Overview
overview
10Static
static
71/10月26�...��.exe
windows7-x64
71/10月26�...��.exe
windows10-2004-x64
71/2023年1...��.exe
windows7-x64
11/2023年1...��.exe
windows10-2004-x64
11/AggregatorHost.exe
windows7-x64
71/AggregatorHost.exe
windows10-2004-x64
71/PO202302...60.exe
windows7-x64
11/PO202302...60.exe
windows10-2004-x64
11/TIanagents.exe
windows7-x64
11/TIanagents.exe
windows10-2004-x64
11/c.exe
windows7-x64
101/c.exe
windows10-2004-x64
101/loader.exe
windows7-x64
11/loader.exe
windows10-2004-x64
11/【东�...10.exe
windows7-x64
101/【东�...10.exe
windows10-2004-x64
101/【企�...��.exe
windows7-x64
101/【企�...��.exe
windows10-2004-x64
101/【财�...��.exe
windows7-x64
71/【财�...��.exe
windows10-2004-x64
101/内容.exe
windows7-x64
31/内容.exe
windows10-2004-x64
31/外挂 �...xf.exe
windows7-x64
31/外挂 �...xf.exe
windows10-2004-x64
3Analysis
-
max time kernel
144s -
max time network
145s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
20-12-2023 12:39
Behavioral task
behavioral1
Sample
1/10月26日最新发布-财会人员薪资补贴所需材料.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
1/10月26日最新发布-财会人员薪资补贴所需材料.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral3
Sample
1/2023年10月新发-财会人员薪资补贴调整新政策所需材料.exe
Resource
win7-20231129-en
Behavioral task
behavioral4
Sample
1/2023年10月新发-财会人员薪资补贴调整新政策所需材料.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral5
Sample
1/AggregatorHost.exe
Resource
win7-20231129-en
Behavioral task
behavioral6
Sample
1/AggregatorHost.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral7
Sample
1/PO20230225-13360.exe
Resource
win7-20231215-en
Behavioral task
behavioral8
Sample
1/PO20230225-13360.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral9
Sample
1/TIanagents.exe
Resource
win7-20231215-en
Behavioral task
behavioral10
Sample
1/TIanagents.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral11
Sample
1/c.exe
Resource
win7-20231129-en
Behavioral task
behavioral12
Sample
1/c.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral13
Sample
1/loader.exe
Resource
win7-20231215-en
Behavioral task
behavioral14
Sample
1/loader.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral15
Sample
1/【东莞信易贷平台】企业认证资料无法上传-文件大小不能超过5MB,请重新上传-202310.exe
Resource
win7-20231129-en
Behavioral task
behavioral16
Sample
1/【东莞信易贷平台】企业认证资料无法上传-文件大小不能超过5MB,请重新上传-202310.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral17
Sample
1/【企业认证资料】企业认证资料包含营业执照原件,身份证等信息等,已��.exe
Resource
win7-20231215-en
Behavioral task
behavioral18
Sample
1/【企业认证资料】企业认证资料包含营业执照原件,身份证等信息等,已��.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral19
Sample
1/【财务部】关于工资调整通知.exe
Resource
win7-20231215-en
Behavioral task
behavioral20
Sample
1/【财务部】关于工资调整通知.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral21
Sample
1/内容.exe
Resource
win7-20231215-en
Behavioral task
behavioral22
Sample
1/内容.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral23
Sample
1/外挂 王者 吃鸡 绝地辅助链接可测试_xf.exe
Resource
win7-20231215-en
Behavioral task
behavioral24
Sample
1/外挂 王者 吃鸡 绝地辅助链接可测试_xf.exe
Resource
win10v2004-20231215-en
General
-
Target
1/【东莞信易贷平台】企业认证资料无法上传-文件大小不能超过5MB,请重新上传-202310.exe
-
Size
1.2MB
-
MD5
ceffa8c757a03596a372f84e733edd16
-
SHA1
be9898e4cae87a46ca6a9148d36d6bdcf62bb0bc
-
SHA256
99ee17d3cb68ae7ab2641974c43bf9e78e0dc4ab2bec159fd730abe8386098fd
-
SHA512
67d56d82ddd0783288ed32c21da5c5f248f3341d6b779c31b930e2a0a54e4849e537ab24e6a00d557fabb3f38288adbfb6e7e7a37885ab21082d7c29fc71e569
-
SSDEEP
24576:9iIWFSjg4fvUNP4MNaMmMCsmsqMmMCsA7eXcJB5R1gsVtub8R7IevpU4jKXhdk:qEo3I9PRUFs
Malware Config
Extracted
cobaltstrike
http://img.uioqwea.xyz:8443/messages/DALBNSFFT4Q
-
user_agent
Accept: text/html,application/*,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Host: img.uioqwea.xyz Referer: http://code.jquery.com/ Accept-Encoding: gzip, deflate User-Agent: Mozilla/6.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/7.0)
Extracted
cobaltstrike
100000
http://img.uioqwea.xyz:8443/messages/xV5GdE
-
access_type
512
-
beacon_type
2048
-
host
img.uioqwea.xyz,/messages/xV5GdE
-
http_header1
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAcAAAAAAAAAAwAAAAIAAAAKU0VTU0lPTklEPQAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_header2
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAcAAAAAAAAAAwAAAAIAAAAJSlNFU1NJT049AAAABgAAAAZDb29raWUAAAAHAAAAAQAAAAMAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_method1
GET
-
http_method2
POST
-
jitter
2560
-
polling_time
10000
-
port_number
8443
-
sc_process32
%windir%\syswow64\esentutl.exe
-
sc_process64
%windir%\sysnative\esentutl.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCaQGOQzaqqQLDxqfNAdfZu7isKEAhtTHok92MhWQ6haLF6I92+W3zIHm5+FBWaPVxJ+LV5YaSDuXAwGrTKzYDu/MHzXYcuENLyL4dRuFbJBfJwRImaLDke8V2+zhN0vu0ZSNtDIE4xEKf/UzAj6i/Jdh0+Ha72abUlVMBRn37jLwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
3.092976896e+09
-
unknown2
AAAABAAAAAEAAATAAAAAAQAAAAwAAAACAAABlAAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/messages/96OpFu
-
user_agent
Mozilla/6.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/7.0)
-
watermark
100000
Signatures
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Processes:
WINWORD.EXEdescription ioc process Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 2604 WINWORD.EXE -
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
Processes:
WINWORD.EXEpid process 2604 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
【东莞信易贷平台】企业认证资料无法上传-文件大小不能超过5MB,请重新上传-202310.exepid process 2540 【东莞信易贷平台】企业认证资料无法上传-文件大小不能超过5MB,请重新上传-202310.exe 2540 【东莞信易贷平台】企业认证资料无法上传-文件大小不能超过5MB,请重新上传-202310.exe -
Suspicious behavior: RenamesItself 1 IoCs
Processes:
【东莞信易贷平台】企业认证资料无法上传-文件大小不能超过5MB,请重新上传-202310.exepid process 2540 【东莞信易贷平台】企业认证资料无法上传-文件大小不能超过5MB,请重新上传-202310.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
Explorer.EXEdescription pid process Token: SeShutdownPrivilege 1252 Explorer.EXE Token: SeShutdownPrivilege 1252 Explorer.EXE Token: SeShutdownPrivilege 1252 Explorer.EXE Token: SeShutdownPrivilege 1252 Explorer.EXE Token: SeShutdownPrivilege 1252 Explorer.EXE Token: SeShutdownPrivilege 1252 Explorer.EXE -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
Explorer.EXEpid process 1252 Explorer.EXE 1252 Explorer.EXE -
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
Explorer.EXEpid process 1252 Explorer.EXE 1252 Explorer.EXE -
Suspicious use of SetWindowsHookEx 6 IoCs
Processes:
WINWORD.EXEpid process 2604 WINWORD.EXE 2604 WINWORD.EXE 2604 WINWORD.EXE 2604 WINWORD.EXE 2604 WINWORD.EXE 2604 WINWORD.EXE -
Suspicious use of UnmapMainImage 1 IoCs
Processes:
Explorer.EXEpid process 1252 Explorer.EXE -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
【东莞信易贷平台】企业认证资料无法上传-文件大小不能超过5MB,请重新上传-202310.execmd.exedescription pid process target process PID 2540 wrote to memory of 2904 2540 【东莞信易贷平台】企业认证资料无法上传-文件大小不能超过5MB,请重新上传-202310.exe cmd.exe PID 2540 wrote to memory of 2904 2540 【东莞信易贷平台】企业认证资料无法上传-文件大小不能超过5MB,请重新上传-202310.exe cmd.exe PID 2540 wrote to memory of 2904 2540 【东莞信易贷平台】企业认证资料无法上传-文件大小不能超过5MB,请重新上传-202310.exe cmd.exe PID 2540 wrote to memory of 1252 2540 【东莞信易贷平台】企业认证资料无法上传-文件大小不能超过5MB,请重新上传-202310.exe Explorer.EXE PID 2904 wrote to memory of 2604 2904 cmd.exe WINWORD.EXE PID 2904 wrote to memory of 2604 2904 cmd.exe WINWORD.EXE PID 2904 wrote to memory of 2604 2904 cmd.exe WINWORD.EXE PID 2904 wrote to memory of 2604 2904 cmd.exe WINWORD.EXE
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of UnmapMainImage
-
C:\Users\Admin\AppData\Local\Temp\1\【东莞信易贷平台】企业认证资料无法上传-文件大小不能超过5MB,请重新上传-202310.exe"C:\Users\Admin\AppData\Local\Temp\1\【东莞信易贷平台】企业认证资料无法上传-文件大小不能超过5MB,请重新上传-202310.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /c4218087.doc3⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\1\4218087.doc"4⤵
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\1\4218087.docFilesize
93KB
MD5de72533ed8828182ad05d8e7f694548f
SHA106c86de28558b5cb22539a077e94884a97804f6a
SHA2563ae8dd53d8d97d71900ee8f194e6ce2aeab40b2f01ce01f756098facd249eda2
SHA512ce681b28fd2d3158788399d8c7f81e8b7e31eaceb8885bd4e3209c55b359afd64ef357ffe31c0114aea49ffea2dc7008e6437b863648f54be195edb5fb125c36
-
memory/1252-18-0x0000000002DC0000-0x0000000002DC1000-memory.dmpFilesize
4KB
-
memory/1252-46-0x00000000040E0000-0x0000000004141000-memory.dmpFilesize
388KB
-
memory/1252-47-0x000000006FFA0000-0x0000000071180000-memory.dmpFilesize
17.9MB
-
memory/1252-49-0x000000006FFA0000-0x0000000071180000-memory.dmpFilesize
17.9MB
-
memory/2604-27-0x000000002F151000-0x000000002F152000-memory.dmpFilesize
4KB
-
memory/2604-28-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/2604-29-0x0000000070F8D000-0x0000000070F98000-memory.dmpFilesize
44KB
-
memory/2604-48-0x0000000070F8D000-0x0000000070F98000-memory.dmpFilesize
44KB