Analysis
- max time kernel: 149s
- max time network: 148s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 20-03-2024 15:23
Static task: static1
Behavioral task: behavioral1
- Sample: 2024-03-20_58c7935adc93f3c3859ebe408938d706_cobalt-strike_ryuk.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 2024-03-20_58c7935adc93f3c3859ebe408938d706_cobalt-strike_ryuk.exe
- Resource: win10v2004-20240226-en
General
- Target: 2024-03-20_58c7935adc93f3c3859ebe408938d706_cobalt-strike_ryuk.exe
- Size: 509KB
- MD5: 58c7935adc93f3c3859ebe408938d706
- SHA1: 448b54408eb942cc2745daf8f914d6b96d0a1325
- SHA256: 8e45d8b087d7044079cc90c5087e7060734043ea74ab93a1165314338aacaeb1
- SHA512: b9c1757f2c36c3c5d24708d7d43447d2f4263dcf57f4335ea6a87a6a9b230fe2e112fb9d5d672d737a741e6e43bd2380ada3518809ec433c244b4f6a06c992e0
- SSDEEP: 12288:y2ye/RY4Lmil2eRM756/bKMc0cg77ZSyyQU5w:Ly54T9/LLU5w
Malware Config
Extracted: cobaltstrike
- http://img.uioqwea.xyz:8443/messages/DALBNSFFT4Q
- user_agent:
  Accept: text/html,application/*,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Host: img.uioqwea.xyz
  Referer: http://code.jquery.com/
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/6.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/7.0)
Extracted: cobaltstrike
- 100000
- http://img.uioqwea.xyz:8443/messages/xV5GdE
- access_type: 512
- beacon_type: 2048
- host: img.uioqwea.xyz,/messages/xV5GdE
- http_method1: GET
- http_method2: POST
- jitter: 2560
- polling_time: 10000
- port_number: 8443
- sc_process32: %windir%\syswow64\esentutl.exe
- sc_process64: %windir%\sysnative\esentutl.exe
- state_machine: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCaQGOQzaqqQLDxqfNAdfZu7isKEAhtTHok92MhWQ6haLF6I92+W3zIHm5+FBWaPVxJ+LV5YaSDuXAwGrTKzYDu/MHzXYcuENLyL4dRuFbJBfJwRImaLDke8V2+zhN0vu0ZSNtDIE4xEKf/UzAj6i/Jdh0+Ha72abUlVMBRn37jLwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- unknown1: 3.092976896e+09
- unknown2: AAAABAAAAAEAAATAAAAAAQAAAAwAAAACAAABlAAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- uri: /messages/96OpFu
- user_agent: Mozilla/6.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/7.0)
- watermark: 100000
Signatures
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).
- Modifies Internet Explorer settings 9 IoCs
  Processes: WINWORD.EXE
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | WINWORD.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | WINWORD.EXE
  Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
  Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt | WINWORD.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | WINWORD.EXE
  Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | WINWORD.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | WINWORD.EXE
- Suspicious behavior: AddClipboardFormatListener 1 IoCs
  Processes: WINWORD.EXE
  pid | process
  2608 | WINWORD.EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  Processes: WINWORD.EXE
  pid | process
  2608 | WINWORD.EXE
- Suspicious behavior: EnumeratesProcesses 1 IoCs
  Processes: 2024-03-20_58c7935adc93f3c3859ebe408938d706_cobalt-strike_ryuk.exe
  pid | process
  1044 | 2024-03-20_58c7935adc93f3c3859ebe408938d706_cobalt-strike_ryuk.exe
- Suspicious behavior: RenamesItself 1 IoCs
  Processes: 2024-03-20_58c7935adc93f3c3859ebe408938d706_cobalt-strike_ryuk.exe
  pid | process
  1044 | 2024-03-20_58c7935adc93f3c3859ebe408938d706_cobalt-strike_ryuk.exe
- Suspicious use of AdjustPrivilegeToken 6 IoCs
  Processes: Explorer.EXE
  description | pid | process
  Token: SeShutdownPrivilege | 1312 | Explorer.EXE (6 entries)
- Suspicious use of FindShellTrayWindow 2 IoCs
  Processes: Explorer.EXE
  pid | process
  1312 | Explorer.EXE (2 entries)
- Suspicious use of SendNotifyMessage 2 IoCs
  Processes: Explorer.EXE
  pid | process
  1312 | Explorer.EXE (2 entries)
- Suspicious use of SetWindowsHookEx 6 IoCs
  Processes: WINWORD.EXE
  pid | process
  2608 | WINWORD.EXE (6 entries)
- Suspicious use of UnmapMainImage 1 IoCs
  Processes: Explorer.EXE
  pid | process
  1312 | Explorer.EXE
- Suspicious use of WriteProcessMemory 8 IoCs
  Processes: 2024-03-20_58c7935adc93f3c3859ebe408938d706_cobalt-strike_ryuk.exe, cmd.exe
  description | pid | process | target process
  PID 1044 wrote to memory of 2376 | 1044 | 2024-03-20_58c7935adc93f3c3859ebe408938d706_cobalt-strike_ryuk.exe | cmd.exe (3 entries)
  PID 1044 wrote to memory of 1312 | 1044 | 2024-03-20_58c7935adc93f3c3859ebe408938d706_cobalt-strike_ryuk.exe | Explorer.EXE
  PID 2376 wrote to memory of 2608 | 2376 | cmd.exe | WINWORD.EXE (4 entries)
Processes
1. C:\Windows\Explorer.EXE
   Command line: C:\Windows\Explorer.EXE
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of UnmapMainImage
   2. C:\Users\Admin\AppData\Local\Temp\2024-03-20_58c7935adc93f3c3859ebe408938d706_cobalt-strike_ryuk.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\2024-03-20_58c7935adc93f3c3859ebe408938d706_cobalt-strike_ryuk.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: RenamesItself
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\cmd.exe
         Command line: cmd /cd2J4Z2xjbm0.doc
         - Suspicious use of WriteProcessMemory
         4. C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
            Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\d2J4Z2xjbm0.doc"
            - Modifies Internet Explorer settings
            - Suspicious behavior: AddClipboardFormatListener
            - Suspicious behavior: CmdExeWriteProcessMemorySpam
            - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\d2J4Z2xjbm0.doc
  Filesize: 93KB
  MD5: de72533ed8828182ad05d8e7f694548f
  SHA1: 06c86de28558b5cb22539a077e94884a97804f6a
  SHA256: 3ae8dd53d8d97d71900ee8f194e6ce2aeab40b2f01ce01f756098facd249eda2
  SHA512: ce681b28fd2d3158788399d8c7f81e8b7e31eaceb8885bd4e3209c55b359afd64ef357ffe31c0114aea49ffea2dc7008e6437b863648f54be195edb5fb125c36
- memory/1312-14-0x0000000002EF0000-0x0000000002EF1000-memory.dmp
  Filesize: 4KB
- memory/1312-46-0x0000000003360000-0x00000000033C1000-memory.dmp
  Filesize: 388KB
- memory/1312-47-0x0000000009110000-0x0000000009266000-memory.dmp
  Filesize: 1.3MB
- memory/1312-49-0x0000000009110000-0x0000000009266000-memory.dmp
  Filesize: 1.3MB
- memory/2608-27-0x000000002F871000-0x000000002F872000-memory.dmp
  Filesize: 4KB
- memory/2608-28-0x000000005FFF0000-0x0000000060000000-memory.dmp
  Filesize: 64KB
- memory/2608-29-0x00000000713CD000-0x00000000713D8000-memory.dmp
  Filesize: 44KB
- memory/2608-48-0x00000000713CD000-0x00000000713D8000-memory.dmp
  Filesize: 44KB