Analysis Overview
SHA256
64803bb4129dfc6fe9c9d6bf05f65c35ea73cc57a2cafd25737e51169b8a6662
Threat Level: Known bad
The file 64803bb4129dfc6fe9c9d6bf05f65c35ea73cc57a2cafd25737e51169b8a6662 was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike
Loads dropped DLL
Executes dropped EXE
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: RenamesItself
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-25 13:21
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-25 13:21
Reported
2024-06-25 13:23
Platform
win7-20240221-en
Max time kernel
149s
Max time network
149s
Command Line
Signatures
Cobaltstrike
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Public\artifact.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\64803bb4129dfc6fe9c9d6bf05f65c35ea73cc57a2cafd25737e51169b8a6662.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\64803bb4129dfc6fe9c9d6bf05f65c35ea73cc57a2cafd25737e51169b8a6662.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\64803bb4129dfc6fe9c9d6bf05f65c35ea73cc57a2cafd25737e51169b8a6662.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\DllHost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\64803bb4129dfc6fe9c9d6bf05f65c35ea73cc57a2cafd25737e51169b8a6662.exe
"C:\Users\Admin\AppData\Local\Temp\64803bb4129dfc6fe9c9d6bf05f65c35ea73cc57a2cafd25737e51169b8a6662.exe"
C:\Windows\SysWOW64\cmd.exe
cmd " /c " C:\Users\Admin\AppData\Local\Temp\1.png
C:\Users\Public\artifact.exe
C:\Users\Public\artifact.exe
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
Network
| Country | Destination | Domain | Proto |
| N/A | 192.168.159.137:8088 | tcp | |
| N/A | 192.168.159.137:8088 | tcp | |
| N/A | 192.168.159.137:8088 | tcp | |
| N/A | 192.168.159.137:8088 | tcp | |
| N/A | 192.168.159.137:8088 | tcp | |
| N/A | 192.168.159.137:8088 | tcp | |
| N/A | 192.168.159.137:8088 | tcp | |
| N/A | 192.168.159.137:8088 | tcp |
Files
\Users\Public\artifact.exe
| MD5 | f76da48c0ed1c19bf726a06bf80a8882 |
| SHA1 | f8a5a2a2050dc0084c7badd0630193436f798247 |
| SHA256 | a676c87e4140740d2c1d8dfa455796db1ff79014e28a6f8fee50de28bdf98bb1 |
| SHA512 | bdc395e0d9cfe4f6e3f134d865ae9e87cada0bb6223bdd34a6350fbee79a6c24273dbc49fb88ea2c454b8144a51cae6e1cbe26f9d1961608f9a16f989ac0462b |
memory/2220-8-0x0000000000400000-0x00000000005CB000-memory.dmp
memory/2244-59-0x0000000000470000-0x0000000000472000-memory.dmp
memory/2440-60-0x0000000000160000-0x0000000000162000-memory.dmp
memory/2440-61-0x0000000000750000-0x0000000000751000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1.png
| MD5 | cc366db4527cce2f1b28233320fa4a0c |
| SHA1 | fb9ad0d67e3926b3fefa4f79e5bbe5ff6af55843 |
| SHA256 | 91dea1e5974ceac43d475f2e6ebcdedb7b4c46dc2e5fd8ef0b10e443d184d548 |
| SHA512 | e4cc211e15d1e4f93c87e63383ccdf10d0f4b66a3fcdd5e852be7a5cab2c9e84ceb9519bec86638cbe05c245069cc60ca390af819620b5a94dd0845d1d4c9289 |
memory/1244-63-0x0000000000020000-0x0000000000021000-memory.dmp
memory/1244-64-0x0000000000400000-0x000000000040C000-memory.dmp
memory/2440-66-0x0000000000750000-0x0000000000751000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-25 13:21
Reported
2024-06-25 13:23
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Cobaltstrike
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Public\artifact.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\64803bb4129dfc6fe9c9d6bf05f65c35ea73cc57a2cafd25737e51169b8a6662.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4364 wrote to memory of 6116 | N/A | C:\Users\Admin\AppData\Local\Temp\64803bb4129dfc6fe9c9d6bf05f65c35ea73cc57a2cafd25737e51169b8a6662.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4364 wrote to memory of 6116 | N/A | C:\Users\Admin\AppData\Local\Temp\64803bb4129dfc6fe9c9d6bf05f65c35ea73cc57a2cafd25737e51169b8a6662.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4364 wrote to memory of 6116 | N/A | C:\Users\Admin\AppData\Local\Temp\64803bb4129dfc6fe9c9d6bf05f65c35ea73cc57a2cafd25737e51169b8a6662.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4364 wrote to memory of 4440 | N/A | C:\Users\Admin\AppData\Local\Temp\64803bb4129dfc6fe9c9d6bf05f65c35ea73cc57a2cafd25737e51169b8a6662.exe | C:\Users\Public\artifact.exe |
| PID 4364 wrote to memory of 4440 | N/A | C:\Users\Admin\AppData\Local\Temp\64803bb4129dfc6fe9c9d6bf05f65c35ea73cc57a2cafd25737e51169b8a6662.exe | C:\Users\Public\artifact.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\64803bb4129dfc6fe9c9d6bf05f65c35ea73cc57a2cafd25737e51169b8a6662.exe
"C:\Users\Admin\AppData\Local\Temp\64803bb4129dfc6fe9c9d6bf05f65c35ea73cc57a2cafd25737e51169b8a6662.exe"
C:\Windows\SysWOW64\cmd.exe
cmd " /c " C:\Users\Admin\AppData\Local\Temp\1.png
C:\Users\Public\artifact.exe
C:\Users\Public\artifact.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| N/A | 192.168.159.137:8088 | tcp | |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| N/A | 192.168.159.137:8088 | tcp | |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| N/A | 192.168.159.137:8088 | tcp | |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| N/A | 192.168.159.137:8088 | tcp | |
| N/A | 192.168.159.137:8088 | tcp | |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| N/A | 192.168.159.137:8088 | tcp | |
| N/A | 192.168.159.137:8088 | tcp | |
| N/A | 192.168.159.137:8088 | tcp |
Files
C:\Users\Public\artifact.exe
| MD5 | f76da48c0ed1c19bf726a06bf80a8882 |
| SHA1 | f8a5a2a2050dc0084c7badd0630193436f798247 |
| SHA256 | a676c87e4140740d2c1d8dfa455796db1ff79014e28a6f8fee50de28bdf98bb1 |
| SHA512 | bdc395e0d9cfe4f6e3f134d865ae9e87cada0bb6223bdd34a6350fbee79a6c24273dbc49fb88ea2c454b8144a51cae6e1cbe26f9d1961608f9a16f989ac0462b |
memory/4364-3-0x0000000000F40000-0x000000000110B000-memory.dmp
memory/4440-7-0x0000000000020000-0x0000000000021000-memory.dmp
memory/4440-8-0x0000000000400000-0x000000000040C000-memory.dmp