Analysis
-
max time kernel
144s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20231025-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20231025-en, locale:en-us, os:windows10-2004-x64, system -
submitted
16-11-2023 12:01
Static task
static1
Behavioral task
behavioral1
Sample
ba41f895977f86c441013636d14fb1f501c05e41e936b8368cfbef07ae898972.exe
Resource
win7-20231020-en
Behavioral task
behavioral2
Sample
ba41f895977f86c441013636d14fb1f501c05e41e936b8368cfbef07ae898972.exe
Resource
win10v2004-20231025-en
General
-
Target
ba41f895977f86c441013636d14fb1f501c05e41e936b8368cfbef07ae898972.exe
-
Size
631KB
-
MD5
541e27b07599049d7cc41d475da51516
-
SHA1
f3f165f3a8c8d95c71b20f25d32aa034b54345ad
-
SHA256
ba41f895977f86c441013636d14fb1f501c05e41e936b8368cfbef07ae898972
-
SHA512
f26eaf65479e36b712f2ad7eeb80c785a0aed46758a890d84d6742f5083f930ff6178f656de998197582929c074025a25e7965c9b2bae49fad40441e9190dff6
-
SSDEEP
6144:WbdZngUq19UR+8+TbOv5LuyG1TjTYOPi706+qWQhteR5suavI5pkGo:4l+1CwPOvZOXt5VqDk5CITkGo
Malware Config
Extracted
cobaltstrike
http://img.uioqwea.xyz:8443/messages/DALBNSFFT4Q
-
user_agent
Accept: text/html,application/*,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Host: img.uioqwea.xyz Referer: http://code.jquery.com/ Accept-Encoding: gzip, deflate User-Agent: Mozilla/6.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/7.0)
Extracted
cobaltstrike
100000
http://172.67.182.142:8443/messages/xV5GdE
http://104.21.35.254:8443/messages/xV5GdE
http://2606:4700:3032::6815:23fe:8443/messages/xV5GdE
http://2606:4700:3033::ac43:b68e:8443/messages/xV5GdE
-
access_type
512
-
beacon_type
2048
-
host
172.67.182.142,/messages/xV5GdE,104.21.35.254,/messages/xV5GdE,2606:4700:3032::6815:23fe,/messages/xV5GdE,2606:4700:3033::ac43:b68e,/messages/xV5GdE
-
http_header1
-
http_header2
-
http_method1
GET
-
http_method2
POST
-
jitter
2560
-
polling_time
10000
-
port_number
8443
-
sc_process32
%windir%\syswow64\esentutl.exe
-
sc_process64
%windir%\sysnative\esentutl.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCaQGOQzaqqQLDxqfNAdfZu7isKEAhtTHok92MhWQ6haLF6I92+W3zIHm5+FBWaPVxJ+LV5YaSDuXAwGrTKzYDu/MHzXYcuENLyL4dRuFbJBfJwRImaLDke8V2+zhN0vu0ZSNtDIE4xEKf/UzAj6i/Jdh0+Ha72abUlVMBRn37jLwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
3.092976896e+09
-
unknown2
AAAABAAAAAEAAATAAAAAAQAAAAwAAAACAAABlAAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/messages/96OpFu
-
user_agent
Mozilla/6.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/7.0)
-
watermark
100000
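The extracted configuration above is enough to write a proxy-log check for this beacon. The following Python is an added example, not part of the sandbox report and not the sample's own code. It matches on the configured hosts, on the profile traits that survive a host change (the `/messages/<id>` URI paired with the `http://code.jquery.com/` Referer, the `Mozilla/6.0` product token that no shipping browser has ever sent, plain HTTP on port 8443), and only reports a finding on a known host or on two or more profile traits together, so that port 8443 alone does not fire. The tab-separated log format, the client addresses and timestamps, and the hosts other than those in the config are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Indicators copied from the extracted beacon configuration above.
C2_HOSTS = {
    "img.uioqwea.xyz",
    "172.67.182.142",
    "104.21.35.254",
    "2606:4700:3032::6815:23fe",
    "2606:4700:3033::ac43:b68e",
}
C2_PORT = 8443
C2_UA = "Mozilla/6.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/7.0)"
# "Mozilla/6.0" is not a real browser token, so the product prefix alone is
# a usable indicator even if the operator moves the listener to a new host.
C2_UA_RE = re.compile(r"^Mozilla/6\.0 \(compatible; MSIE 8\.0;")
C2_REFERER = "http://code.jquery.com/"
# Observed URIs: /messages/DALBNSFFT4Q, /messages/xV5GdE, /messages/96OpFu
C2_URI_RE = re.compile(r"^/messages/[A-Za-z0-9]{6,}$")

BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"  # constructed


def classify(method, url, ua, referer):
    """Return (verdict, matched_indicators) for one proxied request."""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    port = u.port or (443 if u.scheme == "https" else 80)
    matched = []
    if host in C2_HOSTS:
        matched.append("known-c2-host")
    if C2_UA_RE.match(ua):
        matched.append("profile-ua")
    if referer == C2_REFERER and C2_URI_RE.match(u.path):
        matched.append("jquery-profile-uri")
    if u.scheme == "http" and port == C2_PORT:
        matched.append("plaintext-8443")
    if "known-c2-host" in matched:
        verdict = "known_c2"
    elif len(matched) >= 2:
        verdict = "likely_beacon"  # profile traits without a known host
    else:
        verdict = "benign"
    return verdict, matched


def scan_log(lines):
    """Parse tab-separated proxy lines (ts, client, method, url, ua, referer)
    and return the non-benign requests."""
    hits = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        ts, client, method, url, ua, referer = line.rstrip("\n").split("\t")
        verdict, matched = classify(method, url, ua, referer)
        if verdict != "benign":
            hits.append({"ts": ts, "client": client, "url": url,
                         "verdict": verdict, "matched": matched})
    return hits


def _line(ts, client, method, url, ua, referer):
    return "\t".join((ts, client, method, url, ua, referer))


# Constructed sample log; only the C2 hosts, URIs, UA and Referer come from the report.
SAMPLE_LOG = [
    "# ts\tclient\tmethod\turl\tuser_agent\treferer",
    _line("2023-11-16T12:02:11Z", "10.0.0.5", "GET",
          "http://img.uioqwea.xyz:8443/messages/DALBNSFFT4Q", C2_UA, C2_REFERER),
    _line("2023-11-16T12:02:21Z", "10.0.0.5", "POST",
          "http://[2606:4700:3032::6815:23fe]:8443/messages/xV5GdE", C2_UA, C2_REFERER),
    _line("2023-11-16T12:03:05Z", "10.0.0.7", "GET",
          "http://203.0.113.10:8443/messages/Ab12Cd", C2_UA, C2_REFERER),
    _line("2023-11-16T12:03:40Z", "10.0.0.9", "GET",
          "https://code.jquery.com/jquery-3.7.1.min.js", BROWSER_UA, "-"),
    _line("2023-11-16T12:04:02Z", "10.0.0.9", "GET",
          "http://intranet.example.com:8443/status", BROWSER_UA, "-"),
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["verdict"]:14} {hit["client"]:10} {hit["url"]}  {hit["matched"]}')
```

The third sample request goes to a host that is not in the config and is still reported, because the user agent, the Referer plus URI shape, and plaintext 8443 all match; the intranet request on 8443 matches one trait only and stays quiet.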
Signatures
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
  process  description        ioc
  cmd.exe  Key value queried  \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
  process      description        ioc
  WINWORD.EXE  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
  WINWORD.EXE  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
  WINWORD.EXE  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
  process      description        ioc
  WINWORD.EXE  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS
  WINWORD.EXE  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
  WINWORD.EXE  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
-
Modifies registry class 1 IoCs
Processes:
  process  description  ioc
  cmd.exe  Key created  \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000_Classes\Local Settings
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
  pid   process
  3540  WINWORD.EXE (2 events)
-
Suspicious use of SetWindowsHookEx 17 IoCs
Processes:
  pid   process
  3540  WINWORD.EXE (17 events)
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
  source pid  source process                                                         target pid  target process
  3272        ba41f895977f86c441013636d14fb1f501c05e41e936b8368cfbef07ae898972.exe   4596        cmd.exe (2 events)
  4596        cmd.exe                                                                3540        WINWORD.EXE (2 events)
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\ba41f895977f86c441013636d14fb1f501c05e41e936b8368cfbef07ae898972.exe (PID 3272)
   Command line: "C:\Users\Admin\AppData\Local\Temp\ba41f895977f86c441013636d14fb1f501c05e41e936b8368cfbef07ae898972.exe"
   - Suspicious use of WriteProcessMemory
   -
   2. C:\Windows\system32\cmd.exe (PID 4596)
      Command line: "cmd" "/c start /b C:\Users\Admin\AppData\Local\Temp\ba41f895977f86c441013636d14fb1f501c05e41e936b8368cfbef07ae898972.doc"
      - Checks computer location settings
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      -
      3. C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 3540)
         Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ba41f895977f86c441013636d14fb1f501c05e41e936b8368cfbef07ae898972.doc" /o ""
         - Checks processor information in registry
         - Enumerates system info in registry
         - Suspicious behavior: AddClipboardFormatListener
         - Suspicious use of SetWindowsHookEx
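The launch chain above (dropper in the user's Temp directory, cmd.exe `start /b` on a decoy .doc, then WINWORD.EXE) and the spawnto entries in the beacon config translate directly into process-creation detections. The Python below is an added example, not part of the report. It walks Sysmon-style process events (pid, ppid, image, command line): the first rule flags an executable under %LOCALAPPDATA%\Temp that uses cmd.exe `start /b` to open a document, which is the chain recorded here; the second flags the configured spawnto binary esentutl.exe starting with an empty command line, which is how Cobalt Strike launches sacrificial post-exploitation processes and which this sandbox run did not reach. The PIDs 3272, 4596 and 3540 and their command lines are the ones in the report; every other event, including both esentutl.exe launches, is constructed.

```python
import ntpath

# Values taken from this report: spawnto targets from the beacon config and
# the recorded launch chain exe -> cmd.exe -> WINWORD.EXE.
SPAWNTO = {"esentutl.exe"}
TEMP_MARKER = "\\appdata\\local\\temp\\"
DOC_EXT = (".doc", ".docx", ".rtf")
DROPPER = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\ba41f895977f86c441013636d14fb1f501c05e41e936b8368cfbef07ae898972.exe")
DECOY = DROPPER[:-4] + ".doc"


def has_arguments(cmdline):
    """True if anything follows the (possibly quoted) program path."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        rest = s[end + 1:] if end != -1 else ""
    else:
        rest = s.partition(" ")[2]
    return bool(rest.strip())


def find_beacon_chains(events):
    """events: Sysmon EID 1-like dicts with pid, ppid, image, cmdline.
    Returns [(rule, pid, parent_image)] in event order."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name = ntpath.basename(e["image"]).lower()
        parent = by_pid.get(e["ppid"])
        parent_image = parent["image"] if parent else "<unknown>"
        cmd = e["cmdline"].lower()
        # Rule 1: a binary in %LOCALAPPDATA%\Temp opens a decoy document through
        # cmd.exe "start /b" so that Word becomes the user-visible process.
        if (name == "cmd.exe" and parent is not None
                and TEMP_MARKER in parent["image"].lower()
                and "start /b" in cmd
                and cmd.rstrip('" ').endswith(DOC_EXT)):
            findings.append(("decoy-document-launch", e["pid"], parent_image))
        # Rule 2: the configured spawnto binary started with no arguments.
        # Legitimate esentutl.exe use always carries a mode switch such as /p.
        if name in SPAWNTO and not has_arguments(e["cmdline"]):
            findings.append(("spawnto-no-args", e["pid"], parent_image))
    return findings


# Constructed events. PIDs 3272, 4596, 3540 and their command lines come from
# the report; the esentutl.exe launches and the remaining PIDs are made up.
SAMPLE_EVENTS = [
    {"pid": 3272, "ppid": 900, "image": DROPPER, "cmdline": f'"{DROPPER}"'},
    {"pid": 4596, "ppid": 3272, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": f'"cmd" "/c start /b {DECOY}"'},
    {"pid": 3540, "ppid": 4596,
     "image": r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE",
     "cmdline": f'"C:\\Program Files\\Microsoft Office\\Root\\Office16\\WINWORD.EXE" /n "{DECOY}" /o ""'},
    # hypothetical: beacon in 3272 spawns its sacrificial process for a post-ex job
    {"pid": 5012, "ppid": 3272, "image": r"C:\Windows\SysWOW64\esentutl.exe",
     "cmdline": r'"C:\Windows\SysWOW64\esentutl.exe"'},
    # hypothetical: a legitimate, argument-bearing esentutl.exe run
    {"pid": 6100, "ppid": 900, "image": r"C:\Windows\System32\esentutl.exe",
     "cmdline": r"esentutl.exe /p C:\Temp\mail.edb"},
    {"pid": 7000, "ppid": 900, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r"cmd /c dir C:\Users\Admin\AppData\Local\Temp"},
]

if __name__ == "__main__":
    for rule, pid, parent in find_beacon_chains(SAMPLE_EVENTS):
        print(f"{rule:24} pid={pid} parent={parent}")
```

The parent lookup is by PID within the event batch, so a child whose parent was not captured (PID 900 here) cannot satisfy rule one; in production, key on the parent image the sensor records rather than re-resolving it.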
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Temp\ba41f895977f86c441013636d14fb1f501c05e41e936b8368cfbef07ae898972.doc
Filesize
9KB
MD5
b9f7d2b5f0fbd9ebc1cd5aa73be0bac3
SHA1
14f463c3e784da7048891e8ef918616c961555ca
SHA256
ff0fd5dce9b1b94ad8718994739f5d7b5391eaaa6f44da61d74d25a4dacfd9ee
SHA512
07ef0af8e395d922e22dade0b2420f7b8f3011d3b73af01529a1bcd4d957f8423e434e77bd9fad00176b328822e2fd1771f5cc9bb00b69cb4cd861b82ca7d93c
-
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex
Filesize
2B
MD5
f3b25701fe362ec84616a93a45ce9998
SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
Memory dumps, grouped by process and region (the numbers after the PID are the dump indices from memory/<pid>-<index>-<start>-<end>-memory.dmp):
  PID 3272 (ba41f895977f86c441013636d14fb1f501c05e41e936b8368cfbef07ae898972.exe)
    0x000001CFD49F0000-0x000001CFD49F1000  4KB    dump 1
    0x000001CFD65D0000-0x000001CFD6732000  1.4MB  dumps 29, 50
    0x000001CFD69D0000-0x000001CFD6A31000  388KB  dump 25
  PID 3540 (WINWORD.EXE)
    0x00007FFA3F3B0000-0x00007FFA3F5A5000  2.0MB  dumps 7, 8, 10, 11, 13, 14, 15, 16, 18, 20, 21, 22, 23, 24, 26, 27, 28, 47, 48, 49, 75, 76
    0x00007FF9FF430000-0x00007FF9FF440000  64KB   dumps 4, 5, 6, 9, 12, 71, 72, 73, 74
    0x00007FF9FCAD0000-0x00007FF9FCAE0000  64KB   dumps 17, 19