Analysis

max time kernel: 141s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20231020-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-11-2023 05:39

Static task: static1

Behavioral task: behavioral1
  Sample: b471ee5e875003b428faf848e504643e10187b7fb6f95be55010060538add906.exe
  Resource: win7-20231023-en

Behavioral task: behavioral2
  Sample: b471ee5e875003b428faf848e504643e10187b7fb6f95be55010060538add906.exe
  Resource: win10v2004-20231020-en
General

Target: b471ee5e875003b428faf848e504643e10187b7fb6f95be55010060538add906.exe
Size: 48KB
MD5: c88cd660c9814edb7573b69b02db3ba3
SHA1: 34ced1c3603badcf4ffddc97621fe4810f4f0807
SHA256: b471ee5e875003b428faf848e504643e10187b7fb6f95be55010060538add906
SHA512: 6ba69d96d868a151a882e3175951d48bda63b2e1bb71f7a9d7ded129cbb6b4eefb877bc88938baad27577b738766730c140c3136c4a428c3c614cfb99d45fc06
SSDEEP: 768:ndV0MxpFjIRc7Yu+4O36YO+eNfcF4Soker6qQ4HyWOPHxT+scX2v:ndV0MssVPYOjNfcqJgqxOZcG
Malware Config

Extracted: cobaltstrike
  http://78.141.230.99:443/FtPS
  user_agent: User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)

Extracted: cobaltstrike
  0
  watermark: 0

Extracted: cobaltstrike
  100000
  http://78.141.230.99:443/dot.gif
  access_type: 512
  beacon_type: 2048
  host: 78.141.230.99,/dot.gif
  http_header1:
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
  http_header2:
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
  http_method1: GET
  http_method2: POST
  polling_time: 60000
  port_number: 443
  sc_process32: %windir%\syswow64\rundll32.exe
  sc_process64: %windir%\sysnative\rundll32.exe
  state_machine:
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDDohWpPN9dK5Iaq3j5MARwhwXxMD+LZJY92SEg755tH3cbGJDwjAjae+Cq14PUO5w33EpPbdmLoEfwZmXv2Zz/AYj0O8mNmRw35sEPhPXGKj1Snqz4qS1EVBYgJOSMLEUCg7LBwHQtvsGnoZjszjkVqf9Hi9INcnBF8qLyh4JrKQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
  unknown1: 4096
  unknown2:
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
  uri: /submit.php
  user_agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)
  watermark: 100000
Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  description        ioc                                                                                             process
  Key value queried  \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation  cmd.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  description        ioc                                                                               process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                  EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz             EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  EXCEL.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
  description        ioc                                                          process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU     EXCEL.EXE
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS               EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes:
  pid   process
  3596  EXCEL.EXE

Suspicious use of SetWindowsHookEx (9 IoCs)
Processes:
  pid   process
  3596  EXCEL.EXE
  3596  EXCEL.EXE
  3596  EXCEL.EXE
  3596  EXCEL.EXE
  3596  EXCEL.EXE
  3596  EXCEL.EXE
  3596  EXCEL.EXE
  3596  EXCEL.EXE
  3596  EXCEL.EXE

Suspicious use of WriteProcessMemory (5 IoCs)
Processes:
  description                        pid   process                                                                 target process
  PID 4764 wrote to memory of 2344   4764  b471ee5e875003b428faf848e504643e10187b7fb6f95be55010060538add906.exe  cmd.exe
  PID 4764 wrote to memory of 2344   4764  b471ee5e875003b428faf848e504643e10187b7fb6f95be55010060538add906.exe  cmd.exe
  PID 2344 wrote to memory of 3596   2344  cmd.exe                                                                 EXCEL.EXE
  PID 2344 wrote to memory of 3596   2344  cmd.exe                                                                 EXCEL.EXE
  PID 2344 wrote to memory of 3596   2344  cmd.exe                                                                 EXCEL.EXE
Processes

1. C:\Users\Admin\AppData\Local\Temp\b471ee5e875003b428faf848e504643e10187b7fb6f95be55010060538add906.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\b471ee5e875003b428faf848e504643e10187b7fb6f95be55010060538add906.exe"
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c start excel.exe 三方人统计模板-20232202.xlsx
      (the .xlsx name is GBK-encoded Chinese; the raw capture renders it as the mojibake "Èý·½ÈËͳ¼ÆÄ£°å-20232202.xlsx")
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory

      3. C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
         Command line: "C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" 三方人统计模板-20232202.xlsx
         - Checks processor information in registry
         - Enumerates system info in registry
         - Suspicious behavior: AddClipboardFormatListener
         - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

  dump                                                              size
  memory/3596-20-0x00007FF8D3B70000-0x00007FF8D3D65000-memory.dmp   2.0MB
  memory/3596-56-0x00007FF8D3B70000-0x00007FF8D3D65000-memory.dmp   2.0MB
  memory/3596-2-0x00007FF893BF0000-0x00007FF893C00000-memory.dmp    64KB
  memory/3596-3-0x00007FF8D3B70000-0x00007FF8D3D65000-memory.dmp    2.0MB
  memory/3596-5-0x00007FF893BF0000-0x00007FF893C00000-memory.dmp    64KB
  memory/3596-7-0x00007FF8D3B70000-0x00007FF8D3D65000-memory.dmp    2.0MB
  memory/3596-6-0x00007FF893BF0000-0x00007FF893C00000-memory.dmp    64KB
  memory/3596-4-0x00007FF8D3B70000-0x00007FF8D3D65000-memory.dmp    2.0MB
  memory/3596-8-0x00007FF893BF0000-0x00007FF893C00000-memory.dmp    64KB
  memory/3596-10-0x00007FF893BF0000-0x00007FF893C00000-memory.dmp   64KB
  memory/3596-9-0x00007FF8D3B70000-0x00007FF8D3D65000-memory.dmp    2.0MB
  memory/3596-11-0x00007FF8D3B70000-0x00007FF8D3D65000-memory.dmp   2.0MB
  memory/3596-12-0x00007FF8D3B70000-0x00007FF8D3D65000-memory.dmp   2.0MB
  memory/3596-22-0x00007FF8D3B70000-0x00007FF8D3D65000-memory.dmp   2.0MB
  memory/3596-14-0x00007FF8D3B70000-0x00007FF8D3D65000-memory.dmp   2.0MB
  memory/3596-17-0x00007FF8D3B70000-0x00007FF8D3D65000-memory.dmp   2.0MB
  memory/3596-18-0x00007FF8D3B70000-0x00007FF8D3D65000-memory.dmp   2.0MB
  memory/3596-19-0x00007FF891B90000-0x00007FF891BA0000-memory.dmp   64KB
  memory/3596-57-0x00007FF893BF0000-0x00007FF893C00000-memory.dmp   64KB
  memory/3596-59-0x00007FF8D3B70000-0x00007FF8D3D65000-memory.dmp   2.0MB
  memory/3596-13-0x00007FF891B90000-0x00007FF891BA0000-memory.dmp   64KB
  memory/3596-23-0x00007FF8D3B70000-0x00007FF8D3D65000-memory.dmp   2.0MB
  memory/3596-24-0x00007FF8D3B70000-0x00007FF8D3D65000-memory.dmp   2.0MB
  memory/3596-58-0x00007FF8D3B70000-0x00007FF8D3D65000-memory.dmp   2.0MB
  memory/3596-26-0x00007FF8D3B70000-0x00007FF8D3D65000-memory.dmp   2.0MB
  memory/3596-55-0x00007FF893BF0000-0x00007FF893C00000-memory.dmp   64KB
  memory/3596-34-0x00007FF8D3B70000-0x00007FF8D3D65000-memory.dmp   2.0MB
  memory/3596-35-0x00007FF8D3B70000-0x00007FF8D3D65000-memory.dmp   2.0MB
  memory/3596-36-0x00007FF8D3B70000-0x00007FF8D3D65000-memory.dmp   2.0MB
  memory/3596-54-0x00007FF893BF0000-0x00007FF893C00000-memory.dmp   64KB
  memory/3596-38-0x00007FF8D3B70000-0x00007FF8D3D65000-memory.dmp   2.0MB
  memory/3596-21-0x00007FF8D3B70000-0x00007FF8D3D65000-memory.dmp   2.0MB
  memory/3596-53-0x00007FF893BF0000-0x00007FF893C00000-memory.dmp   64KB
  memory/4764-42-0x00007FF6B5FF0000-0x00007FF6B6000000-memory.dmp   64KB
  memory/4764-37-0x0000020BE9100000-0x0000020BE914F000-memory.dmp   316KB
  memory/4764-27-0x0000020BEAF70000-0x0000020BEB370000-memory.dmp   4.0MB
  memory/4764-25-0x0000020BE9100000-0x0000020BE914F000-memory.dmp   316KB
  memory/4764-0-0x00007FF6B5FF0000-0x00007FF6B6000000-memory.dmp    64KB
  memory/4764-1-0x0000020BE8EC0000-0x0000020BE8EC1000-memory.dmp    4KB