Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
15-11-2024 01:06
Static task
static1
Behavioral task
behavioral1
Sample
2024-11-15_a80d048f183b5f1faabd7701da03d0f4_cobalt-strike_luca-stealer_money-message.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
2024-11-15_a80d048f183b5f1faabd7701da03d0f4_cobalt-strike_luca-stealer_money-message.exe
Resource
win10v2004-20241007-en
General
-
Target
2024-11-15_a80d048f183b5f1faabd7701da03d0f4_cobalt-strike_luca-stealer_money-message.exe
-
Size
720KB
-
MD5
a80d048f183b5f1faabd7701da03d0f4
-
SHA1
0ca0009d58e6cc06232367e8f67db0a8b6f233cc
-
SHA256
41c651cd03e40f9991bb09802947717b604a62f658474d6e7974dfdc80ef1705
-
SHA512
1ce6ff6f26b34de91a16f49d2d207f05d9480691bae499915b7e8320ce10cd8ae4619a88261a40843814dc1adfa41a213833d14ed801bec9db04539e83b24c9e
-
SSDEEP
12288:A+2ZzbQ32UC1pC0q1oJn2OR9YA/SnHaetVkiIGjltRzth:A+4OECVCn2OR9r/kaetNIOtR
Malware Config
Signatures
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
2024-11-15_a80d048f183b5f1faabd7701da03d0f4_cobalt-strike_luca-stealer_money-message.exedescription ioc Process File opened (read-only) \??\K: 2024-11-15_a80d048f183b5f1faabd7701da03d0f4_cobalt-strike_luca-stealer_money-message.exe File opened (read-only) \??\N: 2024-11-15_a80d048f183b5f1faabd7701da03d0f4_cobalt-strike_luca-stealer_money-message.exe File opened (read-only) \??\O: 2024-11-15_a80d048f183b5f1faabd7701da03d0f4_cobalt-strike_luca-stealer_money-message.exe File opened (read-only) \??\W: 2024-11-15_a80d048f183b5f1faabd7701da03d0f4_cobalt-strike_luca-stealer_money-message.exe File opened (read-only) \??\X: 2024-11-15_a80d048f183b5f1faabd7701da03d0f4_cobalt-strike_luca-stealer_money-message.exe File opened (read-only) \??\Y: 2024-11-15_a80d048f183b5f1faabd7701da03d0f4_cobalt-strike_luca-stealer_money-message.exe File opened (read-only) \??\F: 2024-11-15_a80d048f183b5f1faabd7701da03d0f4_cobalt-strike_luca-stealer_money-message.exe File opened (read-only) \??\H: 2024-11-15_a80d048f183b5f1faabd7701da03d0f4_cobalt-strike_luca-stealer_money-message.exe File opened (read-only) \??\Z: 2024-11-15_a80d048f183b5f1faabd7701da03d0f4_cobalt-strike_luca-stealer_money-message.exe File opened (read-only) \??\E: 2024-11-15_a80d048f183b5f1faabd7701da03d0f4_cobalt-strike_luca-stealer_money-message.exe File opened (read-only) \??\J: 2024-11-15_a80d048f183b5f1faabd7701da03d0f4_cobalt-strike_luca-stealer_money-message.exe File opened (read-only) \??\M: 2024-11-15_a80d048f183b5f1faabd7701da03d0f4_cobalt-strike_luca-stealer_money-message.exe File opened (read-only) \??\P: 2024-11-15_a80d048f183b5f1faabd7701da03d0f4_cobalt-strike_luca-stealer_money-message.exe File opened (read-only) \??\V: 2024-11-15_a80d048f183b5f1faabd7701da03d0f4_cobalt-strike_luca-stealer_money-message.exe File opened (read-only) \??\A: 2024-11-15_a80d048f183b5f1faabd7701da03d0f4_cobalt-strike_luca-stealer_money-message.exe File opened (read-only) \??\B: 2024-11-15_a80d048f183b5f1faabd7701da03d0f4_cobalt-strike_luca-stealer_money-message.exe File opened (read-only) \??\Q: 2024-11-15_a80d048f183b5f1faabd7701da03d0f4_cobalt-strike_luca-stealer_money-message.exe File opened (read-only) \??\U: 2024-11-15_a80d048f183b5f1faabd7701da03d0f4_cobalt-strike_luca-stealer_money-message.exe File opened (read-only) \??\G: 2024-11-15_a80d048f183b5f1faabd7701da03d0f4_cobalt-strike_luca-stealer_money-message.exe File opened (read-only) \??\L: 2024-11-15_a80d048f183b5f1faabd7701da03d0f4_cobalt-strike_luca-stealer_money-message.exe File opened (read-only) \??\R: 2024-11-15_a80d048f183b5f1faabd7701da03d0f4_cobalt-strike_luca-stealer_money-message.exe File opened (read-only) \??\S: 2024-11-15_a80d048f183b5f1faabd7701da03d0f4_cobalt-strike_luca-stealer_money-message.exe File opened (read-only) \??\T: 2024-11-15_a80d048f183b5f1faabd7701da03d0f4_cobalt-strike_luca-stealer_money-message.exe File opened (read-only) \??\D: 2024-11-15_a80d048f183b5f1faabd7701da03d0f4_cobalt-strike_luca-stealer_money-message.exe File opened (read-only) \??\I: 2024-11-15_a80d048f183b5f1faabd7701da03d0f4_cobalt-strike_luca-stealer_money-message.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
2024-11-15_a80d048f183b5f1faabd7701da03d0f4_cobalt-strike_luca-stealer_money-message.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-11-15_a80d048f183b5f1faabd7701da03d0f4_cobalt-strike_luca-stealer_money-message.exe -
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exepid Process 2740 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 31 IoCs
Processes:
2024-11-15_a80d048f183b5f1faabd7701da03d0f4_cobalt-strike_luca-stealer_money-message.exepid Process 2084 2024-11-15_a80d048f183b5f1faabd7701da03d0f4_cobalt-strike_luca-stealer_money-message.exe 2084 2024-11-15_a80d048f183b5f1faabd7701da03d0f4_cobalt-strike_luca-stealer_money-message.exe 2084 2024-11-15_a80d048f183b5f1faabd7701da03d0f4_cobalt-strike_luca-stealer_money-message.exe 2084 2024-11-15_a80d048f183b5f1faabd7701da03d0f4_cobalt-strike_luca-stealer_money-message.exe 2084 2024-11-15_a80d048f183b5f1faabd7701da03d0f4_cobalt-strike_luca-stealer_money-message.exe 2084 2024-11-15_a80d048f183b5f1faabd7701da03d0f4_cobalt-strike_luca-stealer_money-message.exe 2084 2024-11-15_a80d048f183b5f1faabd7701da03d0f4_cobalt-strike_luca-stealer_money-message.exe 2084 2024-11-15_a80d048f183b5f1faabd7701da03d0f4_cobalt-strike_luca-stealer_money-message.exe 2084 2024-11-15_a80d048f183b5f1faabd7701da03d0f4_cobalt-strike_luca-stealer_money-message.exe 2084 2024-11-15_a80d048f183b5f1faabd7701da03d0f4_cobalt-strike_luca-stealer_money-message.exe 2084 2024-11-15_a80d048f183b5f1faabd7701da03d0f4_cobalt-strike_luca-stealer_money-message.exe 2084 2024-11-15_a80d048f183b5f1faabd7701da03d0f4_cobalt-strike_luca-stealer_money-message.exe 2084 2024-11-15_a80d048f183b5f1faabd7701da03d0f4_cobalt-strike_luca-stealer_money-message.exe 2084 2024-11-15_a80d048f183b5f1faabd7701da03d0f4_cobalt-strike_luca-stealer_money-message.exe 2084 2024-11-15_a80d048f183b5f1faabd7701da03d0f4_cobalt-strike_luca-stealer_money-message.exe 2084 2024-11-15_a80d048f183b5f1faabd7701da03d0f4_cobalt-strike_luca-stealer_money-message.exe 2084 2024-11-15_a80d048f183b5f1faabd7701da03d0f4_cobalt-strike_luca-stealer_money-message.exe 2084 2024-11-15_a80d048f183b5f1faabd7701da03d0f4_cobalt-strike_luca-stealer_money-message.exe 2084 2024-11-15_a80d048f183b5f1faabd7701da03d0f4_cobalt-strike_luca-stealer_money-message.exe 2084 2024-11-15_a80d048f183b5f1faabd7701da03d0f4_cobalt-strike_luca-stealer_money-message.exe 2084 2024-11-15_a80d048f183b5f1faabd7701da03d0f4_cobalt-strike_luca-stealer_money-message.exe 2084 2024-11-15_a80d048f183b5f1faabd7701da03d0f4_cobalt-strike_luca-stealer_money-message.exe 2084 2024-11-15_a80d048f183b5f1faabd7701da03d0f4_cobalt-strike_luca-stealer_money-message.exe 2084 2024-11-15_a80d048f183b5f1faabd7701da03d0f4_cobalt-strike_luca-stealer_money-message.exe 2084 2024-11-15_a80d048f183b5f1faabd7701da03d0f4_cobalt-strike_luca-stealer_money-message.exe 2084 2024-11-15_a80d048f183b5f1faabd7701da03d0f4_cobalt-strike_luca-stealer_money-message.exe 2084 2024-11-15_a80d048f183b5f1faabd7701da03d0f4_cobalt-strike_luca-stealer_money-message.exe 2084 2024-11-15_a80d048f183b5f1faabd7701da03d0f4_cobalt-strike_luca-stealer_money-message.exe 2084 2024-11-15_a80d048f183b5f1faabd7701da03d0f4_cobalt-strike_luca-stealer_money-message.exe 2084 2024-11-15_a80d048f183b5f1faabd7701da03d0f4_cobalt-strike_luca-stealer_money-message.exe 2084 2024-11-15_a80d048f183b5f1faabd7701da03d0f4_cobalt-strike_luca-stealer_money-message.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
2024-11-15_a80d048f183b5f1faabd7701da03d0f4_cobalt-strike_luca-stealer_money-message.exevssvc.exedescription pid Process Token: SeAssignPrimaryTokenPrivilege 2084 2024-11-15_a80d048f183b5f1faabd7701da03d0f4_cobalt-strike_luca-stealer_money-message.exe Token: SeBackupPrivilege 2888 vssvc.exe Token: SeRestorePrivilege 2888 vssvc.exe Token: SeAuditPrivilege 2888 vssvc.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
2024-11-15_a80d048f183b5f1faabd7701da03d0f4_cobalt-strike_luca-stealer_money-message.execmd.exedescription pid Process procid_target PID 2084 wrote to memory of 2436 2084 2024-11-15_a80d048f183b5f1faabd7701da03d0f4_cobalt-strike_luca-stealer_money-message.exe 33 PID 2084 wrote to memory of 2436 2084 2024-11-15_a80d048f183b5f1faabd7701da03d0f4_cobalt-strike_luca-stealer_money-message.exe 33 PID 2084 wrote to memory of 2436 2084 2024-11-15_a80d048f183b5f1faabd7701da03d0f4_cobalt-strike_luca-stealer_money-message.exe 33 PID 2084 wrote to memory of 2436 2084 2024-11-15_a80d048f183b5f1faabd7701da03d0f4_cobalt-strike_luca-stealer_money-message.exe 33 PID 2436 wrote to memory of 2740 2436 cmd.exe 35 PID 2436 wrote to memory of 2740 2436 cmd.exe 35 PID 2436 wrote to memory of 2740 2436 cmd.exe 35 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-11-15_a80d048f183b5f1faabd7701da03d0f4_cobalt-strike_luca-stealer_money-message.exe"C:\Users\Admin\AppData\Local\Temp\2024-11-15_a80d048f183b5f1faabd7701da03d0f4_cobalt-strike_luca-stealer_money-message.exe"1⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2084 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:2436 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:2740
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2888
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1