Analysis
max time kernel: 145s
max time network: 142s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-03-2023 14:36

Static task: static1

Behavioral task: behavioral1
Sample: 顺丰2023年4月裁员名单/2023年4月裁员人员名单.doc.lnk
Resource: win7-20230220-en

Behavioral task: behavioral2
Sample: 顺丰2023年4月裁员名单/2023年4月裁员人员名单.doc.lnk
Resource: win10v2004-20230220-en
General
Target: 顺丰2023年4月裁员名单/2023年4月裁员人员名单.doc.lnk
Size: 1KB
MD5: c4273f81b467411ecf04f3d738ce7d46
SHA1: dbf01e0b38962457605f2ca6a0fe6cb0796606be
SHA256: 223aa57937a946d01b70ee4d5be7862edf7923a8f8b8fbb2cbecfd836d786533
SHA512: 69115a4d18cfea01a41adffae2d81a7be1bc65abf14f2b0cf16d99a00c60c3f6f71b2a48f9bcfe9736b6998b0cf0b893d2fdf510cccf3a08d14025cc23179304
Malware Config
Extracted
  cobaltstrike
  100000
  http://bsupport.huawei.com:80/audiencemanager.js
access_type: 512
host: bsupport.huawei.com,/audiencemanager.js
http_header1: (base64 blob omitted)
http_method1: GET
http_method2: POST
jitter: 9472
polling_time: 30000
port_number: 80
sc_process32: %windir%\syswow64\runonce.exe
sc_process64: %windir%\sysnative\runonce.exe
state_machine: (base64 blob omitted)
unknown1: 1.435374848e+09
unknown2: (base64 blob omitted)
uri: /audiencemanager-v2.js
user_agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4044.62 Safari/537.36
watermark: 100000
Signatures
Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.

Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: cmd.exe, WScript.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation | cmd.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation | WScript.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class (1 IoC)
  Processes: explorer.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings | explorer.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: cmd.exe, explorer.exe, WScript.exe
  description | pid | process | target process
  PID 1944 wrote to memory of 2164 | 1944 | cmd.exe | explorer.exe
  PID 1944 wrote to memory of 2164 | 1944 | cmd.exe | explorer.exe
  PID 2276 wrote to memory of 2524 | 2276 | explorer.exe | WScript.exe
  PID 2276 wrote to memory of 2524 | 2276 | explorer.exe | WScript.exe
  PID 2524 wrote to memory of 2208 | 2524 | WScript.exe | NisSrv.exe
  PID 2524 wrote to memory of 2208 | 2524 | WScript.exe | NisSrv.exe
Processes
[depth 1] C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\顺丰2023年4月裁员名单\2023年4月裁员人员名单.doc.lnk
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  [depth 2] C:\Windows\explorer.exe
    Command line: "C:\Windows\explorer.exe" ".\清单列表\.__MACOSX__\闕ウ�ュ隴�\._MACOS_\apt.vbs"

[depth 1] C:\Windows\explorer.exe
  Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

  [depth 2] C:\Windows\System32\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\顺丰2023年4月裁员名单\清单列表\.__MACOSX__\闕ウ�ュ隴�\._MACOS_\apt.vbs"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

    [depth 3] C:\Users\Admin\AppData\Local\Temp\顺丰2023年4月裁员名单\清单列表\.__MACOSX__\闕ウ�ュ隴�\._MACOS_\NisSrv.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\顺丰2023年4月裁员名单\清单列表\.__MACOSX__\闕ウ�ュ隴�\._MACOS_\NisSrv.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/2208-134-0x000001DAF7FD0000-0x000001DAF8011000-memory.dmp  Filesize: 260KB
memory/2208-137-0x000001DAF8020000-0x000001DAF806F000-memory.dmp  Filesize: 316KB
memory/2208-138-0x000001DAF7FD0000-0x000001DAF801F000-memory.dmp  Filesize: 316KB
memory/2208-139-0x00000000764D0000-0x0000000076CF2000-memory.dmp  Filesize: 8.1MB