Analysis
- max time kernel: 156s
- max time network: 161s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-09-2022 10:36
Static task: static1
Behavioral task: behavioral1
- Sample: 3eae63f6ccc836090a020988f5aa654cb7b99a8ad5d7feec918852d050750482.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 3eae63f6ccc836090a020988f5aa654cb7b99a8ad5d7feec918852d050750482.exe
- Resource: win10v2004-20220812-en
General
- Target: 3eae63f6ccc836090a020988f5aa654cb7b99a8ad5d7feec918852d050750482.exe
- Size: 1.9MB
- MD5: c812ef291c2b9711c3566c44e6a3f143
- SHA1: 09a6ab08244ae284c7a9b93ae457be1d46bfe40b
- SHA256: 3eae63f6ccc836090a020988f5aa654cb7b99a8ad5d7feec918852d050750482
- SHA512: 5e96aa4579e52393478e4b1859be4236eb722882935b6548a288314839bf02a74d3ab9f87b623d6f61eeed6fa28cfe2c45e4f05a0a89f61866acd6af12f5f21b
- SSDEEP: 24576:UAK38HHY72CcJJF/5bAfUo1veNSFnwohhOcDVK65DjHxYSb1v9WugiXDcqxvg/8n:UUX5oS9UDN5jpvC8b1J
Malware Config
Extracted
- Family: cobaltstrike
- Watermark: 305419896
- C2: http://43.142.80.49:443/search
- access_type: 512
- beacon_type: 2048
- host: 43.142.80.49,/search
- http_header1: AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAA4Q29va2llOiBEVVA9UT1HcE8xbkpwTW5hbTRVbGxFZm1lTWRnMiZUPTI4Mzc2NzA4OCZBPTEmSUcAAAAKAAAAJlJlZmVyZXI6IGh0dHBzOi8vd3d3LmNsb3VkLnRlbmNlbnQuY29tAAAABwAAAAAAAAADAAAAAgAAAApTRVNTSU9OSUQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- http_header2: AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAA4Q29va2llOiBEVVA9UT1HcE8xbkpwTW5hbTRVbGxFZm1lTWRnMiZUPTI4Mzc2NzA4OCZBPTEmSUcAAAAHAAAAAAAAAAMAAAACAAAACUpTRVNTSU9OPQAAAAYAAAAGQ29va2llAAAABwAAAAEAAAADAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- http_method1: GET
- http_method2: POST
- jitter: 2560
- maxdns: 255
- polling_time: 5000
- port_number: 443
- sc_process32: %windir%\syswow64\rundll32.exe
- sc_process64: %windir%\sysnative\rundll32.exe
- state_machine: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCTUlJ7J79z/MkkV8+MsYlOvREE2hhdGNzrKPFZ10lY0K5legA+um5JxESEaC0woDgSmOGrkh1giz/aQwd6tG4mihFgpi0oIbfwu6XZbE6ghYGyu2F7+A5TifRUzvU0YLXjK78EW12XhjHx4KopMF/AtOAueGwfiI2DmXwNzrBDvwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- unknown1: 3.82554112e+09
- unknown2: AAAABAAAAAEAAANBAAAAAgAAAqMAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- uri: /switch
- user_agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
- watermark: 305419896
Signatures
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: cmd.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | cmd.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: EXCEL.EXE
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: EXCEL.EXE
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
- Modifies registry class (1 IoC)
  Processes: cmd.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | cmd.exe
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes: EXCEL.EXE
  pid | process
  5036 | EXCEL.EXE
- Suspicious behavior: RenamesItself (1 IoC)
  Processes: 3eae63f6ccc836090a020988f5aa654cb7b99a8ad5d7feec918852d050750482.exe
  pid | process
  1692 | 3eae63f6ccc836090a020988f5aa654cb7b99a8ad5d7feec918852d050750482.exe
- Suspicious use of SetWindowsHookEx (13 IoCs)
  Processes: EXCEL.EXE
  pid | process
  5036 | EXCEL.EXE (13 identical entries)
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: 3eae63f6ccc836090a020988f5aa654cb7b99a8ad5d7feec918852d050750482.exe, cmd.exe
  description | pid | process | target process
  PID 1692 wrote to memory of 228 | 1692 | 3eae63f6ccc836090a020988f5aa654cb7b99a8ad5d7feec918852d050750482.exe | cmd.exe (3 identical entries)
  PID 228 wrote to memory of 5036 | 228 | cmd.exe | EXCEL.EXE (3 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\3eae63f6ccc836090a020988f5aa654cb7b99a8ad5d7feec918852d050750482.exe (level 1, PID 1692)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3eae63f6ccc836090a020988f5aa654cb7b99a8ad5d7feec918852d050750482.exe"
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (level 2, PID 228, child of the sample)
    Command line: cmd " /c " C:\Users\Admin\AppData\Local\Temp\账单.xlsx
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (level 3, PID 5036, child of cmd.exe)
      Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\账单.xlsx"
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\账单.xlsx
  - Filesize: 30KB
  - MD5: 719a9d96c596acc3187dbcdf5c3f7e36
  - SHA1: 490bde5317dea08e1aa490cf197419d89fdba992
  - SHA256: 5b71b2d754dd0ddcab59411eabb7941ea46a47bc21b9fdac688524a4d3b14964
  - SHA512: 375292a65c087626b7aa1deebffb1985912a771929777f090fda295ae6ea26cc8930d1565fc30902ea2d6d41d7e5745909af282d93157d525cf1068558bd5724
- memory/228-132-0x0000000000000000-mapping.dmp
- memory/1692-137-0x00000000339F0000-0x0000000033DF0000-memory.dmp (Filesize: 4.0MB)
- memory/1692-136-0x0000000033DF0000-0x0000000033E6D000-memory.dmp (Filesize: 500KB)
- memory/5036-141-0x00007FF80E8D0000-0x00007FF80E8E0000-memory.dmp (Filesize: 64KB)
- memory/5036-138-0x00007FF80E8D0000-0x00007FF80E8E0000-memory.dmp (Filesize: 64KB)
- memory/5036-139-0x00007FF80E8D0000-0x00007FF80E8E0000-memory.dmp (Filesize: 64KB)
- memory/5036-140-0x00007FF80E8D0000-0x00007FF80E8E0000-memory.dmp (Filesize: 64KB)
- memory/5036-135-0x0000000000000000-mapping.dmp
- memory/5036-142-0x00007FF80E8D0000-0x00007FF80E8E0000-memory.dmp (Filesize: 64KB)
- memory/5036-143-0x00007FF80C140000-0x00007FF80C150000-memory.dmp (Filesize: 64KB)
- memory/5036-144-0x00007FF80C140000-0x00007FF80C150000-memory.dmp (Filesize: 64KB)
- memory/5036-146-0x00007FF80E8D0000-0x00007FF80E8E0000-memory.dmp (Filesize: 64KB)
- memory/5036-147-0x00007FF80E8D0000-0x00007FF80E8E0000-memory.dmp (Filesize: 64KB)
- memory/5036-148-0x00007FF80E8D0000-0x00007FF80E8E0000-memory.dmp (Filesize: 64KB)
- memory/5036-149-0x00007FF80E8D0000-0x00007FF80E8E0000-memory.dmp (Filesize: 64KB)