Analysis
- max time kernel: 142s
- max time network: 139s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 22-03-2023 14:36
Static task: static1
Behavioral task: behavioral1
- Sample: 顺丰2023年4月裁员名单/2023年4月裁员人员名单.doc.lnk
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: 顺丰2023年4月裁员名单/2023年4月裁员人员名单.doc.lnk
- Resource: win10v2004-20230220-en
General
- Target: 顺丰2023年4月裁员名单/2023年4月裁员人员名单.doc.lnk
- Size: 1KB
- MD5: c4273f81b467411ecf04f3d738ce7d46
- SHA1: dbf01e0b38962457605f2ca6a0fe6cb0796606be
- SHA256: 223aa57937a946d01b70ee4d5be7862edf7923a8f8b8fbb2cbecfd836d786533
- SHA512: 69115a4d18cfea01a41adffae2d81a7be1bc65abf14f2b0cf16d99a00c60c3f6f71b2a48f9bcfe9736b6998b0cf0b893d2fdf510cccf3a08d14025cc23179304
Malware Config
Extracted: cobaltstrike
- watermark: 100000
- C2: http://bsupport.huawei.com:80/audiencemanager.js
- access_type: 512
- host: bsupport.huawei.com,/audiencemanager.js
- http_header1:
- http_header2:
- http_method1: GET
- http_method2: POST
- jitter: 9472
- polling_time: 30000
- port_number: 80
- sc_process32: %windir%\syswow64\runonce.exe
- sc_process64: %windir%\sysnative\runonce.exe
- state_machine: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCEhSlSrqe08fqi2sm/HDDQ/TULIO/SwoS+x4kBoCzrWo49EzP4g4IiU4V9blbEBfc48fOrI7vVMRHBnnibaOsgAgnfzQ7n2/jw3af65qHQSOgbt8SSfs36WfCbzPKMc1tGpgiqYG+hAFGu/snKl0iZSddRLL8csTaipueoauIGWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- unknown1: 1.435374848e+09
- unknown2: AAAABAAAAAEAAAf+AAAAAgAAIUwAAAACAAAPtQAAAA0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- uri: /audiencemanager-v2.js
- user_agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4044.62 Safari/537.36
- watermark: 100000
Signatures
- Cobaltstrike: Detected malicious payload which is part of Cobaltstrike.
- Enumerates physical storage devices (1 TTP): Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: cmd.exe, explorer.exe, WScript.exe
  description / pid / process / target process
  PID 1368 wrote to memory of 1104 / 1368 / cmd.exe / explorer.exe
  PID 1368 wrote to memory of 1104 / 1368 / cmd.exe / explorer.exe
  PID 1368 wrote to memory of 1104 / 1368 / cmd.exe / explorer.exe
  PID 908 wrote to memory of 1128 / 908 / explorer.exe / WScript.exe
  PID 908 wrote to memory of 1128 / 908 / explorer.exe / WScript.exe
  PID 908 wrote to memory of 1128 / 908 / explorer.exe / WScript.exe
  PID 1128 wrote to memory of 1800 / 1128 / WScript.exe / NisSrv.exe
  PID 1128 wrote to memory of 1800 / 1128 / WScript.exe / NisSrv.exe
  PID 1128 wrote to memory of 1800 / 1128 / WScript.exe / NisSrv.exe
Processes
- C:\Windows\system32\cmd.exe (depth 1)
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\顺丰2023年4月裁员名单\2023年4月裁员人员名单.doc.lnk
  - Suspicious use of WriteProcessMemory
  - C:\Windows\explorer.exe (depth 2)
    Command line: "C:\Windows\explorer.exe" ".\清单列表\.__MACOSX__\闕ウ�ュ隴�\._MACOS_\apt.vbs"
- C:\Windows\explorer.exe (depth 1)
  Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WScript.exe (depth 2)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\顺丰2023年4月裁员名单\清单列表\.__MACOSX__\闕ウ�ュ隴�\._MACOS_\apt.vbs"
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\顺丰2023年4月裁员名单\清单列表\.__MACOSX__\闕ウ�ュ隴�\._MACOS_\NisSrv.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\顺丰2023年4月裁员名单\清单列表\.__MACOSX__\闕ウ�ュ隴�\._MACOS_\NisSrv.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1800-90-0x0000000001D40000-0x0000000001D81000-memory.dmp (Filesize 260KB)
- memory/1800-92-0x0000000027A40000-0x0000000027A8F000-memory.dmp (Filesize 316KB)
- memory/1800-95-0x0000000027BC0000-0x0000000027C0F000-memory.dmp (Filesize 316KB)
- memory/1800-96-0x0000000074C60000-0x0000000075482000-memory.dmp (Filesize 8.1MB)