Analysis
- max time kernel: 152s
- max time network: 174s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08-12-2022 12:34
Static task: static1
Behavioral task: behavioral1
- Sample: 88aa597508cf45522711b678bb0596da0f1d16773aa7ca4504b6f2784e2a82a4.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: 88aa597508cf45522711b678bb0596da0f1d16773aa7ca4504b6f2784e2a82a4.exe
- Resource: win10v2004-20221111-en
General
- Target: 88aa597508cf45522711b678bb0596da0f1d16773aa7ca4504b6f2784e2a82a4.exe
- Size: 571KB
- MD5: 0dd4eddc02f1144a3a829b18b303ec1a
- SHA1: f8a26ebf852dfd63920cdc98f44eb4e53e29f13b
- SHA256: 88aa597508cf45522711b678bb0596da0f1d16773aa7ca4504b6f2784e2a82a4
- SHA512: 0dda2bda39a322c6f26347b4e3e017954319d0f22bc7ea517db526da464cd7d8d024feb5d0e0ef34f6d971f6a41e73a9c7b98b0fd3d16b3cada71165e8134416
- SSDEEP: 6144:xrmNILc6DM/D3COXFMk2UwNNVJZc6aoFZe6+jrYGHL8742qI:ZmNI5DMD3CaFZ8NVJZc6fE6ssGHL
Malware Config
Extracted: cobaltstrike
- http://service-758414h5-1311271430.sh.apigw.tencentcs.com:80/bootstrap-2.min.js
- user_agent: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36
Extracted: cobaltstrike
- 0
- watermark: 0
Signatures
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
- Executes dropped EXE (1 IoCs)
  Processes:
  - svchost.exe (pid 3412)
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  - cmd.exe: Key value queried \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation
  - 88aa597508cf45522711b678bb0596da0f1d16773aa7ca4504b6f2784e2a82a4.exe: Key value queried \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
  - WINWORD.EXE: Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
  - WINWORD.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
  - WINWORD.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes:
  - WINWORD.EXE: Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS
  - WINWORD.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
  - WINWORD.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
- Modifies registry class (1 IoCs)
  Processes:
  - cmd.exe: Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes:
  - WINWORD.EXE (pid 760), listed 2 times
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  - 88aa597508cf45522711b678bb0596da0f1d16773aa7ca4504b6f2784e2a82a4.exe (pid 4860): Token: SeIncBasePriorityPrivilege
- Suspicious use of SetWindowsHookEx (7 IoCs)
  Processes:
  - WINWORD.EXE (pid 760), listed 7 times
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes (source PID wrote to memory of target PID):
  - PID 4860 wrote to memory of 4212: 88aa597508cf45522711b678bb0596da0f1d16773aa7ca4504b6f2784e2a82a4.exe -> cmd.exe
  - PID 4860 wrote to memory of 4212: 88aa597508cf45522711b678bb0596da0f1d16773aa7ca4504b6f2784e2a82a4.exe -> cmd.exe
  - PID 4860 wrote to memory of 4216: 88aa597508cf45522711b678bb0596da0f1d16773aa7ca4504b6f2784e2a82a4.exe -> cmd.exe
  - PID 4860 wrote to memory of 4216: 88aa597508cf45522711b678bb0596da0f1d16773aa7ca4504b6f2784e2a82a4.exe -> cmd.exe
  - PID 4216 wrote to memory of 3412: cmd.exe -> svchost.exe
  - PID 4216 wrote to memory of 3412: cmd.exe -> svchost.exe
  - PID 4860 wrote to memory of 2908: 88aa597508cf45522711b678bb0596da0f1d16773aa7ca4504b6f2784e2a82a4.exe -> cmd.exe
  - PID 4860 wrote to memory of 2908: 88aa597508cf45522711b678bb0596da0f1d16773aa7ca4504b6f2784e2a82a4.exe -> cmd.exe
  - PID 4212 wrote to memory of 760: cmd.exe -> WINWORD.EXE
  - PID 4212 wrote to memory of 760: cmd.exe -> WINWORD.EXE
Processes
- [level 1] C:\Users\Admin\AppData\Local\Temp\88aa597508cf45522711b678bb0596da0f1d16773aa7ca4504b6f2784e2a82a4.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\88aa597508cf45522711b678bb0596da0f1d16773aa7ca4504b6f2784e2a82a4.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [level 2] C:\Windows\SYSTEM32\cmd.exe
    Command line: cmd /C "ÄÚ²¿×Ô²âÇëÎðÁ÷´«.docx"
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - [level 3] C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ÄÚ²¿×Ô²âÇëÎðÁ÷´«.docx" /o ""
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of SetWindowsHookEx
  - [level 2] C:\Windows\SYSTEM32\cmd.exe
    Command line: cmd /C "C:\Users\Public\Downloads\svchost.exe"
    - Suspicious use of WriteProcessMemory
    - [level 3] C:\Users\Public\Downloads\svchost.exe
      Command line: C:\Users\Public\Downloads\svchost.exe
      - Executes dropped EXE
  - [level 2] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c del /q C:\Users\Admin\AppData\Local\Temp\88aa597508cf45522711b678bb0596da0f1d16773aa7ca4504b6f2784e2a82a4.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\ÄÚ²¿×Ô²âÇëÎðÁ÷´«.docx
  Filesize: 351KB
  MD5: cf0367cede49e99b8ca7c1a3d12e3f3b
  SHA1: 137f9660787fc106cd16b9e99040299335492009
  SHA256: 71d40e329eca20223e3e3119d2f08e10f1be2f4c8ed3d72e586b595e31f50d37
  SHA512: 67818c6dc922736123696e36fe09d2c7b40f476062cad30b2f73349167a0b601d59d063454630955c2c19390a9894b6cdba982024e9075025f184dd94f171e5f
- C:\Users\Public\Downloads\svchost.exe
  Filesize: 19KB
  MD5: 5cb39016c85da40eabc8a950341281d7
  SHA1: d6b7a92de878f212dd241a85891a97237995a93f
  SHA256: d2f3cfb42504051a27b3412af312996f47991ffc91be33c1346fe0aec9dc927f
  SHA512: 9f15a92ee63a6fcfb25e805919bbd324497e082ad59a761f61bd4697dfaf14033537a1c7d57e2ba5243548c4b314e546579714fbf328058d1e63cc45dcfd46be
Memory dumps
- memory/760-140-0x0000000000000000-mapping.dmp
- memory/760-145-0x00007FFB3C790000-0x00007FFB3C7A0000-memory.dmp (Filesize: 64KB)
- memory/760-147-0x00007FFB3A6D0000-0x00007FFB3A6E0000-memory.dmp (Filesize: 64KB)
- memory/760-146-0x00007FFB3A6D0000-0x00007FFB3A6E0000-memory.dmp (Filesize: 64KB)
- memory/760-144-0x00007FFB3C790000-0x00007FFB3C7A0000-memory.dmp (Filesize: 64KB)
- memory/760-143-0x00007FFB3C790000-0x00007FFB3C7A0000-memory.dmp (Filesize: 64KB)
- memory/760-141-0x00007FFB3C790000-0x00007FFB3C7A0000-memory.dmp (Filesize: 64KB)
- memory/760-142-0x00007FFB3C790000-0x00007FFB3C7A0000-memory.dmp (Filesize: 64KB)
- memory/2908-137-0x0000000000000000-mapping.dmp
- memory/3412-139-0x000000CBAD30D000-0x000000CBAD310000-memory.dmp (Filesize: 12KB)
- memory/3412-134-0x0000000000000000-mapping.dmp
- memory/3412-148-0x000001ECB5FD0000-0x000001ECB63D0000-memory.dmp (Filesize: 4.0MB)
- memory/3412-149-0x000001ECB63D0000-0x000001ECB641E000-memory.dmp (Filesize: 312KB)
- memory/3412-150-0x000001ECB63D0000-0x000001ECB641E000-memory.dmp (Filesize: 312KB)
- memory/4212-132-0x0000000000000000-mapping.dmp
- memory/4216-133-0x0000000000000000-mapping.dmp