General

  • Target

    files.zip

  • Size

    225KB

  • Sample

    221205-wb5cpseg5v

  • MD5

    1ea28e2e6c8fd1aaa2742ad3e0a805bd

  • SHA1

    4c73abba890dddd25e3d06f6386d5033e59421d7

  • SHA256

    4ce24c022e799db363340739967bfe40edc4ed1d81588a86007eb16c8ec601e7

  • SHA512

    9a8d32c9fa1c50594051a66f29f1946bf892ae7e1b026105777805cdc08ced7f6e6de3f6bb05e4270c981320235fb1e634b55735a4c51c02296170fdfcf39a69

  • SSDEEP

    3072:Ct3tJCTUtEmYXK8mzKSBAnbvIBOx8HRxRupjMbycZ5KYU3aUgsheatst9OjeHAGA:C5tEmYXJmmbn2TueWcpmgfLYF+I5H

Malware Config

Extracted

Family

cobaltstrike

Botnet

0

Attributes

  • watermark

    0

Targets

    • Target

      8969122ef3485d.log

    • Size

      24KB

    • MD5

      dbe7e2c61dae4abd32c335f281aba3bc

    • SHA1

      ea67556c09a8d1206da53f534bbdd1d8fd90beaf

    • SHA256

      8b1a3a5a86823d261bad786382bd1d98416022cdcbbccc9b158517fd1c3b1ec5

    • SHA512

      adfc28a0b9e83b3b65ec1680b65a01111c2209022d3a97f2da984bb081ca0acfc1a5666c2856d447c15ecb219f8bd78c87366f70d6f413d538a387b25729a879

    • SSDEEP

      768:GRoYsM/gzp15ILVndPrwt1mBy0XqFSJFhpre6jFwnFl:GST5IL/PkPmBlXqcLh5ljO7

    • Cobaltstrike

      Detected malicious payload which is part of Cobaltstrike.

    • Blocklisted process makes network request

    • Drops startup file

    • Target

      8969122ef3485df.log

    • Size

      424KB

    • MD5

      7e17e5f94d45e854c6855f557d4c3b62

    • SHA1

      dc1894577c77ea178a40510d676fc31e4049bce3

    • SHA256

      d19fc72db9725c704b88f4dbf52fdc11d609d6adeedaafa8b79ca76dc7da12c2

    • SHA512

      80f6dbc86f5825b5935d775614e531981fcd0d768092e83f6e364514ae6ec868b916d057c739f0cf8e2226aa5a495f72d1aafed1b9196a9ce5976994be38b6bd

    • SSDEEP

      6144:cJg4cOlXYM0DPGj7fw0xB2pPBrGyMsY7iGBa5fIoYAUdfv05Xs0lHBMjMlzN0s:cu4cO+MkPGI4MpPBrCi1B+05Xll90s

    • Score

      8/10

    • Blocklisted process makes network request

    • Target

      PO-12-5-2022.lnk

    • Size

      2KB

    • MD5

      4f86eb0c1fac722e4c7b4f6f089bd127

    • SHA1

      9d459b6ebc01d6e937785e1e118000bebdd3f700

    • SHA256

      89a1a6cb000a66b841ad26a8d0d5af507cc17efc00a109d61d52a65caa4cef43

    • SHA512

      c8f1d53629d14ddbe84b6878104a773e7a1bd8da47ab2b3d5ac04955916978bd79db0a9c3a94652889580344cf21416d7791b2982afeb7da5839ce33c7cc76a0

    • Score

      8/10

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Target

      document.pdf

    • Size

      10KB

    • MD5

      8a7cadbe3c40344007c5334b41f0e8cf

    • SHA1

      fbc916f065157cc5a13f22453c19f7dfecc3c228

    • SHA256

      3902e1734b1d0187d3404dafa4616212342630cb46913242060f485e58201a75

    • SHA512

      8c5e0d7a938ac13537041335d5ea185e83e025b6da138c0c3c49794825e873a52c048b08579711a888bae6e9fedc03996dbb5a2696844bb5335b8f96017dcbdb

    • SSDEEP

      192:GWY3Ro9kPRzjVap5F5rBfHOHAo9u8wGW1/Pgk/pDqX1TX5DESqyuZnZgprCZ5npK:GWaHhjVsHmAocZd1/f/pO1VDULERCZ58

    • Score

      1/10

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

Modify Registry

3
T1112

Discovery

Query Registry

4
T1012

System Information Discovery

5
T1082

Tasks