Analysis
- max time kernel: 157s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20231020-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18-11-2023 05:06
Static task: static1
Behavioral task: behavioral1
- Sample: 07a719365b6fbb229c1e95c81c760721b1ee9894e572004a47c35ff2cec7c72a.exe
- Resource: win7-20231020-en
Behavioral task: behavioral2
- Sample: 07a719365b6fbb229c1e95c81c760721b1ee9894e572004a47c35ff2cec7c72a.exe
- Resource: win10v2004-20231020-en
General
- Target: 07a719365b6fbb229c1e95c81c760721b1ee9894e572004a47c35ff2cec7c72a.exe
- Size: 651KB
- MD5: aba2b3ab5fefecbab8b28a8fdce0c0d0
- SHA1: 5ac23d773992a2b6564583bc9622c3d56ec7d526
- SHA256: 07a719365b6fbb229c1e95c81c760721b1ee9894e572004a47c35ff2cec7c72a
- SHA512: 5270e517b5f6ad94239808a09b2f07115a399db19c1cfe207b874bdff9b571cd5251ec8d92b02a6eb9efa9d5735818ba2dc9c2b38b3e786c55af31a4e6ac6a25
- SSDEEP: 12288:BubsNSOetfARQAPyXUzX+tLfLzE3h6aRyaGt2:BubsnafAPykyfLYEiGc
Malware Config
Extracted: cobaltstrike 1234567890 http://59.42.194.18:7777/pixel
- access_type: 512
- host: 59.42.194.18,/pixel
- http_header1: (base64 blob omitted)
- http_header2: (base64 blob omitted)
- http_method1: GET
- http_method2: POST
- polling_time: 60000
- port_number: 7777
- sc_process32: %windir%\syswow64\rundll32.exe
- sc_process64: %windir%\sysnative\rundll32.exe
- state_machine: (base64 blob omitted)
- unknown1: 4096
- unknown2: (base64 blob omitted)
- uri: /submit.php
- user_agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)
- watermark: 1234567890
Extracted: cobaltstrike 0
- watermark: 0
Signatures
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    07a719365b6fbb229c1e95c81c760721b1ee9894e572004a47c35ff2cec7c72a.exe: Key value queried \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation
- Executes dropped EXE (1 IoCs)
  Processes:
    notepd.exe (PID 2224)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    WINWORD.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
    WINWORD.EXE: Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
    WINWORD.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes:
    WINWORD.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
    WINWORD.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
    WINWORD.EXE: Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS
- Modifies registry class (1 IoCs)
  Processes:
    07a719365b6fbb229c1e95c81c760721b1ee9894e572004a47c35ff2cec7c72a.exe: Key created \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes:
    WINWORD.EXE (PID 2856), 2 occurrences
- Suspicious use of SetWindowsHookEx (7 IoCs)
  Processes:
    WINWORD.EXE (PID 2856), 7 occurrences
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
    PID 1812 (07a719365b6fbb229c1e95c81c760721b1ee9894e572004a47c35ff2cec7c72a.exe) wrote to memory of PID 2224 (notepd.exe), 2 occurrences
    PID 1812 (07a719365b6fbb229c1e95c81c760721b1ee9894e572004a47c35ff2cec7c72a.exe) wrote to memory of PID 2856 (WINWORD.EXE), 2 occurrences
Processes
- C:\Users\Admin\AppData\Local\Temp\07a719365b6fbb229c1e95c81c760721b1ee9894e572004a47c35ff2cec7c72a.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\07a719365b6fbb229c1e95c81c760721b1ee9894e572004a47c35ff2cec7c72a.exe"
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\Users\Public\notepd.exe (level 2)
    Command line: "C:\Users\Public\notepd.exe"
    - Executes dropped EXE
  - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (level 2)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Public\体检表.docx" /o ""
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
  Filesize: 215B
  MD5: dc162c68216d436a73b30694cf71770e
  SHA1: 3fe2cca295fc062de690455405b5a6c3fa785cbe
  SHA256: 4b491b95a3701955f55a266f82264a227e7a97876bbea35a392ea677a609848b
  SHA512: 4c937bf8bfbdc1e3d01d32b9240767e93de1a589709939ab4af78e5574319355461ee42a1fa33af6e92125a0d7de64e2ea14230212956b4f5e85b9d2c6a41647
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 3KB
  MD5: f07452bee06c2edfbf28e93c2f9a3e94
  SHA1: 8d19bbae45bb29492ea50f39e08bfec05cee4f1e
  SHA256: d7d3532ea7eacfbc66948d761f0d3deeceb0df58d97a52412460181186a663ac
  SHA512: 9cb6030cd2afd9cffadb3a815becccaa507f88158b3b267cec76978abbb331bfeb6100dad51690f0300eee0dca91b7de842efbf09051f808d86a6c96d758be0a
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 3KB
  MD5: ae0c8f6592c18003c8487063c38ad851
  SHA1: 543efcf1f02dcc8c3e559747f206f761625deba1
  SHA256: a384f63d35caecdb0f337c73f277791eb60902b6747e11343b3dcddbf4438538
  SHA512: 1e947791909df3b6391d451e9209e41bac134d0b325fa3bcd656bf70400366e92470e135b504f5844061293d78f2f7729cbafa4481d3d628957ce5130894e6eb
- C:\Users\Public\notepd.exe
  Filesize: 281KB
  MD5: 4a1f0da992ae0f3b1e9ddf53fa8dfc1a
  SHA1: eef6892c9946545f0d66b4dfe9a744ba6c503b19
  SHA256: f8a9baa5f5ec6da0bae2e778094622caabc8836e692a2d0d05c5ccb6df1deb19
  SHA512: 33ddd5eb9548c64f68e0588c3f8091b9fef99416b09894e8b9e67da83b19d7e91dfd51234d48018e3085ff345739ba89c6100f761c1b84a4644736a839765e75
- memory/2224-26-0x0000000000750000-0x0000000000791000-memory.dmp: 260KB
- memory/2224-67-0x00000000007A0000-0x00000000007EE000-memory.dmp: 312KB
- memory/2224-51-0x0000000000400000-0x000000000044E000-memory.dmp: 312KB
- memory/2224-31-0x00000000007A0000-0x00000000007EE000-memory.dmp: 312KB
- memory/2856-15-0x00007FFF5C370000-0x00007FFF5C380000-memory.dmp: 64KB
- memory/2856-22-0x00007FFF59C30000-0x00007FFF59C40000-memory.dmp: 64KB
- memory/2856-19-0x00007FFF9C2F0000-0x00007FFF9C4E5000-memory.dmp: 2.0MB
- memory/2856-18-0x00007FFF9C2F0000-0x00007FFF9C4E5000-memory.dmp: 2.0MB
- memory/2856-20-0x00007FFF9C2F0000-0x00007FFF9C4E5000-memory.dmp: 2.0MB
- memory/2856-21-0x00007FFF9C2F0000-0x00007FFF9C4E5000-memory.dmp: 2.0MB
- memory/2856-23-0x00007FFF9C2F0000-0x00007FFF9C4E5000-memory.dmp: 2.0MB
- memory/2856-24-0x00007FFF9C2F0000-0x00007FFF9C4E5000-memory.dmp: 2.0MB
- memory/2856-25-0x00007FFF9C2F0000-0x00007FFF9C4E5000-memory.dmp: 2.0MB
- memory/2856-27-0x00007FFF9C2F0000-0x00007FFF9C4E5000-memory.dmp: 2.0MB
- memory/2856-17-0x00007FFF9C2F0000-0x00007FFF9C4E5000-memory.dmp: 2.0MB
- memory/2856-28-0x00007FFF9C2F0000-0x00007FFF9C4E5000-memory.dmp: 2.0MB
- memory/2856-29-0x00007FFF9C2F0000-0x00007FFF9C4E5000-memory.dmp: 2.0MB
- memory/2856-16-0x00007FFF9C2F0000-0x00007FFF9C4E5000-memory.dmp: 2.0MB
- memory/2856-30-0x00007FFF59C30000-0x00007FFF59C40000-memory.dmp: 64KB
- memory/2856-12-0x00007FFF9C2F0000-0x00007FFF9C4E5000-memory.dmp: 2.0MB
- memory/2856-14-0x00007FFF9C2F0000-0x00007FFF9C4E5000-memory.dmp: 2.0MB
- memory/2856-13-0x00007FFF5C370000-0x00007FFF5C380000-memory.dmp: 64KB
- memory/2856-11-0x00007FFF5C370000-0x00007FFF5C380000-memory.dmp: 64KB
- memory/2856-10-0x00007FFF5C370000-0x00007FFF5C380000-memory.dmp: 64KB
- memory/2856-65-0x00007FFF9C2F0000-0x00007FFF9C4E5000-memory.dmp: 2.0MB
- memory/2856-66-0x00007FFF9C2F0000-0x00007FFF9C4E5000-memory.dmp: 2.0MB
- memory/2856-9-0x00007FFF5C370000-0x00007FFF5C380000-memory.dmp: 64KB
- memory/2856-94-0x00007FFF5C370000-0x00007FFF5C380000-memory.dmp: 64KB
- memory/2856-95-0x00007FFF5C370000-0x00007FFF5C380000-memory.dmp: 64KB
- memory/2856-96-0x00007FFF5C370000-0x00007FFF5C380000-memory.dmp: 64KB
- memory/2856-97-0x00007FFF5C370000-0x00007FFF5C380000-memory.dmp: 64KB
- memory/2856-98-0x00007FFF9C2F0000-0x00007FFF9C4E5000-memory.dmp: 2.0MB
- memory/2856-99-0x00007FFF9C2F0000-0x00007FFF9C4E5000-memory.dmp: 2.0MB