Overview (score 10)
Static (score 7)

Tasks (score / sample / platform; sample names are truncated in this tab list, the full names are in the Behavioral task list below):
 7   1/10月26….exe          windows7-x64
 7   1/10月26….exe          windows10-2004-x64
 1   1/2023年1….exe         windows7-x64
 1   1/2023年1….exe         windows10-2004-x64
 7   1/AggregatorHost.exe   windows7-x64
 7   1/AggregatorHost.exe   windows10-2004-x64
 1   1/PO202302…60.exe      windows7-x64
 1   1/PO202302…60.exe      windows10-2004-x64
 1   1/TIanagents.exe       windows7-x64
 1   1/TIanagents.exe       windows10-2004-x64
10   1/c.exe                windows7-x64
10   1/c.exe                windows10-2004-x64
 1   1/loader.exe           windows7-x64
 1   1/loader.exe           windows10-2004-x64
10   1/【东…10.exe          windows7-x64
10   1/【东…10.exe          windows10-2004-x64
10   1/【企….exe            windows7-x64
10   1/【企….exe            windows10-2004-x64
 7   1/【财….exe            windows7-x64
10   1/【财….exe            windows10-2004-x64
 3   1/内容.exe             windows7-x64
 3   1/内容.exe             windows10-2004-x64
 3   1/外挂 …xf.exe         windows7-x64
 3   1/外挂 …xf.exe         windows10-2004-x64

Analysis
max time kernel: 145s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-12-2023 12:39
Behavioral tasks (task: sample, resource; lure titles translated in brackets, file names kept verbatim as IoCs)

behavioral1:  1/10月26日最新发布-财会人员薪资补贴所需材料.exe ["Oct 26 latest release: materials required for the accounting-staff salary subsidy"], win7-20231129-en
behavioral2:  1/10月26日最新发布-财会人员薪资补贴所需材料.exe, win10v2004-20231215-en
behavioral3:  1/2023年10月新发-财会人员薪资补贴调整新政策所需材料.exe ["Newly issued Oct 2023: materials required under the new accounting-staff salary subsidy adjustment policy"], win7-20231129-en
behavioral4:  1/2023年10月新发-财会人员薪资补贴调整新政策所需材料.exe, win10v2004-20231215-en
behavioral5:  1/AggregatorHost.exe, win7-20231129-en
behavioral6:  1/AggregatorHost.exe, win10v2004-20231215-en
behavioral7:  1/PO20230225-13360.exe, win7-20231215-en
behavioral8:  1/PO20230225-13360.exe, win10v2004-20231215-en
behavioral9:  1/TIanagents.exe, win7-20231215-en
behavioral10: 1/TIanagents.exe, win10v2004-20231215-en
behavioral11: 1/c.exe, win7-20231129-en
behavioral12: 1/c.exe, win10v2004-20231215-en
behavioral13: 1/loader.exe, win7-20231215-en
behavioral14: 1/loader.exe, win10v2004-20231215-en
behavioral15: 1/【东莞信易贷平台】企业认证资料无法上传-文件大小不能超过5MB,请重新上传-202310.exe ["[Dongguan Xinyidai platform] Enterprise verification documents failed to upload; file size must not exceed 5MB, please re-upload, 2023-10"], win7-20231129-en
behavioral16: 1/【东莞信易贷平台】企业认证资料无法上传-文件大小不能超过5MB,请重新上传-202310.exe, win10v2004-20231215-en
behavioral17: 1/【企业认证资料】企业认证资料包含营业执照原件,身份证等信息等,已��.exe ["[Enterprise verification documents] The enterprise verification documents include the original business licence, ID card and other information, already…" (name truncated)], win7-20231215-en
behavioral18: 1/【企业认证资料】企业认证资料包含营业执照原件,身份证等信息等,已��.exe, win10v2004-20231215-en
behavioral19: 1/【财务部】关于工资调整通知.exe ["[Finance Department] Notice regarding salary adjustment"], win7-20231215-en
behavioral20: 1/【财务部】关于工资调整通知.exe, win10v2004-20231215-en
behavioral21: 1/内容.exe ["Content"], win7-20231215-en
behavioral22: 1/内容.exe, win10v2004-20231215-en
behavioral23: 1/外挂 王者 吃鸡 绝地辅助链接可测试_xf.exe ["Cheats for Honor of Kings / PUBG / Battlegrounds, helper link can be tested_xf"], win7-20231215-en
behavioral24: 1/外挂 王者 吃鸡 绝地辅助链接可测试_xf.exe, win10v2004-20231215-en
General
Target: 1/【财务部】关于工资调整通知.exe ["[Finance Department] Notice regarding salary adjustment"]
Size: 1.4MB
MD5: a6d9c8a9b440e3479dd3590d9bcde94f
SHA1: 7a114ee63b4ce4bff0960cdd880155cb46579bde
SHA256: 781a0adab936e9735b324e86cdfac0998c2411ee6e9830841c203510d487a850
SHA512: bcecb32072c263411be1e0852d92b5d9b43da11a849d980f19763a62d5e8e80e661131c99b4e607c56c7910a5a7e4de3deba31ed0044f47dac123aa9e2ff3f7f
SSDEEP: 24576:OxY2ohZF25g1IrDSwYVYLncnEDBm8I/owIyPeNcI4rFq:OxY2225onnVLnEIp/UN
Malware Config
Extracted: cobaltstrike
watermark: 0
Signatures

Cobaltstrike
Detected a malicious payload which is part of Cobalt Strike.

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation  (process: 【财务部】关于工资调整通知.exe)

Executes dropped EXE (1 IoC)
  pid 2952  baiDun.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments. Note that all three reads here come from WINWORD.EXE, which routinely queries these keys, so on their own they say little about the sample; the read that matters is the Geo\Nation lookup by the dropper itself.
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  (WINWORD.EXE)
  Key opened:        \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0  (WINWORD.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  (WINWORD.EXE)

Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key opened:        \REGISTRY\MACHINE\Hardware\Description\System\BIOS  (WINWORD.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  (WINWORD.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU  (WINWORD.EXE)

Modifies registry class (1 IoC)
  Key created: \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Local Settings  (【财务部】关于工资调整通知.exe)

Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  pid 3460  WINWORD.EXE  (2 hits)

Suspicious use of SetWindowsHookEx (11 IoCs)
  pid 2952  baiDun.exe   (2 hits)
  pid 3460  WINWORD.EXE  (9 hits)

Suspicious use of WriteProcessMemory (6 IoCs)
  PID 2920 (【财务部】关于工资调整通知.exe) wrote to memory of 2952 (baiDun.exe)   (2 hits)
  PID 2920 (【财务部】关于工资调整通知.exe) wrote to memory of 3460 (WINWORD.EXE)  (2 hits)
  PID 2920 (【财务部】关于工资调整通知.exe) wrote to memory of 2144 (cmd.exe)      (2 hits)
Every target here is a direct child the dropper itself created, which is consistent with ordinary process creation rather than injection into a pre-existing process; the signature is still useful because it names the dropper's three children in one place.
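The geofence and fingerprinting signatures above are registry reads, which a sensor such as Sysmon (event IDs 12 and 13) records together with the image and the key. The Python below is an added example, not part of this report or of any tool it names: it classifies constructed registry events modelled on the IoCs above (pids 2920 and 3460, plus one hypothetical BIOS read by baiDun.exe that the report does not show), flagging the Geo\Nation lookup by the dropper as the geofence signal and demoting the CPU/BIOS reads made by an allowlisted process such as WINWORD.EXE. The GeoID value 244, the GeoID table and the allowlist are assumptions; the report does not give the value the sample read.

```python
"""Classify registry reads from a sandbox/EDR trace (added example, not part of the report).

The RegEvent records below are constructed from the report's IoCs; the GeoID
value, the GeoID table and the process allowlist are assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Windows GeoID values stored under Control Panel\International\Geo\Nation
# (partial table, enough to turn the raw number into a country label).
GEOID_TO_COUNTRY = {244: "US", 45: "CN", 203: "RU", 242: "GB", 122: "JP", 94: "DE"}

GEO_NATION = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
HW_FINGERPRINT = re.compile(
    r"\\HARDWARE\\DESCRIPTION\\System\\(?:CentralProcessor\\0|BIOS)(?:\\|$)", re.I)

# Processes for which CPU/BIOS reads are routine (assumed allowlist).
HW_READ_ALLOWLIST = {"winword.exe", "excel.exe", "explorer.exe", "svchost.exe"}


@dataclass
class RegEvent:
    pid: int
    image: str
    key: str
    value: Optional[int] = None  # numeric data returned, when the sensor logs it


def process_name(image: str) -> str:
    """Basename of an image path, tolerant of '/' and the NT '\\??\\' prefix."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: RegEvent) -> Optional[Tuple[str, str]]:
    """Return (severity, message) for one registry event, or None if uninteresting."""
    name = process_name(ev.image)
    if GEO_NATION.search(ev.key):
        # The geofence signal is *which process* reads the configured nation;
        # the value only tells you who the operator is targeting.
        country = GEOID_TO_COUNTRY.get(ev.value, "unknown") if ev.value is not None else "n/a"
        return ("high", f"{name} (pid {ev.pid}) read Geo\\Nation = {ev.value} ({country}); likely geofence")
    if HW_FINGERPRINT.search(ev.key):
        if name in HW_READ_ALLOWLIST:
            return ("info", f"{name} (pid {ev.pid}) read {ev.key}; routine for this process")
        return ("medium", f"{name} (pid {ev.pid}) read {ev.key}; possible sandbox fingerprinting")
    return None


def triage(events: List[RegEvent]) -> List[Tuple[str, str]]:
    """Classify every event and order the findings by severity (stable within a level)."""
    rank = {"high": 0, "medium": 1, "info": 2}
    found = [f for f in (classify(e) for e in events) if f is not None]
    return sorted(found, key=lambda f: rank[f[0]])


# Constructed events mirroring the report's IoCs; the last one is hypothetical.
SAMPLE_EVENTS = [
    RegEvent(2920, r"C:\Users\Admin\AppData\Local\Temp\1\【财务部】关于工资调整通知.exe",
             r"\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation",
             244),  # assumed value
    RegEvent(3460, r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE",
             r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString"),
    RegEvent(3460, r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE",
             r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU"),
    RegEvent(2952, r"\??\c:\programdata\baiDun.exe",
             r"\REGISTRY\MACHINE\Hardware\Description\System\BIOS"),  # hypothetical, not in the report
]

if __name__ == "__main__":
    for sev, msg in triage(SAMPLE_EVENTS):
        print(f"[{sev}] {msg}")
```

The allowlist is the whole point: the same key read by the dropped payload and by Word means different things, and a rule that scores on the key alone will be drowned in Office noise.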
Processes

1  C:\Users\Admin\AppData\Local\Temp\1\【财务部】关于工资调整通知.exe  (pid 2920)
   cmdline: "C:\Users\Admin\AppData\Local\Temp\1\【财务部】关于工资调整通知.exe"
   - Checks computer location settings
   - Modifies registry class
   - Suspicious use of WriteProcessMemory

   2  \??\c:\programdata\baiDun.exe  (pid 2952)
      cmdline: c:/programdata/baiDun.exe
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx

   2  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE  (pid 3460)
      cmdline: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\1\附件.docx" /o ""
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of SetWindowsHookEx

   2  C:\Windows\system32\cmd.exe  (pid 2144)
      cmdline: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\1\08FD~1.EXE >> NUL

Read together: the dropper writes baiDun.exe to C:\ProgramData and runs it, opens the decoy 附件.docx ("Attachment.docx") in Word so the victim sees a document, and then uses cmd.exe to delete a file in its own directory referenced by an 8.3 short name (08FD~1.EXE), most likely the dropper itself; the short name is what Windows generates for a long non-ASCII file name and it keeps the real name out of the command line.
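The process tree above is the whole dropper story in four lines: a payload dropped to C:\ProgramData and executed, a decoy document opened in Word, and cleanup through cmd.exe. The Python below is an added example, not part of this report; it encodes those three patterns as checks over process records constructed from the tree (pids 2920, 2952, 3460 and 2144 with the command lines as shown, and an assumed parent pid 1 for the root). The report does not say which long file name the 8.3 short name 08FD~1.EXE resolves to, so the cleanup check keys on the directory and the short-name marker rather than on the dropper's name.

```python
"""Triage checks over a process tree (added example, not part of the report).

The Proc records are constructed from the tree shown above; the root's parent
pid and the directory heuristics are assumptions.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# "del [/f /q] <target>" inside a cmd.exe command line; the target ends at
# whitespace, a quote or a redirection.
DEL_CMD = re.compile(r'\bdel\s+(?:/[a-z]\s+)*"?([^"\s>]+)', re.I)
# Quoted document argument handed to an Office binary.
DOC_ARG = re.compile(r'"([^"]+\.(?:docx?|xlsx?|pptx?|rtf))"', re.I)


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


def norm(path: str) -> str:
    """Lower-case, unify slashes and drop the NT '\\??\\' prefix seen in the tree."""
    p = path.replace("/", "\\").lower()
    return p[4:] if p.startswith("\\??\\") else p


def findings(procs: List[Proc]) -> List[Tuple[str, str]]:
    by_pid: Dict[int, Proc] = {p.pid: p for p in procs}
    out: List[Tuple[str, str]] = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        if parent is None:
            continue  # root of the tree, nothing to compare against
        name = ntpath.basename(norm(p.image))
        parent_dir = ntpath.dirname(norm(parent.image))

        # 1. cmd.exe deleting a file that lives beside its parent: the classic
        #    "del <self>" cleanup, here hidden behind an 8.3 short name.
        if name == "cmd.exe":
            m = DEL_CMD.search(p.cmdline)
            if m and ntpath.dirname(norm(m.group(1))) == parent_dir:
                short = "~" in ntpath.basename(m.group(1))
                out.append(("self_delete",
                            f"pid {p.pid} deletes {m.group(1)} from the dropper's directory"
                            + (" (8.3 short name)" if short else "")))

        # 2. Office launched by a non-Office parent on a document in the parent's
        #    own directory: the decoy the victim is meant to look at.
        if name in OFFICE_APPS and ntpath.basename(norm(parent.image)) not in OFFICE_APPS:
            for doc in DOC_ARG.findall(p.cmdline):
                if ntpath.dirname(norm(doc)) == parent_dir:
                    out.append(("decoy_document", f"pid {p.pid} opens {doc} beside the dropper"))

        # 3. Child running from ProgramData while the parent runs from a user temp dir.
        child_dir = ntpath.dirname(norm(p.image))
        if child_dir.startswith("c:\\programdata") and "\\temp\\" in parent_dir + "\\":
            out.append(("dropped_exe",
                        f"pid {p.pid} ({name}) runs from {child_dir}, spawned by pid {parent.pid}"))
    return out


# Constructed from the process tree above (ppid 1 for the root is assumed).
SAMPLE_TREE = [
    Proc(2920, 1, r"C:\Users\Admin\AppData\Local\Temp\1\【财务部】关于工资调整通知.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\1\【财务部】关于工资调整通知.exe"'),
    Proc(2952, 2920, r"\??\c:\programdata\baiDun.exe", "c:/programdata/baiDun.exe"),
    Proc(3460, 2920, r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE",
         r'"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\1\附件.docx" /o ""'),
    Proc(2144, 2920, r"C:\Windows\system32\cmd.exe",
         r'"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\1\08FD~1.EXE >> NUL'),
]

if __name__ == "__main__":
    for kind, msg in findings(SAMPLE_TREE):
        print(f"{kind}: {msg}")
```

Each check compares the child against its parent rather than matching on a fixed path, so the same logic fires when the dropper lands in Downloads instead of Temp or when the payload name is not baiDun.exe.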
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Users\Admin\AppData\Local\Temp\1\附件.docx  (decoy document, "Attachment.docx")
  Filesize: 9KB
  MD5: 53b4b1af878da3dd53be95ff68fa8f05
  SHA1: 60f5c3be5a2f99f594015a39925a71142a0fe358
  SHA256: 66999ec379c661a681aeaa18a4aabfc2b6cb221e5948dca9960eda48c224122c
  SHA512: 4ee43a43d16630ae620d4cbf4b547906c16345cf18d094e4aae772067a5d5ceab640990b2582adbf0c4f554a58e7d9f18f3b905a3a27e0fc0c492aa287d0c153

\??\c:\programdata\baiDun.exe  (dropped payload)
  Filesize: 829KB
  MD5: 3823006c7e1f815b2e36a49b969a4a52
  SHA1: 3b137ae62df91c1489dd3f631f97bd31803f649a
  SHA256: 2a24baed4f0d411d3b51d1b5fde4d6f81fbc222e04b697aa8ebfc5b736eda84a
  SHA512: a917c5107607983fe3ac9fe4aaf1027b53a832a2d27175be8d82de1773f3b35c92d79c58151969746e698f3746b9d6b9cda352fc6af1b6cb38e3329963735079
Memory dumps (grouped by region; the number in braces is the dump index in the file name)

memory/2952-{5,46}-0x00000232BA190000-0x00000232BA290000-memory.dmp   1024KB
memory/2952-{6,47}-0x00000232BA290000-0x00000232BA2DE000-memory.dmp   312KB
memory/3460-{14,16,17,18,19,20,22,23,25,26,27,28,29,30,31,32,34,48,49,74,75,76}-0x00007FFA972F0000-0x00007FFA974E5000-memory.dmp   2.0MB
memory/3460-{10,11,12,13,15,70,71,72,73}-0x00007FFA57370000-0x00007FFA57380000-memory.dmp   64KB
memory/3460-{21,24}-0x00007FFA55020000-0x00007FFA55030000-memory.dmp   64KB

The two pid 2952 regions are non-image memory inside baiDun.exe (the dropped payload) and are the natural place to look for the Cobalt Strike beacon and its configuration; the pid 3460 regions sit in the 0x7FFA... range where WINWORD.EXE loads its modules and are unlikely to hold anything from the sample.