Analysis
- max time kernel: 150s
- max time network: 164s
- platform: windows7_x64
- resource: win7-20230831-en
- resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
- submitted: 13-10-2023 02:59
- Static task: static1
- Behavioral task behavioral1: sample fc815124dc2b846eb3215b2f91816f5d1c6f9a91ad34fda37dfee97b20f8f409.exe, resource win7-20230831-en
- Behavioral task behavioral2: sample fc815124dc2b846eb3215b2f91816f5d1c6f9a91ad34fda37dfee97b20f8f409.exe, resource win10v2004-20230915-en
General
- Target: fc815124dc2b846eb3215b2f91816f5d1c6f9a91ad34fda37dfee97b20f8f409.exe
- Size: 1.8MB
- MD5: 41b00fa23fb3b79db9203028ea9d03d4
- SHA1: 2bf0aedc99774acdff729b757ec057480cc004d3
- SHA256: fc815124dc2b846eb3215b2f91816f5d1c6f9a91ad34fda37dfee97b20f8f409
- SHA512: b4cacc9b3bef3a40335263ef24b49026f8b68e83fd685f6c5e397d2ee6846ea437fdca8888ef1677464d3c6026cd53c5fe1ddd0e1e4f36d4b565779c1881202d
- SSDEEP: 24576:LcGviP2CcmpREm3Tpj7juvMuY179aA82wlvCxVaIr7Fq5sMxn8ZiF35M8KD1vPl:L0rgDSw+sxPA8KD11
Malware Config
Extracted: cobaltstrike, watermark 100000, C2 http://cache.jquerysource.co:443/jquery-3.3.0.min.js
The host/URI pair, the GET and POST URIs (differing only in the jQuery version string) and the user agent make beacon traffic look like a browser fetching a CDN-hosted jQuery file; the http_header fields are the malleable C2 profile's request headers.
- access_type: 512
- beacon_type: 2048
- host: cache.jquerysource.co,/jquery-3.3.0.min.js
- http_header1: 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
- http_header2: 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
- http_method1: GET
- http_method2: POST
- jitter: 9472
- polling_time: 10000
- port_number: 443
- sc_process32: %windir%\syswow64\dllhost.exe (spawn-to process for 32-bit post-exploitation jobs)
- sc_process64: %windir%\sysnative\dllhost.exe (spawn-to process for 64-bit post-exploitation jobs)
- state_machine (base64 of the config's public-key field: a DER SubjectPublicKeyInfo for a 1024-bit RSA key, zero-padded): MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCmQEPSLVuoOihACFPRnPSA3ftXYZ5SROYUUuItwE4kyXr+Bf8AXVqBnXaGIG9WpHAq9W+MzS6EhuMVG3U2Od8d77hCK6QAEFRCBiVHE5/jyjCR0FbJyrmVm1Uzbfqae2vVQ+HwGRFQhdwFvj7upXuaEZmO+D0S5U7Rfo3p7eNozQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- unknown1: 4.16770176e+09
- unknown2: AAAABAAAAAEAAAXyAAAAAgAAAFMAAAACAAAPWwAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- uri: /jquery-3.3.1.min.js
- user_agent: Mozilla/5.0 (Windows NT) AppleWebKit/537.36 (KHTML, like Gecko, Efficiently) Safari/537.36
- watermark: 100000
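The extracted fields above come out of a Cobalt Strike beacon configuration block, which is a TLV list (index, type, length as big-endian 16-bit values, then data) masked with a single XOR byte (0x69 for 3.x beacons, 0x2E for 4.x). The following parser is an added example written for this page, not the sandbox's extractor or code from the sample. Its test input is constructed: the string fields (C2 host and URIs, verbs, spawn-to paths, watermark) are copied from the report, while the numeric fields use beacon type 8 (HTTPS) and jitter 37, which is this editor's reading of the report's 2048 and 9472 as the same 16-bit values with their two bytes reversed (0x0800 vs 0x0008, 0x2500 vs 0x0025); the report itself does not say that, so the `swap16` helper is included only to show the check. The setting-index names are the commonly documented ones for this format.

```python
import struct

# Cobalt Strike beacon configs are a TLV list, each entry
# (index u16, type u16, length u16, data) big-endian, XOR-masked with a
# single byte: 0x69 for 3.x beacons, 0x2E for 4.x beacons.
XOR_KEYS = (0x69, 0x2E)
T_SHORT, T_INT, T_BYTES = 1, 2, 3
# Entry #1 is the beacon type stored as a 2-byte short; this 6-byte header
# is the usual anchor for locating the decoded config inside a dump.
CONFIG_MAGIC = b"\x00\x01\x00\x01\x00\x02"

# Subset of the commonly documented setting indices.
SETTING_NAMES = {
    1: "beacon_type", 2: "port", 3: "sleeptime_ms", 4: "maxgetsize",
    5: "jitter_pct", 7: "public_key", 8: "c2_server", 9: "user_agent",
    10: "http_post_uri", 26: "http_get_verb", 27: "http_post_verb",
    29: "spawnto_x86", 30: "spawnto_x64", 37: "watermark",
}
BEACON_TYPES = {0: "HTTP", 1: "Hybrid HTTP/DNS", 2: "SMB", 4: "TCP", 8: "HTTPS", 16: "Bind TCP"}


def swap16(value):
    """Reverse the two bytes of a 16-bit value (0x0800 -> 0x0008)."""
    return ((value & 0xFF) << 8) | (value >> 8)


def build_setting(index, kind, value):
    """Encode one TLV entry; byte values are passed already NUL-padded."""
    if kind == T_SHORT:
        data = struct.pack(">H", value)
    elif kind == T_INT:
        data = struct.pack(">I", value)
    else:
        data = value
    return struct.pack(">HHH", index, kind, len(data)) + data


def parse_settings(blob):
    """Walk TLV entries until the all-zero terminator (index 0) or end of data."""
    settings = {}
    off = 0
    while off + 6 <= len(blob):
        index, kind, length = struct.unpack_from(">HHH", blob, off)
        off += 6
        if index == 0:
            break
        data = blob[off:off + length]
        off += length
        if kind == T_SHORT and length == 2:
            value = struct.unpack(">H", data)[0]
        elif kind == T_INT and length == 4:
            value = struct.unpack(">I", data)[0]
        else:
            value = data.rstrip(b"\x00")
        settings[SETTING_NAMES.get(index, "setting_%d" % index)] = value
    return settings


def extract_config(payload):
    """Try each XOR key, locate the beacon-type anchor, parse from there."""
    for key in XOR_KEYS:
        decoded = bytes(b ^ key for b in payload)
        pos = decoded.find(CONFIG_MAGIC)
        if pos == -1:
            continue
        cfg = parse_settings(decoded[pos:])
        cfg["xor_key"] = key
        cfg["beacon_type_name"] = BEACON_TYPES.get(cfg.get("beacon_type"), "unknown")
        return cfg
    return None


def build_sample_config(key=0x2E):
    """Constructed test input (not bytes from the analysed binary): string fields
    copied from this report, numeric fields as this editor reads them."""
    entries = [
        build_setting(1, T_SHORT, 8),          # HTTPS
        build_setting(2, T_SHORT, 443),
        build_setting(3, T_INT, 10000),        # sleep in ms
        build_setting(5, T_SHORT, 37),         # jitter percent
        build_setting(8, T_BYTES, b"cache.jquerysource.co,/jquery-3.3.0.min.js".ljust(256, b"\x00")),
        build_setting(9, T_BYTES, b"Mozilla/5.0 (Windows NT) AppleWebKit/537.36 (KHTML, like Gecko, Efficiently) Safari/537.36".ljust(128, b"\x00")),
        build_setting(10, T_BYTES, b"/jquery-3.3.1.min.js".ljust(256, b"\x00")),
        build_setting(26, T_BYTES, b"GET".ljust(16, b"\x00")),
        build_setting(27, T_BYTES, b"POST".ljust(16, b"\x00")),
        build_setting(29, T_BYTES, b"%windir%\\syswow64\\dllhost.exe".ljust(64, b"\x00")),
        build_setting(30, T_BYTES, b"%windir%\\sysnative\\dllhost.exe".ljust(64, b"\x00")),
        build_setting(37, T_INT, 100000),      # watermark
        b"\x00" * 6,                           # terminator entry
    ]
    filler = b"\x90" * 32  # unrelated bytes around the config, as in a real image
    return bytes(b ^ key for b in filler + b"".join(entries) + filler)


if __name__ == "__main__":
    for name, value in sorted(extract_config(build_sample_config()).items()):
        print("%-18s %r" % (name, value))
    print("report beacon_type 2048 byte-swapped ->", swap16(2048))
```

Run on a memory dump of a beacon process (the `memory/2624-*.dmp` files listed under Downloads are the natural input), `extract_config` reports which key decoded the block, and the parsed `c2_server`, `http_post_uri` and `spawnto_*` values can be compared directly against the report's fields.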
Signatures
- Cobaltstrike: detected malicious payload which is part of Cobaltstrike.
- Executes dropped EXE (1 IoC): backdoor.exe, PID 2624
- Loads dropped DLL (2 IoCs): the submitted sample, PID 2832 (two loads)
- Enumerates physical storage devices (1 TTP): attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: GetForegroundWindowSpam (1 IoC): AcroRd32.exe, PID 2524
- Suspicious behavior: RenamesItself (1 IoC): the submitted sample, PID 2832
- Suspicious use of SetWindowsHookEx (4 IoCs): AcroRd32.exe, PID 2524 (four calls)
- Suspicious use of WriteProcessMemory (12 IoCs):
  - PID 2832 (the submitted sample) wrote to memory of PID 2172 (cmd.exe), 4 times
  - PID 2832 (the submitted sample) wrote to memory of PID 2624 (backdoor.exe), 4 times
  - PID 2172 (cmd.exe) wrote to memory of PID 2524 (AcroRd32.exe), 4 times
  Each write target is a direct child of the writer in the process tree below, so these are writes into processes the writer itself created, not into an unrelated process.
Processes
The sample opens the dropped résumé PDF through cmd /c, so the registered viewer (Adobe Reader) displays the decoy document, and in parallel launches the dropped backdoor.exe from C:\Users\Public.
- depth 1: C:\Users\Admin\AppData\Local\Temp\fc815124dc2b846eb3215b2f91816f5d1c6f9a91ad34fda37dfee97b20f8f409.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\fc815124dc2b846eb3215b2f91816f5d1c6f9a91ad34fda37dfee97b20f8f409.exe"
  - Loads dropped DLL
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  - depth 2: C:\Windows\SysWOW64\cmd.exe
    command line: cmd " /c " C:\Users\Admin\AppData\Local\Temp\小林的简历.pdf (the filename 小林的简历.pdf means "Xiao Lin's résumé")
    - Suspicious use of WriteProcessMemory
    - depth 3: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\小林的简历.pdf"
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
  - depth 2: C:\Users\Public\backdoor.exe
    command line: C:\Users\Public\backdoor.exe
    - Executes dropped EXE
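The process tree above is the part of this report most useful for detection engineering: a parent running from a user's temp directory that both opens a document via `cmd /c` and starts an executable from C:\Users\Public. The code below is an added example, not tooling from the sandbox or from the sample. Its input is constructed Sysmon-style process-creation records that mirror the tree's PIDs, images and command lines; the parent PID of the sample itself (1337) is not in the report and is made up here. The second rule, for dllhost.exe with an unexpected parent, is derived from the config's spawn-to value; the report records no such spawn during the run, so the `SPAWNTO_EVENT` that exercises it is a constructed record, not an observation.

```python
from collections import defaultdict

# Constructed Sysmon-style process-creation records mirroring the report's tree.
# PPID 1337 for the sample is invented; everything else follows the report.
EVENTS = [
    {"pid": 2832, "ppid": 1337,
     "image": r"C:\Users\Admin\AppData\Local\Temp\fc815124dc2b846eb3215b2f91816f5d1c6f9a91ad34fda37dfee97b20f8f409.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\fc815124dc2b846eb3215b2f91816f5d1c6f9a91ad34fda37dfee97b20f8f409.exe"'},
    {"pid": 2172, "ppid": 2832, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'cmd " /c " C:\Users\Admin\AppData\Local\Temp\小林的简历.pdf'},
    {"pid": 2524, "ppid": 2172,
     "image": r"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe",
     "cmdline": r'"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\小林的简历.pdf"'},
    {"pid": 2624, "ppid": 2832, "image": r"C:\Users\Public\backdoor.exe",
     "cmdline": r"C:\Users\Public\backdoor.exe"},
]

# Constructed record NOT present in the report: what a post-exploitation job
# would look like given the config's spawn-to value (dllhost.exe).
SPAWNTO_EVENT = {"pid": 3000, "ppid": 2624,
                 "image": r"C:\Windows\SysWOW64\dllhost.exe",
                 "cmdline": r"C:\Windows\SysWOW64\dllhost.exe"}

DOC_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf")
# Parents under which dllhost.exe (COM surrogate) is expected; tune per environment.
LEGIT_DLLHOST_PARENTS = ("svchost.exe", "services.exe")


def in_user_temp(path):
    return "\\appdata\\local\\temp\\" in path.lower()


def in_public(path):
    # C:\Users\Public is writable by every interactive user, a common drop location.
    return path.lower().startswith("c:\\users\\public\\")


def document_opened_via_cmd(cmdline):
    """Return the document path if this is `cmd /c <document>`, else None.
    `cmd /c file.pdf` hands the file to its registered viewer, which is how
    the decoy gets displayed without the dropper calling ShellExecute itself."""
    lower = cmdline.lower()
    if not lower.lstrip('"').startswith("cmd"):
        return None
    idx = lower.find("/c")
    if idx == -1:
        return None
    target = cmdline[idx + 2:].strip(' "')
    return target if target.lower().endswith(DOC_EXTS) else None


def find_decoy_droppers(events):
    """Flag a parent in a user temp dir that both opens a document via cmd /c
    and launches an .exe from C:\\Users\\Public."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    hits = []
    for ppid, kids in children.items():
        parent = by_pid.get(ppid)
        if parent is None or not in_user_temp(parent["image"]):
            continue
        decoys = [d for d in (document_opened_via_cmd(k["cmdline"]) for k in kids) if d]
        payloads = [k for k in kids
                    if in_public(k["image"]) and k["image"].lower().endswith(".exe")]
        if decoys and payloads:
            hits.append({"dropper_pid": ppid, "decoy": decoys[0],
                         "payload": payloads[0]["image"], "payload_pid": payloads[0]["pid"]})
    return hits


def find_unexpected_dllhost(events):
    """dllhost.exe whose parent is not a usual COM launcher; matches the
    spawn-to setting in this beacon's config."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if not e["image"].lower().endswith("\\dllhost.exe"):
            continue
        parent = by_pid.get(e["ppid"])
        parent_name = parent["image"].lower().rsplit("\\", 1)[-1] if parent else "<unknown>"
        if parent_name not in LEGIT_DLLHOST_PARENTS:
            hits.append({"pid": e["pid"], "parent": parent_name})
    return hits


if __name__ == "__main__":
    for h in find_decoy_droppers(EVENTS):
        print("decoy-dropper:", h)
    for h in find_unexpected_dllhost(EVENTS + [SPAWNTO_EVENT]):
        print("dllhost with unexpected parent:", h)
```

The first rule keys on the relationship between siblings rather than on any single process, which is what keeps it from firing on a user who simply double-clicks a PDF; the second is a hunting query whose allow-list of dllhost parents has to be baselined before it is useful.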
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\小林的简历.pdf
  Filesize: 130KB
  MD5: fc5f31eb71eb2020241657580845e3e3
  SHA1: 4de78818457a9d5049c7f5bbf03dc1837da62554
  SHA256: 4b9f8b59ccaa105db2ea0e5c5601cbb4779e7ce286b90404f6dd1cfa76e78b32
  SHA512: 7ff3f6be060a57058e4d4764075d44aee6aa94e7cff531a0ce988f312d00e8b1dbc9c4969171f5d71dd1d458ebb8788d515822fab39d77bf01cb6424c9fd6fed
- C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
  Filesize: 3KB
  MD5: ef798b2c25564fc5bcda24f6b9ee1043
  SHA1: 3db1d7a1890d8077e42466c7e1a64bff0dea8bde
  SHA256: 417730444c08a212cd7dc63afc72f83218ec20700eedb3a6aec30a1ae5e77a2f
  SHA512: e72ea0a8e4eabff69496078d2a8fe7f5b373082aa5aaabfb47b3fc7f355cee7e3ba7a27fb619ad55d3d68260a14aec31ef6598be1a8f30ae74ba82259e43d9b8
- C:\Users\Public\backdoor.exe
  Filesize: 281KB
  MD5: d742c33d6497d614ded13df915c2fd91
  SHA1: 8075b81c6c08afec7ba00b1c78187d9db439c643
  SHA256: 3ea45fb61da83cc278d27faf487c976af30e86fa5c3e3dccb4511e4ee82c9a06
  SHA512: 397fd6cf5d1064fb6081bc35a71180bf3f3abcc106a511069db3e4b5afc95a912fad277201dba781272b77d0056cbcc5d6cc87bcda95199386a527e9069e164d
- \Users\Public\backdoor.exe (listed twice in the report; same 281KB file and the same MD5/SHA1/SHA256/SHA512 as the entry above)
- memory/2624-33-0x0000000000450000-0x0000000000491000-memory.dmp (PID 2624, backdoor.exe): 260KB
- memory/2624-34-0x0000000000A50000-0x0000000000EC2000-memory.dmp (PID 2624, backdoor.exe): 4.4MB
- memory/2624-36-0x0000000000400000-0x000000000044E000-memory.dmp (PID 2624, backdoor.exe): 312KB