Analysis
max time kernel: 135s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-01-2023 17:31 (10 January 2023)

Static task: static1

Behavioral tasks (the submission contained three files; the results below are from behavioral6, the win10v2004-20221111-en run of price.bat):
behavioral1: document01.lnk on win7-20221111-en
behavioral2: document01.lnk on win10v2004-20221111-en
behavioral3: ipchains.dll on win7-20220901-en
behavioral4: ipchains.dll on win10v2004-20220812-en
behavioral5: price.bat on win7-20220812-en
behavioral6: price.bat on win10v2004-20221111-en
General
Target: price.bat
Size: 2KB
MD5: 2a677a2e87d30723a7f85db0e68246a0
SHA1: 8d6e8fd707166f6989d025b6e47eb32251ddf007
SHA256: b9f0301c363e3e874f0020090db489b4621a7df827aa5202971d789f9762e145
SHA512: fd976416ff65521c01c7c3cb5ccc4a7ce1fe786032868ed58314b5c412fc7dd5f7bd00aaae169adf0a0be0bd6caf6b40aaa91aba6c2945670d4d4e718f0dfe56
Malware Config
Extracted: cobaltstrike (watermark 1580103814)

Beacon configuration recovered from the run. Every C2 URL is plain http:// on port 443, not HTTPS; cleartext HTTP to port 443 is unusual enough to be a network detection on its own, and the User-Agent is an obsolete Chrome 42 / Edge 12 string.

C2 URLs:
http://23.108.57.161:443/Forums.css
http://157.254.194.123:443/Forums.css
http://182.23.109.22:443/bn.css
http://157.72.142.1:443/Forums.css

access_type: 512
beacon_type: 2048
host: 23.108.57.161,/Forums.css,157.254.194.123,/Forums.css,182.23.109.22,/bn.css,157.72.142.1,/Forums.css
http_header1: (value not preserved in this copy of the report)
http_header2: (value not preserved in this copy of the report)
http_method1: GET
http_method2: POST
jitter: 10496
polling_time: 5000 (sleep between check-ins, in milliseconds)
port_number: 443
sc_process32: %windir%\syswow64\rundll32.exe
sc_process64: %windir%\sysnative\rundll32.exe
(the spawn-to processes for post-exploitation jobs; rundll32.exe is Cobalt Strike's default, and it is also the binary the batch file copies and renames, see Processes below)
state_machine: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDGR0Qh3y+EUBYe3BK7qolMM8JPwPWG3qSISL7jSnjkuexL5sMHLtzoO5zoQBy+e4TrkofBD2/CsND498lUEN11cFR9Kw1NFw6DnLSlodbOZoq4yAd4rqFrAU7pQXMn+TDas8ZyiZ1Gk0sb29Z3S9pi2fsZj2g4ZLC8cpJipJJRmQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
(despite the label, this base64 value is a DER-encoded 1024-bit RSA public key, the team server's key that the beacon uses to encrypt its session metadata; the trailing zero padding is part of the fixed-size config slot)
unknown1: 2708806656 (rendered as 2.708806656e+09 by the report)
unknown2: AAAABAAAAAIAAAPVAAAAAwAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri: /dz (listed separately from the GET URIs carried in host)
user_agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246
watermark: 1580103814
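As an added example (editor's code, not part of the sandbox report or of any tool it names), the config above turned into something a SOC can run: it rebuilds the beacon's request URLs from the host, port_number and uri fields and matches them against proxy log lines, recording whether the User-Agent is the configured one and whether the request was cleartext HTTP on 443. Assumptions: /dz is treated as the POST (http_method2) URI and the values in host as the GET URIs; the tab-separated log format and the log lines are constructed for the example, while the config values are copied from the report.

```python
from urllib.parse import urlsplit

# Values copied from the Malware Config section of this report.
HOST_FIELD = ("23.108.57.161,/Forums.css,157.254.194.123,/Forums.css,"
              "182.23.109.22,/bn.css,157.72.142.1,/Forums.css")
PORT_NUMBER = 443
POST_URI = "/dz"   # assumption: the config's "uri" is the POST (http_method2) channel
USER_AGENT = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246")


def parse_host_field(host_field):
    """Split the "host,uri,host,uri,..." string into (host, uri) pairs."""
    parts = [p.strip() for p in host_field.split(",") if p.strip()]
    if len(parts) % 2:
        raise ValueError("host field must hold host/uri pairs")
    return list(zip(parts[0::2], parts[1::2]))


def c2_urls(host_field=HOST_FIELD, port=PORT_NUMBER, post_uri=POST_URI):
    """Rebuild the GET (check-in) and POST URLs for every C2 in the config.
    The report lists plain http:// on port 443, so that is what is reproduced."""
    urls = []
    for host, uri in parse_host_field(host_field):
        urls.append(f"http://{host}:{port}{uri}")
        urls.append(f"http://{host}:{port}{post_uri}")
    return urls


def _url_key(url):
    # Compare on scheme, host, port and path only; the beacon appends a query string.
    s = urlsplit(url)
    return (s.scheme.lower(), s.hostname, s.port, s.path)


def match_proxy_log(log_text, urls=None):
    """Return one finding per log line whose URL (query string ignored) is a
    configured C2 URL. Each finding records whether the User-Agent equals the
    beacon's UA and whether the request was cleartext HTTP on port 443, which
    is anomalous enough to alert on independently of the IOC match."""
    known = {_url_key(u) for u in (urls or c2_urls())}
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, ua = line.split("\t", 4)
        scheme, host, port, path = _url_key(url)
        if (scheme, host, port, path) in known:
            findings.append({
                "time": ts, "client": client, "method": method, "url": url,
                "ua_match": ua == USER_AGENT,
                "cleartext_on_443": scheme == "http" and port == 443,
            })
    return findings


# Constructed sample proxy log (tab-separated: time, client, method, url, user-agent).
# Illustrative only; these lines were not captured from the sandbox run.
SAMPLE_LOG = "\n".join([
    "\t".join(["2023-01-10T17:32:01Z", "10.0.0.23", "GET",
               "http://23.108.57.161:443/Forums.css", USER_AGENT]),
    "\t".join(["2023-01-10T17:32:06Z", "10.0.0.23", "POST",
               "http://23.108.57.161:443/dz?id=1234", USER_AGENT]),
    "\t".join(["2023-01-10T17:32:09Z", "10.0.0.40", "GET",
               "https://www.example.com/Forums.css", "Mozilla/5.0 (X11; Linux x86_64)"]),
    "\t".join(["2023-01-10T17:32:11Z", "10.0.0.41", "GET",
               "http://182.23.109.22:443/bn.css", "curl/7.88.1"]),
])

if __name__ == "__main__":
    for finding in match_proxy_log(SAMPLE_LOG):
        print(finding)
```

The third sample line is a benign request for a same-named path on another host and is not matched; the fourth hits a C2 URL with a different User-Agent, which still counts as a hit, since the UA is a secondary signal that an operator can change in the malleable profile.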
Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.

Executes dropped EXE (1 IoC)
PID 1804: cmVhpKJSis23S.exe (the renamed copy of rundll32.exe written to C:\ProgramData)

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
Key value queried by cmd.exe: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation
The query comes from the cmd.exe hosting price.bat rather than from the beacon, so on its own it is weak evidence.

Loads dropped DLL (1 IoC)
PID 1804: cmVhpKJSis23S.exe (loads the dropped C:\ProgramData\ipchains.dll)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic text for this signature calls it likely ransomware behaviour; nothing else in this report shows ransomware activity, and the payload here is a Cobalt Strike beacon.

Kills process with taskkill (1 IoC)
PID 3012: taskkill.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
PID 3012: taskkill.exe enabled SeDebugPrivilege

Suspicious use of WriteProcessMemory (8 IoCs)
The parent cmd.exe (PID 1980) wrote into each child it spawned, which is a side effect of process creation; the value of this signature is the parent/child map it gives, with each spawn recorded twice:
1980 cmd.exe -> 4244 cmd.exe
1980 cmd.exe -> 4900 xcopy.exe
1980 cmd.exe -> 1804 cmVhpKJSis23S.exe
1980 cmd.exe -> 3012 taskkill.exe
Processes
Process tree for the run (PIDs from the WriteProcessMemory signature above; indentation shows parent/child):

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\price.bat" (PID 1980)
    Checks computer location settings; Suspicious use of WriteProcessMemory
  C:\Windows\system32\cmd.exe /K copy /y C:\Windows\System32\rundll32.exe C:\ProgramData\cmVhpKJSis23S.exe (PID 4244)
  C:\Windows\system32\xcopy.exe: xcopy /h /y ipchains.dll C:\ProgramData\ (PID 4900)
  "C:\ProgramData\cmVhpKJSis23S.exe" ipchains.dll,Sdrpst (PID 1804)
    Executes dropped EXE; Loads dropped DLL
  C:\Windows\system32\taskkill.exe: taskkill /F /IM cmd.exe (PID 3012)
    Kills process with taskkill; Suspicious use of AdjustPrivilegeToken

What the batch file does, read straight from the command lines: copy the system's rundll32.exe to C:\ProgramData under the name cmVhpKJSis23S.exe, copy ipchains.dll next to it, run the renamed rundll32 with the argument ipchains.dll,Sdrpst so that the DLL's Sdrpst export executes inside a process that is neither named rundll32.exe nor located in System32, then taskkill /F /IM cmd.exe to remove the batch host and the /K shell left resident by the copy step. Because the dropped executable is a byte-for-byte copy, the hashes listed for cmVhpKJSis23S.exe under Downloads are those of the sandbox image's own rundll32.exe, not of anything attacker-built; hunt for it by PE OriginalFilename (RUNDLL32.EXE) or by rundll32's known hash appearing outside System32 and SysWOW64, not by file name.
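As an added example (editor's code, not part of the report or of any product it names), a small detection run over process-creation events modelled on the tree above. It flags the three things that make this chain distinctive: rundll32.exe being copied to another name, a non-rundll32 image being launched with rundll32's "dll,export" argument (especially when it is the copy just made, or lives in a user-writable directory), and taskkill against cmd.exe. The event records are constructed for the example; PIDs and command lines are taken from the report, the parent PIDs from the WriteProcessMemory pairs, and the final event is a benign rundll32 control that is not in the report. Whether a live host's copy is genuinely rundll32 is better confirmed by the file's OriginalFilename or hash, which this log-only check does not have.

```python
import re

# Constructed process-creation events modelled on this report's process tree.
# The last event is a benign control (real rundll32 from System32) not in the report.
EVENTS = [
    {"pid": 1980, "ppid": 1, "image": "C:\\Windows\\system32\\cmd.exe",
     "cmdline": "C:\\Windows\\system32\\cmd.exe /c \"C:\\Users\\Admin\\AppData\\Local\\Temp\\price.bat\""},
    {"pid": 4244, "ppid": 1980, "image": "C:\\Windows\\system32\\cmd.exe",
     "cmdline": "C:\\Windows\\system32\\cmd.exe /K copy /y C:\\Windows\\System32\\rundll32.exe "
                "C:\\ProgramData\\cmVhpKJSis23S.exe"},
    {"pid": 4900, "ppid": 1980, "image": "C:\\Windows\\system32\\xcopy.exe",
     "cmdline": "xcopy /h /y ipchains.dll C:\\ProgramData\\"},
    {"pid": 1804, "ppid": 1980, "image": "C:\\ProgramData\\cmVhpKJSis23S.exe",
     "cmdline": "\"C:\\ProgramData\\cmVhpKJSis23S.exe\" ipchains.dll,Sdrpst"},
    {"pid": 3012, "ppid": 1980, "image": "C:\\Windows\\system32\\taskkill.exe",
     "cmdline": "taskkill /F /IM cmd.exe"},
    {"pid": 5100, "ppid": 700, "image": "C:\\Windows\\System32\\rundll32.exe",
     "cmdline": "C:\\Windows\\System32\\rundll32.exe shell32.dll,Control_RunDLL"},
]

# copy/xcopy of rundll32.exe to any other .exe path (destination captured)
RUNDLL32_COPY = re.compile(r"\b(?:copy|xcopy)\b.*\\rundll32\.exe\s+(\S+\.exe)", re.I)
# rundll32's "<dll>,<export>" argument form at the end of a command line
DLL_EXPORT_ARG = re.compile(r"\s(\S+\.dll),(\w+)\s*$", re.I)
# directories any user can write to, where a copied system binary should not live
USER_WRITABLE = ("c:\\programdata\\", "c:\\users\\")


def detect(events):
    """Return (pid, reason) findings for the renamed-rundll32 chain."""
    findings = []
    copies = set()
    # Pass 1: record every destination rundll32.exe was copied to.
    for e in events:
        m = RUNDLL32_COPY.search(e["cmdline"])
        if m:
            copies.add(m.group(1).lower())
            findings.append((e["pid"], "rundll32.exe copied to " + m.group(1)))
    # Pass 2: rundll32-style invocation from a non-rundll32 image, and cmd.exe kills.
    for e in events:
        image = e["image"].lower()
        m = DLL_EXPORT_ARG.search(e["cmdline"])
        if m and not image.endswith("\\rundll32.exe"):
            why = f"rundll32-style argument {m.group(1)},{m.group(2)} from non-rundll32 image"
            if image in copies:
                why += " (the copied rundll32)"
            elif image.startswith(USER_WRITABLE):
                why += " (user-writable directory)"
            findings.append((e["pid"], why))
        if image.endswith("\\taskkill.exe") and re.search(r"/im\s+cmd\.exe", e["cmdline"], re.I):
            findings.append((e["pid"], "taskkill /F /IM cmd.exe (kills the script's parent shell)"))
    return findings


def children_of(events, ppid):
    """PIDs spawned directly by ppid, to tie the whole chain back to the batch host."""
    return sorted(e["pid"] for e in events if e["ppid"] == ppid)


if __name__ == "__main__":
    for pid, reason in detect(EVENTS):
        print(pid, reason)
    print("children of 1980:", children_of(EVENTS, 1980))
```

The xcopy of ipchains.dll (PID 4900) is deliberately not flagged on its own, since copying a DLL into ProgramData is common in installers; it becomes interesting only through its sibling events, which children_of() exposes.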
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

Dropped files:

C:\ProgramData\cmVhpKJSis23S.exe (70KB)
MD5: ef3179d498793bf4234f708d3be28633
SHA1: dd399ae46303343f9f0da189aee11c67bd868222
SHA256: b53f3c0cd32d7f20849850768da6431e5f876b7bfa61db0aa0700b02873393fa
SHA512: 02aff154762d7e53e37754f878ce6aa3f4df5a1eb167e27f13d9762dced32bec892bfa3f3314e3c6dce5998f7d3c400d7d0314b9326eedcab72207c60b3d332e

C:\ProgramData\ipchains.dll (572KB)
MD5: 8fdd7858bf72589cafba3e8f98a6730b
SHA1: ee3d8b9e6c4fc004a167d8ad5cfd1b479d009769
SHA256: 39cc8085e331d0fbf1122e561472f87611de3df5f70344ac7b160d96b3cf576f
SHA512: 0666c91cdf842f5755cffbfb7da8d69a84de024d90d56772e3fe9b71b0c923791205e9215469c96cd3d66f8ba2956fc9d3fc99303481b72eb00ac7de7b97a7ad

Memory dumps (the PID 1804 dumps come from the renamed rundll32 that loaded ipchains.dll, so they are the ones to start from when extracting the beacon):
memory/1804-135-0x0000000000000000-mapping.dmp
memory/1804-140-0x000001FDFFE10000-0x000001FDFFE9B000-memory.dmp (556KB)
memory/1804-141-0x000001FD81750000-0x000001FD81B50000-memory.dmp (4.0MB)
memory/1804-142-0x000001FDFFE10000-0x000001FDFFE9B000-memory.dmp (556KB)
memory/1804-143-0x000001FD81750000-0x000001FD81B50000-memory.dmp (4.0MB)
memory/3012-137-0x0000000000000000-mapping.dmp
memory/4244-132-0x0000000000000000-mapping.dmp
memory/4900-133-0x0000000000000000-mapping.dmp