General

  • Target

    c7b127cce5262dd1d7fd058575485e265b27b97e905d15fffda2bd586cf17089

  • Size

    1001KB

  • Sample

    220629-npvreshbel

  • MD5

    912513de1655c2093c4713b7d05a2493

  • SHA1

    3c6e50d942b40fd5ef202a9c0fc5dced4ee3e53c

  • SHA256

    c7b127cce5262dd1d7fd058575485e265b27b97e905d15fffda2bd586cf17089

  • SHA512

    90032c16795cfe681f61016ff3f1be4aa0f8272924eb2589f61d33d3f186dace2addfc2a74ecf66bd1b96aea141355d8253263184ae958c11d9038e81911875b

Malware Config

Extracted

  • Family

    cobaltstrike

  • Botnet

    1

  • C2

    http://service-odolei17-1309297788.bj.apigw.tencentcs.com:443/api/x

Attributes

  • access_type

    512

  • beacon_type

    2048

  • host

    service-odolei17-1309297788.bj.apigw.tencentcs.com,/api/x

  • http_header1

  • http_header2

  • http_method1

    GET

  • http_method2

    POST

  • polling_time

    3000

  • port_number

    443

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

  • unknown1

    1.481970944e+09

  • unknown2

  • uri

    /api/y

  • user_agent

    Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/5.0)

  • watermark

    1

Targets

    • Target

      ??/????????.pdf.lnk

    • Size

      2KB

    • MD5

      e8f4cdac3d6f993250b0826c60e82a16

    • SHA1

      aa0b8bc05c16a6c975c27918bc9c9ae0b8644c68

    • SHA256

      76346302d0b6ff9ee21f2929802f20ec3ff9324d1e69f3fcfd4967df728911c8

    • SHA512

      54d6d22383f5452f8ce6f9a82895d418bc3a84cb86932772039cd6b38ba748a1984c9673ed2e9aa241a92735cea695bb07c9a2ec355b802580ec30a09a9698a3

    • Cobaltstrike

      Detected malicious payload which is part of Cobaltstrike.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Target

      ??/__MACOSX/calcs.exe

    • Size

      1.8MB

    • MD5

      fb8d6996c4490d2b40d68e3b411a7d6f

    • SHA1

      a5b98a13de3566edd9670e0351daa67d46a2674b

    • SHA256

      b479bd1189c13ffbc65d3e098113241b702cf96bc981ff388e40bd76c2f163a9

    • SHA512

      ac61089eaea2ef7f261262a2da96dcf69319accd614b11aaa7b3d8393dfe59d51729119cdc63c5111d8e3724299944be1176e14fb7b3baf8cb581e01c5961c5d

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic            Technique                      Count  ID
Defense Evasion   Install Root Certificate       1      T1130
Defense Evasion   Modify Registry                1      T1112
Discovery         Query Registry                 1      T1012
Discovery         System Information Discovery   2      T1082