Analysis
-
max time kernel: 148s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 06-07-2022 03:56
-
Static task: static1
-
Behavioral task: behavioral1
Sample: 中国电机工程学会-2022年度新型电力系统创新奖申报表.exe
Resource: win7-20220414-en
-
Behavioral task: behavioral2
Sample: 中国电机工程学会-2022年度新型电力系统创新奖申报表.exe
Resource: win10v2004-20220414-en
General
-
Target: 中国电机工程学会-2022年度新型电力系统创新奖申报表.exe
Size: 515KB
MD5: 0299feffabdd3815d2249a5643203e3f
SHA1: bdba33cf063fada308e401ab34980c62bc7dacbc
SHA256: ed220a4ab4a9de44a5d1cd380be9dab98e90f820003e38bff4163ff4c881ea30
SHA512: 8ff00b998c386bfe96da6c7dce2c1e5cae6b671c0ebcef0d7da7a8f3fd9150af76587c11a3771f4c8e8b3f7301a642691a2d7cf99cc4bac1f052b8486826125d
Malware Config
Signatures
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
suricata: ET MALWARE Cobalt Strike Beacon Observed
-
suricata: ET MALWARE Generic .bin download from Dotted Quad
-
suricata: ET MALWARE Meterpreter or Other Reverse Shell SSL Cert
-
suricata: ET MALWARE Possible Metasploit Payload Common Construct Bind_API (from server)
-
suricata: ET MALWARE Successful Cobalt Strike Shellcode Download (x32)
-
Blocklisted process makes network request 5 IoCs
Processes:
  flow  pid  process
  10    620  rundll32.exe
  18    620  rundll32.exe
  34    620  rundll32.exe
  58    620  rundll32.exe
  60    620  rundll32.exe
-
Executes dropped EXE 1 IoCs
Processes:
  pid   process
  2776  f42.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
  description        ioc                                                                                                  process
  Key value queried  \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation  中国电机工程学会-2022年度新型电力系统创新奖申报表.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
  description                         pid   process  target process
  PID 2776 set thread context of 620  2776  f42.exe  rundll32.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
  description        ioc                                                                                  process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                     WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  WINWORD.EXE
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
  description        ioc                                                      process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS       WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU     WINWORD.EXE
-
Modifies registry class 1 IoCs
Processes:
  description  ioc                                                                             process
  Key created  \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings  中国电机工程学会-2022年度新型电力系统创新奖申报表.exe
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
  pid  process
  712  WINWORD.EXE
  712  WINWORD.EXE
-
Suspicious use of SetWindowsHookEx 14 IoCs
Processes:
  pid  process
  712  WINWORD.EXE  (14 identical entries)
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
  description                        pid   process                                              target process
  PID 3936 wrote to memory of 2776   3936  中国电机工程学会-2022年度新型电力系统创新奖申报表.exe  f42.exe
  PID 3936 wrote to memory of 2776   3936  中国电机工程学会-2022年度新型电力系统创新奖申报表.exe  f42.exe
  PID 3936 wrote to memory of 2776   3936  中国电机工程学会-2022年度新型电力系统创新奖申报表.exe  f42.exe
  PID 3936 wrote to memory of 712    3936  中国电机工程学会-2022年度新型电力系统创新奖申报表.exe  WINWORD.EXE
  PID 3936 wrote to memory of 712    3936  中国电机工程学会-2022年度新型电力系统创新奖申报表.exe  WINWORD.EXE
  PID 2776 wrote to memory of 620    2776  f42.exe                                              rundll32.exe
  PID 2776 wrote to memory of 620    2776  f42.exe                                              rundll32.exe
  PID 2776 wrote to memory of 620    2776  f42.exe                                              rundll32.exe
  PID 2776 wrote to memory of 620    2776  f42.exe                                              rundll32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\中国电机工程学会-2022年度新型电力系统创新奖申报表.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\中国电机工程学会-2022年度新型电力系统创新奖申报表.exe"
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  -
  C:\Users\Admin\AppData\Local\Temp\f42.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\f42.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    -
    C:\Windows\SysWOW64\rundll32.exe
      command line: C:\Windows\System32\rundll32.exe
      - Blocklisted process makes network request
  -
  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2022年度新型电力系统创新项目申报表.doc" /o ""
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\2022年度新型电力系统创新项目申报表.doc
Filesize: 37KB
MD5: 528a70e3f75240ae5ef6bfa8f10d6191
SHA1: 17c312f99a0e365168c80ac6395bf1e163951ba3
SHA256: f0025b863f02d5507f2f83fe9412ee1436320024a5b6ec48bc2700e61accfc7a
SHA512: 7cec39187027ab42562c47d1a71da83350792bdcdf7b3b4899a82d742f47ccf4a30cc32086110cfeea03d3f2dccd093fcb2b319b5585a34da6633b614d52f468
-
C:\Users\Admin\AppData\Local\Temp\f42.exe
Filesize: 102KB
MD5: f498abb83b98e85ed154fb22b349589c
SHA1: e30870eda26c1005a6cfc6d76b450bbfaca9dc84
SHA256: f8bd2204390abecacd5bc59a8c56437b1487e39a54fc1aa2254490d139cb64b0
SHA512: 1c7bf0ce08174381b068adfe99a0b060b6a9881ef87a6a1894feedfe7f7b5b2c247d69fd480ef767888c1d447ef1944c2280a68def27085d66da5ee5ed89468b
-
memory/620-145-0x00000000037B0000-0x00000000037EE000-memory.dmp  Filesize: 248KB
memory/620-134-0x0000000000000000-mapping.dmp
memory/620-144-0x00000000037B0000-0x00000000037EE000-memory.dmp  Filesize: 248KB
memory/620-143-0x00000000033B0000-0x00000000037B0000-memory.dmp  Filesize: 4.0MB
memory/712-135-0x00007FFAEED50000-0x00007FFAEED60000-memory.dmp  Filesize: 64KB
memory/712-138-0x00007FFAEED50000-0x00007FFAEED60000-memory.dmp  Filesize: 64KB
memory/712-139-0x00007FFAEED50000-0x00007FFAEED60000-memory.dmp  Filesize: 64KB
memory/712-140-0x00007FFAECBE0000-0x00007FFAECBF0000-memory.dmp  Filesize: 64KB
memory/712-141-0x00007FFAECBE0000-0x00007FFAECBF0000-memory.dmp  Filesize: 64KB
memory/712-137-0x00007FFAEED50000-0x00007FFAEED60000-memory.dmp  Filesize: 64KB
memory/712-136-0x00007FFAEED50000-0x00007FFAEED60000-memory.dmp  Filesize: 64KB
memory/712-133-0x0000000000000000-mapping.dmp
memory/712-147-0x00007FFAEED50000-0x00007FFAEED60000-memory.dmp  Filesize: 64KB
memory/712-148-0x00007FFAEED50000-0x00007FFAEED60000-memory.dmp  Filesize: 64KB
memory/712-149-0x00007FFAEED50000-0x00007FFAEED60000-memory.dmp  Filesize: 64KB
memory/712-150-0x00007FFAEED50000-0x00007FFAEED60000-memory.dmp  Filesize: 64KB
memory/2776-130-0x0000000000000000-mapping.dmp