Analysis
- max time kernel: 119s
- max time network: 122s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-03-2024 11:58
Tasks
- Static task static1
- Behavioral task behavioral1: sample adobe update.exe, resource win7-20240221-en
- Behavioral task behavioral2: sample adobe update.exe, resource win10v2004-20240226-en
- Behavioral task behavioral3: sample $TEMP/Foreign.ps1, resource win7-20231129-en
- Behavioral task behavioral4: sample $TEMP/Foreign.ps1, resource win10v2004-20240226-en
General
- Target: adobe update.exe
- Size: 606KB
- MD5: 6d15502f7965eb86b7e3ef22415df950
- SHA1: 5607d53d6f679f8ea6c8e5a1225d97cc0c36fed2
- SHA256: 074020d2d88544c1747e8b8d51eedd460305f6c2c529d548d993f1816b93c702
- SHA512: 12d73774636e0fcccfb2ef75bfca94888d7b15806a80c1e5a8292b23baf6d6cbda1cba41f9817f1bf37c29fda9a349bd3a8989e7962b977d53091b942bea8028
- SSDEEP: 12288:JNZum6aVKx6SIIRYz6Y9IwDGDYPG76bR220oRnWDg7sK:JNZDV6IIRCRI5UbR2EF2oL
Malware Config
Extracted: cobaltstrike
- http://flogpasteapp.top:443/jquery-3.3.2.slim.min.js
- user_agent:
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Referer: http://code.jquery.com/
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
Signatures
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description | ioc | process):
  Key value queried | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation | adobe update.exe
- Executes dropped EXE (3 IoCs)
  Processes (pid | process):
  2204 | Wanting.pif
  4472 | Wanting.pif
  1704 | Wanting.pif
- Suspicious use of SetThreadContext (2 IoCs)
  Processes (description | pid | process | target process):
  PID 2204 set thread context of 4472 | 2204 | Wanting.pif | Wanting.pif
  PID 2204 set thread context of 1704 | 2204 | Wanting.pif | Wanting.pif
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes (pid | process):
  3496 | schtasks.exe
  4380 | schtasks.exe
- Enumerates processes with tasklist (1 TTP, 2 IoCs)
  Processes (pid | process):
  2244 | tasklist.exe
  3236 | tasklist.exe
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious behavior: EnumeratesProcesses (32 IoCs)
  Processes (pid | process): 2204 | Wanting.pif (32 identical entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description | pid | process):
  Token: SeDebugPrivilege | 2244 | tasklist.exe
  Token: SeDebugPrivilege | 3236 | tasklist.exe
- Suspicious use of FindShellTrayWindow (3 IoCs)
  Processes (pid | process): 2204 | Wanting.pif (3 identical entries)
- Suspicious use of SendNotifyMessage (3 IoCs)
  Processes (pid | process): 2204 | Wanting.pif (3 identical entries)
- Suspicious use of WriteProcessMemory (43 IoCs)
  Processes (pid process -> target pid target process; the 43 write events collapsed to unique pairs):
  2528 adobe update.exe -> 4236 cmd.exe
  4236 cmd.exe -> 2244 tasklist.exe
  4236 cmd.exe -> 5108 findstr.exe
  4236 cmd.exe -> 3236 tasklist.exe
  4236 cmd.exe -> 1560 findstr.exe
  4236 cmd.exe -> 1968 cmd.exe
  4236 cmd.exe -> 4420 cmd.exe
  4236 cmd.exe -> 3620 cmd.exe
  4236 cmd.exe -> 2204 Wanting.pif
  4236 cmd.exe -> 2912 PING.EXE
  2204 Wanting.pif -> 3496 schtasks.exe
  2204 Wanting.pif -> 1856 cmd.exe
  1856 cmd.exe -> 4380 schtasks.exe
  2204 Wanting.pif -> 4472 Wanting.pif
  2204 Wanting.pif -> 1704 Wanting.pif
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (nesting level in brackets; each entry gives the image path, then the command line, then the matched signatures)

[1] C:\Users\Admin\AppData\Local\Temp\adobe update.exe
    "C:\Users\Admin\AppData\Local\Temp\adobe update.exe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k move Translation Translation.bat & Translation.bat & exit
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\tasklist.exe
        tasklist
        - Enumerates processes with tasklist
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\findstr.exe
        findstr /I "wrsa.exe opssvc.exe"
    [3] C:\Windows\SysWOW64\tasklist.exe
        tasklist
        - Enumerates processes with tasklist
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\findstr.exe
        findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd /c md 26770
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd /c copy /b 26770\Wanting.pif + Norton + Ear + Timeline + Cgi + Shoulder + Harm 26770\Wanting.pif
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd /c copy /b Escape + Foreign + Understood 26770\G
    [3] C:\Users\Admin\AppData\Local\Temp\26770\Wanting.pif
        26770\Wanting.pif 26770\G
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SYSTEM32\schtasks.exe
          schtasks.exe /create /tn "CreativeFlowX" /tr "wscript 'C:\Users\Admin\AppData\Local\FlowCraft Innovations Co\CreativeFlowX.js'" /sc onlogon /F /RL HIGHEST
          - Creates scheduled task(s)
      [4] C:\Windows\SYSTEM32\cmd.exe
          cmd /c schtasks.exe /create /tn "So" /tr "wscript 'C:\Users\Admin\AppData\Local\FlowCraft Innovations Co\CreativeFlowX.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "So" /tr "wscript 'C:\Users\Admin\AppData\Local\FlowCraft Innovations Co\CreativeFlowX.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST
            - Creates scheduled task(s)
      [4] C:\Users\Admin\AppData\Local\Temp\26770\Wanting.pif
          C:\Users\Admin\AppData\Local\Temp\26770\Wanting.pif
          - Executes dropped EXE
      [4] C:\Users\Admin\AppData\Local\Temp\26770\Wanting.pif
          C:\Users\Admin\AppData\Local\Temp\26770\Wanting.pif
          - Executes dropped EXE
    [3] C:\Windows\SysWOW64\PING.EXE
        ping -n 15 127.0.0.1
        - Runs ping.exe
Downloads
- C:\Users\Admin\AppData\Local\Temp\26770\G (472KB)
- C:\Users\Admin\AppData\Local\Temp\26770\Wanting.pif (1.0MB)
- C:\Users\Admin\AppData\Local\Temp\Cgi (178KB)
- C:\Users\Admin\AppData\Local\Temp\Ear (151KB)
- C:\Users\Admin\AppData\Local\Temp\Escape (205KB)
- C:\Users\Admin\AppData\Local\Temp\Foreign (232KB)
- C:\Users\Admin\AppData\Local\Temp\Harm (157KB)
- C:\Users\Admin\AppData\Local\Temp\Norton (105KB)
- C:\Users\Admin\AppData\Local\Temp\Shoulder (283KB)
- C:\Users\Admin\AppData\Local\Temp\Timeline (172KB)
- C:\Users\Admin\AppData\Local\Temp\Translation (13KB)
- C:\Users\Admin\AppData\Local\Temp\Understood (35KB)
- memory/1704-45-0x0000000000400000-0x000000000040C000-memory.dmp (48KB)
- memory/2204-31-0x000001DF55260000-0x000001DF55261000-memory.dmp (4KB)
- memory/4472-32-0x0000000000400000-0x000000000040C000-memory.dmp (48KB)
- memory/4472-33-0x0000000000400000-0x000000000040C000-memory.dmp (48KB)
- memory/4472-36-0x0000000000400000-0x000000000040C000-memory.dmp (48KB)
- memory/4472-35-0x0000000000400000-0x000000000040C000-memory.dmp (48KB)
- memory/4472-37-0x00000235E8C40000-0x00000235E8C41000-memory.dmp (4KB)