Overview
Static: score 10
- 12493ec6b5...ba.exe, windows7-x64: score 1
- 12493ec6b5...ba.exe, windows10-2004-x64: score 10
- 9e7d06f01a...47.exe, windows7-x64: score 10
- 9e7d06f01a...47.exe, windows10-2004-x64: score 10
- c5b25a24f7...om.exe, windows7-x64: score 10
- c5b25a24f7...om.exe, windows10-2004-x64: score 1
- ce8bface0c...aa.exe, windows7-x64: score 1
- ce8bface0c...aa.exe, windows10-2004-x64: score 10
Analysis: score 10
- max time kernel: 149s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-03-2023 12:02
- Static task static1
- Behavioral task behavioral1: Sample 12493ec6b59188a080961436130f4cba.exe, Resource win7-20230220-en
- Behavioral task behavioral2: Sample 12493ec6b59188a080961436130f4cba.exe, Resource win10v2004-20230221-en
- Behavioral task behavioral3: Sample 9e7d06f01a6535531b6e098f6dd3eb47.exe, Resource win7-20230220-en
- Behavioral task behavioral4: Sample 9e7d06f01a6535531b6e098f6dd3eb47.exe, Resource win10v2004-20230220-en
- Behavioral task behavioral5: Sample c5b25a24f7112f1ee9300986004c45d9.com.exe, Resource win7-20230220-en
- Behavioral task behavioral6: Sample c5b25a24f7112f1ee9300986004c45d9.com.exe, Resource win10v2004-20230221-en
- Behavioral task behavioral7: Sample ce8bface0c9e56ab96d4bc06b76083aa.exe, Resource win7-20230220-en
- Behavioral task behavioral8: Sample ce8bface0c9e56ab96d4bc06b76083aa.exe, Resource win10v2004-20230220-en
General
- Target: ce8bface0c9e56ab96d4bc06b76083aa.exe
- Size: 2.7MB
- MD5: ce8bface0c9e56ab96d4bc06b76083aa
- SHA1: 67a648847de158f40ac710dfb90a17d2ff49b9a6
- SHA256: 635eec28f0b72fb0b6a1542766ec4773559579e37dd7949fa41f57e386c3adfd
- SHA512: 57a141fd8fff049dad91458d84755a909bb90ccd8c879ce1928897acada96cc06d5c6e63c6a936c8ac9314734acf4b6d28404f67beb0263c883215eb620dc1f9
- SSDEEP: 49152:hRkjGFXsl3Pza68rb/T3vO90d7HjmAFd4A64nsfJjAKhH4+stNms6zo0qYgNCUOG:Ol3PbstNms6zoSGppTOZ
Malware Config
Extracted: cobaltstrike
- http://192.168.20.15:801/9Ekt
- user_agent: User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)
Signatures
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: cmd.exe
    Key value queried: \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation (cmd.exe)
- Executes dropped EXE (1 IoC)
  Processes: artifact.exe (PID 364)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: EXCEL.EXE
    Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (EXCEL.EXE)
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (EXCEL.EXE)
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (EXCEL.EXE)
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: EXCEL.EXE
    Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (EXCEL.EXE)
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (EXCEL.EXE)
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (EXCEL.EXE)
- Modifies registry class (1 IoC)
  Processes: cmd.exe
    Key created: \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings (cmd.exe)
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes: EXCEL.EXE (PID 3600)
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes: EXCEL.EXE (PID 3600), 2 occurrences
- Suspicious use of SetWindowsHookEx (12 IoCs)
  Processes: EXCEL.EXE (PID 3600), 12 occurrences
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: ce8bface0c9e56ab96d4bc06b76083aa.exe, cmd.exe
    PID 2020 (ce8bface0c9e56ab96d4bc06b76083aa.exe) wrote to memory of PID 2012 (cmd.exe), 2 occurrences
    PID 2020 (ce8bface0c9e56ab96d4bc06b76083aa.exe) wrote to memory of PID 364 (artifact.exe), 2 occurrences
    PID 2012 (cmd.exe) wrote to memory of PID 3600 (EXCEL.EXE), 3 occurrences
Processes
- C:\Users\Admin\AppData\Local\Temp\ce8bface0c9e56ab96d4bc06b76083aa.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ce8bface0c9e56ab96d4bc06b76083aa.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe
    Command line: cmd " /c " C:\Users\Public\202303141145服务器报备.xls
    Signatures: Checks computer location settings; Modifies registry class; Suspicious use of WriteProcessMemory
    - C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
      Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Public\202303141145服务器报备.xls"
      Signatures: Checks processor information in registry; Enumerates system info in registry; Suspicious behavior: AddClipboardFormatListener; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx
  - C:\Users\Public\artifact.exe
    Command line: C:\Users\Public\artifact.exe
    Signatures: Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
  Filesize: 267B
  MD5: c1d6ae145462dc687b3b45a0036a68b6
  SHA1: ebd661672df2aa6d71c89a8b18053d9a2637e9a0
  SHA256: 9ae9f1a85a410c0e6380c996deaa6dc21bde1cee26b027460b6193a7ed6f11dc
  SHA512: c02076ef5616c2fdef1e80c3fb62aeac15f5d58b85e129f2cf2cddb6440e1c1be113f52623e8236297c0bf67059d0b82ab2255d0a8aa0688724a021ded76f9fa
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
  Filesize: 24B
  MD5: 4fcb2a3ee025e4a10d21e1b154873fe2
  SHA1: 57658e2fa594b7d0b99d02e041d0f3418e58856b
  SHA256: 90bf6baa6f968a285f88620fbf91e1f5aa3e66e2bad50fd16f37913280ad8228
  SHA512: 4e85d48db8c0ee5c4dd4149ab01d33e4224456c3f3e3b0101544a5ca87a0d74b3ccd8c0509650008e2abed65efd1e140b1e65ae5215ab32de6f6a49c9d3ec3ff
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
  Filesize: 975B
  MD5: 07fbebf7379c4874e32bfad6e6820613
  SHA1: 7516c77a3c6765098a17d6f3a01fba9f6921b44b
  SHA256: 33840ee60749dc75f1fce1c520dc49f3e46950989e5fe5f5571102ec0879c65b
  SHA512: e2be53d08849b4c2c12e47af005d1d9ad19b48d487c7fc0a7dc33d65b91ad6b800d12e40bc4953c29d9eb81303cca2f2635b926e765979eddeda9401430ed0bb
- C:\Users\Public\202303141145服务器报备.xls
  Filesize: 22KB
  MD5: 42c5a8424fba34b4156ffb3d46b2842e
  SHA1: b9fe363d1c4ef205d1600094834c14f47cdb224b
  SHA256: c68995eee773f8a9056e827ba8cc5105a500695568fee7076766dfd0d5ce6a43
  SHA512: a533423272399892bce2c4c2e165bedcaab250a73c3dff7d9742e27039dc9492b6e5d1c77561a9f80a3bc491696a5bab7ba256701ddf540c289e58c2a7ba68ab
- C:\Users\Public\artifact.exe
  Filesize: 17KB
  MD5: 73b99609558c5b59b5a8a1c1b395ac86
  SHA1: ed7cf719433928bf68664644e57047f2ca817978
  SHA256: ce10ad6ad10f8bab57fca84288487a0da754f63946bece5bea01cb36d83b7779
  SHA512: d1d2830ff1521a4c14f7357dd41be44b6c4d8fd8bd56582108d0d4583cf73ed1e5a667446929e1e44889e45e592cb5f4128b1b68010aca74f71a7db422a53c01
- memory/364-140-0x0000000000020000-0x0000000000021000-memory.dmp: 4KB
- memory/364-165-0x0000000000400000-0x000000000040C000-memory.dmp: 48KB
- memory/3600-142-0x00007FFE81F90000-0x00007FFE81FA0000-memory.dmp: 64KB
- memory/3600-146-0x00007FFE7F730000-0x00007FFE7F740000-memory.dmp: 64KB
- memory/3600-147-0x00007FFE7F730000-0x00007FFE7F740000-memory.dmp: 64KB
- memory/3600-145-0x00007FFE81F90000-0x00007FFE81FA0000-memory.dmp: 64KB
- memory/3600-144-0x00007FFE81F90000-0x00007FFE81FA0000-memory.dmp: 64KB
- memory/3600-143-0x00007FFE81F90000-0x00007FFE81FA0000-memory.dmp: 64KB
- memory/3600-141-0x00007FFE81F90000-0x00007FFE81FA0000-memory.dmp: 64KB