Overview

Static (10)
     ????-???/....??.exe   windows7_x64
1    ????-???/....??.exe   windows10-2004_x64
1    ????-???/....ip.exe   windows7_x64
1    ????-???/....ip.exe   windows10-2004_x64
1    ????-???/....og.exe   windows7_x64
10   ????-???/....og.exe   windows10-2004_x64
10   ????-???/?...cx.lnk   windows7_x64
10   ????-???/?...cx.lnk   windows10-2004_x64
Analysis (10)

- max time kernel: 146s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 04-07-2022 09:15
Static task: static1

Behavioral task: behavioral1
  Sample: ????-???/.__MACOS__/.__MACOS__/.__MACOS__/.__MACOS1__/360zip - ??.exe
  Resource: win7-20220414-en

Behavioral task: behavioral2
  Sample: ????-???/.__MACOS__/.__MACOS__/.__MACOS__/.__MACOS1__/360zip - ??.exe
  Resource: win10v2004-20220414-en

Behavioral task: behavioral3
  Sample: ????-???/.__MACOS__/.__MACOS__/.__MACOS__/.__MACOS1__/360zip.exe
  Resource: win7-20220414-en

Behavioral task: behavioral4
  Sample: ????-???/.__MACOS__/.__MACOS__/.__MACOS__/.__MACOS1__/360zip.exe
  Resource: win10v2004-20220414-en

Behavioral task: behavioral5
  Sample: ????-???/.__MACOS__/.__MACOS__/.__MACOS__/.__MACOS1__/log.exe
  Resource: win7-20220414-en

Behavioral task: behavioral6
  Sample: ????-???/.__MACOS__/.__MACOS__/.__MACOS__/.__MACOS1__/log.exe
  Resource: win10v2004-20220414-en

Behavioral task: behavioral7
  Sample: ????-???/????-???.docx.lnk
  Resource: win7-20220414-en

Behavioral task: behavioral8
  Sample: ????-???/????-???.docx.lnk
  Resource: win10v2004-20220414-en
General

- Target: ????-???/????-???.docx.lnk
- Size: 1KB
- MD5: 595b692c96eab950790501f4099c032d
- SHA1: b9324edd0706b8297dd6c23c91a19d4ed1acc8c6
- SHA256: cf61bbe7cd523f4a7b619c5f3c8edf8632fd38d3aacf7534236da38a9f57c0f0
- SHA512: a85b6bca5ae843be75c372e0a29e6cd6e1f14f56c176d9a5bbfe38c170901e88f9294f5de1b42bf6d03b971361d74ad2c9611ba05598c5ad1be278c474357cf6
Malware Config

Extracted: cobaltstrike
1234567890
http://iqiyiv101.gslb.c.cdnhwc2.com:80/audiencemanager.js

- access_type: 512
- host: iqiyiv101.gslb.c.cdnhwc2.com,/audiencemanager.js
- http_header1: 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
- http_header2: 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
- http_method1: GET
- http_method2: POST
- jitter: 9472
- polling_time: 30000
- port_number: 80
- sc_process32: %windir%\syswow64\runonce.exe
- sc_process64: %windir%\sysnative\runonce.exe
- state_machine: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpqQ7Mn7l+ao5tHedYx56Hknzc/ning7Hw8Hyyx5LFalgrfQ7/aTC2oBLeXtXXjtFXB/TSxg2r/eQH7NgRv3Uzt6Uyw/DA9kdZgeQAWi3AxWYi45PpNCX0BavPZmCa9kO9F9Iev5bkRvtj2QcOGGhTZy3JkHToQA2EUQIHMO4QFwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- unknown1: 1.435374848e+09
- unknown2: AAAABAAAAAEAAAf+AAAAAgAAIUwAAAACAAAPtQAAAA0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- uri: /audiencemanager-v2.js
- user_agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4044.62 Safari/537.36
- watermark: 1234567890
Signatures

- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: cmd.exe
    description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation
    process: cmd.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: cmd.exe, explorer.exe
    description: PID 3872 wrote to memory of 312 | pid: 3872 | process: cmd.exe | target process: explorer.exe
    description: PID 3872 wrote to memory of 312 | pid: 3872 | process: cmd.exe | target process: explorer.exe
    description: PID 3264 wrote to memory of 1892 | pid: 3264 | process: explorer.exe | target process: log.com
    description: PID 3264 wrote to memory of 1892 | pid: 3264 | process: explorer.exe | target process: log.com
Processes

- C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\____-___\____-___.docx.lnk
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  - C:\Windows\explorer.exe
    Command line: "C:\Windows\explorer.exe" ".\.__MACOS__\.__MACOS__\.__MACOS__\.__MACOS1__\log.com"

- C:\Windows\explorer.exe
  Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\____-___\.__MACOS__\.__MACOS__\.__MACOS__\.__MACOS1__\log.com
    Command line: "C:\Users\Admin\AppData\Local\Temp\____-___\.__MACOS__\.__MACOS__\.__MACOS__\.__MACOS1__\log.com"