Analysis Overview
SHA256
41c651cd03e40f9991bb09802947717b604a62f658474d6e7974dfdc80ef1705
Threat Level: Likely malicious
The file 2024-11-15_a80d048f183b5f1faabd7701da03d0f4_cobalt-strike_luca-stealer_money-message was found to be: Likely malicious.
Malicious Activity Summary
Deletes shadow copies
Checks computer location settings
Reads user/profile data of web browsers
Enumerates connected drives
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Interacts with shadow copies
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-15 01:06
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-15 01:06
Reported
2024-11-15 01:09
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Deletes shadow copies
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2024-11-15_a80d048f183b5f1faabd7701da03d0f4_cobalt-strike_luca-stealer_money-message.exe | N/A |
Reads user/profile data of web browsers
Enumerates connected drives
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-15_a80d048f183b5f1faabd7701da03d0f4_cobalt-strike_luca-stealer_money-message.exe | N/A |
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-15_a80d048f183b5f1faabd7701da03d0f4_cobalt-strike_luca-stealer_money-message.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 756 wrote to memory of 3980 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-15_a80d048f183b5f1faabd7701da03d0f4_cobalt-strike_luca-stealer_money-message.exe | C:\Windows\System32\cmd.exe |
| PID 756 wrote to memory of 3980 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-15_a80d048f183b5f1faabd7701da03d0f4_cobalt-strike_luca-stealer_money-message.exe | C:\Windows\System32\cmd.exe |
| PID 3980 wrote to memory of 5020 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\vssadmin.exe |
| PID 3980 wrote to memory of 5020 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\vssadmin.exe |
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\2024-11-15_a80d048f183b5f1faabd7701da03d0f4_cobalt-strike_luca-stealer_money-message.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-15_a80d048f183b5f1faabd7701da03d0f4_cobalt-strike_luca-stealer_money-message.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-15 01:06
Reported
2024-11-15 01:09
Platform
win7-20241010-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Deletes shadow copies
Reads user/profile data of web browsers
Enumerates connected drives
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-15_a80d048f183b5f1faabd7701da03d0f4_cobalt-strike_luca-stealer_money-message.exe | N/A |
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-15_a80d048f183b5f1faabd7701da03d0f4_cobalt-strike_luca-stealer_money-message.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\2024-11-15_a80d048f183b5f1faabd7701da03d0f4_cobalt-strike_luca-stealer_money-message.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-15_a80d048f183b5f1faabd7701da03d0f4_cobalt-strike_luca-stealer_money-message.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe