Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 27-06-2022 10:57
Static task: static1
Behavioral task: behavioral1
- Sample: ????.docx.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: ????.docx.exe
- Resource: win10v2004-20220414-en
Behavioral task: behavioral3
- Sample: WzComAddrBook64.dll
- Resource: win7-20220414-en
Behavioral task: behavioral4
- Sample: WzComAddrBook64.dll
- Resource: win10v2004-20220414-en
General
- Target: ????.docx.exe
- Size: 1.4MB
- MD5: 30f2444fe84adfbf39c60bb0c8e6d7d1
- SHA1: 3ec347b49517b1d165a3797db9816f78652e8988
- SHA256: 288084c0dc8bd71f5a09bda594f4f2f6f18271eca4fa459dcfc771a19dd46a25
- SHA512: 0b33a9cf6c820025bb61c7cf103e24a54c2a6326cd0f54cbc41d110e6be5e2a35b6348886964165b38f688c7f7d7a2a54cd410d784a46ec2619e32c28a210855
Malware Config
Extracted: cobaltstrike 0
- watermark: 0
Extracted: cobaltstrike 305419896
- http://42.249.219.112:443/push
- http://117.139.142.248:443/__utm.gif
- http://58.221.30.69:443/dot.gif
- access_type: 512
- beacon_type: 2048
- host: 42.249.219.112,/push,117.139.142.248,/__utm.gif,58.221.30.69,/dot.gif
- http_header1: AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- http_header2: AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- http_method1: GET
- http_method2: POST
- maxdns: 255
- polling_time: 60000
- port_number: 443
- sc_process32: %windir%\syswow64\rundll32.exe
- sc_process64: %windir%\sysnative\rundll32.exe
- state_machine: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCm6dDNosecwYifTVCVelinAuAlJwa3XU3XMOkS290iPmPmofjMd/+EOcoCE8d7xvj4mNtcSWHspfOAMs/dTabxOJDIqvrJQHVNimp3j1kB36AU92BokpBAlZ+i5NrOaQE1XC3RV2dU2e1PewC+QwIOsCvU7ljzvySxMN1oHGi0DQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- unknown1: 4096
- unknown2: AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- uri: /submit.php
- user_agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2; InfoPath.3)
- watermark: 305419896
Signatures
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
- suricata: ET MALWARE Cobalt Strike Beacon Observed
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid, process): 4720 ____.docx.exe; 4720 ____.docx.exe