Overview
Analysis
- max time kernel: 149s
- max time network: 155s
- platform: windows7_x64
- resource: win7-20231023-en
- resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
- submitted: 16-11-2023 07:41
Behavioral tasks (sample, resource)
- behavioral1: 2023年11月新发布-财会人员薪资补贴调整新政策所需材料.exe (win7-20231020-en)
- behavioral2: 2023年11月新发布-财会人员薪资补贴调整新政策所需材料.exe (win10v2004-20231023-en)
- behavioral3: Due invoices Mazaya_pdf_pdf.vbe.ps1 (win7-20231023-en)
- behavioral4: Due invoices Mazaya_pdf_pdf.vbe.ps1 (win10v2004-20231020-en)
- behavioral5: tools-读取浏览器敏感信息.exe (win7-20231020-en)
- behavioral6: tools-读取浏览器敏感信息.exe (win10v2004-20231025-en)
- behavioral7: 信息收集模板.scr.exe (win7-20231023-en)
- behavioral8: 信息收集模板.scr.exe (win10v2004-20231023-en)
- behavioral9: 公司资料.exe (win7-20231023-en)
- behavioral10: 公司资料.exe (win10v2004-20231020-en)
- behavioral11: 安全检查资产上报收集表-20231103-___xlsx.scr.exe (win7-20231020-en)
- behavioral12: 安全检查资产上报收集表-20231103-___xlsx.scr.exe (win10v2004-20231023-en)
- behavioral13: 提交材料.exe (win7-20231025-en)
- behavioral14: 提交材料.exe (win10v2004-20231020-en)
- behavioral15: 李志-账号密码记录-解压密码-20231116.exe (win7-20231023-en)
- behavioral16: 李志-账号密码记录-解压密码-20231116.exe (win10v2004-20231023-en)
- behavioral17: 陈力-病例.exe (win7-20231023-en)
- behavioral18: 陈力-病例.exe (win10v2004-20231023-en)
General
- Target: 李志-账号密码记录-解压密码-20231116.exe
- Size: 13.4MB
- MD5: 2c8fb8705dbce5899bf596163a9b077a
- SHA1: 7233623d12b409760193c0be6fbb4b330fc74788
- SHA256: ec799e2ed133c709d9eb321b3876c8c3167314ff14ea407f2bffea51322e1ad3
- SHA512: 22a63989d76dfc48c59f91196759b724ec7ff50bd41f61f5a590381e1563cc1059003e4087a6d65bcd95d50cc3991364d255343658b074193fcc8a949df21f40
- SSDEEP: 98304:83Xn/gtuU2ICoM6f465FjjnrZ/cfMKpSw6Z5Vc1EboPkywplb:MX/gtuU2IY6PBcfMbN5VcGbo8Z
Malware Config
Extracted: cobaltstrike 100000
- C2: http://service-ho26i50l-1306669097.bj.apigw.tencentcs.com:443/assets/code-3d7b701fc6eb.css
- access_type: 512
- beacon_type: 2048
- host: service-ho26i50l-1306669097.bj.apigw.tencentcs.com,/assets/code-3d7b701fc6eb.css
- http_header1:
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAeQ29udGVudC1MYW5ndWFnZTogZGUtREUsIGVuLUNBAAAABwAAAAAAAAADAAAAAgAAAApTRVNTSU9OSUQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
- http_header2:
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAeQ29udGVudC1MYW5ndWFnZTogZGUtREUsIGVuLUNBAAAABwAAAAAAAAADAAAAAgAAAAlKU0VTU0lPTj0AAAAGAAAABkNvb2tpZQAAAAcAAAABAAAAAwAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
- http_method1: GET
- http_method2: POST
- jitter: 2560
- polling_time: 5
- port_number: 443
- sc_process32: %windir%\syswow64\esentutl.exe
- sc_process64: %windir%\sysnative\esentutl.exe
- state_machine:
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCAjLA3M+TgpQGM45UvhVjbFFxsA/w5baPizJxsN/CASGrNAwDXLRXCu1MHpgNtbbHqHlkqnavFZUT71H1FIeyPxKQz+0CqnrBJuFWXSGn0QTBxjYUUhx2aAcf7BqeLzQ1OgbOg/SahLDHGR6G5XRXQLVj8zXEUj/+3/46p0MqHXwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- unknown1: 2.702512128e+09
- unknown2:
AAAABAAAAAEAAAXyAAAAAgAAAFQAAAACAAAPWwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- uri: /qiyi
- user_agent: Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/5.0)
- watermark: 100000
Signatures
- Cobaltstrike: Detected malicious payload which is part of Cobaltstrike.
- Executes dropped EXE (2 IoCs). Processes (pid, process): 1944 win.exe; 1224
- Loads dropped DLL (2 IoCs). Processes (pid, process): 2356 cmd.exe; 1224
- Modifies system certificate store. Processes (description, ioc, process):
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 (win.exe)
  - Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = (hex-encoded certificate blob omitted) (win.exe)
- Suspicious use of SetWindowsHookEx (1 IoC). Processes (pid, process): 2984 李志-账号密码记录-解压密码-20231116.exe
- Suspicious use of WriteProcessMemory (6 IoCs). Processes (pid, process, target pid, target process):
  - PID 2984 李志-账号密码记录-解压密码-20231116.exe wrote to memory of 2356 cmd.exe (3 identical entries)
  - PID 2356 cmd.exe wrote to memory of 1944 win.exe (3 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\李志-账号密码记录-解压密码-20231116.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\李志-账号密码记录-解压密码-20231116.exe"
  PID: 2984
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe
    Command line: cmd /c start C:\ProgramData\win.exe
    PID: 2356
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\ProgramData\win.exe
      Command line: C:\ProgramData\win.exe
      PID: 1944
      - Executes dropped EXE
      - Modifies system certificate store
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 405KB
  MD5: ac7d9cbf94a9e1ed5cbe640639a488f4
  SHA1: 1d0baedcb76ae27d62138d5dda11a6f69cb12511
  SHA256: 6e35326ea33f4f17ce8a1be50d8b107044b0256b7e773d90746ce6b56552898c
  SHA512: dfd97b318ce7ba452d70d69d72a8093a7a5ce685757c490e806c571493a55a923b0d60039dab98193958d6aca0acc02d15502abc43becb32460daca29434c41e