Malware Analysis Report

2025-01-02 14:12

Sample ID 220903-egg1xshacq
Target 4c243352c6ff56af7a239284c0548c8eb5b29ed607ae27ccd96fc88aae826749
SHA256 4c243352c6ff56af7a239284c0548c8eb5b29ed607ae27ccd96fc88aae826749
Tags
cobaltstrike hawkeye backdoor keylogger spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4c243352c6ff56af7a239284c0548c8eb5b29ed607ae27ccd96fc88aae826749

Threat Level: Known bad

The file 4c243352c6ff56af7a239284c0548c8eb5b29ed607ae27ccd96fc88aae826749 was found to be: Known bad.

Malicious Activity Summary

cobaltstrike hawkeye backdoor keylogger spyware stealer trojan

Cobaltstrike

HawkEye

Executes dropped EXE

Checks computer location settings

Program crash

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious behavior: AddClipboardFormatListener

Modifies registry class

Suspicious use of WriteProcessMemory

Checks processor information in registry

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-09-03 03:54

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-09-03 03:54

Reported

2022-09-03 03:57

Platform

win7-20220901-en

Max time kernel

45s

Max time network

50s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4c243352c6ff56af7a239284c0548c8eb5b29ed607ae27ccd96fc88aae826749.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\4c243352c6ff56af7a239284c0548c8eb5b29ed607ae27ccd96fc88aae826749.exe

"C:\Users\Admin\AppData\Local\Temp\4c243352c6ff56af7a239284c0548c8eb5b29ed607ae27ccd96fc88aae826749.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1340 -s 32

Network

N/A

Files

memory/1276-54-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-09-03 03:54

Reported

2022-09-03 03:57

Platform

win10v2004-20220812-en

Max time kernel

146s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4c243352c6ff56af7a239284c0548c8eb5b29ed607ae27ccd96fc88aae826749.exe"

Signatures

Cobaltstrike

trojan backdoor cobaltstrike

HawkEye

keylogger trojan stealer spyware hawkeye

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\4c243352c6ff56af7a239284c0548c8eb5b29ed607ae27ccd96fc88aae826749.exe | N/A

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\4c243352c6ff56af7a239284c0548c8eb5b29ed607ae27ccd96fc88aae826749.exe | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4c243352c6ff56af7a239284c0548c8eb5b29ed607ae27ccd96fc88aae826749.exe

"C:\Users\Admin\AppData\Local\Temp\4c243352c6ff56af7a239284c0548c8eb5b29ed607ae27ccd96fc88aae826749.exe"

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\阿里巴巴集团内容运营业务招聘部分JD信息AlibabaGroupOperationsBusinessRecruitmentPartOfJDInformation.docx" /o ""

C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe

"C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\4c243352c6ff56af7a239284c0548c8eb5b29ed607ae27ccd96fc88aae826749.exe

C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe

C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
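The process list above is the whole infection chain: the dropper writes WindowsUpdate.exe to %APPDATA% and starts it, hands Word a decoy recruitment document so the victim sees something plausible, and calls cmd.exe to delete its own image. As an added example that is not part of this report or of the sandbox's output, the Python below encodes those three behaviours as detection rules and runs them over constructed process-creation events modelled on the command lines listed. Field names, pids, the explorer parent and the benign control event are assumptions, and the decoy file name is shortened to its ASCII part.

```python
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record. Field names are an assumption, not an EDR schema."""
    pid: int
    ppid: int
    image: str     # full path of the executable that started
    cmdline: str   # command line as logged


# Paths taken from the report; pids and the explorer/benign events are constructed.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\4c243352c6ff56af7a239284c0548c8eb5b29ed607ae27ccd96fc88aae826749.exe")
DROPPED = r"C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe"
DECOY = r"C:\Users\Admin\AppData\Roaming\AlibabaGroupOperationsBusinessRecruitmentPartOfJDInformation.docx"
WINWORD = r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"
CMD = r"C:\Windows\System32\cmd.exe"
EXPLORER = r"C:\Windows\explorer.exe"
BENIGN_DOC = r"C:\Users\Admin\Documents\notes.docx"

SAMPLE_EVENTS = [
    ProcessEvent(1000, 1, EXPLORER, EXPLORER),
    ProcessEvent(2000, 1000, SAMPLE, f'"{SAMPLE}"'),
    ProcessEvent(204, 2000, WINWORD, f'"{WINWORD}" /n "{DECOY}" /o ""'),
    ProcessEvent(4796, 2000, DROPPED, f'"{DROPPED}"'),
    ProcessEvent(3996, 2000, CMD, f'"{CMD}" /c del {SAMPLE}'),
    ProcessEvent(5100, 4796, DROPPED, DROPPED),
    # benign control: the user opens a document from Explorer
    ProcessEvent(6000, 1000, WINWORD, f'"{WINWORD}" /n "{BENIGN_DOC}"'),
]

# Assumption: a name imitating a Windows component (here WindowsUpdate) under a
# user-writable profile directory is worth flagging; widen the pattern as needed.
LOOKALIKE_NAME = re.compile(r"^windows.?update.*\.exe$", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\AppData\\(Roaming|Local)\\", re.IGNORECASE)
# "cmd /c del [/q /f ...] <path>" with an optionally quoted path
DEL_CMD = re.compile(r'/c\s+del\s+(?:/\w\s+)*"?(?P<path>[^"]+?)"?\s*$', re.IGNORECASE)
QUOTED_DOC = re.compile(r'"([^"]+\.docx?)"', re.IGNORECASE)
# parents from which Word is normally started; anything else is unexpected
EXPECTED_WORD_PARENTS = {"explorer.exe", "outlook.exe", "winword.exe"}


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


def detect(events):
    """Return (rule, pid) findings over a list of ProcessEvent records."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = _name(e.image)
        parent = by_pid.get(e.ppid)

        # 1. WindowsUpdate.exe executing from %APPDATA% (the dropped payload)
        if LOOKALIKE_NAME.match(name) and USER_WRITABLE.search(e.image):
            findings.append(("lookalike_exe_in_user_profile", e.pid))

        # 2. cmd.exe deleting its own parent's image: self-removal of the dropper
        if name == "cmd.exe" and parent is not None:
            m = DEL_CMD.search(e.cmdline)
            if m and ntpath.normcase(m.group("path")) == ntpath.normcase(parent.image):
                findings.append(("self_delete_via_cmd", e.pid))

        # 3. Word started by a non-Office parent on a document in the profile: decoy
        if (name == "winword.exe" and parent is not None
                and _name(parent.image) not in EXPECTED_WORD_PARENTS):
            if any(USER_WRITABLE.search(d) for d in QUOTED_DOC.findall(e.cmdline)):
                findings.append(("decoy_document_from_profile", e.pid))
    return findings


if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule:32} pid={pid}")
```

Rule 2 only works when the telemetry links cmd.exe to its parent by pid, so it is silent on sources that log command lines without a process tree; rule 1's name pattern is tuned to this sample and should be broadened (svchost, conhost, and similar lookalikes) before use as a general hunt.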

Network

Country | Destination | Domain | Proto
US | 93.184.220.29:80 | | tcp
US | 8.8.8.8:53 | img.asugar.cn | udp
CN | 221.236.18.250:443 | img.asugar.cn | tcp
US | 13.89.178.27:443 | | tcp
NL | 104.80.225.205:443 | | tcp
US | 8.8.8.8:53 | down.zvo.cn | udp
NL | 163.171.160.195:443 | down.zvo.cn | tcp
US | 8.249.91.254:80 | | tcp
US | 8.249.91.254:80 | | tcp
US | 8.249.91.254:80 | | tcp
CN | 221.236.18.250:443 | img.asugar.cn | tcp
US | 93.184.221.240:80 | | tcp
NL | 163.171.160.195:443 | down.zvo.cn | tcp
CN | 221.236.18.250:443 | img.asugar.cn | tcp
NL | 163.171.160.195:443 | down.zvo.cn | tcp

Files

memory/2000-132-0x0000000000000000-mapping.dmp

memory/204-133-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe

MD5 1cc27d94ab1ea63c0d1aad98d7d9626c
SHA1 db00a0c5d2613f42fbff0241937a001029392854
SHA256 d4199e8e83e02d3db7a143c3a3ed6b5d8dce0b0f294fb4bd825264cfd66686d8
SHA512 cef4542bf6369d9659c725604e736a5988738d94bcd75b7ad1f4226c1dde200673fa5177e0ba40fcb0e60f2254c4d726efb4536ba689c27c48d4dd6f944b5c37

C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe

MD5 1cc27d94ab1ea63c0d1aad98d7d9626c
SHA1 db00a0c5d2613f42fbff0241937a001029392854
SHA256 d4199e8e83e02d3db7a143c3a3ed6b5d8dce0b0f294fb4bd825264cfd66686d8
SHA512 cef4542bf6369d9659c725604e736a5988738d94bcd75b7ad1f4226c1dde200673fa5177e0ba40fcb0e60f2254c4d726efb4536ba689c27c48d4dd6f944b5c37

memory/4796-137-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe

MD5 1cc27d94ab1ea63c0d1aad98d7d9626c
SHA1 db00a0c5d2613f42fbff0241937a001029392854
SHA256 d4199e8e83e02d3db7a143c3a3ed6b5d8dce0b0f294fb4bd825264cfd66686d8
SHA512 cef4542bf6369d9659c725604e736a5988738d94bcd75b7ad1f4226c1dde200673fa5177e0ba40fcb0e60f2254c4d726efb4536ba689c27c48d4dd6f944b5c37

memory/4796-140-0x000002EB18D65000-0x000002EB18DA7000-memory.dmp

memory/3996-136-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\license.lst

MD5 c3c66f35413bb9a878b1a12d6ee318e0
SHA1 d3876653bf6964757c46c184cb63fdd1582c280c
SHA256 09a96b97ed0e8246b95b9d9a2abfcc4c7f9609cc41344401c92ec8b26764e0bf
SHA512 81a2a475500df99bd813159d43b65717f62e89111915f348c190d640bc00e6c66fddf682f4c5e1dcd4363f8caf0b365dd52c7f9ff412d725105449efaef05fb1

memory/4796-141-0x000002EB18EF0000-0x000002EB18F3F000-memory.dmp

memory/4796-142-0x000002EB18D65000-0x000002EB18DA7000-memory.dmp

memory/2000-143-0x00007FFAC2970000-0x00007FFAC2980000-memory.dmp

memory/2000-144-0x00007FFAC2970000-0x00007FFAC2980000-memory.dmp

memory/2000-145-0x00007FFAC2970000-0x00007FFAC2980000-memory.dmp

memory/2000-146-0x00007FFAC2970000-0x00007FFAC2980000-memory.dmp

memory/2000-147-0x00007FFAC2970000-0x00007FFAC2980000-memory.dmp

memory/4796-148-0x000002EB18D65000-0x000002EB18DA7000-memory.dmp

memory/2000-149-0x00007FFAC0240000-0x00007FFAC0250000-memory.dmp

memory/2000-150-0x00007FFAC0240000-0x00007FFAC0250000-memory.dmp

C:\Users\Admin\AppData\Roaming\阿里巴巴集团内容运营业务招聘部分JD信息AlibabaGroupOperationsBusinessRecruitmentPartOfJDInformation.docx

MD5 406dcd4c9c9a8bc69bee7fb16ae88b21
SHA1 4381777c2e75b6b5f720d2b44297368e602b43d3
SHA256 d0613fa0b2d56574276fa3db105b74f189b5486f9fadc879e92606a8c1518322
SHA512 47179f075879b955a80a4db6bb163771c8d6c2f2ceaccf706e6d614dd1db5442dbc28533c6192037922af326174b9125f9d01cc2644dbdc13094aaedfe76ecd5

memory/2000-153-0x00007FFAC2970000-0x00007FFAC2980000-memory.dmp

memory/2000-154-0x00007FFAC2970000-0x00007FFAC2980000-memory.dmp

memory/2000-155-0x00007FFAC2970000-0x00007FFAC2980000-memory.dmp

memory/2000-156-0x00007FFAC2970000-0x00007FFAC2980000-memory.dmp