Analysis
max time kernel: 146s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20220721-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-07-2022 09:54
Behavioral task: behavioral1
Sample: 6277ca11e8fa7d6cd07ae3dac8c76afadfc16ea4ad23546018dcdf3904ce4953.exe
Resource: win7-20220718-en
General
Target: 6277ca11e8fa7d6cd07ae3dac8c76afadfc16ea4ad23546018dcdf3904ce4953.exe
Size: 1.5MB
MD5: 951ab6e8be35c4812bd1374b9e45933c
SHA1: 9d4b39a0404c959e07accda8c8c3c5fb9dd1b0ae
SHA256: 6277ca11e8fa7d6cd07ae3dac8c76afadfc16ea4ad23546018dcdf3904ce4953
SHA512: b0fe39f690a4433bc4b6ed37096ff133a421441e721b81b59d9966455654ba503301320b7f9a34edaf191de408082aa3d54ab5e2d79f7708f14065e0c0fa51df
Malware Config
Extracted
family: cobaltstrike
C2: http://service-k6z1uk8b-1307545782.sh.apigw.tencentcs.com:443/bootstrap-2.min.js
user_agent: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36
Extracted
family: cobaltstrike
0
watermark: 0
Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.

suricata: ET MALWARE Successful Cobalt Strike Shellcode Download (x64) M1
Executes dropped EXE (1 IoC)
Processes (pid | process):
  4984 | edr.exe
Resources (resource | yara_rule):
  C:\Users\Public\edr.exe | upx
  C:\Users\Public\edr.exe | upx
  behavioral2/memory/4256-136-0x0000000000940000-0x0000000000C42000-memory.dmp | upx
  behavioral2/memory/4984-135-0x00007FF7D7C50000-0x00007FF7D7C6E000-memory.dmp | upx
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely geofencing.
Processes (description | ioc | process):
  Key value queried | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation | cmd.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes (description | ioc | process):
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes (description | ioc | process):
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class (1 IoC)
Processes (description | ioc | process):
  Key created | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings | cmd.exe
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes (pid | process):
  1512 | WINWORD.EXE
  1512 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes (pid | process):
  4984 | edr.exe
  4984 | edr.exe
Suspicious behavior: RenamesItself (1 IoC)
Processes (pid | process):
  4256 | 6277ca11e8fa7d6cd07ae3dac8c76afadfc16ea4ad23546018dcdf3904ce4953.exe
Suspicious use of SetWindowsHookEx (11 IoCs)
Processes (pid | process):
  1512 | WINWORD.EXE (11 events)
Suspicious use of WriteProcessMemory (9 IoCs)
Processes (description | pid | process | target process):
  PID 4256 wrote to memory of 4356 | 4256 | 6277ca11e8fa7d6cd07ae3dac8c76afadfc16ea4ad23546018dcdf3904ce4953.exe | cmd.exe (2 events)
  PID 4256 wrote to memory of 4984 | 4256 | 6277ca11e8fa7d6cd07ae3dac8c76afadfc16ea4ad23546018dcdf3904ce4953.exe | edr.exe (2 events)
  PID 4984 wrote to memory of 1252 | 4984 | edr.exe | svchost.exe (3 events)
  PID 4356 wrote to memory of 1512 | 4356 | cmd.exe | WINWORD.EXE (2 events)
Processes

[1] C:\Users\Admin\AppData\Local\Temp\6277ca11e8fa7d6cd07ae3dac8c76afadfc16ea4ad23546018dcdf3904ce4953.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\6277ca11e8fa7d6cd07ae3dac8c76afadfc16ea4ad23546018dcdf3904ce4953.exe"
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Public\edr.exe
        Command line: C:\Users\Public\edr.exe
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory

    [2] C:\Windows\system32\cmd.exe
        Command line: cmd " /c " C:\Users\Admin\AppData\Local\Temp\薪资结构变更通知.docx
        - Checks computer location settings
        - Modifies registry class
        - Suspicious use of WriteProcessMemory

        [3] C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
            Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\薪资结构变更通知.docx" /o ""
            - Checks processor information in registry
            - Enumerates system info in registry
            - Suspicious behavior: AddClipboardFormatListener
            - Suspicious use of SetWindowsHookEx

[1] C:\Windows\System32\svchost.exe
    Command line: "C:\Windows\System32\svchost.exe"
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

C:\Users\Admin\AppData\Local\Temp\薪资结构变更通知.docx
  Filesize: 20KB
  MD5: 2ec92a9fd99ed4113590d6a0684a4995
  SHA1: d2ca99729fd54c05c6a8855a131d98d5a2aa0b35
  SHA256: e178b652fe502be048df8e137a12d2dcc2a295d75909e5565f3dea812c7c784d
  SHA512: 75efc112ebfde8ea78416a7c1059427be2fb5dd43be4523df6b129cd1ae4116e07d117eefe5de4dc85246be06b1af0f91f585655b6acd852085610fe7c75479e

C:\Users\Public\edr.exe
  Filesize: 56KB
  MD5: ac8493048afc0f9ff1530bbf18f56c81
  SHA1: 2c975f9da06b964a49b4c4ab98ecac6e6b0c44ff
  SHA256: e0aff24581e1fd42c6833ff0c30b3b902f2c9bbdcd7e816bdbe38fa79536a3cf
  SHA512: f8b160e95e40a5c2dac04d18b93d86501bc73e3fc0d626a808f0646f03d3879dff1d14c784064f1fc267bd450551a61619d3c650bbf506795dd6dcf0a29a532d