Analysis
- max time kernel: 130s
- max time network: 133s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 05-07-2022 10:28
Static task: static1
Behavioral task: behavioral1
  Sample: bc153eda0f9d1bd526dd32439248d67070d030631ff4e0b8a7aaec654c8e44ee.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: bc153eda0f9d1bd526dd32439248d67070d030631ff4e0b8a7aaec654c8e44ee.exe
  Resource: win10v2004-20220414-en
General
- Target: bc153eda0f9d1bd526dd32439248d67070d030631ff4e0b8a7aaec654c8e44ee.exe
- Size: 832KB
- MD5: 8f978a1a3775eee75434257415c5018d
- SHA1: d632e4dd9212f8b021e52980f8e4d8d8ab2e255a
- SHA256: bc153eda0f9d1bd526dd32439248d67070d030631ff4e0b8a7aaec654c8e44ee
- SHA512: 0bb2a735dbe379f285ecfcc9d3e415e06db805bf529920654ee94a84a15e73f47b76392dfe3eeebba9b2f743e81296f905d528fc5a9f445dc7ef30797ddb259a
Malware Config
Signatures
- Cobaltstrike: Detected malicious payload which is part of Cobaltstrike.
- suricata: ET MALWARE Cobalt Strike Beacon Observed
- suricata: ET MALWARE Generic .bin download from Dotted Quad
- suricata: ET MALWARE Meterpreter or Other Reverse Shell SSL Cert
- suricata: ET MALWARE Possible Metasploit Payload Common Construct Bind_API (from server)
- suricata: ET MALWARE Successful Cobalt Strike Shellcode Download (x32)
-
- Blocklisted process makes network request (4 IoCs)
  Processes: rundll32.exe
  flow | pid  | process
  10   | 2356 | rundll32.exe
  20   | 2356 | rundll32.exe
  50   | 2356 | rundll32.exe
  58   | 2356 | rundll32.exe
- Executes dropped EXE (1 IoC)
  Processes: Recyclc.exe
  pid | process
  904 | Recyclc.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: bc153eda0f9d1bd526dd32439248d67070d030631ff4e0b8a7aaec654c8e44ee.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | bc153eda0f9d1bd526dd32439248d67070d030631ff4e0b8a7aaec654c8e44ee.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes: Recyclc.exe
  description | pid | process | target process
  PID 904 set thread context of 2356 | 904 | Recyclc.exe | rundll32.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: WINWORD.EXE
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: WINWORD.EXE
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
- Modifies registry class (1 IoC)
  Processes: bc153eda0f9d1bd526dd32439248d67070d030631ff4e0b8a7aaec654c8e44ee.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings | bc153eda0f9d1bd526dd32439248d67070d030631ff4e0b8a7aaec654c8e44ee.exe
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes: WINWORD.EXE
  pid  | process
  2588 | WINWORD.EXE
  2588 | WINWORD.EXE
- Suspicious use of SetWindowsHookEx (15 IoCs)
  Processes: WINWORD.EXE
  pid  | process
  2588 | WINWORD.EXE (this row is repeated 15 times in the report)
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: bc153eda0f9d1bd526dd32439248d67070d030631ff4e0b8a7aaec654c8e44ee.exe, Recyclc.exe
  description | pid | process | target process
  PID 4044 wrote to memory of 904 | 4044 | bc153eda0f9d1bd526dd32439248d67070d030631ff4e0b8a7aaec654c8e44ee.exe | Recyclc.exe
  PID 4044 wrote to memory of 904 | 4044 | bc153eda0f9d1bd526dd32439248d67070d030631ff4e0b8a7aaec654c8e44ee.exe | Recyclc.exe
  PID 4044 wrote to memory of 904 | 4044 | bc153eda0f9d1bd526dd32439248d67070d030631ff4e0b8a7aaec654c8e44ee.exe | Recyclc.exe
  PID 4044 wrote to memory of 2588 | 4044 | bc153eda0f9d1bd526dd32439248d67070d030631ff4e0b8a7aaec654c8e44ee.exe | WINWORD.EXE
  PID 4044 wrote to memory of 2588 | 4044 | bc153eda0f9d1bd526dd32439248d67070d030631ff4e0b8a7aaec654c8e44ee.exe | WINWORD.EXE
  PID 904 wrote to memory of 2356 | 904 | Recyclc.exe | rundll32.exe
  PID 904 wrote to memory of 2356 | 904 | Recyclc.exe | rundll32.exe
  PID 904 wrote to memory of 2356 | 904 | Recyclc.exe | rundll32.exe
  PID 904 wrote to memory of 2356 | 904 | Recyclc.exe | rundll32.exe
Processes (process tree; indentation shows parent/child depth)
- C:\Users\Admin\AppData\Local\Temp\bc153eda0f9d1bd526dd32439248d67070d030631ff4e0b8a7aaec654c8e44ee.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bc153eda0f9d1bd526dd32439248d67070d030631ff4e0b8a7aaec654c8e44ee.exe"
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Recyclc.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Recyclc.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe
      Command line: C:\Windows\System32\rundll32.exe
      - Blocklisted process makes network request
  - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\个人简历.doc" /o ""
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\Recyclc.exe
  Filesize: 86KB
  MD5: af3d2135fafa04df6017dbdb53bee5df
  SHA1: b0a774d69536ddd1ed844e9ed63a970df3a92127
  SHA256: a53c500f89a269f0c3b962de22a1960c6067c9e929bb21337563d9de44b84692
  SHA512: 2f79597d4af0911bd94e0354c2dc8986098a9d054d0300ea1480b428b50a3903736c357f25f090585354fecdb3644bfa6bf5acf14ddd379e4b253c9db1ddddbd
- C:\Users\Admin\AppData\Local\Temp\个人简历.doc
  Filesize: 449KB
  MD5: 34c8c172c0991aca090b557c3e254955
  SHA1: fd4e7302caf556d260e538dc529550ca87ab4017
  SHA256: 32d9dbea47e89865435394ec1ea688bb0e1e527a521d18f7f193a8346a710ab9
  SHA512: dfb9301408ebd5e80e6e8bba5547859cd82a74c4e797017e0e8d9548454d2c1786825c64527c96635411f6a2cf58ddca22205af5088ae7107a77c76b4af618e2
- memory/904-130-0x0000000000000000-mapping.dmp
- memory/2356-145-0x00000000031D0000-0x000000000320E000-memory.dmp (Filesize: 248KB)
- memory/2356-134-0x0000000000000000-mapping.dmp
- memory/2356-144-0x00000000031D0000-0x000000000320E000-memory.dmp (Filesize: 248KB)
- memory/2356-143-0x0000000002DD0000-0x00000000031D0000-memory.dmp (Filesize: 4.0MB)
- memory/2588-135-0x00007FF9D6B50000-0x00007FF9D6B60000-memory.dmp (Filesize: 64KB)
- memory/2588-139-0x00007FF9D6B50000-0x00007FF9D6B60000-memory.dmp (Filesize: 64KB)
- memory/2588-140-0x00007FF9D41F0000-0x00007FF9D4200000-memory.dmp (Filesize: 64KB)
- memory/2588-141-0x00007FF9D41F0000-0x00007FF9D4200000-memory.dmp (Filesize: 64KB)
- memory/2588-138-0x00007FF9D6B50000-0x00007FF9D6B60000-memory.dmp (Filesize: 64KB)
- memory/2588-137-0x00007FF9D6B50000-0x00007FF9D6B60000-memory.dmp (Filesize: 64KB)
- memory/2588-136-0x00007FF9D6B50000-0x00007FF9D6B60000-memory.dmp (Filesize: 64KB)
- memory/2588-133-0x0000000000000000-mapping.dmp
- memory/2588-147-0x00007FF9D6B50000-0x00007FF9D6B60000-memory.dmp (Filesize: 64KB)
- memory/2588-148-0x00007FF9D6B50000-0x00007FF9D6B60000-memory.dmp (Filesize: 64KB)
- memory/2588-149-0x00007FF9D6B50000-0x00007FF9D6B60000-memory.dmp (Filesize: 64KB)
- memory/2588-150-0x00007FF9D6B50000-0x00007FF9D6B60000-memory.dmp (Filesize: 64KB)