Analysis
-
max time kernel
136s -
max time network
138s -
platform
windows10-2004_x64 -
resource
win10v2004-20231222-en -
resource tags
arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system -
submitted
25-12-2023 16:02
Static task
static1
Behavioral task
behavioral1
Sample
ƽ&ַʥ100Ԫĵ/˵/.res/ProcComm.dll
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
ƽ&ַʥ100Ԫĵ/˵/.res/ProcComm.dll
Resource
win10v2004-20231222-en
Behavioral task
behavioral3
Sample
ƽ&ַʥ100Ԫĵ/˵/.res/wps.scr
Resource
win7-20231215-en
Behavioral task
behavioral4
Sample
ƽ&ַʥ100Ԫĵ/˵/.res/wps.scr
Resource
win10v2004-20231222-en
Behavioral task
behavioral5
Sample
ƽ&ַʥ100Ԫĵ/˵/�.docx
Resource
win7-20231215-en
Behavioral task
behavioral6
Sample
ƽ&ַʥ100Ԫĵ/˵/�.docx
Resource
win10v2004-20231215-en
Behavioral task
behavioral7
Sample
ƽ&ַʥ100Ԫĵ/ƽ��.lnk
Resource
win7-20231129-en
Behavioral task
behavioral8
Sample
ƽ&ַʥ100Ԫĵ/ƽ��.lnk
Resource
win10v2004-20231215-en
General
-
Target
ƽ&ַʥ100Ԫĵ/˵/.res/wps.scr
-
Size
779KB
-
MD5
d8fc52d9042e6bf1cbd7611976c0a534
-
SHA1
14243ddd2b76aa05e800304f2d3b65d9fcbb382e
-
SHA256
9bdac7b0a22a59a5fbab3460c2b05503e248b4a3517b542724d672906861c410
-
SHA512
e15e2944261020fdb47298eb945c1eb935ec116eac67d2326bdf0f2a8ad99a5c681ad050e6a960503789b8272bab8426f2c800a9b95a352a2924c9afd8cd9e3c
-
SSDEEP
12288:A5y7EG88YqzELNGqN27LcsHdYkM2ypXUh97rVDoNpCQW37dwS7ndg:gyIoYq17LcYdYkSK97rp2p3W3Ha
Malware Config
Extracted
cobaltstrike
100000
http://222.186.131.95:39443/api/auth/v1/log
-
access_type
512
-
beacon_type
2048
-
host
222.186.131.95,/api/auth/v1/log
-
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAcAAAAAAAAAAwAAAAIAAAAKU0VTU0lPTklEPQAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAARQ29ubmVjdGlvbjogY2xvc2UAAAAKAAAAJUFjY2VwdC1MYW5ndWFnZTogZW4tR0I7cT0wLjksICo7cT0wLjcAAAAKAAAAGENvbnRlbnQtVHlwZTogdGV4dC9wbGFpbgAAAAcAAAAAAAAAAwAAAAIAAAAJSlNFU1NJT049AAAABgAAAAZDb29raWUAAAAHAAAAAQAAAAMAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_method1
GET
-
http_method2
POST
-
jitter
9984
-
polling_time
18016
-
port_number
39443
-
sc_process32
%windir%\syswow64\runonce.exe
-
sc_process64
%windir%\sysnative\runonce.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCk8TDQPDxrtDGQd+EZF7en9yNcmEcpX9f9OG5xoAdUEd50W7ip+X1tDdewzxxRp3HdfrK0OxB9cI7NBCKXHDdV+bT6cvTx7EJ0LylxrbclEAMSV6IiSGP9x8bq5ydLNO+IuyT/APMdnUhZYRB9OQ7iwt09O+atIh1E+R/cPkSwTwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
1.481970944e+09
-
unknown2
AAAABAAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/api/baidu/auth
-
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36
-
watermark
100000
Signatures
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).