Analysis

- max time kernel: 150s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-12-2023 12:39
Behavioral tasks

- behavioral1: sample 1/10月26日最新发布-财会人员薪资补贴所需材料.exe, resource win7-20231129-en
- behavioral2: sample 1/10月26日最新发布-财会人员薪资补贴所需材料.exe, resource win10v2004-20231215-en
- behavioral3: sample 1/2023年10月新发-财会人员薪资补贴调整新政策所需材料.exe, resource win7-20231129-en
- behavioral4: sample 1/2023年10月新发-财会人员薪资补贴调整新政策所需材料.exe, resource win10v2004-20231215-en
- behavioral5: sample 1/AggregatorHost.exe, resource win7-20231129-en
- behavioral6: sample 1/AggregatorHost.exe, resource win10v2004-20231215-en
- behavioral7: sample 1/PO20230225-13360.exe, resource win7-20231215-en
- behavioral8: sample 1/PO20230225-13360.exe, resource win10v2004-20231215-en
- behavioral9: sample 1/TIanagents.exe, resource win7-20231215-en
- behavioral10: sample 1/TIanagents.exe, resource win10v2004-20231215-en
- behavioral11: sample 1/c.exe, resource win7-20231129-en
- behavioral12: sample 1/c.exe, resource win10v2004-20231215-en
- behavioral13: sample 1/loader.exe, resource win7-20231215-en
- behavioral14: sample 1/loader.exe, resource win10v2004-20231215-en
- behavioral15: sample 1/【东莞信易贷平台】企业认证资料无法上传-文件大小不能超过5MB,请重新上传-202310.exe, resource win7-20231129-en
- behavioral16: sample 1/【东莞信易贷平台】企业认证资料无法上传-文件大小不能超过5MB,请重新上传-202310.exe, resource win10v2004-20231215-en
- behavioral17: sample 1/【企业认证资料】企业认证资料包含营业执照原件,身份证等信息等,已��.exe, resource win7-20231215-en
- behavioral18: sample 1/【企业认证资料】企业认证资料包含营业执照原件,身份证等信息等,已��.exe, resource win10v2004-20231215-en
- behavioral19: sample 1/【财务部】关于工资调整通知.exe, resource win7-20231215-en
- behavioral20: sample 1/【财务部】关于工资调整通知.exe, resource win10v2004-20231215-en
- behavioral21: sample 1/内容.exe, resource win7-20231215-en
- behavioral22: sample 1/内容.exe, resource win10v2004-20231215-en
- behavioral23: sample 1/外挂 王者 吃鸡 绝地辅助链接可测试_xf.exe, resource win7-20231215-en
- behavioral24: sample 1/外挂 王者 吃鸡 绝地辅助链接可测试_xf.exe, resource win10v2004-20231215-en
General

- Target: 1/【东莞信易贷平台】企业认证资料无法上传-文件大小不能超过5MB,请重新上传-202310.exe
- Size: 1.2MB
- MD5: ceffa8c757a03596a372f84e733edd16
- SHA1: be9898e4cae87a46ca6a9148d36d6bdcf62bb0bc
- SHA256: 99ee17d3cb68ae7ab2641974c43bf9e78e0dc4ab2bec159fd730abe8386098fd
- SHA512:
67d56d82ddd0783288ed32c21da5c5f248f3341d6b779c31b930e2a0a54e4849e537ab24e6a00d557fabb3f38288adbfb6e7e7a37885ab21082d7c29fc71e569
- SSDEEP:
24576:9iIWFSjg4fvUNP4MNaMmMCsmsqMmMCsA7eXcJB5R1gsVtub8R7IevpU4jKXhdk:qEo3I9PRUFs
Malware Config

Extracted (cobaltstrike)
- C2: http://img.uioqwea.xyz:8443/messages/DALBNSFFT4Q
- user_agent: Accept: text/html,application/*,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Host: img.uioqwea.xyz Referer: http://code.jquery.com/ Accept-Encoding: gzip, deflate User-Agent: Mozilla/6.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/7.0)

Extracted (cobaltstrike)
- 100000
- C2: http://img.uioqwea.xyz:8443/messages/xV5GdE
- access_type: 512
- beacon_type: 2048
- host: img.uioqwea.xyz,/messages/xV5GdE
- http_header1:
- http_header2:
- http_method1: GET
- http_method2: POST
- jitter: 2560
- polling_time: 10000
- port_number: 8443
- sc_process32: %windir%\syswow64\esentutl.exe
- sc_process64: %windir%\sysnative\esentutl.exe
- state_machine:
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCaQGOQzaqqQLDxqfNAdfZu7isKEAhtTHok92MhWQ6haLF6I92+W3zIHm5+FBWaPVxJ+LV5YaSDuXAwGrTKzYDu/MHzXYcuENLyL4dRuFbJBfJwRImaLDke8V2+zhN0vu0ZSNtDIE4xEKf/UzAj6i/Jdh0+Ha72abUlVMBRn37jLwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- unknown1: 3.092976896e+09
- unknown2:
AAAABAAAAAEAAATAAAAAAQAAAAwAAAACAAABlAAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- uri: /messages/96OpFu
- user_agent: Mozilla/6.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/7.0)
- watermark: 100000
Signatures

- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  - cmd.exe: key value queried \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
  - WINWORD.EXE: key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
  - WINWORD.EXE: key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
  - WINWORD.EXE: key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes:
  - WINWORD.EXE: key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS
  - WINWORD.EXE: key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
  - WINWORD.EXE: key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU

- Modifies registry class (1 IoC)
  Processes:
  - cmd.exe: key created \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Local Settings

- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes:
  - WINWORD.EXE (PID 620), 2 occurrences

- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
  - 【东莞信易贷平台】企业认证资料无法上传-文件大小不能超过5MB,请重新上传-202310.exe (PID 2936), 4 occurrences

- Suspicious behavior: RenamesItself (1 IoC)
  Processes:
  - 【东莞信易贷平台】企业认证资料无法上传-文件大小不能超过5MB,请重新上传-202310.exe (PID 2936)

- Suspicious use of AdjustPrivilegeToken (28 IoCs)
  Processes:
  - Explorer.EXE (PID 3596): Token SeShutdownPrivilege and Token SeCreatePagefilePrivilege, alternating, 14 occurrences each

- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes:
  - Explorer.EXE (PID 3596), 2 occurrences

- Suspicious use of SetWindowsHookEx (10 IoCs)
  Processes:
  - WINWORD.EXE (PID 620), 10 occurrences

- Suspicious use of UnmapMainImage (1 IoC)
  Processes:
  - Explorer.EXE (PID 3596)

- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes:
  - PID 2936 (【东莞信易贷平台】企业认证资料无法上传-文件大小不能超过5MB,请重新上传-202310.exe) wrote to memory of PID 2172 (cmd.exe), 2 occurrences
  - PID 2172 (cmd.exe) wrote to memory of PID 620 (WINWORD.EXE), 2 occurrences
  - PID 2936 (【东莞信易贷平台】企业认证资料无法上传-文件大小不能超过5MB,请重新上传-202310.exe) wrote to memory of PID 3596 (Explorer.EXE)
Processes

- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of UnmapMainImage
  - C:\Users\Admin\AppData\Local\Temp\1\【东莞信易贷平台】企业认证资料无法上传-文件大小不能超过5MB,请重新上传-202310.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\1\【东莞信易贷平台】企业认证资料无法上传-文件大小不能超过5MB,请重新上传-202310.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SYSTEM32\cmd.exe
      Command line: cmd /c4218087.doc
      - Checks computer location settings
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
        Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\1\4218087.doc" /o ""
        - Checks processor information in registry
        - Enumerates system info in registry
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious use of SetWindowsHookEx
Downloads

- C:\Users\Admin\AppData\Local\Temp\1\4218087.doc
  - Filesize: 93KB
  - MD5: de72533ed8828182ad05d8e7f694548f
  - SHA1: 06c86de28558b5cb22539a077e94884a97804f6a
  - SHA256: 3ae8dd53d8d97d71900ee8f194e6ce2aeab40b2f01ce01f756098facd249eda2
  - SHA512: ce681b28fd2d3158788399d8c7f81e8b7e31eaceb8885bd4e3209c55b359afd64ef357ffe31c0114aea49ffea2dc7008e6437b863648f54be195edb5fb125c36