Analysis

- max time kernel: 147s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 30-03-2024 11:48
Static task: static1

Behavioral task: behavioral1
- Sample: update-windows.exe
- Resource: win7-20240221-en

Behavioral task: behavioral2
- Sample: update-windows.exe
- Resource: win10v2004-20240226-en

Behavioral task: behavioral3
- Sample: $TEMP/Foreign.ps1
- Resource: win7-20240221-en

Behavioral task: behavioral4
- Sample: $TEMP/Foreign.ps1
- Resource: win10v2004-20240226-en
General

- Target: update-windows.exe
- Size: 606KB
- MD5: 6d15502f7965eb86b7e3ef22415df950
- SHA1: 5607d53d6f679f8ea6c8e5a1225d97cc0c36fed2
- SHA256: 074020d2d88544c1747e8b8d51eedd460305f6c2c529d548d993f1816b93c702
- SHA512: 12d73774636e0fcccfb2ef75bfca94888d7b15806a80c1e5a8292b23baf6d6cbda1cba41f9817f1bf37c29fda9a349bd3a8989e7962b977d53091b942bea8028
- SSDEEP: 12288:JNZum6aVKx6SIIRYz6Y9IwDGDYPG76bR220oRnWDg7sK:JNZDV6IIRCRI5UbR2EF2oL
Malware Config

Extracted: cobaltstrike
- http://flogpasteapp.top:443/jquery-3.3.2.slim.min.js
- user_agent: Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Referer: http://code.jquery.com/ Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.

Executes dropped EXE (4 IoCs)
Processes:
  PID   Process
  2552  Wanting.pif
  1260  Wanting.pif
  540   Wanting.pif
  1432  CreativeFlowX.pif

Loads dropped DLL (4 IoCs)
Processes:
  PID   Process
  2928  cmd.exe
  2552  Wanting.pif
  2552  Wanting.pif
  2236  wscript.EXE

Suspicious use of SetThreadContext (2 IoCs)
Processes:
  Description                          PID   Process      Target process
  PID 2552 set thread context of 1260  2552  Wanting.pif  Wanting.pif
  PID 2552 set thread context of 540   2552  Wanting.pif  Wanting.pif
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
  PID   Process
  856   schtasks.exe
  2168  schtasks.exe

Enumerates processes with tasklist (1 TTPs, 2 IoCs)
Processes:
  PID   Process
  2924  tasklist.exe
  2516  tasklist.exe

Runs ping.exe (1 TTPs, 1 IoCs)
Suspicious behavior: EnumeratesProcesses (27 IoCs)
Processes (identical entries collapsed; Count is how many times each is listed):
  PID   Process            Count
  2552  Wanting.pif        16
  1432  CreativeFlowX.pif  11

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  Description              PID   Process
  Token: SeDebugPrivilege  2924  tasklist.exe
  Token: SeDebugPrivilege  2516  tasklist.exe

Suspicious use of FindShellTrayWindow (6 IoCs)
Processes (identical entries collapsed; Count is how many times each is listed):
  PID   Process            Count
  2552  Wanting.pif        3
  1432  CreativeFlowX.pif  3

Suspicious use of SendNotifyMessage (6 IoCs)
Processes (identical entries collapsed; Count is how many times each is listed):
  PID   Process            Count
  2552  Wanting.pif        3
  1432  CreativeFlowX.pif  3
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (identical entries collapsed; Count is how many times each is listed):
  Description                       PID   Process             Target process     Count
  PID 1948 wrote to memory of 2928  1948  update-windows.exe  cmd.exe            4
  PID 2928 wrote to memory of 2924  2928  cmd.exe             tasklist.exe       4
  PID 2928 wrote to memory of 2528  2928  cmd.exe             findstr.exe        4
  PID 2928 wrote to memory of 2516  2928  cmd.exe             tasklist.exe       4
  PID 2928 wrote to memory of 2656  2928  cmd.exe             findstr.exe        4
  PID 2928 wrote to memory of 2500  2928  cmd.exe             cmd.exe            4
  PID 2928 wrote to memory of 2096  2928  cmd.exe             cmd.exe            4
  PID 2928 wrote to memory of 2400  2928  cmd.exe             cmd.exe            4
  PID 2928 wrote to memory of 2552  2928  cmd.exe             Wanting.pif        4
  PID 2928 wrote to memory of 2856  2928  cmd.exe             PING.EXE           4
  PID 2552 wrote to memory of 2168  2552  Wanting.pif         schtasks.exe       3
  PID 2552 wrote to memory of 1604  2552  Wanting.pif         cmd.exe            3
  PID 1604 wrote to memory of 856   1604  cmd.exe             schtasks.exe       3
  PID 2552 wrote to memory of 1260  2552  Wanting.pif         Wanting.pif        5
  PID 2552 wrote to memory of 540   2552  Wanting.pif         Wanting.pif        5
  PID 1864 wrote to memory of 2236  1864  taskeng.exe         wscript.EXE        3
  PID 2236 wrote to memory of 1432  2236  wscript.EXE         CreativeFlowX.pif  2
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(the number in brackets is the depth in the process tree; each entry gives the image path, the command line, and the signatures that fired on it)

[1] C:\Users\Admin\AppData\Local\Temp\update-windows.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\update-windows.exe"
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /k move Translation Translation.bat & Translation.bat & exit
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\tasklist.exe
        Command line: tasklist
        - Enumerates processes with tasklist
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\SysWOW64\findstr.exe
        Command line: findstr /I "wrsa.exe opssvc.exe"

    [3] C:\Windows\SysWOW64\tasklist.exe
        Command line: tasklist
        - Enumerates processes with tasklist
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\SysWOW64\findstr.exe
        Command line: findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"

    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c md 24886

    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c copy /b 24886\Wanting.pif + Norton + Ear + Timeline + Cgi + Shoulder + Harm 24886\Wanting.pif

    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c copy /b Escape + Foreign + Understood 24886\G

    [3] C:\Users\Admin\AppData\Local\Temp\24886\Wanting.pif
        Command line: 24886\Wanting.pif 24886\G
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\system32\schtasks.exe
          Command line: schtasks.exe /create /tn "CreativeFlowX" /tr "wscript 'C:\Users\Admin\AppData\Local\FlowCraft Innovations Co\CreativeFlowX.js'" /sc onlogon /F /RL HIGHEST
          - Creates scheduled task(s)

      [4] C:\Windows\system32\cmd.exe
          Command line: cmd /c schtasks.exe /create /tn "So" /tr "wscript 'C:\Users\Admin\AppData\Local\FlowCraft Innovations Co\CreativeFlowX.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\system32\schtasks.exe
            Command line: schtasks.exe /create /tn "So" /tr "wscript 'C:\Users\Admin\AppData\Local\FlowCraft Innovations Co\CreativeFlowX.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST
            - Creates scheduled task(s)

      [4] C:\Users\Admin\AppData\Local\Temp\24886\Wanting.pif
          Command line: C:\Users\Admin\AppData\Local\Temp\24886\Wanting.pif
          - Executes dropped EXE

      [4] C:\Users\Admin\AppData\Local\Temp\24886\Wanting.pif
          Command line: C:\Users\Admin\AppData\Local\Temp\24886\Wanting.pif
          - Executes dropped EXE

    [3] C:\Windows\SysWOW64\PING.EXE
        Command line: ping -n 15 127.0.0.1
        - Runs ping.exe

[1] C:\Windows\system32\taskeng.exe
    Command line: taskeng.exe {11D46431-430C-4691-B9D3-D8FD841E7EBA} S-1-5-21-3452737119-3959686427-228443150-1000:QGTQZTRE\Admin:Interactive:[1]
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\system32\wscript.EXE
      Command line: C:\Windows\system32\wscript.EXE "C:\Users\Admin\AppData\Local\FlowCraft Innovations Co\CreativeFlowX.js"
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

    [3] C:\Users\Admin\AppData\Local\FlowCraft Innovations Co\CreativeFlowX.pif
        Command line: "C:\Users\Admin\AppData\Local\FlowCraft Innovations Co\CreativeFlowX.pif" "C:\Users\Admin\AppData\Local\FlowCraft Innovations Co\I"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

- C:\Users\Admin\AppData\Local\FlowCraft Innovations Co\CreativeFlowX.js
  Filesize: 189B
  MD5: e53d7ab385f366a0843a375cbdd252eb
  SHA1: 69c90f73eb7c5a777c75d05b6af72f381af5df18
  SHA256: a3bcb20209adf7a5cdafc4c118a5e8e0b6a8152ea2b4c569f23120c3344c2b30
  SHA512: 372b1302a73647459765efbf460e49b0f764d330ee16f54ed4ee71b25d0b40e6fad7ee06e8ad5291954f96a49c3a0aa84c6fae896f28d46d517e71abf58a2d3a
- C:\Users\Admin\AppData\Local\Temp\24886\G
  Filesize: 472KB
  MD5: 3f8b8300896696055ec7b5289f0a3890
  SHA1: 8aaff557e1a42c6cefc0fedbd64978120d6076ba
  SHA256: bf52a5585e38b67ff461ef1ec8dd6244606bba0d07bf67fd5b48ae4716abe1a7
  SHA512: 224e688329417949336e15caadc247f6267b2394243b1e01125938d5e18b75f8228186e59dc7d7ac9959279a3b127c3211fd04441dda482af183e5e8f184689f
- C:\Users\Admin\AppData\Local\Temp\24886\Wanting.pif
  Filesize: 2B
  MD5: ac6ad5d9b99757c3a878f2d275ace198
  SHA1: 439baa1b33514fb81632aaf44d16a9378c5664fc
  SHA256: 9b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d
  SHA512: bfcdcb26b6f0c288838da7b0d338c2af63798a2ece9dcd6bc07b7cadf44477e3d5cfbba5b72446c61a1ecf74a0bccc62894ea87a40730cd1d4c2a3e15a7bb55b
- C:\Users\Admin\AppData\Local\Temp\Cgi
  Filesize: 178KB
  MD5: 534ee60e70d3b0abd61ac8459bdd127c
  SHA1: 7ef481a80580f1e04940b09ac758f3b001eda14b
  SHA256: 3fc1d87901701337978a133eaddbea0b314b5a49da2e46f21571e3294a2814ad
  SHA512: b7bb6370ef6314e8343580a4bca3d1f50f94d9a3f5d867c824871f7681ad5890d0d6159cff5e28506369652db41f840aff52fe6c84ae1a528566c98655bb90d8
- C:\Users\Admin\AppData\Local\Temp\Ear
  Filesize: 151KB
  MD5: 97fe7c9cc9c4d96a8d7287e00a974f47
  SHA1: bb220295f53800aa797331993b19fbc81b8bc476
  SHA256: b0539b86d340f96c8644fac07107c7e84f1d77f1f56eec511eb66ee0a1e04a38
  SHA512: 9a754051e46d9db3e046d3bff7df99a3d260023eedef07dc144d64fcc38919193e9388f29888198b07490961290c4606b3ba8781b4c37c229e4b6daa9044856d
- C:\Users\Admin\AppData\Local\Temp\Escape
  Filesize: 205KB
  MD5: a4c033e1208a4560d3a72e0ba926f91c
  SHA1: 59886a1979421ee811ec33351dc52ad0f6d035f8
  SHA256: 3eaedd3bf07da9f26e8d85ddd42e4b999ad1249af17e55f712ac328a199bc9e3
  SHA512: 006736e8dcf8a98c46452fc7656c01c1d42df40dcbc97378e8dbb7311d3ce1442c10308892b92dff1547b23ff0e9f97da79c8bd1ecd1a6be95f8df5db5e9ed79
- C:\Users\Admin\AppData\Local\Temp\Foreign
  Filesize: 232KB
  MD5: d8637ced6059e011349fee2597d53313
  SHA1: d140570d9f3eeaa9c6d1b42d1a61fa0c6b7d9c0c
  SHA256: 3d7201c97f506e1aba899ff67cf078b253d772b9af13721e9e67aa11535b50b7
  SHA512: 4e4c124e48c4640ce9bf154ca618349aea0556431b1c8b5a150fced1e5fed4764fda845c98b965affe8399425c31b4bb902a813b4818adb6c2c90ab03bc61987
- C:\Users\Admin\AppData\Local\Temp\Harm
  Filesize: 157KB
  MD5: ea83f03d6eb011609f4b161e75bdde78
  SHA1: def461cc324b4fdeb5c5ce0fcb85d72f73042166
  SHA256: c61a3a8ebf5a46bc9c79cc34a1e0e5bf84d0028c6b9fd85de8e49e9985c0a813
  SHA512: 310cbc5a6a8e58ae03c443a4f22ecb223da14046ae8a189bab0c0efeaebaed5e18ab81830ed02606d5a6e35d1597b5d716cdce7c1db79aed4962f40c56bff10d
- C:\Users\Admin\AppData\Local\Temp\Norton
  Filesize: 105KB
  MD5: 582b11a7d90d126fec87cd1a727ad7bc
  SHA1: bfd7d212a870de2186f94740589aecf51fc9ca28
  SHA256: da6fa0aff26dddfd44428548df0668e02b9c239741a495474a2cb041d6bb58f5
  SHA512: 50a5977fd3c2c2834e0cf414bfec3c18cde2dc7a03dec6437603253af9339063451c64c4393e609fd32f5e3b116c219acca67c34eb73e30f87aaf439418188c5
- C:\Users\Admin\AppData\Local\Temp\Shoulder
  Filesize: 283KB
  MD5: 1746f9f70c328815b41504b51f5b111c
  SHA1: 090613e27969ca7178f9e165287cda3c79712506
  SHA256: 4e5c39814a3ae06ce315498d05afb8534f4b0538812208926c099948086d5d6f
  SHA512: 8eca1af761105695f4a7244b37c810986c4128f4501d890691605ef4082e5a5c102ea1b545cc24342d1ce0a2fd2d851d06958048778169c3bcaee814aa8dcac0
- C:\Users\Admin\AppData\Local\Temp\Timeline
  Filesize: 172KB
  MD5: 92d7c9f4d67c5e251c1811b44e1ec1b8
  SHA1: 60f62e59a18f567345d7b291eb540e6c6aecaea5
  SHA256: be38ee59c76d3eb0c641b3ad6123fcca557302be536cbe3a8461f757c99103e4
  SHA512: 243df2c04d540acf21824c0181398f53dc239e3b449473f973dd28236e5360fd96a38102765d9cbdceb68cf97ea8382d3d83cb79e8b475a152e46bdb182644bc
- C:\Users\Admin\AppData\Local\Temp\Translation
  Filesize: 13KB
  MD5: 1f9f8a2694d823688c51fe4f8d4e2ba8
  SHA1: c82063d4082d27742a10672885fe40b67716a2f6
  SHA256: 6b7912c06da6c6a9859c6a773cecd85bb6f72fa746bcb1105795f8b32721857e
  SHA512: fdc8b3838aa5f2da335c1b4e7b35a45c9ace6f5914f3ec90a79f79f728f68976697cf19d3128196e4ce23b9a328fe1070aef03ce9eacd1115e2776ded76c888c
- C:\Users\Admin\AppData\Local\Temp\Understood
  Filesize: 35KB
  MD5: f5f9398e85d10a4c0e8219057565d87a
  SHA1: d3540705389a05c15521f09fb3f9a316be0660d7
  SHA256: 93872993b77c842bf2d75acc988ea451a408483a6c5c34007bceef01f5c6f73d
  SHA512: 750a4129ae68e060a247506090450fe6ded89f521b26046c54f4daa3e4570abc765565e5c0fc8def189e18518270d89313f0e6cd67beb06df543e4260d9bb16b
- \Users\Admin\AppData\Local\Temp\24886\Wanting.pif
  Filesize: 1.0MB
  MD5: bfa84dbde0df8f1cad3e179bd46a6e34
  SHA1: 06ae3c38d4b2f8125656268925ebde9eca6a1f9e
  SHA256: 6de412b8674ffba5d78ff9d36abffbe2cf86fd08b2231592fca2fcf41f1f2314
  SHA512: edd4c839437570003e1cc4a04e6cb7bf8c70c0ebdae741e69782e9bdf47c42441cd8d709170898859b94b3248cccf0e9dfa5e183c110b93ded935ce69a0ff82a
- memory/1260-39-0x0000000000020000-0x0000000000021000-memory.dmp
  Filesize: 4KB

- memory/2552-32-0x0000000000910000-0x0000000000911000-memory.dmp
  Filesize: 4KB