Overview
overview
10Static
static
20220119_T...ts.lnk
windows7-x64
320220119_T...ts.lnk
windows10-2004-x64
1020220119_T...io.dll
windows7-x64
120220119_T...io.dll
windows10-2004-x64
320220119_T...z2.dll
windows7-x64
120220119_T...z2.dll
windows10-2004-x64
320220119_T...es.dll
windows7-x64
120220119_T...es.dll
windows10-2004-x64
320220119_T...al.dll
windows7-x64
120220119_T...al.dll
windows10-2004-x64
320220119_T...ee.dll
windows7-x64
120220119_T...ee.dll
windows10-2004-x64
320220119_T...ib.dll
windows7-x64
120220119_T...ib.dll
windows10-2004-x64
320220119_T...ma.dll
windows7-x64
120220119_T...ma.dll
windows10-2004-x64
20220119_T...si.dll
windows7-x64
120220119_T...si.dll
windows10-2004-x64
320220119_T...ng.dll
windows7-x64
120220119_T...ng.dll
windows10-2004-x64
320220119_T...ed.dll
windows7-x64
120220119_T...ed.dll
windows10-2004-x64
320220119_T...ue.dll
windows7-x64
120220119_T...ue.dll
windows10-2004-x64
320220119_T...e3.dll
windows7-x64
120220119_T...e3.dll
windows10-2004-x64
320220119_T...sl.dll
windows7-x64
120220119_T...sl.dll
windows10-2004-x64
120220119_T...id.dll
windows7-x64
120220119_T...id.dll
windows10-2004-x64
320220119_T...fo.dll
windows7-x64
120220119_T...fo.dll
windows10-2004-x64
3Analysis
-
max time kernel
148s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
19-01-2023 16:10
Static task
static1
Behavioral task
behavioral1
Sample
20220119_TA580/Requirements.lnk
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
20220119_TA580/Requirements.lnk
Resource
win10v2004-20220812-en
Behavioral task
behavioral3
Sample
20220119_TA580/project/_asyncio.dll
Resource
win7-20221111-en
Behavioral task
behavioral4
Sample
20220119_TA580/project/_asyncio.dll
Resource
win10v2004-20220812-en
Behavioral task
behavioral5
Sample
20220119_TA580/project/_bz2.dll
Resource
win7-20221111-en
Behavioral task
behavioral6
Sample
20220119_TA580/project/_bz2.dll
Resource
win10v2004-20220901-en
Behavioral task
behavioral7
Sample
20220119_TA580/project/_ctypes.dll
Resource
win7-20220812-en
Behavioral task
behavioral8
Sample
20220119_TA580/project/_ctypes.dll
Resource
win10v2004-20220812-en
Behavioral task
behavioral9
Sample
20220119_TA580/project/_decimal.dll
Resource
win7-20221111-en
Behavioral task
behavioral10
Sample
20220119_TA580/project/_decimal.dll
Resource
win10v2004-20220812-en
Behavioral task
behavioral11
Sample
20220119_TA580/project/_elementtree.dll
Resource
win7-20221111-en
Behavioral task
behavioral12
Sample
20220119_TA580/project/_elementtree.dll
Resource
win10v2004-20221111-en
Behavioral task
behavioral13
Sample
20220119_TA580/project/_hashlib.dll
Resource
win7-20220901-en
Behavioral task
behavioral14
Sample
20220119_TA580/project/_hashlib.dll
Resource
win10v2004-20221111-en
Behavioral task
behavioral15
Sample
20220119_TA580/project/_lzma.dll
Resource
win7-20220812-en
Behavioral task
behavioral16
Sample
20220119_TA580/project/_lzma.dll
Resource
win10v2004-20221111-en
Behavioral task
behavioral17
Sample
20220119_TA580/project/_msi.dll
Resource
win7-20220812-en
Behavioral task
behavioral18
Sample
20220119_TA580/project/_msi.dll
Resource
win10v2004-20221111-en
Behavioral task
behavioral19
Sample
20220119_TA580/project/_multiprocessing.dll
Resource
win7-20220812-en
Behavioral task
behavioral20
Sample
20220119_TA580/project/_multiprocessing.dll
Resource
win10v2004-20220901-en
Behavioral task
behavioral21
Sample
20220119_TA580/project/_overlapped.dll
Resource
win7-20220812-en
Behavioral task
behavioral22
Sample
20220119_TA580/project/_overlapped.dll
Resource
win10v2004-20221111-en
Behavioral task
behavioral23
Sample
20220119_TA580/project/_queue.dll
Resource
win7-20221111-en
Behavioral task
behavioral24
Sample
20220119_TA580/project/_queue.dll
Resource
win10v2004-20220812-en
Behavioral task
behavioral25
Sample
20220119_TA580/project/_sqlite3.dll
Resource
win7-20221111-en
Behavioral task
behavioral26
Sample
20220119_TA580/project/_sqlite3.dll
Resource
win10v2004-20220901-en
Behavioral task
behavioral27
Sample
20220119_TA580/project/_ssl.dll
Resource
win7-20220812-en
Behavioral task
behavioral28
Sample
20220119_TA580/project/_ssl.dll
Resource
win10v2004-20221111-en
Behavioral task
behavioral29
Sample
20220119_TA580/project/_uuid.dll
Resource
win7-20220812-en
Behavioral task
behavioral30
Sample
20220119_TA580/project/_uuid.dll
Resource
win10v2004-20221111-en
Behavioral task
behavioral31
Sample
20220119_TA580/project/_zoneinfo.dll
Resource
win7-20220812-en
Behavioral task
behavioral32
Sample
20220119_TA580/project/_zoneinfo.dll
Resource
win10v2004-20221111-en
General
-
Target
20220119_TA580/Requirements.lnk
-
Size
1KB
-
MD5
2157d05171e0a32c30a8c8350d25335a
-
SHA1
3af6b7bcd388b88d71ae09789b18a7a01e23b14b
-
SHA256
6e37e051433faa97a381fc8d8a51e8d0a5384d2fc7abc3dcf727d036bc196a74
-
SHA512
80585b023390d8adbb199e054cc1bfbf82b59c68965b1549f95ae45f33eb1b7f22fa448ff9ed134d6fb04d965216f4a884ed63a6bdbe743c7f5e5233e3b46e5d
Malware Config
Extracted
cobaltstrike
1580103814
http://95.168.191.223:443/r-arrow
http://45.11.19.22:443/ku
-
access_type
512
-
beacon_type
2048
-
host
95.168.191.223,/r-arrow,45.11.19.22,/ku
-
http_header1
AAAAEAAAAA1Ib3N0OiBtc24uY29tAAAACgAAABFDb25uZWN0aW9uOiBjbG9zZQAAAAoAAAAVQWNjZXB0LUVuY29kaW5nOiBnemlwAAAABwAAAAAAAAANAAAAAwAAAAIAAAAQbWFkZV93cml0ZV9jb25uPQAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_header2
AAAAEAAAAA1Ib3N0OiBtc24uY29tAAAACgAAABFDb25uZWN0aW9uOiBjbG9zZQAAAAoAAAAYQ29udGVudC1UeXBlOiB0ZXh0L3BsYWluAAAABwAAAAEAAAANAAAAAwAAAAQAAAAHAAAAAAAAAAMAAAACAAAADl9fc2Vzc2lvbl9faWQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_method1
GET
-
http_method2
POST
-
jitter
10496
-
polling_time
5000
-
port_number
443
-
sc_process32
%windir%\syswow64\rundll32.exe
-
sc_process64
%windir%\sysnative\rundll32.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDGR0Qh3y+EUBYe3BK7qolMM8JPwPWG3qSISL7jSnjkuexL5sMHLtzoO5zoQBy+e4TrkofBD2/CsND498lUEN11cFR9Kw1NFw6DnLSlodbOZoq4yAd4rqFrAU7pQXMn+TDas8ZyiZ1Gk0sb29Z3S9pi2fsZj2g4ZLC8cpJipJJRmQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
3.025605888e+09
-
unknown2
AAAABAAAAAIAAAJYAAAAAwAAAA8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/link
-
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246
-
watermark
1580103814
Signatures
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
-
mimikatz is an open source tool to dump credentials on Windows 1 IoCs
Processes:
resource yara_rule behavioral2/memory/3368-143-0x00000252A64B0000-0x00000252A64FD000-memory.dmp mimikatz -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
cmd.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation cmd.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
rundll32.exepid process 3368 rundll32.exe 3368 rundll32.exe 3368 rundll32.exe 3368 rundll32.exe 3368 rundll32.exe 3368 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
rundll32.exedescription pid process Token: SeDebugPrivilege 3368 rundll32.exe -
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
cmd.execmd.exepythonw.execmd.exedescription pid process target process PID 1872 wrote to memory of 4180 1872 cmd.exe cmd.exe PID 1872 wrote to memory of 4180 1872 cmd.exe cmd.exe PID 4180 wrote to memory of 4932 4180 cmd.exe pythonw.exe PID 4180 wrote to memory of 4932 4180 cmd.exe pythonw.exe PID 4932 wrote to memory of 4012 4932 pythonw.exe cmd.exe PID 4932 wrote to memory of 4012 4932 pythonw.exe cmd.exe PID 4932 wrote to memory of 4008 4932 pythonw.exe cmd.exe PID 4932 wrote to memory of 4008 4932 pythonw.exe cmd.exe PID 4008 wrote to memory of 960 4008 cmd.exe systeminfo.exe PID 4008 wrote to memory of 960 4008 cmd.exe systeminfo.exe PID 4932 wrote to memory of 3368 4932 pythonw.exe rundll32.exe PID 4932 wrote to memory of 3368 4932 pythonw.exe rundll32.exe PID 4932 wrote to memory of 3368 4932 pythonw.exe rundll32.exe
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\20220119_TA580\Requirements.lnk1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c cd project && pythonw.exe projectt.py & taskkill /F /IM cmd.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\20220119_TA580\project\pythonw.exepythonw.exe projectt.py3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /C systmeinfo4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /C systeminfo4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\systeminfo.exesysteminfo5⤵
- Gathers system information
-
C:\Windows\system32\rundll32.exeC:\Windows\system32\rundll32.exe4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/960-141-0x0000000000000000-mapping.dmp
-
memory/3368-142-0x00000252A6250000-0x00000252A6299000-memory.dmpFilesize
292KB
-
memory/3368-143-0x00000252A64B0000-0x00000252A64FD000-memory.dmpFilesize
308KB
-
memory/4008-140-0x0000000000000000-mapping.dmp
-
memory/4012-139-0x0000000000000000-mapping.dmp
-
memory/4180-133-0x0000000000000000-mapping.dmp
-
memory/4932-134-0x0000000000000000-mapping.dmp
-
memory/4932-135-0x00000231A3440000-0x00000231A34CB000-memory.dmpFilesize
556KB
-
memory/4932-136-0x00000231A3930000-0x00000231A3D30000-memory.dmpFilesize
4.0MB
-
memory/4932-137-0x00000231A3440000-0x00000231A34CB000-memory.dmpFilesize
556KB
-
memory/4932-138-0x00000231A3930000-0x00000231A3D30000-memory.dmpFilesize
4.0MB