b914cf

    • SHA256

      8dc2490d1d650e3ffbf70922b81ae9800ddd29a644e4d7d29e9616e22a7d0f42

    • SHA512

      ae522945d3ddcd7c2d99da14ba62d556928b7e6dfcb07114f13481777878a8ffa448170cebbf76da80d9ae45d0e3a509b0f2a7bd702773c1efcaca26496010d1

    • SSDEEP

      768:Ubrbmi0iAETVvlXjkQnr65WTHBAtgYSofgevxHs4gZWk:ab70GdXoQr65WDBAtgYSoflxHeW

    Score
    1/10
    behavioral6

    • Target

      setup64.exe

    • Size

      20KB

    • MD5

      857eace9d87bd6c43142b2b4eed5c1c4

    • SHA1

      03707b309e647ff6f89993e7ba03f1c98750b8a0

    • SHA256

      10bb1c98ab4fb8e18b349fdbdf33f61038318b33e7b04810a71035a7320f00bd

    • SHA512

      af784f62ae993ad83022a098d4aca4e3850018976362ec559f611bec76ef7f5ec70763fa167f255ed13745d496e7ed501b638afbe107e244da652da2a84a129d

    • SSDEEP

      384:8TwBHiBYcYV7r6KZjthU9RLhCm/dJ6KZjthUChCm/xE:MoHiBYcYBmmjtucK+mjtufKC

    Score
    1/10
    behavioral7

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Defense Evasion

Modify Registry

3
T1112

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

8
T1012

System Information Discovery

7
T1082

Software Discovery

1
T1518

Security Software Discovery

1
T1518.001

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks