Analysis
max time kernel: 0s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/01/2024, 19:38

Static task: static1

Behavioral task: behavioral1
Sample: ab75f4edb052dbb0ec99f5f8308c8202.exe
Resource: win7-20231215-en

Behavioral task: behavioral2
Sample: ab75f4edb052dbb0ec99f5f8308c8202.exe
Resource: win10v2004-20231215-en
General
Target: ab75f4edb052dbb0ec99f5f8308c8202.exe
Size: 7.1MB
MD5: ab75f4edb052dbb0ec99f5f8308c8202
SHA1: 7f885b74a03bafc5a8349837d140214f75023d78
SHA256: 051243b7e0082007493c576d3b896cbf3eeec3cf9572ee669ee0f4d7dca0570d
SHA512: 6b0fb6c41e396f939d7aac04753b330eb6625f6098178c17ba96ed23d3a3c10b829c5cc4451d4c4acb5ca714672ca75beeeeca8d2af3e59d7ef8595091c2ddf5
SSDEEP: 196608:BAnCVyaEDb+C6OIVnctApt4X/dNT7J8EkuY+IfpzOj8XB01:uCVn6yCZIGSjENXJQBtt+8XBu
Malware Config
Extracted: cobaltstrike
http://8.136.4.131:6666/NsLP
user_agent: User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; BTRS125526)
Signatures
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation
  process: ab75f4edb052dbb0ec99f5f8308c8202.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Processes
C:\Users\Admin\AppData\Local\Temp\ab75f4edb052dbb0ec99f5f8308c8202.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ab75f4edb052dbb0ec99f5f8308c8202.exe"
  PID: 2384
  Signatures: Checks computer location settings
  Child processes:
    C:\Windows\Temp\OTC一键注入.exe
      Command line: "C:\Windows\Temp\OTC一键注入.exe"
      PID: 1104
    C:\Windows\Temp\Direct_Load.exe
      Command line: "C:\Windows\Temp\Direct_Load.exe"
      PID: 3224