Analysis
max time kernel: 143s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-09-2022 02:58
Static task
static1
Behavioral task
behavioral1
Sample
服务器架构及规划说明.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
服务器架构及规划说明.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral3
Sample
服务器采购配置单列表.exe
Resource
win7-20220812-en
Behavioral task
behavioral4
Sample
服务器采购配置单列表.exe
Resource
win10v2004-20220901-en
General
Target: 服务器采购配置单列表.exe
Size: 725KB
MD5: ff21732afcff0761880966cb73498f37
SHA1: 1dabd85046019672c83aa27e962a8e723460f67a
SHA256: ed8b2627ba8a708b78f5dc8da4fe73aecc030482cbbbe73cb8e89e36475be70e
SHA512: 6e343f1950b0a19ae08efcd1d0711d01615e9874f262a845ec6e47a5323a6b75c7ad99e770bf3fd7a2773096a540e8ec842c63703dba8c25f422bfd8178baf5b
SSDEEP: 12288:WXsy4wauAlLKUj6jTo+s7AMC1WBvEG6rgc39okWh+XCEz/ZkiWVN62l78LZ6pwKd:EayCFYh+FjDc8dFEUlVZ
Malware Config
Extracted
Family: cobaltstrike
Watermark: 666666
C2: http://open.th1sworld.ga:443/jquery-3.3.1.min.js
access_type: 512
beacon_type: 2048
host: open.th1sworld.ga,/jquery-3.3.1.min.js
http_method1: GET
http_method2: POST
jitter: 9472
polling_time: 45000
port_number: 443
sc_process32: %windir%\syswow64\dllhost.exe
sc_process64: %windir%\sysnative\dllhost.exe
state_machine: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCyuDnaczPLBZEHfKiN3TGpwWK1FHrBVAsFbLKMYJW87Gbp7TFql1RiVaSCwSwW74QgvPgjj21ILLmuFv0iba4cf1Fb9XS8nWThYCtJZSha1I/BE8bXZ2BtCIk3YKb8pkNR3MAbKX45HCmccM9vyBeZfWEc8E4CMTINHyPJevtSFwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1: 4.184478976e+09
unknown2: AAAABAAAAAEAAAXyAAAAAgAAAFQAAAACAAAPWwAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri: /jquery-3.3.2.min.js
user_agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
watermark: 666666
Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.

Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
Processes:
description | pid | process | target process
PID 3960 created 616 | 3960 | 服务器采购配置单列表.exe | winlogon.exe

Suspicious use of SetThreadContext (1 IoC)
Processes:
description | pid | process | target process
PID 3960 set thread context of 1588 | 3960 | 服务器采购配置单列表.exe | calc.exe

Modifies data under HKEY_USERS (6 IoCs)
Processes:
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | calc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | calc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | calc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | calc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | calc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | calc.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
pid | process
3960 | 服务器采购配置单列表.exe
3960 | 服务器采购配置单列表.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (1 IoC)
Processes:
pid | process
3960 | 服务器采购配置单列表.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
description | pid | process
Token: SeDebugPrivilege | 3960 | 服务器采购配置单列表.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
description | pid | process | target process
PID 3960 wrote to memory of 1588 | 3960 | 服务器采购配置单列表.exe | calc.exe
PID 3960 wrote to memory of 1588 | 3960 | 服务器采购配置单列表.exe | calc.exe
PID 3960 wrote to memory of 1588 | 3960 | 服务器采购配置单列表.exe | calc.exe
Processes

C:\Windows\system32\winlogon.exe
  command line: winlogon.exe
  tree level: 1
  PID: 616

C:\Windows\System32\calc.exe
  command line: "C:\Windows\System32\calc.exe"
  tree level: 2
  signatures: Modifies data under HKEY_USERS
  PID: 1588

C:\Users\Admin\AppData\Local\Temp\服务器采购配置单列表.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\服务器采购配置单列表.exe"
  tree level: 1
  signatures:
    Suspicious use of NtCreateUserProcessOtherParentProcess
    Suspicious use of SetThreadContext
    Suspicious behavior: EnumeratesProcesses
    Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
  PID: 3960
Downloads
memory/1588-133-0x000001F96F5B0000-0x000001F96F5F1000-memory.dmp (Filesize: 260KB)
memory/1588-132-0x00007FF7951814C0-mapping.dmp
memory/1588-134-0x000001F96F600000-0x000001F96FA72000-memory.dmp (Filesize: 4.4MB)
memory/1588-135-0x000001F96F600000-0x000001F96FA72000-memory.dmp (Filesize: 4.4MB)