Analysis Overview
SHA256
6bbabed7b0f11e304b0cb97013c9095d51fa330aee3a966b5626088e92a0dfeb
Threat Level: Known bad
The file b67d52bf30515f2537b0a3a076ee60dd was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike
Checks computer location settings
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-06 04:19
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-06 04:19
Reported
2024-03-06 04:21
Platform
win10v2004-20240226-en
Max time kernel
151s
Max time network
158s
Command Line
Signatures
Cobaltstrike
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\cmd.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings | C:\Windows\System32\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3712 wrote to memory of 1616 | N/A | C:\Users\Admin\AppData\Local\Temp\b67d52bf30515f2537b0a3a076ee60dd.exe | C:\Windows\System32\cmd.exe |
| PID 3712 wrote to memory of 1616 | N/A | C:\Users\Admin\AppData\Local\Temp\b67d52bf30515f2537b0a3a076ee60dd.exe | C:\Windows\System32\cmd.exe |
| PID 1616 wrote to memory of 4512 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\NOTEPAD.EXE |
| PID 1616 wrote to memory of 4512 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\NOTEPAD.EXE |
Processes
C:\Users\Admin\AppData\Local\Temp\b67d52bf30515f2537b0a3a076ee60dd.exe
"C:\Users\Admin\AppData\Local\Temp\b67d52bf30515f2537b0a3a076ee60dd.exe"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c "start 7月网格自主发展情况通报0725.txt"
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7月网格自主发展情况通报0725.txt
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.241.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 176.178.17.96.in-addr.arpa | udp |
| CN | 47.100.48.157:8787 | N/A | tcp |
| US | 8.8.8.8:53 | 32.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| CN | 47.100.48.157:8787 | N/A | tcp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 211.178.17.96.in-addr.arpa | udp |
| CN | 47.100.48.157:8787 | N/A | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| CN | 47.100.48.157:8787 | N/A | tcp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| CN | 47.100.48.157:8787 | N/A | tcp |
| CN | 47.100.48.157:8787 | N/A | tcp |
| US | 8.8.8.8:53 | 11.73.50.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\7月网格自主发展情况通报0725.txt
| Hash | Value |
|---|---|
| MD5 | 2d0cd72ef9e2bbb91af9aa3e2a269fa6 |
| SHA1 | 8537cef926f6af02f5cebf470fd5629b9314c24f |
| SHA256 | cd83d993a216b269a62c3678394b8500162c259a35d36b4000ea165028080c43 |
| SHA512 | 3e5f610e841312524a248508fc1c8b4b0bf205367132831f6983bff178002fa63defa1ec9777633f588be2369a647d9ee81a537016f733224608e40951279d6e |
memory/3712-3-0x000001A1EBC50000-0x000001A1EBC51000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-06 04:19
Reported
2024-03-06 04:21
Platform
win7-20240221-en
Max time kernel
136s
Max time network
145s
Command Line
Signatures
Cobaltstrike
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2240 wrote to memory of 1100 | N/A | C:\Users\Admin\AppData\Local\Temp\b67d52bf30515f2537b0a3a076ee60dd.exe | C:\Windows\System32\cmd.exe |
| PID 2240 wrote to memory of 1100 | N/A | C:\Users\Admin\AppData\Local\Temp\b67d52bf30515f2537b0a3a076ee60dd.exe | C:\Windows\System32\cmd.exe |
| PID 2240 wrote to memory of 1100 | N/A | C:\Users\Admin\AppData\Local\Temp\b67d52bf30515f2537b0a3a076ee60dd.exe | C:\Windows\System32\cmd.exe |
| PID 1100 wrote to memory of 2644 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\NOTEPAD.EXE |
| PID 1100 wrote to memory of 2644 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\NOTEPAD.EXE |
| PID 1100 wrote to memory of 2644 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\NOTEPAD.EXE |
Processes
C:\Users\Admin\AppData\Local\Temp\b67d52bf30515f2537b0a3a076ee60dd.exe
"C:\Users\Admin\AppData\Local\Temp\b67d52bf30515f2537b0a3a076ee60dd.exe"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c "start 7月网格自主发展情况通报0725.txt"
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7月网格自主发展情况通报0725.txt
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| CN | 47.100.48.157:8787 | N/A | tcp |
| CN | 47.100.48.157:8787 | N/A | tcp |
| CN | 47.100.48.157:8787 | N/A | tcp |
| CN | 47.100.48.157:8787 | N/A | tcp |
| CN | 47.100.48.157:8787 | N/A | tcp |
| CN | 47.100.48.157:8787 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\7月网格自主发展情况通报0725.txt
| Hash | Value |
|---|---|
| MD5 | 2d0cd72ef9e2bbb91af9aa3e2a269fa6 |
| SHA1 | 8537cef926f6af02f5cebf470fd5629b9314c24f |
| SHA256 | cd83d993a216b269a62c3678394b8500162c259a35d36b4000ea165028080c43 |
| SHA512 | 3e5f610e841312524a248508fc1c8b4b0bf205367132831f6983bff178002fa63defa1ec9777633f588be2369a647d9ee81a537016f733224608e40951279d6e |
memory/2240-24-0x0000000002AE0000-0x0000000002AE1000-memory.dmp