cobaltstrike | bc153eda0f9d1bd526dd32439248d67070d030631ff4e0b8a7aaec654c8e44ee

General

Target

bc153eda0f9d1bd526dd32439248d67070d030631ff4e0b8a7aaec654c8e44ee.exe
Size

832KB
MD5

8f978a1a3775eee75434257415c5018d
SHA1

d632e4dd9212f8b021e52980f8e4d8d8ab2e255a
SHA256

bc153eda0f9d1bd526dd32439248d67070d030631ff4e0b8a7aaec654c8e44ee
SHA512

0bb2a735dbe379f285ecfcc9d3e415e06db805bf529920654ee94a84a15e73f47b76392dfe3eeebba9b2f743e81296f905d528fc5a9f445dc7ef30797ddb259a

Score

10^/10

cobaltstrike metasploit backdoor suricata trojan

Malware Config

Extracted

Family

metasploit

Version

windows/download_exec

C2

http://124.223.216.170:9443/URjK

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
suricata: ET MALWARE Cobalt Strike Beacon Observed
suricata: ET MALWARE Cobalt Strike Beacon Observed
suricata
suricata: ET MALWARE Generic .bin download from Dotted Quad
suricata: ET MALWARE Generic .bin download from Dotted Quad
suricata
suricata: ET MALWARE Meterpreter or Other Reverse Shell SSL Cert
suricata: ET MALWARE Meterpreter or Other Reverse Shell SSL Cert
suricata
suricata: ET MALWARE Possible Metasploit Payload Common Construct Bind_API (from server)
suricata: ET MALWARE Possible Metasploit Payload Common Construct Bind_API (from server)
suricata
suricata: ET MALWARE Successful Cobalt Strike Shellcode Download (x32)
suricata: ET MALWARE Successful Cobalt Strike Shellcode Download (x32)
suricata
Blocklisted process makes network request 7 IoCs

Processes:

rundll32.exe

flow pid process

5 1712 rundll32.exe
7 1712 rundll32.exe
8 1712 rundll32.exe
10 1712 rundll32.exe
12 1712 rundll32.exe
13 1712 rundll32.exe
15 1712 rundll32.exe
Executes dropped EXE 1 IoCs

Processes:

Recyclc.exe

pid process

1920 Recyclc.exe

flow	pid	process
5	1712	rundll32.exe
7	1712	rundll32.exe
8	1712	rundll32.exe
10	1712	rundll32.exe
12	1712	rundll32.exe
13	1712	rundll32.exe
15	1712	rundll32.exe

pid	process
1920	Recyclc.exe

Loads dropped DLL 3 IoCs

Processes:

bc153eda0f9d1bd526dd32439248d67070d030631ff4e0b8a7aaec654c8e44ee.exe

pid	process
1980	bc153eda0f9d1bd526dd32439248d67070d030631ff4e0b8a7aaec654c8e44ee.exe
1980	bc153eda0f9d1bd526dd32439248d67070d030631ff4e0b8a7aaec654c8e44ee.exe
1980	bc153eda0f9d1bd526dd32439248d67070d030631ff4e0b8a7aaec654c8e44ee.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Recyclc.exe

description pid process target process

PID 1920 set thread context of 1712 1920 Recyclc.exe rundll32.exe
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

description	pid	process	target process
PID 1920 set thread context of 1712	1920	Recyclc.exe	rundll32.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1760 WINWORD.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1760 WINWORD.EXE
1760 WINWORD.EXE

pid	process
1760	WINWORD.EXE

pid	process
1760	WINWORD.EXE
1760	WINWORD.EXE

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

bc153eda0f9d1bd526dd32439248d67070d030631ff4e0b8a7aaec654c8e44ee.exeWINWORD.EXERecyclc.exe

description	pid	process	target process
PID 1980 wrote to memory of 1920	1980	bc153eda0f9d1bd526dd32439248d67070d030631ff4e0b8a7aaec654c8e44ee.exe	Recyclc.exe
PID 1980 wrote to memory of 1920	1980	bc153eda0f9d1bd526dd32439248d67070d030631ff4e0b8a7aaec654c8e44ee.exe	Recyclc.exe
PID 1980 wrote to memory of 1920	1980	bc153eda0f9d1bd526dd32439248d67070d030631ff4e0b8a7aaec654c8e44ee.exe	Recyclc.exe
PID 1980 wrote to memory of 1920	1980	bc153eda0f9d1bd526dd32439248d67070d030631ff4e0b8a7aaec654c8e44ee.exe	Recyclc.exe
PID 1980 wrote to memory of 1760	1980	bc153eda0f9d1bd526dd32439248d67070d030631ff4e0b8a7aaec654c8e44ee.exe	WINWORD.EXE
PID 1980 wrote to memory of 1760	1980	bc153eda0f9d1bd526dd32439248d67070d030631ff4e0b8a7aaec654c8e44ee.exe	WINWORD.EXE
PID 1980 wrote to memory of 1760	1980	bc153eda0f9d1bd526dd32439248d67070d030631ff4e0b8a7aaec654c8e44ee.exe	WINWORD.EXE
PID 1980 wrote to memory of 1760	1980	bc153eda0f9d1bd526dd32439248d67070d030631ff4e0b8a7aaec654c8e44ee.exe	WINWORD.EXE
PID 1760 wrote to memory of 1360	1760	WINWORD.EXE	splwow64.exe
PID 1760 wrote to memory of 1360	1760	WINWORD.EXE	splwow64.exe
PID 1760 wrote to memory of 1360	1760	WINWORD.EXE	splwow64.exe
PID 1760 wrote to memory of 1360	1760	WINWORD.EXE	splwow64.exe
PID 1920 wrote to memory of 1712	1920	Recyclc.exe	rundll32.exe
PID 1920 wrote to memory of 1712	1920	Recyclc.exe	rundll32.exe
PID 1920 wrote to memory of 1712	1920	Recyclc.exe	rundll32.exe
PID 1920 wrote to memory of 1712	1920	Recyclc.exe	rundll32.exe
PID 1920 wrote to memory of 1712	1920	Recyclc.exe	rundll32.exe
PID 1920 wrote to memory of 1712	1920	Recyclc.exe	rundll32.exe
PID 1920 wrote to memory of 1712	1920	Recyclc.exe	rundll32.exe
PID 1920 wrote to memory of 1712	1920	Recyclc.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\bc153eda0f9d1bd526dd32439248d67070d030631ff4e0b8a7aaec654c8e44ee.exe
"C:\Users\Admin\AppData\Local\Temp\bc153eda0f9d1bd526dd32439248d67070d030631ff4e0b8a7aaec654c8e44ee.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1980

C:\Users\Admin\AppData\Local\Temp\Recyclc.exe
"C:\Users\Admin\AppData\Local\Temp\Recyclc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1920

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\System32\rundll32.exe
3⤵
- Blocklisted process makes network request
PID:1712

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\个人简历.doc"
2⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1760

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
3⤵
PID:1360

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Recyclc.exe
Filesize
86KB

MD5
af3d2135fafa04df6017dbdb53bee5df

SHA1
b0a774d69536ddd1ed844e9ed63a970df3a92127

SHA256
a53c500f89a269f0c3b962de22a1960c6067c9e929bb21337563d9de44b84692

SHA512
2f79597d4af0911bd94e0354c2dc8986098a9d054d0300ea1480b428b50a3903736c357f25f090585354fecdb3644bfa6bf5acf14ddd379e4b253c9db1ddddbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\个人简历.doc
Filesize
449KB

MD5
34c8c172c0991aca090b557c3e254955

SHA1
fd4e7302caf556d260e538dc529550ca87ab4017

SHA256
32d9dbea47e89865435394ec1ea688bb0e1e527a521d18f7f193a8346a710ab9

SHA512
dfb9301408ebd5e80e6e8bba5547859cd82a74c4e797017e0e8d9548454d2c1786825c64527c96635411f6a2cf58ddca22205af5088ae7107a77c76b4af618e2

Download Submit
\Users\Admin\AppData\Local\Temp\Recyclc.exe
Filesize
86KB

MD5
af3d2135fafa04df6017dbdb53bee5df

SHA1
b0a774d69536ddd1ed844e9ed63a970df3a92127

SHA256
a53c500f89a269f0c3b962de22a1960c6067c9e929bb21337563d9de44b84692

SHA512
2f79597d4af0911bd94e0354c2dc8986098a9d054d0300ea1480b428b50a3903736c357f25f090585354fecdb3644bfa6bf5acf14ddd379e4b253c9db1ddddbd

Download Submit
\Users\Admin\AppData\Local\Temp\Recyclc.exe
Filesize
86KB

MD5
af3d2135fafa04df6017dbdb53bee5df

SHA1
b0a774d69536ddd1ed844e9ed63a970df3a92127

SHA256
a53c500f89a269f0c3b962de22a1960c6067c9e929bb21337563d9de44b84692

SHA512
2f79597d4af0911bd94e0354c2dc8986098a9d054d0300ea1480b428b50a3903736c357f25f090585354fecdb3644bfa6bf5acf14ddd379e4b253c9db1ddddbd

Download Submit
\Users\Admin\AppData\Local\Temp\Recyclc.exe
Filesize
86KB

MD5
af3d2135fafa04df6017dbdb53bee5df

SHA1
b0a774d69536ddd1ed844e9ed63a970df3a92127

SHA256
a53c500f89a269f0c3b962de22a1960c6067c9e929bb21337563d9de44b84692

SHA512
2f79597d4af0911bd94e0354c2dc8986098a9d054d0300ea1480b428b50a3903736c357f25f090585354fecdb3644bfa6bf5acf14ddd379e4b253c9db1ddddbd

Download Submit
memory/1360-67-0x0000000000000000-mapping.dmp

Download
memory/1360-69-0x000007FEFC2F1000-0x000007FEFC2F3000-memory.dmp

Filesize
8KB

Download
memory/1712-70-0x00000000008C178C-mapping.dmp

Download
memory/1712-72-0x00000000028A0000-0x0000000002A64000-memory.dmp

Filesize
1.8MB

Download
memory/1712-73-0x00000000022C0000-0x00000000022F5000-memory.dmp

Filesize
212KB

Download
memory/1712-75-0x00000000028A0000-0x0000000002A64000-memory.dmp

Filesize
1.8MB

Download
memory/1760-74-0x000000007184D000-0x0000000071858000-memory.dmp

Filesize
44KB

Download
memory/1760-68-0x000000007184D000-0x0000000071858000-memory.dmp

Filesize
44KB

Download
memory/1760-61-0x0000000000000000-mapping.dmp

Download
memory/1760-63-0x0000000070861000-0x0000000070863000-memory.dmp

Filesize
8KB

Download
memory/1760-77-0x000000007184D000-0x0000000071858000-memory.dmp

Filesize
44KB

Download
memory/1760-62-0x0000000072DE1000-0x0000000072DE4000-memory.dmp

Filesize
12KB

Download
memory/1760-76-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1760-64-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1920-58-0x0000000000000000-mapping.dmp

Download
memory/1980-54-0x0000000076C01000-0x0000000076C03000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads