Analysis
- max time kernel: 117s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20230712-en
- resource tags: arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
- submitted: 26-08-2023 10:17
Static task: static1
Behavioral task: behavioral1
  Sample: 344de6a865e4cfb9937cd8b42deeb560aac1dfeae07a9746871b42a50afabf2b.exe
  Resource: win7-20230712-en
Behavioral task: behavioral2
  Sample: 344de6a865e4cfb9937cd8b42deeb560aac1dfeae07a9746871b42a50afabf2b.exe
  Resource: win10v2004-20230824-en
General
- Target: 344de6a865e4cfb9937cd8b42deeb560aac1dfeae07a9746871b42a50afabf2b.exe
- Size: 1.9MB
- MD5: 198c5c9a3adf296031a79fbb7f541482
- SHA1: 12bdf8053f0d5f992eb4707246bf57b137c58118
- SHA256: 344de6a865e4cfb9937cd8b42deeb560aac1dfeae07a9746871b42a50afabf2b
- SHA512: 4bedd0c34d841d02741b9700754892cebbf90b5126f290696067f515b4546028f1310f1fc8360d33c1bfd132e0cad69fa1d058c9b928c00d818bb3c3456b5cf5
- SSDEEP: 49152:3yiyM4/Q34urb/TdvO90dL3BmAFd4A64nsfJ9PaCN3gqpVK7ljID1O:Ci73Q9Y7b
Malware Config
Extracted
cobaltstrike
http://yuiko.xyz:2096/GAof
-
user_agent
User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2) Java/1.5.0_08 Host: yuiko.xyz
Signatures
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
- Drops file in Windows directory (1 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  pid | Process
  2688 | WINWORD.EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoCs)
  pid | Process
  2688 | WINWORD.EXE
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  2688 | WINWORD.EXE
  2688 | WINWORD.EXE
- Suspicious use of WriteProcessMemory (11 IoCs)
  description | pid | Process | procid_target
  PID 2208 wrote to memory of 2652 | 2208 | 344de6a865e4cfb9937cd8b42deeb560aac1dfeae07a9746871b42a50afabf2b.exe | 29
  PID 2208 wrote to memory of 2652 | 2208 | 344de6a865e4cfb9937cd8b42deeb560aac1dfeae07a9746871b42a50afabf2b.exe | 29
  PID 2208 wrote to memory of 2652 | 2208 | 344de6a865e4cfb9937cd8b42deeb560aac1dfeae07a9746871b42a50afabf2b.exe | 29
  PID 2652 wrote to memory of 2688 | 2652 | cmd.exe | 30
  PID 2652 wrote to memory of 2688 | 2652 | cmd.exe | 30
  PID 2652 wrote to memory of 2688 | 2652 | cmd.exe | 30
  PID 2652 wrote to memory of 2688 | 2652 | cmd.exe | 30
  PID 2688 wrote to memory of 2832 | 2688 | WINWORD.EXE | 33
  PID 2688 wrote to memory of 2832 | 2688 | WINWORD.EXE | 33
  PID 2688 wrote to memory of 2832 | 2688 | WINWORD.EXE | 33
  PID 2688 wrote to memory of 2832 | 2688 | WINWORD.EXE | 33
Processes
- C:\Users\Admin\AppData\Local\Temp\344de6a865e4cfb9937cd8b42deeb560aac1dfeae07a9746871b42a50afabf2b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\344de6a865e4cfb9937cd8b42deeb560aac1dfeae07a9746871b42a50afabf2b.exe"
  - Suspicious use of WriteProcessMemory
  PID: 2208
  - C:\Windows\system32\cmd.exe
    Command line: cmd /c .\关于windows邮件客户端升级的通知.docx
    - Suspicious use of WriteProcessMemory
    PID: 2652
    - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\关于windows邮件客户端升级的通知.docx"
      - Drops file in Windows directory
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious behavior: CmdExeWriteProcessMemorySpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 2688
      - C:\Windows\splwow64.exe
        Command line: C:\Windows\splwow64.exe 12288
        PID: 2832
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 11KB
  MD5: e8a5d99d14ab493fdb8d3cf6709e6c09
  SHA1: 94c5d2a9fe81b98a3516063999a79b48d38dcb0f
  SHA256: 9597aad4fe103931c6bfc2ff03bd9eea4a8aa590b72be55f05e0459b0fb1dfab
  SHA512: 68e399f94d8c3f6264f5b5c6b78c28bd7acec5146ee7ed355dff72b26837e3ff3a8da68702f07ee2d651c56b2631b2d0d503f829122e435d10833a0ef4e71cec
- Filesize: 20KB
  MD5: e11a1f3811217da52867c4054afb9260
  SHA1: cbf5766e79f16b1fb014739ee75f2c3aaae9380e
  SHA256: 83427f1f5e997aeaf7478bdfc8e7a622b7d93f8cf7c3fe89b771fd3baec99eaa
  SHA512: 9ef76b19ab58b1892a36228ec402b319e2ec6152ce181b9c0370b4a13dea0ba643657c3db6650fc2b4d4eb8daa557e34d935bbac26e09d8e80077e823afba3dc
- Filesize: 2B
  MD5: f3b25701fe362ec84616a93a45ce9998
  SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
  SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
  SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84