Analysis
-
max time kernel
150s
-
max time network
144s
-
platform
windows7_x64
-
resource
win7-20220718-en
-
resource tags
arch:x64 arch:x86 image:win7-20220718-en locale:en-us os:windows7-x64 system
-
submitted
03-08-2022 06:24
Behavioral task
behavioral1
Sample
77f3cf4c9b1e6c42a9927a04a9c0727fd2d3e576c6a63e49370dfede61f81e49.exe
Resource
win7-20220718-en
General
-
Target
77f3cf4c9b1e6c42a9927a04a9c0727fd2d3e576c6a63e49370dfede61f81e49.exe
-
Size
1.1MB
-
MD5
fe1e96958b3daaa6d6a80a20180d558a
-
SHA1
3512a79b0f93e8d82c5d6e9ed01c72895d34cd00
-
SHA256
77f3cf4c9b1e6c42a9927a04a9c0727fd2d3e576c6a63e49370dfede61f81e49
-
SHA512
80c01b5f188c4080d844c483f825f5e6b4c9e10e765d0e876b2d7617b10702dbf431486e22eabccf0dd074ea0a8fc6bdd608ea466f89de16599c16e28c0f58c5
Malware Config
Extracted
cobaltstrike
1
http://update.micrrosoft.life:8443/jquery-3.3.1.min.js
-
access_type
512
-
beacon_type
2048
-
host
update.micrrosoft.life,/jquery-3.3.1.min.js
-
http_method1
GET
-
http_method2
POST
-
jitter
9472
-
polling_time
45000
-
port_number
8443
-
sc_process32
%windir%\syswow64\dllhost.exe
-
sc_process64
%windir%\sysnative\dllhost.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCMzD/AZsTe+L9OMJsKFX3v1nhbQkO1ubtGq8teBoaBGRO84Q3felGNQB8iVNbFpmmoykrsbYwDu8Ir2LrfTROG3X5oGN8d6+lOg4zo6Rjfvrnydiv0dnxIfn02T1431q9GcIvSBHb7J7i/7f8tJPSHdJBOGtVJg9ienNWCF2WllwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
4.234810624e+09
-
unknown2
AAAABAAAAAEAAAXyAAAAAgAAAFQAAAACAAAPWwAAAA0AAAAPAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/jquery-3.3.2.min.js
-
user_agent
Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
-
watermark
1
Signatures
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Executes dropped EXE 1 IoCs
Processes:
pid | process
1064 | notepad.exe
Processes:
resource | yara_rule
behavioral1/memory/1044-59-0x0000000000ED0000-0x00000000010E4000-memory.dmp | upx
Loads dropped DLL 1 IoCs
Processes:
pid | process
1044 | 77f3cf4c9b1e6c42a9927a04a9c0727fd2d3e576c6a63e49370dfede61f81e49.exe
HTTP links in PDF interactive object 1 IoCs
Detects HTTP links in interactive objects within PDF files.
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\实名举报.pdf | pdf_with_link_action
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: RenamesItself 1 IoCs
Processes:
pid | process
1044 | 77f3cf4c9b1e6c42a9927a04a9c0727fd2d3e576c6a63e49370dfede61f81e49.exe
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
pid | process
1360 | AcroRd32.exe
1360 | AcroRd32.exe
1360 | AcroRd32.exe
1360 | AcroRd32.exe
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
description | pid | process | target process
PID 1044 wrote to memory of 600 | 1044 | 77f3cf4c9b1e6c42a9927a04a9c0727fd2d3e576c6a63e49370dfede61f81e49.exe | cmd.exe
PID 1044 wrote to memory of 600 | 1044 | 77f3cf4c9b1e6c42a9927a04a9c0727fd2d3e576c6a63e49370dfede61f81e49.exe | cmd.exe
PID 1044 wrote to memory of 600 | 1044 | 77f3cf4c9b1e6c42a9927a04a9c0727fd2d3e576c6a63e49370dfede61f81e49.exe | cmd.exe
PID 1044 wrote to memory of 600 | 1044 | 77f3cf4c9b1e6c42a9927a04a9c0727fd2d3e576c6a63e49370dfede61f81e49.exe | cmd.exe
PID 1044 wrote to memory of 1064 | 1044 | 77f3cf4c9b1e6c42a9927a04a9c0727fd2d3e576c6a63e49370dfede61f81e49.exe | notepad.exe
PID 1044 wrote to memory of 1064 | 1044 | 77f3cf4c9b1e6c42a9927a04a9c0727fd2d3e576c6a63e49370dfede61f81e49.exe | notepad.exe
PID 1044 wrote to memory of 1064 | 1044 | 77f3cf4c9b1e6c42a9927a04a9c0727fd2d3e576c6a63e49370dfede61f81e49.exe | notepad.exe
PID 1044 wrote to memory of 1064 | 1044 | 77f3cf4c9b1e6c42a9927a04a9c0727fd2d3e576c6a63e49370dfede61f81e49.exe | notepad.exe
PID 600 wrote to memory of 1360 | 600 | cmd.exe | AcroRd32.exe
PID 600 wrote to memory of 1360 | 600 | cmd.exe | AcroRd32.exe
PID 600 wrote to memory of 1360 | 600 | cmd.exe | AcroRd32.exe
PID 600 wrote to memory of 1360 | 600 | cmd.exe | AcroRd32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\77f3cf4c9b1e6c42a9927a04a9c0727fd2d3e576c6a63e49370dfede61f81e49.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\77f3cf4c9b1e6c42a9927a04a9c0727fd2d3e576c6a63e49370dfede61f81e49.exe" (tree depth 1)
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe
Command line: cmd " /c " C:\Users\Admin\AppData\Local\Temp\实名举报.pdf (tree depth 2)
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\实名举报.pdf" (tree depth 3)
- Suspicious use of SetWindowsHookEx
-
C:\Users\Public\notepad.exe
Command line: C:\Users\Public\notepad.exe (tree depth 2)
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\实名举报.pdf
Filesize 35KB
MD5 f228c4bce0df6f0adcb25abcaf07ad32
SHA1 05c562abf45371d29741eec5e184ebf0d94416f9
SHA256 be693b95442d67c7b295647c80f31dfe772e89281631ed9a68503ce541d3f4e6
SHA512 d9a0c96db7dac9f51392c09983eb0b35556bf4729a53af7ddaa624f25d7c1aa266ef46f557af58677c0540209c8d5038f65bbe11e59ace124fa72e27b64f0761
-
C:\Users\Public\notepad.exe
Filesize 19KB
MD5 bf93b78f2ae8897ac87b60098900d199
SHA1 5981781a12454db3e74557a568ab1993486168a4
SHA256 748bf468297d335ca4f7213b27e6d38c2e400f98b835cf9f77eb935ec17ba613
SHA512 cd8d6db7cf94a4b7b962cbd2659bd7774cbdfc83cd9576ee3dcbf5b213eab217fa0c4ee9297e656386de56a9f27b3ec9e92ef7380b050f10f19c9e1af85d4783
-
\Users\Public\notepad.exe
Filesize 19KB
MD5 bf93b78f2ae8897ac87b60098900d199
SHA1 5981781a12454db3e74557a568ab1993486168a4
SHA256 748bf468297d335ca4f7213b27e6d38c2e400f98b835cf9f77eb935ec17ba613
SHA512 cd8d6db7cf94a4b7b962cbd2659bd7774cbdfc83cd9576ee3dcbf5b213eab217fa0c4ee9297e656386de56a9f27b3ec9e92ef7380b050f10f19c9e1af85d4783
-
memory/600-54-0x0000000000000000-mapping.dmp
-
memory/600-58-0x0000000075211000-0x0000000075213000-memory.dmp
Filesize 8KB
-
memory/1044-59-0x0000000000ED0000-0x00000000010E4000-memory.dmp
Filesize 2.1MB
-
memory/1064-64-0x0000000003860000-0x0000000003CD2000-memory.dmp
Filesize 4.4MB
-
memory/1064-63-0x000007FEFBB71000-0x000007FEFBB73000-memory.dmp
Filesize 8KB
-
memory/1064-56-0x0000000000000000-mapping.dmp
-
memory/1064-65-0x0000000003460000-0x0000000003860000-memory.dmp
Filesize 4.0MB
-
memory/1064-66-0x0000000003860000-0x0000000003CD2000-memory.dmp
Filesize 4.4MB
-
memory/1064-67-0x0000000003460000-0x0000000003860000-memory.dmp
Filesize 4.0MB
-
memory/1360-60-0x0000000000000000-mapping.dmp