Analysis

  • max time kernel
    151s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06/03/2024, 04:19

General

  • Target

    b67d52bf30515f2537b0a3a076ee60dd.exe

  • Size

    2.0MB

  • MD5

    b67d52bf30515f2537b0a3a076ee60dd

  • SHA1

    b1c9f57fc7f1ff921a54e0924a1d7bd9c1edb68b

  • SHA256

    6bbabed7b0f11e304b0cb97013c9095d51fa330aee3a966b5626088e92a0dfeb

  • SHA512

    8a4b887fe795231f2dd9fd3150cd098f375c7f0d83536ff06268036208ce8be6ee72a2fda8a1b6db81ad7b79c59b96d53bc89710f1f04d4d90df9adcdd8b994a

  • SSDEEP

    24576:8vD/8Oxqy4G3a1/0RtrlrAmTOflhrXOqOUrD2xxD1vJPX:8jyyZ3a1/0RtrlrAbtVKhxD1hPX

Malware Config

Extracted

Family

cobaltstrike

C2

http://47.100.48.157:8787/jquery-3.3.2.slim.min.js

Attributes
  • user_agent

    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Referer: http://code.jquery.com/
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
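
The extracted beacon profile disguises check-ins as a jQuery download: the URI names a jQuery file and the Referer claims code.jquery.com, but the request goes to a bare IP on a non-standard port. The following is an added example, not part of the sandbox report, of turning that into a proxy-log check. The log layout (timestamp, client, method, URL, quoted User-Agent, quoted Referer) and the sample lines are constructed for the example; the indicator values are the ones extracted above. The third sample line uses a different host and jQuery version to show that the Host/Referer mismatch rule generalizes beyond the exact C2 URL.

```python
"""Added example (not from the sandbox report): match proxy-log lines against the
Cobalt Strike HTTP profile extracted above."""
import re
from urllib.parse import urlsplit

# Indicators copied from the report's Malware Config section.
C2_URL = "http://47.100.48.157:8787/jquery-3.3.2.slim.min.js"
C2_USER_AGENT = "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"
C2_REFERER = "http://code.jquery.com/"

# Constructed sample log. Assumed layout: timestamp client method url "user-agent" "referer".
# Line 1 is the beacon as captured; line 2 is a legitimate jQuery fetch embedded in a web
# page; line 3 is a hypothetical second beacon with a different host and jQuery version.
SAMPLE_LOG = """\
2024-03-06T04:20:01Z 10.0.0.15 GET http://47.100.48.157:8787/jquery-3.3.2.slim.min.js "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko" "http://code.jquery.com/"
2024-03-06T04:20:02Z 10.0.0.22 GET https://code.jquery.com/jquery-3.3.1.slim.min.js "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/122.0 Safari/537.36" "https://www.example.org/"
2024-03-06T04:20:03Z 10.0.0.15 GET http://198.51.100.7/jquery-3.3.1.min.js "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko" "http://code.jquery.com/"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) "(?P<ua>[^"]*)" "(?P<referer>[^"]*)"$'
)
JQUERY_PATH_RE = re.compile(r"/jquery-\d+\.\d+\.\d+(\.slim)?(\.min)?\.js$")


def parse_line(line):
    """Parse one log line into a dict, or None if it does not fit the assumed layout."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify(rec):
    """Return the list of reasons a record looks like this beacon (empty if clean)."""
    reasons = []
    url = urlsplit(rec["url"])
    if rec["url"] == C2_URL:
        reasons.append("exact match on extracted C2 URL")
    # Profile mimicry: a jQuery-looking path with Referer code.jquery.com, served by a host
    # that is not code.jquery.com (here a bare IP). Also catches re-deployed beacons.
    ref_host = urlsplit(rec["referer"]).hostname
    if (ref_host == "code.jquery.com" and url.hostname != "code.jquery.com"
            and JQUERY_PATH_RE.search(url.path or "")):
        reasons.append(f"jQuery-style path served by {url.hostname} with Referer code.jquery.com")
    # Weak on its own (stock IE11 User-Agent string), useful as corroboration.
    if rec["ua"] == C2_USER_AGENT and rec["referer"] == C2_REFERER:
        reasons.append("User-Agent and Referer identical to extracted profile")
    return reasons


def scan(log_text):
    """Return a list of (line number, client, url, reasons) for each suspicious line."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            hits.append((n, rec["client"], rec["url"], reasons))
    return hits


if __name__ == "__main__":
    for n, client, url, reasons in scan(SAMPLE_LOG):
        print(f"line {n}: {client} -> {url}")
        for r in reasons:
            print("   -", r)
```

The User-Agent is a stock IE11 string and is not an indicator by itself, and the exact URL stops matching as soon as the operator re-deploys. The durable signal is the second rule: a genuine jQuery download is sent to code.jquery.com and carries the embedding page as its Referer, not code.jquery.com itself.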

Signatures

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b67d52bf30515f2537b0a3a076ee60dd.exe
    "C:\Users\Admin\AppData\Local\Temp\b67d52bf30515f2537b0a3a076ee60dd.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3712
    • C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c "start 7月网格自主发展情况通报0725.txt"
      2⤵
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1616
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7月网格自主发展情况通报0725.txt
        3⤵
          PID:4512
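
The process tree shows the usual decoy pattern: the dropper, running from the user's Temp directory, launches cmd.exe /c "start <document>", which hands the file to the default viewer (here NOTEPAD.EXE) so the victim sees a harmless text file while the beacon keeps running in the original process. The decoy's file name translates roughly to "July grid self-development status bulletin 0725". The following is an added example, not part of the report, that reconstructs such chains from process-creation events. The event records are constructed for the example from the images, command lines and PIDs shown above plus a fabricated benign Notepad launch; the field names (pid, ppid, image, cmdline) and the parent PID 900 are assumptions, modelled loosely on Sysmon process-creation events.

```python
"""Added example (not from the sandbox report): find "dropper in Temp -> cmd.exe /c start
<document> -> document viewer" decoy chains in process-creation events."""
import re
from collections import defaultdict

# Constructed events: the three processes from the report plus a benign Notepad launch.
# Field names and the parent PID 900 are assumed.
EVENTS = [
    {"pid": 3712, "ppid": 900,
     "image": r"C:\Users\Admin\AppData\Local\Temp\b67d52bf30515f2537b0a3a076ee60dd.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\b67d52bf30515f2537b0a3a076ee60dd.exe"'},
    {"pid": 1616, "ppid": 3712,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'C:\Windows\System32\cmd.exe /c "start 7月网格自主发展情况通报0725.txt"'},
    {"pid": 4512, "ppid": 1616,
     "image": r"C:\Windows\system32\NOTEPAD.EXE",
     "cmdline": r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7月网格自主发展情况通报0725.txt'},
    {"pid": 5000, "ppid": 900,
     "image": r"C:\Windows\system32\NOTEPAD.EXE",
     "cmdline": r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\notes.txt'},
]

# Executables launched from a user-writable temp directory.
USER_TEMP_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
# cmd.exe "start" of a document-like file (the decoy).
START_DOC_RE = re.compile(r"\bstart\b[^&|]*\.(txt|rtf|pdf|docx?|xlsx?|pptx?)\b", re.IGNORECASE)
# Viewers a decoy document typically lands in.
VIEWERS = {"notepad.exe", "wordpad.exe", "winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe"}


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_decoy_chains(events):
    """Return (dropper_pid, cmd_pid, [viewer_pids]) for every matching chain."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    chains = []
    for cmd in events:
        if basename(cmd["image"]) != "cmd.exe":
            continue
        parent = by_pid.get(cmd["ppid"])
        # Parent must be an executable running out of a user's Temp directory.
        if parent is None or not USER_TEMP_RE.search(parent["image"]):
            continue
        # cmd.exe must be opening a document via "start".
        if not START_DOC_RE.search(cmd["cmdline"]):
            continue
        # And a document viewer must actually have been spawned by that cmd.exe.
        viewers = [c["pid"] for c in children[cmd["pid"]] if basename(c["image"]) in VIEWERS]
        if viewers:
            chains.append((parent["pid"], cmd["pid"], viewers))
    return chains


if __name__ == "__main__":
    for dropper, cmd, viewers in find_decoy_chains(EVENTS):
        print(f"decoy chain: {dropper} -> cmd.exe {cmd} -> viewers {viewers}")
```

Requiring all three links keeps the rule quiet on ordinary cmd.exe usage; the process worth isolating is the dropper PID at the head of the chain, not the viewer the user is looking at.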

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\7月网格自主发展情况通报0725.txt

    Filesize

    442B

    MD5

    2d0cd72ef9e2bbb91af9aa3e2a269fa6

    SHA1

    8537cef926f6af02f5cebf470fd5629b9314c24f

    SHA256

    cd83d993a216b269a62c3678394b8500162c259a35d36b4000ea165028080c43

    SHA512

    3e5f610e841312524a248508fc1c8b4b0bf205367132831f6983bff178002fa63defa1ec9777633f588be2369a647d9ee81a537016f733224608e40951279d6e

  • memory/3712-3-0x000001A1EBC50000-0x000001A1EBC51000-memory.dmp

    Filesize

    4KB