Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 12-11-2020 14:09

Static task: static1
Behavioral task: behavioral1
  Sample: 插件升级.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: 插件升级.exe
  Resource: win10v20201028
General
- Target: 插件升级.exe
- Size: 148KB
- MD5: 76da6b8def232c26d12c0d7510d395cf
- SHA1: 7bc2bdb08a9ef794d5ab454e43e31f003f953b91
- SHA256: 1ad6475af8ddde5f8b1be0ace9c7bc9db6edf5ed37f47bc0056e68e53d17227a
- SHA512: 1de410712646b7f3ed2e07db834a62467ce7e54e5816e635c6e0102997448bf0364871fd17d28d2aa926abf8d06f26ebab5b7957d61ebd8a11b2a2083fa084e0
Malware Config
Signatures
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
Processes:
description | pid | process | target process
PID 4496 created 756 | 4496 | WerFault.exe | books.exe
-
ServiceHost packer 1 IoCs
Detects ServiceHost packer used for .NET malware
Processes:
resource | yara_rule
behavioral2/memory/756-30-0x0000000000000000-mapping.dmp | servicehost
-
Executes dropped EXE 3 IoCs
Processes:
pid | process
3716 | winbody.exe
3704 | books.exe
756 | books.exe
-
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Roaming\books.exe | upx
C:\Users\Admin\AppData\Roaming\books.exe | upx
C:\Users\Admin\AppData\Roaming\books.exe | upx
C:\Users\Admin\AppData\Local\Temp\_MEI37042\python27.dll | upx
\Users\Admin\AppData\Local\Temp\_MEI37042\python27.dll | upx
\Users\Admin\AppData\Local\Temp\_MEI37042\bz2.pyd | upx
\Users\Admin\AppData\Local\Temp\_MEI37042\_hashlib.pyd | upx
C:\Users\Admin\AppData\Local\Temp\_MEI37042\_hashlib.pyd | upx
C:\Users\Admin\AppData\Local\Temp\_MEI37042\bz2.pyd | upx
C:\Users\Admin\AppData\Local\Temp\_MEI37042\pywintypes27.dll | upx
\Users\Admin\AppData\Local\Temp\_MEI37042\pywintypes27.dll | upx
\Users\Admin\AppData\Local\Temp\_MEI37042\win32api.pyd | upx
C:\Users\Admin\AppData\Local\Temp\_MEI37042\win32api.pyd | upx
C:\Users\Admin\AppData\Local\Temp\_MEI37042\pythoncom27.dll | upx
\Users\Admin\AppData\Local\Temp\_MEI37042\pythoncom27.dll | upx
C:\Users\Admin\AppData\Local\Temp\_MEI37042\_ctypes.pyd | upx
\Users\Admin\AppData\Local\Temp\_MEI37042\_ctypes.pyd | upx
C:\Users\Admin\AppData\Local\Temp\_MEI37042\win32com.shell.shell.pyd | upx
\Users\Admin\AppData\Local\Temp\_MEI37042\win32com.shell.shell.pyd | upx
-
Drops startup file 2 IoCs
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.dll-d1f22018eb4333fa4d3b6158c5759a37.lnk | books.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsLib-E862D7FEA3037BA37E7E466DA0EA99D8.lnk | winbody.exe
-
Loads dropped DLL 8 IoCs
Processes:
pid | process
756 | books.exe
756 | books.exe
756 | books.exe
756 | books.exe
756 | books.exe
756 | books.exe
756 | books.exe
756 | books.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsLib-E862D7FEA3037BA37E7E466DA0EA99D8 = "C:\\Users\\Admin\\AppData\\Roaming\\winbody.exe" | winbody.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\windows.dll-d1f22018eb4333fa4d3b6158c5759a37 = "C:\\Users\\Admin\\AppData\\Roaming\\books.exe" | books.exe
-
Program crash 2 IoCs
Processes:
pid | pid_target | process | target process
4280 | 756 | WerFault.exe | books.exe
4496 | 756 | WerFault.exe | books.exe
-
Suspicious behavior: EnumeratesProcesses 29 IoCs
Processes:
pid | process
4280 | WerFault.exe
4280 | WerFault.exe
4280 | WerFault.exe
4280 | WerFault.exe
4280 | WerFault.exe
4280 | WerFault.exe
4280 | WerFault.exe
4280 | WerFault.exe
4280 | WerFault.exe
4280 | WerFault.exe
4280 | WerFault.exe
4280 | WerFault.exe
4280 | WerFault.exe
4280 | WerFault.exe
4280 | WerFault.exe
4496 | WerFault.exe
4496 | WerFault.exe
4496 | WerFault.exe
4496 | WerFault.exe
4496 | WerFault.exe
4496 | WerFault.exe
4496 | WerFault.exe
4496 | WerFault.exe
4496 | WerFault.exe
4496 | WerFault.exe
4496 | WerFault.exe
4496 | WerFault.exe
4496 | WerFault.exe
4496 | WerFault.exe
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
description | pid | process
Token: SeRestorePrivilege | 4280 | WerFault.exe
Token: SeBackupPrivilege | 4280 | WerFault.exe
Token: SeDebugPrivilege | 4280 | WerFault.exe
Token: SeDebugPrivilege | 4496 | WerFault.exe
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
description | pid | process | target process
PID 4796 wrote to memory of 3716 | 4796 | 插件升级.exe | winbody.exe
PID 4796 wrote to memory of 3716 | 4796 | 插件升级.exe | winbody.exe
PID 4796 wrote to memory of 3716 | 4796 | 插件升级.exe | winbody.exe
PID 4796 wrote to memory of 3704 | 4796 | 插件升级.exe | books.exe
PID 4796 wrote to memory of 3704 | 4796 | 插件升级.exe | books.exe
PID 4796 wrote to memory of 3704 | 4796 | 插件升级.exe | books.exe
PID 3704 wrote to memory of 756 | 3704 | books.exe | books.exe
PID 3704 wrote to memory of 756 | 3704 | books.exe | books.exe
PID 3704 wrote to memory of 756 | 3704 | books.exe | books.exe
Processes
C:\Users\Admin\AppData\Local\Temp\插件升级.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\插件升级.exe"
  - Suspicious use of WriteProcessMemory
  PID: 4796
    C:\Users\Admin\AppData\Roaming\winbody.exe (depth 2)
      Command line: "C:\Users\Admin\AppData\Roaming\winbody.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      PID: 3716
    C:\Users\Admin\AppData\Roaming\books.exe (depth 2)
      Command line: "C:\Users\Admin\AppData\Roaming\books.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID: 3704
        C:\Users\Admin\AppData\Roaming\books.exe (depth 3)
          Command line: "C:\Users\Admin\AppData\Roaming\books.exe"
          - Executes dropped EXE
          - Drops startup file
          - Loads dropped DLL
          - Adds Run key to start application
          PID: 756
            C:\Windows\SysWOW64\WerFault.exe (depth 4)
              Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 756 -s 1152
              - Program crash
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              PID: 4280
            C:\Windows\SysWOW64\WerFault.exe (depth 4)
              Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 756 -s 1144
              - Suspicious use of NtCreateProcessExOtherParentProcess
              - Program crash
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              PID: 4496
Network
MITRE ATT&CK Enterprise v6
Downloads