Analysis
- max time kernel: 141s
- max time network: 141s
- platform: windows10-2004_x64
- resource: win10v2004-20220722-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220722-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05-08-2022 07:51
Static task: static1
Behavioral task: behavioral1
  Sample: 关于集团及各公司开展网络安全攻防演习的通知.exe
  Resource: win7-20220715-en
Behavioral task: behavioral2
  Sample: 关于集团及各公司开展网络安全攻防演习的通知.exe
  Resource: win10v2004-20220722-en
General
- Target: 关于集团及各公司开展网络安全攻防演习的通知.exe
- Size: 4.5MB
- MD5: 3f2202e24ad0a66c08f88a18dd7b5fb4
- SHA1: 62df51eb1351279afa4dbe5920758d6974427ac9
- SHA256: eb94cd39cde6a5270181d6e6788c69a2a90ab2b27f9236c8382e810e4dfead1d
- SHA512: cd87c99ce09a29a5317343e04bb55fd63cd0b98cebcb08793a9b1dd275a9c6ce09c53fb7f901fc6083d8992360d3fbe02438d4143a907be64e7bdca15567bc27
Malware Config
Extracted
cobaltstrike
0
http://124.221.206.154:1443/submit.php
- access_type: 512
- beacon_type: 2048
- host: 124.221.206.154,/submit.php
- http_header1:
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
- http_header2:
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAANzaWQAAAAHAAAAAQAAAAMAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
- http_method1: GET
- http_method2: POST
- polling_time: 60000
- port_number: 1443
- sc_process32: %windir%\syswow64\rundll32.exe
- sc_process64: %windir%\sysnative\rundll32.exe
- state_machine:
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCnOM3nXx+7HBhkbDd+AwFrFisSunK999w2tM0uTpuuEiBalcJhcL+QgQWtf6S7zPp5hjImG+2YcPl18geU4f5JlSPXHwilbK4DFb/ePWyKFjhrA7emVRqhM21QMlo1ANsn14rY/RO2pzuft8P7TXoIjjI/B2GGVuzYNZX6X4I2EwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- unknown1: 4096
- unknown2:
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- uri: /submit.jsp
- user_agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; NP09; NP09; MAAU)
- watermark: 0
Signatures
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
- Executes dropped EXE (1 IoC)
  Processes:
    pid   process
    516   华陆工程科技有限责任公司.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description         ioc                                                                                                process
    Key value queried   \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\International\Geo\Nation   cmd.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    description         ioc                                                                                     process
    Key opened          \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                        WINWORD.EXE
    Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                  WINWORD.EXE
    Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString   WINWORD.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes:
    description         ioc                                                         process
    Key opened          \REGISTRY\MACHINE\Hardware\Description\System\BIOS          WINWORD.EXE
    Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily   WINWORD.EXE
    Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU      WINWORD.EXE
- Modifies registry class (1 IoC)
  Processes:
    description   ioc                                                                            process
    Key created   \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000_Classes\Local Settings   cmd.exe
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes:
    pid    process
    1468   WINWORD.EXE
    1468   WINWORD.EXE
- Suspicious use of SetWindowsHookEx (10 IoCs)
  Processes:
    pid    process
    1468   WINWORD.EXE   (10 entries, all from the same process)
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description                          pid    process                                              target process
    PID 4504 wrote to memory of 516      4504   关于集团及各公司开展网络安全攻防演习的通知.exe   华陆工程科技有限责任公司.exe
    PID 4504 wrote to memory of 516      4504   关于集团及各公司开展网络安全攻防演习的通知.exe   华陆工程科技有限责任公司.exe
    PID 4504 wrote to memory of 448      4504   关于集团及各公司开展网络安全攻防演习的通知.exe   cmd.exe
    PID 4504 wrote to memory of 448      4504   关于集团及各公司开展网络安全攻防演习的通知.exe   cmd.exe
    PID 448 wrote to memory of 1468      448    cmd.exe                                              WINWORD.EXE
    PID 448 wrote to memory of 1468      448    cmd.exe                                              WINWORD.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\关于集团及各公司开展网络安全攻防演习的通知.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\关于集团及各公司开展网络安全攻防演习的通知.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Temp\华陆工程科技有限责任公司.exe
    Command line: C:\Windows\Temp\华陆工程科技有限责任公司.exe s96cx2rtm8
    - Executes dropped EXE
  - C:\Windows\system32\cmd.exe
    Command line: cmd.exe /c start 关于集团及各公司开展网络安全攻防演习的通知.docx
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\关于集团及各公司开展网络安全攻防演习的通知.docx" /o ""
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\关于集团及各公司开展网络安全攻防演习的通知.docx
  Filesize: 16KB
  MD5: 5f48bbb1aac3b8d63aaae3ec114ba340
  SHA1: 31fc3508af156d67da4bc6fe8d41206bda5276ee
  SHA256: 80596668abc2c8c42481ad06713039198f08eb11c543061c3f9657a51248d04f
  SHA512: f5c3af4e2269094c5381c512ae2a13c8204a34477dd47db5d7ed4fc7bc986ecb36b2ef17b0a7470d1cb64404b8035cb7d27563c45e7f8e94fa92cfb9e3f6b9e8
- C:\Windows\Temp\华陆工程科技有限责任公司.exe
  Filesize: 2.0MB
  MD5: 84e3d79da5e503374e61a17351781c14
  SHA1: 6c4710e5e6bc0f991c6954e64e76ec8bf796a2e1
  SHA256: 6254e9f7f9e61a1a80e8a3c01757b8d29c9ac0eb0d596236fc0a2944fd44dfd6
  SHA512: b287d405b01aaa7b7c35ae1787395cce626a4565b28bb74d2aa715d251d580aab4eee513d29885728b56f0175cb13238b6dcf0ec228db83c6ac90ca7eeecc4d8
- memory/448-134-0x0000000000000000-mapping.dmp
- memory/516-132-0x0000000000000000-mapping.dmp
- memory/516-137-0x0000021D06850000-0x0000021D06891000-memory.dmp (Filesize: 260KB)
- memory/516-138-0x0000021D068A0000-0x0000021D068EE000-memory.dmp (Filesize: 312KB)
- memory/1468-140-0x00007FFAE8A10000-0x00007FFAE8A20000-memory.dmp (Filesize: 64KB)
- memory/1468-139-0x0000000000000000-mapping.dmp
- memory/1468-141-0x00007FFAE8A10000-0x00007FFAE8A20000-memory.dmp (Filesize: 64KB)
- memory/1468-142-0x00007FFAE8A10000-0x00007FFAE8A20000-memory.dmp (Filesize: 64KB)
- memory/1468-143-0x00007FFAE8A10000-0x00007FFAE8A20000-memory.dmp (Filesize: 64KB)
- memory/1468-144-0x00007FFAE8A10000-0x00007FFAE8A20000-memory.dmp (Filesize: 64KB)
- memory/1468-145-0x00007FFAE60B0000-0x00007FFAE60C0000-memory.dmp (Filesize: 64KB)
- memory/1468-146-0x00007FFAE60B0000-0x00007FFAE60C0000-memory.dmp (Filesize: 64KB)
- memory/1468-148-0x00007FFAE8A10000-0x00007FFAE8A20000-memory.dmp (Filesize: 64KB)
- memory/1468-149-0x00007FFAE8A10000-0x00007FFAE8A20000-memory.dmp (Filesize: 64KB)
- memory/1468-150-0x00007FFAE8A10000-0x00007FFAE8A20000-memory.dmp (Filesize: 64KB)
- memory/1468-151-0x00007FFAE8A10000-0x00007FFAE8A20000-memory.dmp (Filesize: 64KB)