Analysis
- max time kernel: 136s
- max time network: 145s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 06/03/2024, 04:19
Static task: static1
Behavioral task: behavioral1
- Sample: b67d52bf30515f2537b0a3a076ee60dd.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: b67d52bf30515f2537b0a3a076ee60dd.exe
- Resource: win10v2004-20240226-en
General
- Target: b67d52bf30515f2537b0a3a076ee60dd.exe
- Size: 2.0MB
- MD5: b67d52bf30515f2537b0a3a076ee60dd
- SHA1: b1c9f57fc7f1ff921a54e0924a1d7bd9c1edb68b
- SHA256: 6bbabed7b0f11e304b0cb97013c9095d51fa330aee3a966b5626088e92a0dfeb
- SHA512: 8a4b887fe795231f2dd9fd3150cd098f375c7f0d83536ff06268036208ce8be6ee72a2fda8a1b6db81ad7b79c59b96d53bc89710f1f04d4d90df9adcdd8b994a
- SSDEEP: 24576:8vD/8Oxqy4G3a1/0RtrlrAmTOflhrXOqOUrD2xxD1vJPX:8jyyZ3a1/0RtrlrAbtVKhxD1hPX
Malware Config
Extracted: cobaltstrike
- http://47.100.48.157:8787/jquery-3.3.2.slim.min.js
- user_agent: Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Referer: http://code.jquery.com/ Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
Signatures
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 2240 wrote to memory of 1100 | 2240 | b67d52bf30515f2537b0a3a076ee60dd.exe | 28
  PID 2240 wrote to memory of 1100 | 2240 | b67d52bf30515f2537b0a3a076ee60dd.exe | 28
  PID 2240 wrote to memory of 1100 | 2240 | b67d52bf30515f2537b0a3a076ee60dd.exe | 28
  PID 1100 wrote to memory of 2644 | 1100 | cmd.exe | 30
  PID 1100 wrote to memory of 2644 | 1100 | cmd.exe | 30
  PID 1100 wrote to memory of 2644 | 1100 | cmd.exe | 30
Processes
- C:\Users\Admin\AppData\Local\Temp\b67d52bf30515f2537b0a3a076ee60dd.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b67d52bf30515f2537b0a3a076ee60dd.exe"
  Suspicious use of WriteProcessMemory
  PID: 2240
  - C:\Windows\System32\cmd.exe (depth 2)
    Command line: C:\Windows\System32\cmd.exe /c "start 7月网格自主发展情况通报0725.txt"
    Suspicious use of WriteProcessMemory
    PID: 1100
    - C:\Windows\system32\NOTEPAD.EXE (depth 3)
      Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7月网格自主发展情况通报0725.txt
      PID: 2644
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 442B
  MD5: 2d0cd72ef9e2bbb91af9aa3e2a269fa6
  SHA1: 8537cef926f6af02f5cebf470fd5629b9314c24f
  SHA256: cd83d993a216b269a62c3678394b8500162c259a35d36b4000ea165028080c43
  SHA512: 3e5f610e841312524a248508fc1c8b4b0bf205367132831f6983bff178002fa63defa1ec9777633f588be2369a647d9ee81a537016f733224608e40951279d6e