General
-
Target
12X.rar
-
Size
23.1MB
-
Sample
231122-rbb9psch45
-
MD5
d883906ad103ded4eab29bece4111c64
-
SHA1
d228d0709c536cc8dabab7cf5d6e01cb9d0bca82
-
SHA256
e9ece01a6eca9300135fb86e026d112f3a225ab7f7dc7ee3b84db5a7a09c6255
-
SHA512
aaeb82e3e1b2f7f79b0fc13440f496b3818f0f31acc3a2f693917fed0bc04cdf6898ce21927c9a4f6c06652b48d3efb08fe36b1497546581ace4afbc3fa54562
-
SSDEEP
393216:GtYt+BV9pUEGE8ginrE3uLygYL8G9cKK5R54BSMt0eN5J5xqlic1ejtoaAOg8TU3:GtYYwW8giI+eF9qR5US2J5xVcAt6cUv/
Malware Config
Extracted
cobaltstrike
0
-
watermark
0
Extracted
cobaltstrike
1234567890
http://static.appnews.proxy.baidu.com.cn.cdn.dnsv1.com:443/dequeue/discovery/HR72BBMIJ
-
access_type
512
-
beacon_type
2048
-
host
static.appnews.proxy.baidu.com.cn.cdn.dnsv1.com,/dequeue/discovery/HR72BBMIJ
-
http_header1
AAAACgAAAEBBY2NlcHQ6IGFwcGxpY2F0aW9uL3htbCwgYXBwbGljYXRpb24veGh0bWwreG1sLCBhcHBsaWNhdGlvbi9qc29uAAAACgAAABNBY2NlcHQtTGFuZ3VhZ2U6IGFmAAAACgAAABxBY2NlcHQtRW5jb2Rpbmc6ICosIGNvbXByZXNzAAAABwAAAAAAAAAPAAAADQAAAAIAAAArc2VjdXJlX2lkX0VaUlBaM0VMOTVQMjEzRVdUWVNNWlRFMzFQVDg2TFlIPQAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_header2
AAAACgAAADJBY2NlcHQ6IGltYWdlLyosIGFwcGxpY2F0aW9uL2pzb24sIGFwcGxpY2F0aW9uL3htbAAAAAoAAAAWQWNjZXB0LUxhbmd1YWdlOiBlbi1nYgAAAAoAAAAdQWNjZXB0LUVuY29kaW5nOiBiciwgY29tcHJlc3MAAAAHAAAAAAAAAA8AAAANAAAABQAAAAlfQ0FLTlJIUksAAAAHAAAAAQAAAA8AAAANAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_method1
GET
-
http_method2
POST
-
jitter
12032
-
polling_time
20000
-
port_number
443
-
sc_process32
%windir%\syswow64\wbem\wmiprvse.exe -Embedding
-
sc_process64
%windir%\sysnative\wbem\wmiprvse.exe -Embedding
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCdG2DPoB+1FGEpDDqMHM61I+Dpkj9J+NB57NbOQrArKNt5BMcH0x7U3ReHhqtHEkoErSvcVoosGSfWqNNcRr/cGpU46yoBcypBWzVYC17QfajlsxiyAHY2kxZDj8BcljyKXfIQN1DTDv43u4f16x/rh+nmQwnP2zPYmUroTsO+lwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
8.72947712e+08
-
unknown2
AAAABAAAAAEAAASeAAAAAgAAA44AAAAIAAAADwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/Derive/_vti_log/HRLUY8CQ62CE
-
user_agent
Mozilla/5.0 (Windows NT 5.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36
-
watermark
1234567890
Targets
-
-
Target
[sus]MicrosoftOffice.exe.vir
-
Size
3.9MB
-
MD5
ada5630f85ca2226d5335e81f4d3f976
-
SHA1
378f136d0453a34280b8df29cf5d5246d91dc271
-
SHA256
cb423b98e439f5dbf05f1caeb00700724b32137006422be1a4d893da5ae07224
-
SHA512
24c73592abdd9600bf79649199dcb50adc02cbbfd709d3bda20c435480f8ff5be5872c4d0e1afb67c43abc52f30509748b60cc019205c1c40340954f59658125
-
SSDEEP
98304:2UvUNvbkNtNBs7rXwa7E0RPVF+2vbLhg1tuaK929veSURdzD2cFJz5:2UYvbkfNBs7WevR2cFJz5
Score10/10-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
-
-
Target
mal.exe.vir
-
Size
749KB
-
MD5
c56344077a831944c8af79be448c687c
-
SHA1
bbebd8e987007a6f69b00cef76db759276fde555
-
SHA256
e52ab8300f63f4267db1d512b6900999debede4c275cfec023a7ff2270d61dac
-
SHA512
bbb383d777e9d8775108d62094f244c30818cb4c9826809c5fbbf99892108b67a1ec12068ae3e92ce8ca81da0a51758d384f1f5f3f6e95d810d1512a9d78cebb
-
SSDEEP
6144:sZY2J9yM8RQtfzMmqyjRY2J9yM8RQtvzfTqyjM97:S9yMiY7Rpn9yMiYrLpe7
Score8/10-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Creates a large amount of network flows
This may indicate a network scan to discover remotely running services.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
-
-
Target
æ·˜å®é‡‡é›†ä¸‹å•VV28.exe.vir
-
Size
21.7MB
-
MD5
47664c6f22ecc22438161899f4bae933
-
SHA1
1cf558bbd8d8ff548391ee03606b1ce682580e30
-
SHA256
f5fb6410aa2151ceac5d1d9b70eb92e10f566d9a679fef0d420d8a656eb3c8f9
-
SHA512
5488a619a4b07e8423ab2381adb88a8bd657a9caf97c9a416a462890400ff601300ece8cff4a7b6c93fc58939a89b59de47acb987bb08058a892161da75fb8ec
-
SSDEEP
393216:O2ukHuBmX3Ek3RqUp9UBLu4GpD1rGpxO+bIo3xtptmVfwU40hKg+cuTBaUpFMUN:3uauAX393vUBS4G/GvOitptkfeyKg+FR
Score7/10-
Loads dropped DLL
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Modify Registry
4Subvert Trust Controls
2Install Root Certificate
2