Overview

overview

9

Static

static

7

Cobalt-Mai...er.exe

windows7-x64

9

Cobalt-Mai...er.exe

windows10-2004-x64

9

Cobalt-Mai...th.dll

windows7-x64

9

Cobalt-Mai...th.dll

windows10-2004-x64

9

Cobalt-Mai...or.exe

windows7-x64

1

Cobalt-Mai...or.exe

windows10-2004-x64

1

Cobalt-Mai...lt.exe

windows7-x64

9

Cobalt-Mai...lt.exe

windows10-2004-x64

9

Cobalt-Mai...ox.dll

windows7-x64

1

Cobalt-Mai...ox.dll

windows10-2004-x64

1

Analysis

  • max time kernel
    148s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15/10/2024, 01:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Cobalt-Main/Cobalt.exe

  • Size

    57KB

  • MD5

    d7c9cd322313aae1c6d377c2fb55b4e6

  • SHA1

    82018a4918394f57760b3409da34e881b4d85acb

  • SHA256

    228a27a3ed89a391c4e58a5de1909ed0b2e85a30e55020717eded26b71f4fedf

  • SHA512

    bb8b966b7a68844d7470931fe85982b9034d806fb484392e3f928e426678bbe3155188c9788290a5178758889d9cc19da77e4a0018aa483914345e1bb3027f55

  • SSDEEP

    1536:3DBzpoTSaKlIds/o3TSaKlIds/oQTSaKlIds/o6:3Z+TSawIdsA3TSawIdsAQTSawIdsA6

Score
9/10
discoveryevasionthemidatrojan

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Themida packer 9 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Network Service Discovery 1 TTPs 1 IoCs

    Attempt to gather information on host's network.

    discovery
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Cobalt-Main\Cobalt.exe
    "C:\Users\Admin\AppData\Local\Temp\Cobalt-Main\Cobalt.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2576
  • C:\Windows\System32\GameBarPresenceWriter.exe
    "C:\Windows\System32\GameBarPresenceWriter.exe" -ServerName:Windows.Gaming.GameBar.Internal.PresenceWriterServer
    1⤵
    • Network Service Discovery
    PID:3624
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:3228

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2576-0-0x0000000074CAE000-0x0000000074CAF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2576-1-0x0000000000870000-0x0000000000884000-memory.dmp

    Filesize

    80KB

    Download

  • memory/2576-2-0x0000000005860000-0x0000000005E04000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2576-3-0x00000000052B0000-0x0000000005342000-memory.dmp

    Filesize

    584KB

    Download

  • memory/2576-5-0x0000000074CA0000-0x0000000075450000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2576-4-0x0000000005280000-0x000000000528A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2576-6-0x00000000703C0000-0x0000000070C8C000-memory.dmp

    Filesize

    8.8MB

    Download

  • memory/2576-7-0x0000000074CA0000-0x0000000075450000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2576-8-0x00000000703C0000-0x0000000070C8C000-memory.dmp

    Filesize

    8.8MB

    Download

  • memory/2576-10-0x00000000703C0000-0x0000000070C8C000-memory.dmp

    Filesize

    8.8MB

    Download

  • memory/2576-9-0x00000000703C0000-0x0000000070C8C000-memory.dmp

    Filesize

    8.8MB

    Download

  • memory/2576-12-0x00000000703C0000-0x0000000070C8C000-memory.dmp

    Filesize

    8.8MB

    Download

  • memory/2576-11-0x00000000703C0000-0x0000000070C8C000-memory.dmp

    Filesize

    8.8MB

    Download

  • memory/2576-13-0x00000000703C0000-0x0000000070C8C000-memory.dmp

    Filesize

    8.8MB

    Download

  • memory/2576-20-0x0000000074CAE000-0x0000000074CAF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2576-21-0x0000000074CA0000-0x0000000075450000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2576-22-0x00000000703C0000-0x0000000070C8C000-memory.dmp

    Filesize

    8.8MB

    Download

  • memory/2576-23-0x00000000703C0000-0x0000000070C8C000-memory.dmp

    Filesize

    8.8MB

    Download