Analysis Overview
SHA256
4c243352c6ff56af7a239284c0548c8eb5b29ed607ae27ccd96fc88aae826749
Threat Level: Known bad
The file 4c243352c6ff56af7a239284c0548c8eb5b29ed607ae27ccd96fc88aae826749 was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike
HawkEye
Executes dropped EXE
Checks computer location settings
Program crash
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Suspicious behavior: AddClipboardFormatListener
Modifies registry class
Suspicious use of WriteProcessMemory
Checks processor information in registry
Enumerates system info in registry
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-09-03 03:54
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-09-03 03:54
Reported
2022-09-03 03:57
Platform
win7-20220901-en
Max time kernel
45s
Max time network
50s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\4c243352c6ff56af7a239284c0548c8eb5b29ed607ae27ccd96fc88aae826749.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1340 wrote to memory of 1276 | N/A | C:\Users\Admin\AppData\Local\Temp\4c243352c6ff56af7a239284c0548c8eb5b29ed607ae27ccd96fc88aae826749.exe | C:\Windows\system32\WerFault.exe |
| PID 1340 wrote to memory of 1276 | N/A | C:\Users\Admin\AppData\Local\Temp\4c243352c6ff56af7a239284c0548c8eb5b29ed607ae27ccd96fc88aae826749.exe | C:\Windows\system32\WerFault.exe |
| PID 1340 wrote to memory of 1276 | N/A | C:\Users\Admin\AppData\Local\Temp\4c243352c6ff56af7a239284c0548c8eb5b29ed607ae27ccd96fc88aae826749.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\4c243352c6ff56af7a239284c0548c8eb5b29ed607ae27ccd96fc88aae826749.exe
"C:\Users\Admin\AppData\Local\Temp\4c243352c6ff56af7a239284c0548c8eb5b29ed607ae27ccd96fc88aae826749.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1340 -s 32
Network
Files
memory/1276-54-0x0000000000000000-mapping.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-09-03 03:54
Reported
2022-09-03 03:57
Platform
win10v2004-20220812-en
Max time kernel
146s
Max time network
155s
Command Line
Signatures
Cobaltstrike
HawkEye
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\4c243352c6ff56af7a239284c0548c8eb5b29ed607ae27ccd96fc88aae826749.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\4c243352c6ff56af7a239284c0548c8eb5b29ed607ae27ccd96fc88aae826749.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4c243352c6ff56af7a239284c0548c8eb5b29ed607ae27ccd96fc88aae826749.exe
"C:\Users\Admin\AppData\Local\Temp\4c243352c6ff56af7a239284c0548c8eb5b29ed607ae27ccd96fc88aae826749.exe"
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\°¢Àï°Í°Í¼¯ÍÅÄÚÈÝÔËÓªÒµÎñÕÐÆ¸²¿·ÖJDÐÅÏ¢AlibabaGroupOperationsBusinessRecruitmentPartOfJDInformation.docx" /o ""
C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
"C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\4c243352c6ff56af7a239284c0548c8eb5b29ed607ae27ccd96fc88aae826749.exe
C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
Network
| Country | Destination | Domain | Proto |
| US | 93.184.220.29:80 | tcp | |
| US | 8.8.8.8:53 | img.asugar.cn | udp |
| CN | 221.236.18.250:443 | img.asugar.cn | tcp |
| US | 13.89.178.27:443 | tcp | |
| NL | 104.80.225.205:443 | tcp | |
| US | 8.8.8.8:53 | down.zvo.cn | udp |
| NL | 163.171.160.195:443 | down.zvo.cn | tcp |
| US | 8.249.91.254:80 | tcp | |
| US | 8.249.91.254:80 | tcp | |
| US | 8.249.91.254:80 | tcp | |
| CN | 221.236.18.250:443 | img.asugar.cn | tcp |
| US | 93.184.221.240:80 | tcp | |
| NL | 163.171.160.195:443 | down.zvo.cn | tcp |
| CN | 221.236.18.250:443 | img.asugar.cn | tcp |
| NL | 163.171.160.195:443 | down.zvo.cn | tcp |
Files
memory/2000-132-0x0000000000000000-mapping.dmp
memory/204-133-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
| MD5 | 1cc27d94ab1ea63c0d1aad98d7d9626c |
| SHA1 | db00a0c5d2613f42fbff0241937a001029392854 |
| SHA256 | d4199e8e83e02d3db7a143c3a3ed6b5d8dce0b0f294fb4bd825264cfd66686d8 |
| SHA512 | cef4542bf6369d9659c725604e736a5988738d94bcd75b7ad1f4226c1dde200673fa5177e0ba40fcb0e60f2254c4d726efb4536ba689c27c48d4dd6f944b5c37 |
C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
| MD5 | 1cc27d94ab1ea63c0d1aad98d7d9626c |
| SHA1 | db00a0c5d2613f42fbff0241937a001029392854 |
| SHA256 | d4199e8e83e02d3db7a143c3a3ed6b5d8dce0b0f294fb4bd825264cfd66686d8 |
| SHA512 | cef4542bf6369d9659c725604e736a5988738d94bcd75b7ad1f4226c1dde200673fa5177e0ba40fcb0e60f2254c4d726efb4536ba689c27c48d4dd6f944b5c37 |
memory/4796-137-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
| MD5 | 1cc27d94ab1ea63c0d1aad98d7d9626c |
| SHA1 | db00a0c5d2613f42fbff0241937a001029392854 |
| SHA256 | d4199e8e83e02d3db7a143c3a3ed6b5d8dce0b0f294fb4bd825264cfd66686d8 |
| SHA512 | cef4542bf6369d9659c725604e736a5988738d94bcd75b7ad1f4226c1dde200673fa5177e0ba40fcb0e60f2254c4d726efb4536ba689c27c48d4dd6f944b5c37 |
memory/4796-140-0x000002EB18D65000-0x000002EB18DA7000-memory.dmp
memory/3996-136-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\license.lst
| MD5 | c3c66f35413bb9a878b1a12d6ee318e0 |
| SHA1 | d3876653bf6964757c46c184cb63fdd1582c280c |
| SHA256 | 09a96b97ed0e8246b95b9d9a2abfcc4c7f9609cc41344401c92ec8b26764e0bf |
| SHA512 | 81a2a475500df99bd813159d43b65717f62e89111915f348c190d640bc00e6c66fddf682f4c5e1dcd4363f8caf0b365dd52c7f9ff412d725105449efaef05fb1 |
memory/4796-141-0x000002EB18EF0000-0x000002EB18F3F000-memory.dmp
memory/4796-142-0x000002EB18D65000-0x000002EB18DA7000-memory.dmp
memory/2000-143-0x00007FFAC2970000-0x00007FFAC2980000-memory.dmp
memory/2000-144-0x00007FFAC2970000-0x00007FFAC2980000-memory.dmp
memory/2000-145-0x00007FFAC2970000-0x00007FFAC2980000-memory.dmp
memory/2000-146-0x00007FFAC2970000-0x00007FFAC2980000-memory.dmp
memory/2000-147-0x00007FFAC2970000-0x00007FFAC2980000-memory.dmp
memory/4796-148-0x000002EB18D65000-0x000002EB18DA7000-memory.dmp
memory/2000-149-0x00007FFAC0240000-0x00007FFAC0250000-memory.dmp
memory/2000-150-0x00007FFAC0240000-0x00007FFAC0250000-memory.dmp
C:\Users\Admin\AppData\Roaming\°¢Àï°Í°Í¼¯ÍÅÄÚÈÝÔËÓªÒµÎñÕÐÆ¸²¿·ÖJDÐÅÏ¢AlibabaGroupOperationsBusinessRecruitmentPartOfJDInformation.docx
| MD5 | 406dcd4c9c9a8bc69bee7fb16ae88b21 |
| SHA1 | 4381777c2e75b6b5f720d2b44297368e602b43d3 |
| SHA256 | d0613fa0b2d56574276fa3db105b74f189b5486f9fadc879e92606a8c1518322 |
| SHA512 | 47179f075879b955a80a4db6bb163771c8d6c2f2ceaccf706e6d614dd1db5442dbc28533c6192037922af326174b9125f9d01cc2644dbdc13094aaedfe76ecd5 |
memory/2000-153-0x00007FFAC2970000-0x00007FFAC2980000-memory.dmp
memory/2000-154-0x00007FFAC2970000-0x00007FFAC2980000-memory.dmp
memory/2000-155-0x00007FFAC2970000-0x00007FFAC2980000-memory.dmp
memory/2000-156-0x00007FFAC2970000-0x00007FFAC2980000-memory.dmp