Analysis
max time kernel: 115s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-08-2022 10:03
Static task
static1
Behavioral task
behavioral1
Sample
3f0b5c37d09d93f2b3f2226b34b71d8c32581d17ed761c56fa96146f9bcd9927.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
3f0b5c37d09d93f2b3f2226b34b71d8c32581d17ed761c56fa96146f9bcd9927.exe
Resource
win10v2004-20220812-en
General
Target: 3f0b5c37d09d93f2b3f2226b34b71d8c32581d17ed761c56fa96146f9bcd9927.exe
Size: 2.7MB
MD5: 10a6d0e4221cd751292a89659979f6b7
SHA1: 55d9095ed66b636633125f7dc7253343109784d4
SHA256: 3f0b5c37d09d93f2b3f2226b34b71d8c32581d17ed761c56fa96146f9bcd9927
SHA512: 002f4865517aeb942b9373cc3d6831da8fec193a3ad09ed1b77962ff2d3b791b96efa1ff3c2840641e6d099454c3b502d208634fc0deb1d494f026f36f4a9f40
Malware Config
Extracted
cobaltstrike
305419896
http://43.142.80.49:443/search
access_type: 512
beacon_type: 2048
host: 43.142.80.49,/search
http_header1: AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAA4Q29va2llOiBEVVA9UT1HcE8xbkpwTW5hbTRVbGxFZm1lTWRnMiZUPTI4Mzc2NzA4OCZBPTEmSUcAAAAKAAAAJlJlZmVyZXI6IGh0dHBzOi8vd3d3LmNsb3VkLnRlbmNlbnQuY29tAAAABwAAAAAAAAADAAAAAgAAAApTRVNTSU9OSUQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2: AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAA4Q29va2llOiBEVVA9UT1HcE8xbkpwTW5hbTRVbGxFZm1lTWRnMiZUPTI4Mzc2NzA4OCZBPTEmSUcAAAAHAAAAAAAAAAMAAAACAAAACUpTRVNTSU9OPQAAAAYAAAAGQ29va2llAAAABwAAAAEAAAADAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_method1: GET
http_method2: POST
jitter: 2560
maxdns: 255
polling_time: 5000
port_number: 443
sc_process32: %windir%\syswow64\rundll32.exe
sc_process64: %windir%\sysnative\rundll32.exe
state_machine: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCTUlJ7J79z/MkkV8+MsYlOvREE2hhdGNzrKPFZ10lY0K5legA+um5JxESEaC0woDgSmOGrkh1giz/aQwd6tG4mihFgpi0oIbfwu6XZbE6ghYGyu2F7+A5TifRUzvU0YLXjK78EW12XhjHx4KopMF/AtOAueGwfiI2DmXwNzrBDvwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1: 3.82554112e+09
unknown2: AAAABAAAAAEAAANBAAAAAgAAAqMAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri: /switch
user_agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
watermark: 305419896
Signatures
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: cmd.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | cmd.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: EXCEL.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes: EXCEL.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
-
Modifies registry class 1 IoCs
Processes: cmd.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings | cmd.exe
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes: EXCEL.EXE
pid | process
4936 | EXCEL.EXE
-
Suspicious behavior: RenamesItself 1 IoCs
Processes: 3f0b5c37d09d93f2b3f2226b34b71d8c32581d17ed761c56fa96146f9bcd9927.exe
pid | process
4284 | 3f0b5c37d09d93f2b3f2226b34b71d8c32581d17ed761c56fa96146f9bcd9927.exe
-
Suspicious use of SetWindowsHookEx 13 IoCs
Processes: EXCEL.EXE
pid | process
4936 | EXCEL.EXE (13 identical entries)
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes: 3f0b5c37d09d93f2b3f2226b34b71d8c32581d17ed761c56fa96146f9bcd9927.exe, cmd.exe
description | pid | process | target process
PID 4284 wrote to memory of 4868 | 4284 | 3f0b5c37d09d93f2b3f2226b34b71d8c32581d17ed761c56fa96146f9bcd9927.exe | cmd.exe (3 identical entries)
PID 4868 wrote to memory of 4936 | 4868 | cmd.exe | EXCEL.EXE (3 identical entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\3f0b5c37d09d93f2b3f2226b34b71d8c32581d17ed761c56fa96146f9bcd9927.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\3f0b5c37d09d93f2b3f2226b34b71d8c32581d17ed761c56fa96146f9bcd9927.exe"
   - Suspicious behavior: RenamesItself
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      command line: cmd " /c " C:\Users\Admin\AppData\Local\Temp\可囤.xlsx
      - Checks computer location settings
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      3. C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
         command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\可囤.xlsx"
         - Checks processor information in registry
         - Enumerates system info in registry
         - Suspicious behavior: AddClipboardFormatListener
         - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\可囤.xlsx
  Filesize: 30KB
  MD5: 719a9d96c596acc3187dbcdf5c3f7e36
  SHA1: 490bde5317dea08e1aa490cf197419d89fdba992
  SHA256: 5b71b2d754dd0ddcab59411eabb7941ea46a47bc21b9fdac688524a4d3b14964
  SHA512: 375292a65c087626b7aa1deebffb1985912a771929777f090fda295ae6ea26cc8930d1565fc30902ea2d6d41d7e5745909af282d93157d525cf1068558bd5724
- memory/4284-144-0x0000000033B90000-0x0000000033F90000-memory.dmp  Filesize: 4.0MB
- memory/4284-143-0x0000000033F90000-0x000000003400D000-memory.dmp  Filesize: 500KB
- memory/4868-132-0x0000000000000000-mapping.dmp
- memory/4936-141-0x00007FF9DE600000-0x00007FF9DE610000-memory.dmp  Filesize: 64KB
- memory/4936-138-0x00007FF9E06B0000-0x00007FF9E06C0000-memory.dmp  Filesize: 64KB
- memory/4936-139-0x00007FF9E06B0000-0x00007FF9E06C0000-memory.dmp  Filesize: 64KB
- memory/4936-140-0x00007FF9E06B0000-0x00007FF9E06C0000-memory.dmp  Filesize: 64KB
- memory/4936-137-0x00007FF9E06B0000-0x00007FF9E06C0000-memory.dmp  Filesize: 64KB
- memory/4936-142-0x00007FF9DE600000-0x00007FF9DE610000-memory.dmp  Filesize: 64KB
- memory/4936-136-0x00007FF9E06B0000-0x00007FF9E06C0000-memory.dmp  Filesize: 64KB
- memory/4936-135-0x0000000000000000-mapping.dmp
- memory/4936-146-0x00007FF9E06B0000-0x00007FF9E06C0000-memory.dmp  Filesize: 64KB
- memory/4936-147-0x00007FF9E06B0000-0x00007FF9E06C0000-memory.dmp  Filesize: 64KB
- memory/4936-148-0x00007FF9E06B0000-0x00007FF9E06C0000-memory.dmp  Filesize: 64KB
- memory/4936-149-0x00007FF9E06B0000-0x00007FF9E06C0000-memory.dmp  Filesize: 64KB