General

  • Target

    infected2023042501.rar

  • Size

    17.7MB

  • Sample

    230425-sxfppaba86

  • MD5

    72e4f3608ecfbb1098a5ff7ea171d541

  • SHA1

    995598c603e6f212005a8dd6f3150d780fac8ded

  • SHA256

    82b8d175292a3441624af910e61ef4c6abadbea2efe824e7883b145acdf18974

  • SHA512

    6d97d452505e48ccbd32a08ef9be803bbc6ef2781af06ad5917f80597ad3601ad09ff221105cd4e6f4caf3b2ae69356eb31837fc216b21802dde8fa823765224

  • SSDEEP

    393216:Y8Kw9H0QleuaUhxiC7DJxi9pOvjdd6KsDvDiMV3cMy:YcUQl8JaJ49wv3SDiMV3cJ

Malware Config

Extracted

  • Family

    cobaltstrike

  • C2

    http://vip.oppo.cn.cdn.dnsv1.com.cn:443/js/jquery-3.4.1.slim.min.js

  • Attributes

    user_agent

    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36 Host: vip.oppo.cn

Targets

    • Target

      infected2023042501/Downloads/-252871022_150(1).CHM

    • Size

      78KB

    • MD5

      e6b6f265fecbb8956d1a46468be423c5

    • SHA1

      d0d12176cfeb1e46d62fc8db4f87560fb99667ee

    • SHA256

      368e0d948abb28c10bc17598aaab22756c36848756c189e5964ab59e13f164ba

    • SHA512

      68efa6d9c21e23d2c396c3cf0c03d84808e15d6f874aaa3eea70fb2b283ff22281e3340b5cdf663aeb2cd162dda20d94da7feb27c4420fdeea848da61d5d4064

    • SSDEEP

      1536:8mdzn+Wc5r84m9R5AGxdlwEoM/Xis4XX9mJcfiQyvjamDDd8MGL:jR+Wc5IR5AGdwE9Pis49mifBWaCCLL

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      infected2023042501/Downloads/2021-2022年度民航青年文明号拟命名集体名单.pdf .exe

    • Size

      2.8MB

    • MD5

      6c372539a592a1569029e61d7f5cbaa3

    • SHA1

      bd349cc828ea45a0264db64fd856110ae0332620

    • SHA256

      b24bc9659b4445a0581b4e14d62501a22f731f2525be01c65ca8c86b9d8310f3

    • SHA512

      c55659a57c5f8b8476c30cd2c27a505cca9d090b7e1d5adc122ad52cb04f9f4b839a34c6bc3594cbf1bce56d7d47e75496f70a768bfedc378edc2689bad69fe8

    • SSDEEP

      49152:cvYTjUP3QRrb/TJvO90d7HjmAFd4A64nsfJBbbFegmhVYgkJ7D/lUb1UeqU2hqYF:6Q6Z

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      infected2023042501/Downloads/2023企业个人最新版所得税缴纳标准1.exe

    • Size

      2.5MB

    • MD5

      d14a9b37ad635a9167381973a5b42271

    • SHA1

      a5836ea7760b36401e32223daade0a6de5d6276e

    • SHA256

      c56fc1011190aa878ed26be29e8a6f9a5f4d91f35a5e4adbab00f1fd941c5ba7

    • SHA512

      fbff0c3e9256ae7479fc7d6b9b939a80c68d5555c14ae839ba7b690dd56e3cdd54d983460ee92411b10ccb45128d9956ab9d9187dd9709b00a13740980b1c96e

    • SSDEEP

      49152:SJU24IKR63igl5DHMsSEADK4O77TEtuSxyyWvZNu:SJUtIm63BlmFEADKl77TWuSxyyWv7

    Score
    1/10
    • Target

      infected2023042501/Downloads/Quotation_copy_xls.exe

    • Size

      628KB

    • MD5

      36a23e46ba1e833c84e33f7501cd0f4b

    • SHA1

      6900ac5e88907e8b90f5b59841252df36b2b2676

    • SHA256

      a639434c17b727128c5ac246dc77417a27ad769f901979cd797cbd87ecf5fb30

    • SHA512

      56e66d18ed56dce55ff3724e296bdacaf9fd0aab1971c67137536248868e1c273423ede5df3665bbdb44c5f5422f1c26b1e1a171cd2d1b6c10fc90eab7007b5f

    • SSDEEP

      12288:jY6cc7i+L9CVZW4uJaRkBrPmD9NwjmgcpN2W33K6UGBWlZxe+15gwh:jY6c/QCVZaJPPY9+Tcpx66XB002

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

    • Target

      infected2023042501/Downloads/getsysteminfo.exe

    • Size

      8.5MB

    • MD5

      618e16575bbf22227bb8f59323eda412

    • SHA1

      5c037e937e79238124b847ff7e7eae4155d816fd

    • SHA256

      bbe86bfbad53a57373c9baf51af2b889a37bdc6ee116aa2ec23b746712e821fe

    • SHA512

      72eb0e0698ac896c5b4bb7da8759355a823f3b0dd05efb9d102a6a0ba748391ed003fb218becd053a6bc92e9a6ab0d3b8afbb7f7766f5542017ca1421f5f59d4

    • SSDEEP

      196608:oGvgVe/JN1gwVg5+iPpAxB8rQxeEXJqrWYDlJVuDHgSYszv:io/JAwVgsiPSxqrQcESWClJsDHgSYszv

    Score
    7/10
    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      infected2023042501/Downloads/中航信移动科技有限公司〔2023〕7号.‮xcod.exe.exe

    • Size

      699KB

    • MD5

      81336d82d14908e742d76fd63bff2d79

    • SHA1

      4d71b666cbe82155909bea22a8024f32434628b3

    • SHA256

      4d906b97bb440e86a020c0769554b81a75cd976d530668fb3617eff70a909076

    • SHA512

      219f14c855b6d66ec211fa54eeef57caba240569299b24e83bfa4f04eb8fa08dc15a991fe0b7d449924237e4dd0f03a94f898653fbc74dfe7be32704dfd6cf68

    • SSDEEP

      12288:wm+wp/B49ZPekGdSYm58TiO2WFXG95ZyTDcKqr60d7nn5ASRMvXlY:wdH2kG8Ymdh0XG95kHarxTuSRMPK

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      infected2023042501/Downloads/公积金信息_20230425.exe

    • Size

      2.4MB

    • MD5

      e68ce784cf743ecccff49fce52743e9c

    • SHA1

      a6db96d36931b875d21be0ff73e06415a02c03a0

    • SHA256

      d39bce6702d9594d5c2c5c625da227a00b1b7275e9e71257865dfc88fdac656f

    • SHA512

      cb0b93ece1538c3d122dd342b3f540bb8847446bbf05ce9ff83dba1a69a9d5bb84b8a9016bb6da20f4b35464fd4a2be78d155433a274e5f08b8124d0e1e8dbf4

    • SSDEEP

      49152:vuIgzYaNnT8MQy0fEx2ReT95lwmdQUe8HAZn:vutQy0MMoRw5J8Hmn

    Score
    7/10
    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Target

      infected2023042501/Downloads/工号:YC01198-工作邮箱:[email protected]使用工位网口异常反馈.exe

    • Size

      2.4MB

    • MD5

      f5d9977926f741b620d41df9d4af6571

    • SHA1

      479351b0bdada7c6987d69e089986006a69f2f4d

    • SHA256

      a29ced89cb84082c6b57bcd71480afae802c96b45e2fb6014eceb017d9705e05

    • SHA512

      cf667183b4d91e48201af6f609310284ad3de1cf4b3c4d0e1ddc9aa97a11ad0c16293daf3aa426535e8653cf2aec5b586be9f351e3bb6423b2afe801e029f6f0

    • SSDEEP

      24576:mPhejyccjzG84VUVDyFt9gWanTzNL2Qy0fyooiqhg1J8ueg1Lhd/DOiwdJ40bxMn:9lOzc9JanTzAQy0fyox91J2gpDKZ2n

    Score
    1/10
    • Target

      infected2023042501/Downloads/永赢基金管理有限公司客户相关的投诉信件内容_maxwealthfund.com

    • Size

      7.1MB

    • MD5

      d4405b3a3ee04aa463f0c291c1db323a

    • SHA1

      2c2f05e53e18c3ce19e95282a7b791d3444d61a9

    • SHA256

      72afe9e6739c3690399fe52f87405ad5f69434f74271437bd84ccca0b05f8bce

    • SHA512

      4cacf2331b9a240ff3c7e372e5dfd661851ff1918162ab43e9f4d1f31508a79764aabfbcc3ae4d749ef3a3639f1ab1020de96073f31b0f999c1455a177c99e17

    • SSDEEP

      49152:9cSYCZej/3KdCrb/TXvO90d7HjmAFd4A64nsfJL198tEjogB6s/d0CbawQD6i89n:Q3KdFtEDsppf8IR8KE3c0/E/gNl

    Score
    1/10
    • Target

      infected2023042501/Downloads/深圳智园总部饭堂吃出小蟑螂食品安全事件图片证据jpeg.exe

    • Size

      32KB

    • MD5

      f17e58072430527e007ba8aabe74796f

    • SHA1

      e89edcdcc56796636261e3016be4a4ce4b6b2626

    • SHA256

      1af4c64c986d0bf5bd447614e312be9c2f802879f13a09f6b95f5a7d675d8231

    • SHA512

      f2ca0153d330d93ff4e1c1efaeee55c680bfffb562e0f38df318ba99043b515d8d4114bc311e588dcd3cf854b984cda816b87997eab639d0360bfd8ac67c8776

    • SSDEEP

      768:zsiqOLGC30C0FHMKV+WeY4FFYMWOX8eW:bG7sKMWiF/wx

    • Target

      infected2023042501/Downloads/资金账户对账单导出#r.com

    • Size

      1.2MB

    • MD5

      037c54de4d77c43cf266fb8a875983a5

    • SHA1

      7590bf881cdec559d273ab9f85ad1933171a991f

    • SHA256

      c9aafacbf1413f70a75dfbd25b4feeb7d35f369d40986f0ed44c5fd9fb0bd9aa

    • SHA512

      d14175c3b99d10329d2316b4c9a8d62523513f222cc8a05efb2bf75042d6300f9f27ec363d1d4bbe2aad9d636921121bda2a9f6c5d2171740be7828bf1267a87

    • SSDEEP

      24576:mIIUEfbRAXZKwQ5xILQw+qp7cnff+ghS/TkEKsxAYH2YHNEAL0xzn:mnIOxILQw3pwmWSYEKsa+2YtEcAzn

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Enterprise v6

Tasks