Overview

Static (score 10)

Samples in this submission (score, sample, platform):
- 7, -服务端.exe, windows10-2004-x64
- 8, 1.exe, windows10-2004-x64
- 1, 360tray.exe, windows10-2004-x64
- 7, Loader/专项查杀工具-信息中心20230831.exe, windows10-2004-x64
- 10, Microsoft.exe, windows10-2004-x64
- 1, a.exe, windows10-2004-x64
- 1, check-2023-08-01.exe, windows10-2004-x64
- 1, flashcenter_install_cn.exe, windows10-2004-x64
- 7, muyyuvd.exe, windows10-2004-x64
- 7, pdf安装.exe, windows10-2004-x64
- 1, 东方有线网络有限公司岗位调整通知.exe, windows10-2004-x64
- 10, 关于部分人员违规收费、开具假发票、收取会议费、培训费等违法行为线索.exe, windows10-2004-x64
- 10, 国家电网有限公司企业负责人收入情况.exe, windows10-2004-x64
- 7, 广东省海洋综合执法辅助人员管理暂行规定的意见.exe, windows10-2004-x64
- 10, 广东省统计局智能普查代码API信息-20230907.exe, windows10-2004-x64
- 1, 录屏精灵-小方app-录制.exe, windows10-2004-x64
- 7, 火绒网络连接查询.exe, windows10-2004-x64
Analysis (score 10)
- max time kernel: 142s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20230831-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230831-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-09-2023 14:19
Behavioral tasks (each run on resource win10v2004-20230831-en):
- behavioral1: -服务端.exe
- behavioral2: 1.exe
- behavioral3: 360tray.exe
- behavioral4: Loader/专项查杀工具-信息中心20230831.exe
- behavioral5: Microsoft.exe
- behavioral6: a.exe
- behavioral7: check-2023-08-01.exe
- behavioral8: flashcenter_install_cn.exe
- behavioral9: muyyuvd.exe
- behavioral10: pdf安装.exe
- behavioral11: 东方有线网络有限公司岗位调整通知.exe
- behavioral12: 关于部分人员违规收费、开具假发票、收取会议费、培训费等违法行为线索.exe
- behavioral13: 国家电网有限公司企业负责人收入情况.exe
- behavioral14: 广东省海洋综合执法辅助人员管理暂行规定的意见.exe
- behavioral15: 广东省统计局智能普查代码API信息-20230907.exe
- behavioral16: 录屏精灵-小方app-录制.exe
- behavioral17: 火绒网络连接查询.exe
General
- Target: 火绒网络连接查询.exe
- Size: 2.6MB
- MD5: 6778f3dced1c151403900b0476611639
- SHA1: 9b60b0601e269628115ea851cd09e1f79c7b0bdb
- SHA256: 8debfe89f386834fc0553e65c3b827fc15bb96fc0c329058f818fe0db48dc624
- SHA512: 15187f442a7814af816d5d8aee6f663cf2fa006705dd4ebdb3a960d83065ebc1870370074f8168a9c65f5ca970c57b525ea5aa0462627d8e1d0454f457b3e72d
- SSDEEP: 49152:SFXWYr6RKkRu97UW+OSmdjlTCTYaBDV2VO:MXV+DOS5P2VO
Malware Config

Extracted family: cobaltstrike (watermark 391144938)

C2 URLs:
- http://38.147.172.99:443/load
- http://103.214.168.86:443/ga.js
- http://45.136.14.166:443/match
- http://38.147.172.99:443/activity
- http://134.122.167.72:443/visit.js

Configuration fields:
- access_type: 512
- beacon_type: 2048
- host: 38.147.172.99,/load,103.214.168.86,/ga.js,45.136.14.166,/match,38.147.172.99,/activity,134.122.167.72,/visit.js
- http_header1: AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQWNjZXB0LUxhbmd1YWdlOiBlbi11cwAAAAoAAAAbQWNjZXB0LUVuY29kaW5nOiB0ZXh0L3BsYWluAAAACgAAAC9Db250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL3gtd3d3LWZvcm0tdXJsdHJ5dHJ5ZAAAAAcAAAAAAAAAAwAAAAIAAAAiU0VTU0lPTklEPXdxZTQ1NHdxZTJkczE1ZHM0ZHNhNWRzNAAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
- http_method1: GET
- http_method2: POST
- jitter: 5120
- polling_time: 3000
- port_number: 443
- sc_process32: %windir%\syswow64\rundll32.exe
- sc_process64: %windir%\sysnative\rundll32.exe
- state_machine: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrLkw0kvfeugTUz0AmoVb/lE4jBMEVXSscLbqsILbLQbt0gXKVpDLWmw8u+ySk1wMPysDZiC7DSLdNEhH1tUiRNZfcKoe+OYofwP8EB7AJYsu1JZzVq3wlAzazE2wGXQqZNPPrdYvJUpVw7TijKATT9RT+Pk1mxbYYZqIhx+8TpwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- unknown1: 1.481970944e+09
- unknown2: AAAABAAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- uri: /index.php
- user_agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
- watermark: 391144938
Signatures

- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description, ioc, process):
  - Key value queried, \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\Control Panel\International\Geo\Nation, cmd.exe

- Executes dropped EXE (1 IoC)
  Processes (pid, process):
  - 4784, 360se.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description, ioc, process):
  - Key opened, \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0, WINWORD.EXE
  - Key value queried, \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz, WINWORD.EXE
  - Key value queried, \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString, WINWORD.EXE

- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes (description, ioc, process):
  - Key opened, \REGISTRY\MACHINE\Hardware\Description\System\BIOS, WINWORD.EXE
  - Key value queried, \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily, WINWORD.EXE
  - Key value queried, \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU, WINWORD.EXE

- Modifies registry class (1 IoC)
  Processes (description, ioc, process):
  - Key created, \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\Local Settings, cmd.exe

- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes (pid, process):
  - 3724, WINWORD.EXE (listed twice)

- Suspicious use of SetWindowsHookEx (8 IoCs)
  Processes (pid, process):
  - 3724, WINWORD.EXE (listed eight times)

- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes (description, pid, process, target process):
  - PID 4628 wrote to memory of 1776, 4628, 火绒网络连接查询.exe, cmd.exe (listed twice)
  - PID 4628 wrote to memory of 3976, 4628, 火绒网络连接查询.exe, cmd.exe (listed twice)
  - PID 4628 wrote to memory of 2360, 4628, 火绒网络连接查询.exe, cmd.exe (listed twice)
  - PID 2360 wrote to memory of 4784, 2360, cmd.exe, 360se.exe (listed twice)
  - PID 1776 wrote to memory of 3724, 1776, cmd.exe, WINWORD.EXE (listed twice)
Processes (process tree; nesting shows parent/child relationship)

- C:\Users\Admin\AppData\Local\Temp\火绒网络连接查询.exe (PID 4628), command line: "C:\Users\Admin\AppData\Local\Temp\火绒网络连接查询.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe (PID 1776), command line: "cmd" /c netstat.docx
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 3724), command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\netstat.docx" /o ""
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of SetWindowsHookEx
  - C:\Windows\system32\cmd.exe (PID 2360), command line: "cmd" /c "start C:\Users\Admin\360se.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\360se.exe (PID 4784), command line: C:\Users\Admin\360se.exe
      - Executes dropped EXE
  - C:\Windows\system32\cmd.exe (PID 3976), command line: "cmd" /c "del netstat.exe"
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\360se.exe
  - Filesize: 2.2MB
  - MD5: d23ce0c784f1ca562a627d24c972d807
  - SHA1: b2b6fb09a97151192c21476c34fb793db4082200
  - SHA256: 32a48bda3e80e47f46631c4be830b61fc0a28ca2534e0a526891506244367420
  - SHA512: 90a1908b0c7aa7c838f0f813ae01532f24abdd612ea31c0dc54da3406379341d0878831c1f1b8456378065858b9771d85752a3d2ff07f954dfdf99617925547b
- C:\Users\Admin\AppData\Local\Temp\netstat.docx
  - Filesize: 11KB
  - MD5: 591b8a7f1ecf457fae222c62d4a885fe
  - SHA1: cf5492e70dedc3e04c04d9726f1e9d297f8bd1c4
  - SHA256: f2258c40af6cddbe7a388157c9938e09d0ef3ae5cd89aa33c153c83cdc999eb2
  - SHA512: 24ebfa7fadff368be89eb00af64d308675032c4f701a4ba38398aa2db139fb5d969f6bd056daa8335b79f54874a7b60a74ba38815c2b53229e28361a0cb1e02c

- C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex
  - Filesize: 2B
  - MD5: f3b25701fe362ec84616a93a45ce9998
  - SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
  - SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
  - SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
memory/3724-24-0x00007FFC91AF0000-0x00007FFC91CE5000-memory.dmpFilesize
2.0MB
-
memory/3724-12-0x00007FFC91AF0000-0x00007FFC91CE5000-memory.dmpFilesize
2.0MB
-
memory/3724-9-0x00007FFC91AF0000-0x00007FFC91CE5000-memory.dmpFilesize
2.0MB
-
memory/3724-25-0x00007FFC91AF0000-0x00007FFC91CE5000-memory.dmpFilesize
2.0MB
-
memory/3724-11-0x00007FFC51B70000-0x00007FFC51B80000-memory.dmpFilesize
64KB
-
memory/3724-14-0x00007FFC91AF0000-0x00007FFC91CE5000-memory.dmpFilesize
2.0MB
-
memory/3724-13-0x00007FFC51B70000-0x00007FFC51B80000-memory.dmpFilesize
64KB
-
memory/3724-15-0x00007FFC91AF0000-0x00007FFC91CE5000-memory.dmpFilesize
2.0MB
-
memory/3724-16-0x00007FFC91AF0000-0x00007FFC91CE5000-memory.dmpFilesize
2.0MB
-
memory/3724-17-0x00007FFC91AF0000-0x00007FFC91CE5000-memory.dmpFilesize
2.0MB
-
memory/3724-18-0x00007FFC91AF0000-0x00007FFC91CE5000-memory.dmpFilesize
2.0MB
-
memory/3724-19-0x00007FFC91AF0000-0x00007FFC91CE5000-memory.dmpFilesize
2.0MB
-
memory/3724-20-0x00007FFC91AF0000-0x00007FFC91CE5000-memory.dmpFilesize
2.0MB
-
memory/3724-21-0x00007FFC91AF0000-0x00007FFC91CE5000-memory.dmpFilesize
2.0MB
-
memory/3724-22-0x00007FFC4FAE0000-0x00007FFC4FAF0000-memory.dmpFilesize
64KB
-
memory/3724-23-0x00007FFC91AF0000-0x00007FFC91CE5000-memory.dmpFilesize
2.0MB
-
memory/3724-10-0x00007FFC51B70000-0x00007FFC51B80000-memory.dmpFilesize
64KB
-
memory/3724-26-0x00007FFC4FAE0000-0x00007FFC4FAF0000-memory.dmpFilesize
64KB
-
memory/3724-8-0x00007FFC51B70000-0x00007FFC51B80000-memory.dmpFilesize
64KB
-
memory/3724-91-0x00007FFC91AF0000-0x00007FFC91CE5000-memory.dmpFilesize
2.0MB
-
memory/3724-90-0x00007FFC91AF0000-0x00007FFC91CE5000-memory.dmpFilesize
2.0MB
-
memory/3724-88-0x00007FFC51B70000-0x00007FFC51B80000-memory.dmpFilesize
64KB
-
memory/3724-7-0x00007FFC51B70000-0x00007FFC51B80000-memory.dmpFilesize
64KB
-
memory/3724-42-0x00007FFC91AF0000-0x00007FFC91CE5000-memory.dmpFilesize
2.0MB
-
memory/3724-43-0x00007FFC91AF0000-0x00007FFC91CE5000-memory.dmpFilesize
2.0MB
-
memory/3724-53-0x00007FFC91AF0000-0x00007FFC91CE5000-memory.dmpFilesize
2.0MB
-
memory/3724-89-0x00007FFC91AF0000-0x00007FFC91CE5000-memory.dmpFilesize
2.0MB
-
memory/3724-87-0x00007FFC51B70000-0x00007FFC51B80000-memory.dmpFilesize
64KB
-
memory/3724-86-0x00007FFC51B70000-0x00007FFC51B80000-memory.dmpFilesize
64KB
-
memory/3724-85-0x00007FFC51B70000-0x00007FFC51B80000-memory.dmpFilesize
64KB
-
memory/4784-61-0x0000021C3A2C0000-0x0000021C3A2C2000-memory.dmpFilesize
8KB
-
memory/4784-60-0x0000021C3C1E0000-0x0000021C3C5E0000-memory.dmpFilesize
4.0MB
-
memory/4784-57-0x0000021C3BFA0000-0x0000021C3BFB0000-memory.dmpFilesize
64KB
-
memory/4784-34-0x0000021C3C1E0000-0x0000021C3C5E0000-memory.dmpFilesize
4.0MB
-
memory/4784-33-0x0000021C3A250000-0x0000021C3A2A2000-memory.dmpFilesize
328KB
-
memory/4784-30-0x0000021C3BFA0000-0x0000021C3BFB0000-memory.dmpFilesize
64KB