Windows Analysis Report
gJtW7azO4o.exe

Overview

General Information

Sample name: gJtW7azO4o.exe
renamed because original name is a hash value
Original sample name: 8dbd0ea7fed26a8963c847daa3ede4574822c036342e3bc787160fadb065f20d.exe
Analysis ID: 1542743
MD5: f0d90fa9d8b8dfdb5861d9506ec6b41c
SHA1: f81a4b95d1f9546b4ed231f5affab9304a894bf1
SHA256: 8dbd0ea7fed26a8963c847daa3ede4574822c036342e3bc787160fadb065f20d
Tags: 20-25-126-96, exe, user-JAMESWT_MHT

Detection

CobaltStrike
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected CobaltStrike
Yara detected Powershell download and execute
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to detect sleep reduction / modifications
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Internet Provider seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
PE file contains more sections than normal
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name: Cobalt Strike, CobaltStrike
Description: Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon offers the attacker a wealth of functionality, including, but not limited to, command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less, in that it consists of stageless or multi-stage shellcode that, once loaded by exploiting a vulnerability or executing a shellcode loader, will reflectively load itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS, SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit. The Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable.
Attribution:
  • APT 29
  • APT32
  • APT41
  • AQUATIC PANDA
  • Anunak
  • Cobalt
  • Codoso
  • CopyKittens
  • DarkHydrus
  • Earth Baxia
  • FIN6
  • FIN7
  • Leviathan
  • Mustang Panda
  • Shell Crew
  • Stone Panda
  • TianWu
  • UNC1878
  • UNC2452
  • Winnti Umbrella
Blogpost URLs: none
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike

AV Detection

Source: gJtW7azO4o.exe Avira: detected
Source: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp Malware Configuration Extractor: CobaltStrike {"BeaconType": ["HTTPS"], "Port": 443, "SleepTime": 60000, "MaxGetSize": 1048576, "Jitter": 0, "C2Server": "20.25.126.96,/j.ad", "HttpPostUri": "/submit.php", "Malleable_C2_Instructions": [], "HttpGet_Verb": "GET", "HttpPost_Verb": "POST", "HttpPostChunk": 0, "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe", "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe", "CryptoScheme": 0, "Proxy_Behavior": "Use IE settings", "Watermark": 987654321, "bStageCleanup": "False", "bCFGCaution": "False", "KillDate": 0, "bProcInject_StartRWX": "True", "bProcInject_UseRWX": "True", "bProcInject_MinAllocSize": 0, "ProcInject_PrependAppend_x86": "Empty", "ProcInject_PrependAppend_x64": "Empty", "ProcInject_Execute": ["CreateThread", "SetThreadContext", "CreateRemoteThread", "RtlCreateUserThread"], "ProcInject_AllocationMethod": "VirtualAllocEx", "bUsesCookies": "True", "HostHeader": ""}
Source: gJtW7azO4o.exe ReversingLabs: Detection: 63%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: gJtW7azO4o.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\gJtW7azO4o.exe Code function: 0_2_00000200393B1184 CryptAcquireContextA,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 0_2_00000200393B1184
Source: C:\Users\user\Desktop\gJtW7azO4o.exe Code function: 0_2_00000200393E2020 CryptGenRandom, 0_2_00000200393E2020
Source: C:\Users\user\Desktop\gJtW7azO4o.exe Code function: 0_2_00000200393E2010 CryptReleaseContext, 0_2_00000200393E2010
Source: gJtW7azO4o.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\gJtW7azO4o.exe Code function: 0_2_00000200393C9220 malloc,_snprintf,FindFirstFileA,free,malloc,_snprintf,free,FindNextFileA,FindClose, 0_2_00000200393C9220
Source: C:\Users\user\Desktop\gJtW7azO4o.exe Code function: 0_2_00000200393C1C30 malloc,GetCurrentDirectoryA,FindFirstFileA,GetLastError,free,free,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FindNextFileA,FindClose, 0_2_00000200393C1C30
Source: C:\Users\user\Desktop\gJtW7azO4o.exe Code function: 4x nop then sub rsp, 58h 0_2_00007FF7B3AD2E70

Networking

Source: Malware configuration extractor URLs: 20.25.126.96
Source: Joe Sandbox View ASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS MICROSOFT-CORP-MSN-AS-BLOCKUS
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.10:49703 -> 20.25.126.96:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.10:55401 -> 20.25.126.96:443
Source: unknown DNS traffic detected: query: 206.23.85.13.in-addr.arpa reply code: Name error (3)
Source: unknown TCP traffic detected without corresponding DNS query: 20.25.126.96 (28 identical events)
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\gJtW7azO4o.exe Code function: 0_2_00000200393BE68C _snprintf,_snprintf,_snprintf,HttpOpenRequestA,HttpSendRequestA,InternetQueryDataAvailable,InternetCloseHandle,InternetReadFile,InternetCloseHandle, 0_2_00000200393BE68C
Source: global traffic DNS traffic detected: DNS query: 206.23.85.13.in-addr.arpa
Source: gJtW7azO4o.exe, 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:%u/
Source: gJtW7azO4o.exe, 00000000.00000002.2696620369.00000200391F9000.00000004.00000020.00020000.00000000.sdmp, gJtW7azO4o.exe, 00000000.00000002.2696620369.00000200391BC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://20.25.126.96/
Source: gJtW7azO4o.exe, 00000000.00000002.2696800130.0000020039226000.00000004.00000020.00020000.00000000.sdmp, gJtW7azO4o.exe, 00000000.00000003.2100627365.0000020039226000.00000004.00000020.00020000.00000000.sdmp, gJtW7azO4o.exe, 00000000.00000003.2088536219.0000020039226000.00000004.00000020.00020000.00000000.sdmp, gJtW7azO4o.exe, 00000000.00000003.2100770472.0000020039226000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://20.25.126.96/.adc
Source: gJtW7azO4o.exe, 00000000.00000002.2696800130.0000020039226000.00000004.00000020.00020000.00000000.sdmp, gJtW7azO4o.exe, 00000000.00000003.2100627365.0000020039226000.00000004.00000020.00020000.00000000.sdmp, gJtW7azO4o.exe, 00000000.00000003.2088536219.0000020039226000.00000004.00000020.00020000.00000000.sdmp, gJtW7azO4o.exe, 00000000.00000003.2100770472.0000020039226000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://20.25.126.96/.ads
Source: gJtW7azO4o.exe, 00000000.00000002.2696620369.00000200391F9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://20.25.126.96/ecurity=Impersonation
Source: gJtW7azO4o.exe, 00000000.00000003.2088536219.000002003924C000.00000004.00000020.00020000.00000000.sdmp, gJtW7azO4o.exe, 00000000.00000002.2696620369.00000200391F9000.00000004.00000020.00020000.00000000.sdmp, gJtW7azO4o.exe, 00000000.00000003.2100710857.000002003924C000.00000004.00000020.00020000.00000000.sdmp, gJtW7azO4o.exe, 00000000.00000002.2696800130.000002003924C000.00000004.00000020.00020000.00000000.sdmp, gJtW7azO4o.exe, 00000000.00000002.2696620369.00000200391BC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://20.25.126.96/j.ad
Source: gJtW7azO4o.exe, 00000000.00000002.2696620369.00000200391F9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://20.25.126.96/j.ad2;C:
Source: gJtW7azO4o.exe, 00000000.00000003.2088536219.000002003924C000.00000004.00000020.00020000.00000000.sdmp, gJtW7azO4o.exe, 00000000.00000003.2100710857.000002003924C000.00000004.00000020.00020000.00000000.sdmp, gJtW7azO4o.exe, 00000000.00000002.2696800130.000002003924C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://20.25.126.96/j.ad4
Source: gJtW7azO4o.exe, 00000000.00000002.2696800130.0000020039226000.00000004.00000020.00020000.00000000.sdmp, gJtW7azO4o.exe, 00000000.00000003.2100627365.0000020039226000.00000004.00000020.00020000.00000000.sdmp, gJtW7azO4o.exe, 00000000.00000003.2088536219.0000020039226000.00000004.00000020.00020000.00000000.sdmp, gJtW7azO4o.exe, 00000000.00000003.2100770472.0000020039226000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://20.25.126.96/j.adG
Source: gJtW7azO4o.exe, 00000000.00000003.2088536219.000002003924C000.00000004.00000020.00020000.00000000.sdmp, gJtW7azO4o.exe, 00000000.00000003.2100710857.000002003924C000.00000004.00000020.00020000.00000000.sdmp, gJtW7azO4o.exe, 00000000.00000002.2696800130.000002003924C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://20.25.126.96/j.adSPb
Source: gJtW7azO4o.exe, 00000000.00000002.2696620369.00000200391F9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://20.25.126.96/j.adSystem3
Source: gJtW7azO4o.exe, 00000000.00000002.2696800130.0000020039226000.00000004.00000020.00020000.00000000.sdmp, gJtW7azO4o.exe, 00000000.00000003.2100627365.0000020039226000.00000004.00000020.00020000.00000000.sdmp, gJtW7azO4o.exe, 00000000.00000003.2088536219.0000020039226000.00000004.00000020.00020000.00000000.sdmp, gJtW7azO4o.exe, 00000000.00000003.2100770472.0000020039226000.00000004.00000020.00020000.00000000.sdmp, gJtW7azO4o.exe, 00000000.00000003.1469738037.0000020039226000.00000004.00000020.00020000.00000000.sdmp, gJtW7azO4o.exe, 00000000.00000003.2069707591.0000020039226000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://20.25.126.96/j.adw
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55403
Source: unknown Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55401
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55402
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown Network traffic detected: HTTP traffic on port 55403 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown Network traffic detected: HTTP traffic on port 55402 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 55401 -> 443

System Summary

Source: 0.2.gJtW7azO4o.exe.200390f0000.0.unpack, type: UNPACKEDPE Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 0.2.gJtW7azO4o.exe.200390f0000.0.unpack, type: UNPACKEDPE Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 0.2.gJtW7azO4o.exe.200390f0000.0.unpack, type: UNPACKEDPE Matched rule: Rule for beacon reflective loader Author: unknown
Source: 0.2.gJtW7azO4o.exe.200390f0000.0.unpack, type: UNPACKEDPE Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 0.2.gJtW7azO4o.exe.200390f0000.0.unpack, type: UNPACKEDPE Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 0.2.gJtW7azO4o.exe.200393b0000.1.unpack, type: UNPACKEDPE Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 0.2.gJtW7azO4o.exe.200393b0000.1.unpack, type: UNPACKEDPE Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 0.2.gJtW7azO4o.exe.200393b0000.1.unpack, type: UNPACKEDPE Matched rule: Rule for beacon reflective loader Author: unknown
Source: 0.2.gJtW7azO4o.exe.200393b0000.1.unpack, type: UNPACKEDPE Matched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
Source: 0.2.gJtW7azO4o.exe.200393b0000.1.unpack, type: UNPACKEDPE Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 0.2.gJtW7azO4o.exe.200393b0000.1.unpack, type: UNPACKEDPE Matched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
Source: 0.2.gJtW7azO4o.exe.200393b0000.1.unpack, type: UNPACKEDPE Matched rule: Detects Cobalt Strike loader Author: @VK_Intel
Source: 0.2.gJtW7azO4o.exe.200393b0000.1.unpack, type: UNPACKEDPE Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 0.2.gJtW7azO4o.exe.200393b0000.1.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.2.gJtW7azO4o.exe.200393b0000.1.unpack, type: UNPACKEDPE Matched rule: CobaltStrike payload Author: ditekSHen
Source: 0.2.gJtW7azO4o.exe.200390f0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 0.2.gJtW7azO4o.exe.200390f0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 0.2.gJtW7azO4o.exe.200390f0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Rule for beacon reflective loader Author: unknown
Source: 0.2.gJtW7azO4o.exe.200390f0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
Source: 0.2.gJtW7azO4o.exe.200390f0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 0.2.gJtW7azO4o.exe.200390f0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
Source: 0.2.gJtW7azO4o.exe.200390f0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Cobalt Strike loader Author: @VK_Intel
Source: 0.2.gJtW7azO4o.exe.200390f0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 0.2.gJtW7azO4o.exe.200390f0000.0.raw.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.2.gJtW7azO4o.exe.200390f0000.0.raw.unpack, type: UNPACKEDPE Matched rule: CobaltStrike payload Author: ditekSHen
Source: 0.2.gJtW7azO4o.exe.200393b0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 0.2.gJtW7azO4o.exe.200393b0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 0.2.gJtW7azO4o.exe.200393b0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Rule for beacon reflective loader Author: unknown
Source: 0.2.gJtW7azO4o.exe.200393b0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
Source: 0.2.gJtW7azO4o.exe.200393b0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 0.2.gJtW7azO4o.exe.200393b0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
Source: 0.2.gJtW7azO4o.exe.200393b0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Cobalt Strike loader Author: @VK_Intel
Source: 0.2.gJtW7azO4o.exe.200393b0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 0.2.gJtW7azO4o.exe.200393b0000.1.raw.unpack, type: UNPACKEDPE Matched rule: CobaltStrike payload Author: ditekSHen
Source: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
Source: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
Source: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Cobalt Strike loader Author: @VK_Intel
Source: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: CobaltStrike payload Author: ditekSHen
Source: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
Source: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
Source: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects Cobalt Strike loader Author: @VK_Intel
Source: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: CobaltStrike payload Author: ditekSHen
Source: Process Memory Space: gJtW7azO4o.exe PID: 7116, type: MEMORYSTR Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: Process Memory Space: gJtW7azO4o.exe PID: 7116, type: MEMORYSTR Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: Process Memory Space: gJtW7azO4o.exe PID: 7116, type: MEMORYSTR Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: C:\Users\user\Desktop\gJtW7azO4o.exe Code function: 0_2_00007FF7B3AD1C97 GetCurrentProcess,NtSetTimer, 0_2_00007FF7B3AD1C97
Source: C:\Users\user\Desktop\gJtW7azO4o.exe Code function: 0_2_00007FF7B3AD14D8 GetCurrentProcess,GetCurrentProcess,NtAlpcCreatePortSection,GetCurrentProcess,GetCurrentProcess,NtCreatePagingFile, 0_2_00007FF7B3AD14D8
Source: C:\Users\user\Desktop\gJtW7azO4o.exe Code function: 0_2_00007FF7B3AD1C4B NtAccessCheckAndAuditAlarm, 0_2_00007FF7B3AD1C4B
Source: C:\Users\user\Desktop\gJtW7azO4o.exe Code function: 0_2_00007FF7B3AD16CA GetCurrentProcess,GetCurrentProcess,NtCreateJobSet,GetCurrentProcess,NtCompareSigningLevels, 0_2_00007FF7B3AD16CA
Source: C:\Users\user\Desktop\gJtW7azO4o.exe Code function: 0_2_00000200393C1268 CreateProcessWithLogonW,GetLastError, 0_2_00000200393C1268
Source: C:\Users\user\Desktop\gJtW7azO4o.exe Code function: 0_2_0000020039100334 0_2_0000020039100334
Source: C:\Users\user\Desktop\gJtW7azO4o.exe Code function: 0_2_0000020039110374 0_2_0000020039110374
Source: C:\Users\user\Desktop\gJtW7azO4o.exe Code function: 0_2_000002003911C397 0_2_000002003911C397
Source: C:\Users\user\Desktop\gJtW7azO4o.exe Code function: 0_2_000002003911239C 0_2_000002003911239C
Source: C:\Users\user\Desktop\gJtW7azO4o.exe Code function: 0_2_0000020039111264 0_2_0000020039111264
Source: C:\Users\user\Desktop\gJtW7azO4o.exe Code function: 0_2_000002003911AAB0 0_2_000002003911AAB0
Source: C:\Users\user\Desktop\gJtW7azO4o.exe Code function: 0_2_000002003910F5A8 0_2_000002003910F5A8
Source: C:\Users\user\Desktop\gJtW7azO4o.exe Code function: 0_2_0000020039106F38 0_2_0000020039106F38
Source: C:\Users\user\Desktop\gJtW7azO4o.exe Code function: 0_2_000002003911B7B0 0_2_000002003911B7B0
Source: C:\Users\user\Desktop\gJtW7azO4o.exe Code function: 0_2_000002003911CFF0 0_2_000002003911CFF0
Source: C:\Users\user\Desktop\gJtW7azO4o.exe Code function: 0_2_000002003911E600 0_2_000002003911E600
Source: C:\Users\user\Desktop\gJtW7azO4o.exe Code function: 0_2_00000200390FCE3C 0_2_00000200390FCE3C
Source: C:\Users\user\Desktop\gJtW7azO4o.exe Code function: 0_2_00000200390F9680 0_2_00000200390F9680
Source: C:\Users\user\Desktop\gJtW7azO4o.exe Code function: 0_2_000002003911C680 0_2_000002003911C680
Source: C:\Users\user\Desktop\gJtW7azO4o.exe Code function: 0_2_0000020039115914 0_2_0000020039115914
Source: C:\Users\user\Desktop\gJtW7azO4o.exe Code function: 0_2_0000020039111928 0_2_0000020039111928
Source: C:\Users\user\Desktop\gJtW7azO4o.exe Code function: 0_2_00000200390F916C 0_2_00000200390F916C
Source: C:\Users\user\Desktop\gJtW7azO4o.exe Code function: 0_2_00000200393C7B38 0_2_00000200393C7B38
Source: C:\Users\user\Desktop\gJtW7azO4o.exe Code function: 0_2_00000200393DC3B0 0_2_00000200393DC3B0
Source: C:\Users\user\Desktop\gJtW7azO4o.exe Code function: 0_2_00000200393DDBF0 0_2_00000200393DDBF0
Source: C:\Users\user\Desktop\gJtW7azO4o.exe Code function: 0_2_00000200393BDA3C 0_2_00000200393BDA3C
Source: C:\Users\user\Desktop\gJtW7azO4o.exe Code function: 0_2_00000200393DF200 0_2_00000200393DF200
Source: C:\Users\user\Desktop\gJtW7azO4o.exe Code function: 0_2_00000200393BA280 0_2_00000200393BA280
Source: C:\Users\user\Desktop\gJtW7azO4o.exe Code function: 0_2_00000200393DD280 0_2_00000200393DD280
Source: C:\Users\user\Desktop\gJtW7azO4o.exe Code function: 0_2_00000200393D2528 0_2_00000200393D2528
Source: C:\Users\user\Desktop\gJtW7azO4o.exe Code function: 0_2_00000200393D6514 0_2_00000200393D6514
Source: C:\Users\user\Desktop\gJtW7azO4o.exe Code function: 0_2_00000200393B9D6C 0_2_00000200393B9D6C
Source: C:\Users\user\Desktop\gJtW7azO4o.exe Code function: 0_2_00000200393C0F34 0_2_00000200393C0F34
Source: C:\Users\user\Desktop\gJtW7azO4o.exe Code function: 0_2_00000200393D0F74 0_2_00000200393D0F74
Source: C:\Users\user\Desktop\gJtW7azO4o.exe Code function: 0_2_00000200393D2F9C 0_2_00000200393D2F9C
Source: C:\Users\user\Desktop\gJtW7azO4o.exe Code function: 0_2_00000200393DCF97 0_2_00000200393DCF97
Source: C:\Users\user\Desktop\gJtW7azO4o.exe Code function: 0_2_00000200393C867C 0_2_00000200393C867C
Source: C:\Users\user\Desktop\gJtW7azO4o.exe Code function: 0_2_00000200393D1E64 0_2_00000200393D1E64
Source: C:\Users\user\Desktop\gJtW7azO4o.exe Code function: 0_2_00000200393DB6B0 0_2_00000200393DB6B0
Source: C:\Users\user\Desktop\gJtW7azO4o.exe Code function: 0_2_00000200393D01A8 0_2_00000200393D01A8
Source: gJtW7azO4o.exe Static PE information: Number of sections : 11 > 10
Source: gJtW7azO4o.exe, 00000000.00000002.2697179648.00007FF7B3B36000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameEXPLORER.EXEj% vs gJtW7azO4o.exe
Source: gJtW7azO4o.exe Binary or memory string: OriginalFilenameEXPLORER.EXEj% vs gJtW7azO4o.exe
Source: 0.2.gJtW7azO4o.exe.200390f0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 0.2.gJtW7azO4o.exe.200390f0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 0.2.gJtW7azO4o.exe.200390f0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 0.2.gJtW7azO4o.exe.200390f0000.0.unpack, type: UNPACKEDPE Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 0.2.gJtW7azO4o.exe.200390f0000.0.unpack, type: UNPACKEDPE Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.gJtW7azO4o.exe.200393b0000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 0.2.gJtW7azO4o.exe.200393b0000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 0.2.gJtW7azO4o.exe.200393b0000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 0.2.gJtW7azO4o.exe.200393b0000.1.unpack, type: UNPACKEDPE Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.gJtW7azO4o.exe.200393b0000.1.unpack, type: UNPACKEDPE Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 0.2.gJtW7azO4o.exe.200393b0000.1.unpack, type: UNPACKEDPE Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.gJtW7azO4o.exe.200393b0000.1.unpack, type: UNPACKEDPE Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
Source: 0.2.gJtW7azO4o.exe.200393b0000.1.unpack, type: UNPACKEDPE Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.gJtW7azO4o.exe.200393b0000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.2.gJtW7azO4o.exe.200393b0000.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
Source: 0.2.gJtW7azO4o.exe.200390f0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 0.2.gJtW7azO4o.exe.200390f0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 0.2.gJtW7azO4o.exe.200390f0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 0.2.gJtW7azO4o.exe.200390f0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.gJtW7azO4o.exe.200390f0000.0.raw.unpack, type: UNPACKEDPE Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 0.2.gJtW7azO4o.exe.200390f0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.gJtW7azO4o.exe.200390f0000.0.raw.unpack, type: UNPACKEDPE Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
Source: 0.2.gJtW7azO4o.exe.200390f0000.0.raw.unpack, type: UNPACKEDPE Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.gJtW7azO4o.exe.200390f0000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.2.gJtW7azO4o.exe.200390f0000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
Source: 0.2.gJtW7azO4o.exe.200393b0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 0.2.gJtW7azO4o.exe.200393b0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 0.2.gJtW7azO4o.exe.200393b0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 0.2.gJtW7azO4o.exe.200393b0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.gJtW7azO4o.exe.200393b0000.1.raw.unpack, type: UNPACKEDPE Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 0.2.gJtW7azO4o.exe.200393b0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.gJtW7azO4o.exe.200393b0000.1.raw.unpack, type: UNPACKEDPE Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
Source: 0.2.gJtW7azO4o.exe.200393b0000.1.raw.unpack, type: UNPACKEDPE Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.gJtW7azO4o.exe.200393b0000.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
Source: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
Source: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
Source: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
Source: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
Source: Process Memory Space: gJtW7azO4o.exe PID: 7116, type: MEMORYSTR Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: Process Memory Space: gJtW7azO4o.exe PID: 7116, type: MEMORYSTR Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: Process Memory Space: gJtW7azO4o.exe PID: 7116, type: MEMORYSTR Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
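The rule matches above repeat the same handful of rules across six sources (the two unpacked PEs in mapped and raw form, two memory dumps, and the process string space), which makes it hard to see at a glance which rules are robust. The small parser below is an added example, not part of the Joe Sandbox report or of any Joe Sandbox API: it consolidates lines in the report's own "Source: ..., type: ... Matched rule: ..." text layout into a per-rule view, counting how many distinct sources each rule fired on and in which scan contexts (UNPACKEDPE, MEMORY, MEMORYSTR). The embedded input is a constructed subset of the lines above with their metadata trimmed; the regex is an assumption about this extracted text format.

```python
"""Consolidate Joe Sandbox 'Matched rule' lines into a per-rule view (added example)."""
import re
from collections import defaultdict

# One report line looks like:
#   Source: <source>, type: <SCAN_CONTEXT> Matched rule: <rule_name> <metadata...>
# The regex is an assumption about this extracted text layout, not a Joe Sandbox API.
MATCH_RE = re.compile(
    r"^Source:\s+(?P<source>.+?),\s+type:\s+(?P<ctx>\S+)\s+Matched rule:\s+(?P<rule>\S+)"
)

# Constructed input: a subset of the report lines above, metadata trimmed. The last line
# is a non-match (the classification line) to show that unrelated lines are ignored.
SAMPLE_LINES = """\
Source: 0.2.gJtW7azO4o.exe.200390f0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_f0b627fc os = windows, license = Elastic License v2
Source: 0.2.gJtW7azO4o.exe.200390f0000.0.unpack, type: UNPACKEDPE Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net
Source: 0.2.gJtW7azO4o.exe.200393b0000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, license = Elastic License v2
Source: 0.2.gJtW7azO4o.exe.200393b0000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_f0b627fc os = windows, license = Elastic License v2
Source: 0.2.gJtW7azO4o.exe.200393b0000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen
Source: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows
Source: Process Memory Space: gJtW7azO4o.exe PID: 7116, type: MEMORYSTR Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net
Source: classification engine Classification label: mal100.troj.evad.winEXE@1/0@1/1
"""


def parse_matches(text):
    """Return {rule: {source: scan_context}}; lines that are not rule matches are skipped."""
    hits = defaultdict(dict)
    for line in text.splitlines():
        m = MATCH_RE.match(line.strip())
        if m:
            hits[m["rule"]][m["source"]] = m["ctx"]
    return dict(hits)


def scan_contexts(hits):
    """For each rule, the sorted set of scan contexts it fired in."""
    return {rule: sorted(set(srcs.values())) for rule, srcs in hits.items()}


def rank_rules(hits):
    """Rule names ordered by number of distinct sources hit (most first), then by name."""
    return sorted(hits, key=lambda rule: (-len(hits[rule]), rule))


def summarize(text):
    """(rule, source_count, [contexts]) rows, most widely matching rule first."""
    hits = parse_matches(text)
    ctx = scan_contexts(hits)
    return [(rule, len(hits[rule]), ctx[rule]) for rule in rank_rules(hits)]


if __name__ == "__main__":
    for rule, n, contexts in summarize(SAMPLE_LINES):
        print(f"{rule:45s} sources={n}  contexts={','.join(contexts)}")
```

Run against the full list above, the rules that also fire in MEMORYSTR (Windows_Trojan_CobaltStrike_ee756db7, CobaltStrike_Unmodifed_Beacon, WiltedTulip_ReflectiveLoader) are the ones that matched without a reconstructed PE, so they are the candidates to carry into a strings-only memory scan; the rest needed the unpacked image or a region dump.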
Source: classification engine Classification label: mal100.troj.evad.winEXE@1/0@1/1
Source: C:\Users\user\Desktop\gJtW7azO4o.exe Code function: 0_2_00000200393C0B70 LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 0_2_00000200393C0B70
Source: C:\Users\user\Desktop\gJtW7azO4o.exe Code function: 0_2_00000200393C3A64 CreateThread,GetModuleHandleA,GetProcAddress,CreateToolhelp32Snapshot,Thread32Next,Sleep, 0_2_00000200393C3A64
Source: gJtW7azO4o.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\gJtW7azO4o.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: gJtW7azO4o.exe ReversingLabs: Detection: 63%
Source: C:\Users\user\Desktop\gJtW7azO4o.exe File read: C:\Users\user\Desktop\gJtW7azO4o.exe
Source: C:\Users\user\Desktop\gJtW7azO4o.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\gJtW7azO4o.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\gJtW7azO4o.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\gJtW7azO4o.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\gJtW7azO4o.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\gJtW7azO4o.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\gJtW7azO4o.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\gJtW7azO4o.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\gJtW7azO4o.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\gJtW7azO4o.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\gJtW7azO4o.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\gJtW7azO4o.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\gJtW7azO4o.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\gJtW7azO4o.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\gJtW7azO4o.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\gJtW7azO4o.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\gJtW7azO4o.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\gJtW7azO4o.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\gJtW7azO4o.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\gJtW7azO4o.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\gJtW7azO4o.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: gJtW7azO4o.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: gJtW7azO4o.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\gJtW7azO4o.exe Code function: 0_2_00000200393D9744 EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_00000200393D9744
Source: gJtW7azO4o.exe Static PE information: section name: .xdata
Source: C:\Users\user\Desktop\gJtW7azO4o.exe Code function: 0_2_000002003912776C push 0000006Ah; retf 0_2_0000020039127784
Source: C:\Users\user\Desktop\gJtW7azO4o.exe Code function: 0_2_00000200393E916C push 0000006Ah; retf 0_2_00000200393E9184
Source: C:\Users\user\Desktop\gJtW7azO4o.exe Code function: 0_2_00000200393D01A8 EncodePointer,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00000200393D01A8

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\gJtW7azO4o.exe Code function: 0_2_00000200393BFA1C 0_2_00000200393BFA1C
Source: C:\Users\user\Desktop\gJtW7azO4o.exe Code function: 0_2_00000200393C5854 0_2_00000200393C5854
Source: C:\Users\user\Desktop\gJtW7azO4o.exe Evasive API call chain: GetLocalTime,DecisionNodes
Source: C:\Users\user\Desktop\gJtW7azO4o.exe API coverage: 7.1 %
Source: C:\Users\user\Desktop\gJtW7azO4o.exe Code function: 0_2_00000200393C9220 malloc,_snprintf,FindFirstFileA,free,malloc,_snprintf,free,FindNextFileA,FindClose, 0_2_00000200393C9220
Source: C:\Users\user\Desktop\gJtW7azO4o.exe Code function: 0_2_00000200393C1C30 malloc,GetCurrentDirectoryA,FindFirstFileA,GetLastError,free,free,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FindNextFileA,FindClose, 0_2_00000200393C1C30
Source: gJtW7azO4o.exe, 00000000.00000002.2696800130.0000020039226000.00000004.00000020.00020000.00000000.sdmp, gJtW7azO4o.exe, 00000000.00000003.2100627365.0000020039226000.00000004.00000020.00020000.00000000.sdmp, gJtW7azO4o.exe, 00000000.00000003.2088536219.0000020039226000.00000004.00000020.00020000.00000000.sdmp, gJtW7azO4o.exe, 00000000.00000003.2100770472.0000020039226000.00000004.00000020.00020000.00000000.sdmp, gJtW7azO4o.exe, 00000000.00000003.1469738037.0000020039226000.00000004.00000020.00020000.00000000.sdmp, gJtW7azO4o.exe, 00000000.00000003.2069707591.0000020039226000.00000004.00000020.00020000.00000000.sdmp, gJtW7azO4o.exe, 00000000.00000002.2696620369.00000200391BC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: gJtW7azO4o.exe, 00000000.00000002.2696800130.0000020039226000.00000004.00000020.00020000.00000000.sdmp, gJtW7azO4o.exe, 00000000.00000003.2100627365.0000020039226000.00000004.00000020.00020000.00000000.sdmp, gJtW7azO4o.exe, 00000000.00000003.2088536219.0000020039226000.00000004.00000020.00020000.00000000.sdmp, gJtW7azO4o.exe, 00000000.00000003.2100770472.0000020039226000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWi
Source: C:\Users\user\Desktop\gJtW7azO4o.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\gJtW7azO4o.exe Code function: 0_2_00000200393D8B30 IsDebuggerPresent,__crtUnhandledException, 0_2_00000200393D8B30
Source: C:\Users\user\Desktop\gJtW7azO4o.exe Code function: 0_2_00000200393D9744 EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_00000200393D9744
Source: C:\Users\user\Desktop\gJtW7azO4o.exe Code function: 0_2_00000200393E03C8 VirtualQuery,GetModuleFileNameW,GetPdbDllFromInstallPath,GetProcAddress,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree, 0_2_00000200393E03C8
Source: C:\Users\user\Desktop\gJtW7azO4o.exe Code function: 0_2_00000200393E24F0 SetUnhandledExceptionFilter, 0_2_00000200393E24F0
Source: C:\Users\user\Desktop\gJtW7azO4o.exe Code function: 0_2_00000200393D44D0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00000200393D44D0
Source: C:\Users\user\Desktop\gJtW7azO4o.exe Code function: 0_2_00007FF7B3AD1180 Sleep,Sleep,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_initterm, 0_2_00007FF7B3AD1180
Source: C:\Users\user\Desktop\gJtW7azO4o.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: Yara match File source: Process Memory Space: gJtW7azO4o.exe PID: 7116, type: MEMORYSTR
Source: C:\Users\user\Desktop\gJtW7azO4o.exe NtMapViewOfSection: Indirect: 0x7FF7B3AD1D04
Source: C:\Users\user\Desktop\gJtW7azO4o.exe NtCreateThreadEx: Indirect: 0x7FF7B3AD17B1
Source: C:\Users\user\Desktop\gJtW7azO4o.exe NtProtectVirtualMemory: Indirect: 0x7FF7B3AD15F6
Source: C:\Users\user\Desktop\gJtW7azO4o.exe NtProtectVirtualMemory: Indirect: 0x7FF7B3AD1593
Source: C:\Users\user\Desktop\gJtW7azO4o.exe NtProtectVirtualMemory: Indirect: 0x7FF7B3AD1768
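The five "Indirect" lines above are the basis of the "Found direct / indirect Syscall (likely to bypass EDR)" signature: the call sites 0x7FF7B3AD1593 to 0x7FF7B3AD1D04 sit inside the sample's own image (compare the function at 0x7FF7B3AD1180 in the evasion section), not inside ntdll, so the syscall instruction ran in ntdll but its ret landed straight back in the loader, which is also the sequence (map view, change protection, create thread) used to start the reflectively loaded beacon. The classifier below is an added example, not Joe Sandbox or EDR code; it shows the return-address check behind such a finding. For each syscall event it records where the syscall instruction executed and where the stub's ret goes, and flags anything that does not return into a system DLL. The ntdll and kernelbase ranges, the main image size, the post-syscall address and the three control events are constructed assumptions; only the five 0x7FF7B3AD... call sites come from the report.

```python
"""Classify syscall events by where the syscall ran and where it returns to (added example)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Module:
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


@dataclass(frozen=True)
class SyscallEvent:
    name: str          # e.g. "NtMapViewOfSection"
    syscall_rip: int   # address just after the `syscall` instruction (where the kernel returns)
    return_addr: int   # [rsp] at syscall time: where the stub's `ret` goes next


# Modules expected to sit between application code and a syscall stub on a normal call path.
SYSTEM_CALLERS = {"ntdll.dll", "kernelbase.dll", "kernel32.dll"}


def module_for(addr: int, modules) -> Optional[Module]:
    """The loaded module covering addr, or None for an unbacked region."""
    for m in modules:
        if m.contains(addr):
            return m
    return None


def classify(ev: SyscallEvent, modules):
    """
    'direct'   : the syscall instruction itself is outside ntdll (inline syscall in the caller).
    'indirect' : syscall ran in ntdll, but its `ret` lands in code that is not a system DLL
                 (the caller jumped to ntdll's syscall gadget, or called ntdll directly from
                 its own image or from an unbacked region; the analyst then inspects the caller).
    'normal'   : syscall ran in ntdll and returns into a system DLL (kernelbase, kernel32, ...).
    Returns (verdict, caller module name or '<unbacked>').
    """
    sys_mod = module_for(ev.syscall_rip, modules)
    caller = module_for(ev.return_addr, modules)
    caller_name = caller.name if caller else "<unbacked>"
    if sys_mod is None or sys_mod.name != "ntdll.dll":
        return "direct", caller_name
    if caller_name not in SYSTEM_CALLERS:
        return "indirect", caller_name
    return "normal", caller_name


def triage(events, modules):
    """Only the events worth an analyst's time: (syscall, call site, verdict, caller)."""
    out = []
    for ev in events:
        verdict, caller = classify(ev, modules)
        if verdict != "normal":
            out.append((ev.name, hex(ev.return_addr), verdict, caller))
    return out


# Constructed module map: the main image size and the ntdll/kernelbase ranges are assumptions
# for this example. 0x7FF7B3AD0000 as the image base follows from the 0x7FF7B3AD1xxx addresses
# in the report (the static base 0x140000000 is relocated by ASLR).
MODULES = [
    Module("gJtW7azO4o.exe", 0x7FF7B3AD0000, 0x10000),
    Module("ntdll.dll",      0x7FFC12340000, 0x1F0000),
    Module("kernelbase.dll", 0x7FFC10000000, 0x300000),
]
NTDLL_SYSCALL_RET = 0x7FFC12340000 + 0x9D4B2   # assumed address right after a `syscall` in ntdll

# Constructed events: the first five use the 'Indirect' call sites listed in the report;
# the last three are synthetic controls (a normal kernelbase call, an inline syscall,
# and a caller in the unbacked region that holds the beacon).
EVENTS = [
    SyscallEvent("NtMapViewOfSection",      NTDLL_SYSCALL_RET, 0x7FF7B3AD1D04),
    SyscallEvent("NtCreateThreadEx",        NTDLL_SYSCALL_RET, 0x7FF7B3AD17B1),
    SyscallEvent("NtProtectVirtualMemory",  NTDLL_SYSCALL_RET, 0x7FF7B3AD15F6),
    SyscallEvent("NtProtectVirtualMemory",  NTDLL_SYSCALL_RET, 0x7FF7B3AD1593),
    SyscallEvent("NtProtectVirtualMemory",  NTDLL_SYSCALL_RET, 0x7FF7B3AD1768),
    SyscallEvent("NtProtectVirtualMemory",  NTDLL_SYSCALL_RET, 0x7FFC10012345),  # via kernelbase
    SyscallEvent("NtAllocateVirtualMemory", 0x7FF7B3AD2000,    0x7FF7B3AD2005),  # inline syscall
    SyscallEvent("NtCreateThreadEx",        NTDLL_SYSCALL_RET, 0x200393B1000),   # beacon region
]


if __name__ == "__main__":
    for row in triage(EVENTS, MODULES):
        print(*row)
```

The check cannot tell a true indirect syscall from an ordinary call into ntdll's exported Nt* function made from the application's own image; both end up as 'indirect', which is why the verdict carries the caller module name (or '<unbacked>' when the return address lies in a region with no module behind it, such as the 0x200393B0000 region that the memory dumps above show holding the beacon). Treat the result as a lead to inspect the caller, not as a conviction on its own; some runtimes and installers do call ntdll directly.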
Source: C:\Users\user\Desktop\gJtW7azO4o.exe Code function: 0_2_00000200393CDF50 LogonUserA,GetLastError,ImpersonateLoggedOnUser,GetLastError, 0_2_00000200393CDF50
Source: C:\Users\user\Desktop\gJtW7azO4o.exe Code function: 0_2_00000200393CDEC8 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_00000200393CDEC8
Source: C:\Users\user\Desktop\gJtW7azO4o.exe Code function: 0_2_00000200393C0920 CreateNamedPipeA, 0_2_00000200393C0920
Source: C:\Users\user\Desktop\gJtW7azO4o.exe Code function: 0_2_00000200393BF3C0 GetLocalTime, 0_2_00000200393BF3C0
Source: C:\Users\user\Desktop\gJtW7azO4o.exe Code function: 0_2_00000200393C5E28 GetUserNameA,GetComputerNameA,GetModuleFileNameA,strrchr,GetVersionExA,GetProcAddress,GetModuleHandleA,GetProcAddress,_snprintf, 0_2_00000200393C5E28
Source: C:\Users\user\Desktop\gJtW7azO4o.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Remote Access Functionality

Source: Yara match File source: Process Memory Space: gJtW7azO4o.exe PID: 7116, type: MEMORYSTR
Source: Yara match File source: 0.2.gJtW7azO4o.exe.200390f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0.2.gJtW7azO4o.exe.200390f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.gJtW7azO4o.exe.200393b0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.gJtW7azO4o.exe.200393b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\gJtW7azO4o.exe Code function: 0_2_00000200393C6A78 socket,htons,ioctlsocket,closesocket,bind,listen, 0_2_00000200393C6A78
Source: C:\Users\user\Desktop\gJtW7azO4o.exe Code function: 0_2_00000200393C6670 htonl,htons,socket,closesocket,bind,ioctlsocket, 0_2_00000200393C6670
Source: C:\Users\user\Desktop\gJtW7azO4o.exe Code function: 0_2_00000200393CEE8C socket,closesocket,htons,bind,listen, 0_2_00000200393CEE8C