Analysis

  • max time kernel
    117s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20230712-en
  • resource tags

    arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
  • submitted
    26-08-2023 10:17

General

  • Target

    344de6a865e4cfb9937cd8b42deeb560aac1dfeae07a9746871b42a50afabf2b.exe

  • Size

    1.9MB

  • MD5

    198c5c9a3adf296031a79fbb7f541482

  • SHA1

    12bdf8053f0d5f992eb4707246bf57b137c58118

  • SHA256

    344de6a865e4cfb9937cd8b42deeb560aac1dfeae07a9746871b42a50afabf2b

  • SHA512

    4bedd0c34d841d02741b9700754892cebbf90b5126f290696067f515b4546028f1310f1fc8360d33c1bfd132e0cad69fa1d058c9b928c00d818bb3c3456b5cf5

  • SSDEEP

    49152:3yiyM4/Q34urb/TdvO90dL3BmAFd4A64nsfJ9PaCN3gqpVK7ljID1O:Ci73Q9Y7b

Malware Config

Extracted

Family

cobaltstrike

C2

http://yuiko.xyz:2096/GAof

Attributes
  • user_agent

    User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2) Java/1.5.0_08 Host: yuiko.xyz

Signatures

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\344de6a865e4cfb9937cd8b42deeb560aac1dfeae07a9746871b42a50afabf2b.exe
    "C:\Users\Admin\AppData\Local\Temp\344de6a865e4cfb9937cd8b42deeb560aac1dfeae07a9746871b42a50afabf2b.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2208
    • C:\Windows\system32\cmd.exe
      cmd /c .\关于windows邮件客户端升级的通知.docx
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2652
      • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
        "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\关于windows邮件客户端升级的通知.docx"
        3⤵
        • Drops file in Windows directory
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2688
        • C:\Windows\splwow64.exe
          C:\Windows\splwow64.exe 12288
          4⤵
            PID:2832

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\关于windows邮件客户端升级的通知.docx

      Filesize

      11KB

      MD5

      e8a5d99d14ab493fdb8d3cf6709e6c09

      SHA1

      94c5d2a9fe81b98a3516063999a79b48d38dcb0f

      SHA256

      9597aad4fe103931c6bfc2ff03bd9eea4a8aa590b72be55f05e0459b0fb1dfab

      SHA512

      68e399f94d8c3f6264f5b5c6b78c28bd7acec5146ee7ed355dff72b26837e3ff3a8da68702f07ee2d651c56b2631b2d0d503f829122e435d10833a0ef4e71cec

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

      Filesize

      20KB

      MD5

      e11a1f3811217da52867c4054afb9260

      SHA1

      cbf5766e79f16b1fb014739ee75f2c3aaae9380e

      SHA256

      83427f1f5e997aeaf7478bdfc8e7a622b7d93f8cf7c3fe89b771fd3baec99eaa

      SHA512

      9ef76b19ab58b1892a36228ec402b319e2ec6152ce181b9c0370b4a13dea0ba643657c3db6650fc2b4d4eb8daa557e34d935bbac26e09d8e80077e823afba3dc

    • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

      Filesize

      2B

      MD5

      f3b25701fe362ec84616a93a45ce9998

      SHA1

      d62636d8caec13f04e28442a0a6fa1afeb024bbb

      SHA256

      b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

      SHA512

      98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

    • memory/2208-10-0x0000000027DC0000-0x0000000027DC1000-memory.dmp

      Filesize

      4KB

    • memory/2208-57-0x0000000029B40000-0x0000000029F40000-memory.dmp

      Filesize

      4.0MB

    • memory/2688-29-0x000000002F3D0000-0x000000002F52D000-memory.dmp

      Filesize

      1.4MB

    • memory/2688-30-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2688-31-0x00000000719ED000-0x00000000719F8000-memory.dmp

      Filesize

      44KB

    • memory/2688-53-0x000000002F3D0000-0x000000002F52D000-memory.dmp

      Filesize

      1.4MB

    • memory/2688-54-0x00000000719ED000-0x00000000719F8000-memory.dmp

      Filesize

      44KB

    • memory/2688-78-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2688-79-0x00000000719ED000-0x00000000719F8000-memory.dmp

      Filesize

      44KB