Overview
overview
10Static
static
3xshell软...cx.lnk
windows7-x64
3xshell软...cx.lnk
windows10-2004-x64
10xshell软...cs.vbs
windows7-x64
10xshell软...cs.vbs
windows10-2004-x64
10xshell软...mc.dll
windows7-x64
10xshell软...mc.dll
windows10-2004-x64
10xshell软....xlsx
windows7-x64
1xshell软....xlsx
windows10-2004-x64
1Analysis
-
max time kernel
142s -
max time network
123s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
08-04-2024 14:08
Static task
static1
Behavioral task
behavioral1
Sample
xshell软件排查结果反馈/xshell软件排查结果反馈.docx.lnk
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
xshell软件排查结果反馈/xshell软件排查结果反馈.docx.lnk
Resource
win10v2004-20240226-en
Behavioral task
behavioral3
Sample
xshell软件排查结果反馈/其他材料/.__MACOSX__/.__MACOS__/._MACOS_/cs.vbs
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
xshell软件排查结果反馈/其他材料/.__MACOSX__/.__MACOS__/._MACOS_/cs.vbs
Resource
win10v2004-20240226-en
Behavioral task
behavioral5
Sample
xshell软件排查结果反馈/其他材料/.__MACOSX__/.__MACOS__/._MACOS_/mc.dll
Resource
win7-20240221-en
Behavioral task
behavioral6
Sample
xshell软件排查结果反馈/其他材料/.__MACOSX__/.__MACOS__/._MACOS_/mc.dll
Resource
win10v2004-20240226-en
Behavioral task
behavioral7
Sample
xshell软件排查结果反馈/其他材料/附件-xshell软件排查结果反馈表.xlsx
Resource
win7-20240319-en
Behavioral task
behavioral8
Sample
xshell软件排查结果反馈/其他材料/附件-xshell软件排查结果反馈表.xlsx
Resource
win10v2004-20240226-en
General
-
Target
xshell软件排查结果反馈/xshell软件排查结果反馈.docx.lnk
-
Size
1KB
-
MD5
dcf3d59f84590bf4195d3e42d1f229be
-
SHA1
f219a6fbb04f2513e109e22269f839121c072fc7
-
SHA256
82bf7ba9e947c1dc93032278c52f32b20a026cd05f3195ef08cf9a31be75a5b2
-
SHA512
724d3225699af65b645b2c0ed7e8116f5a392c77018acbe2da0901cc76b4341546bf8f629325916fa6980e8054775c7160c6abce58c6c9637e927a2ece769a5c
Malware Config
Extracted
cobaltstrike
100000
http://consumer-img.huawei.com:80/lib/v2/wcp-consent.js
-
access_type
512
-
host
consumer-img.huawei.com,/lib/v2/wcp-consent.js
-
http_header1
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAABAAAAAaSG9zdDogc3RhdGljLm1pY3Jvc29mdC5jb20AAAAKAAAAJlJlZmVyZXI6IGh0dHBzOi8vc3RhdGljLm1pY3Jvc29mdC5jb20vAAAACgAAAB5BY2NlcHQtRW5jb2Rpbmc6IGd6aXAsIGRlZmxhdGUAAAAHAAAAAAAAAA0AAAACAAAACF9fbXMtY3Y9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_header2
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAABAAAAAVSG9zdDogY2RuLmJvb3Rjc3MuY29tAAAACgAAACBSZWZlcmVyOiBodHRwOi8vY2RuLmJvb3Rjc3MuY29tLwAAAAoAAAAeQWNjZXB0LUVuY29kaW5nOiBnemlwLCBkZWZsYXRlAAAABwAAAAAAAAANAAAABQAAAAdfX21zLWN2AAAABwAAAAEAAAANAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_method1
GET
-
http_method2
POST
-
polling_time
30000
-
port_number
80
-
sc_process32
%windir%\syswow64\runonce.exe
-
sc_process64
%windir%\sysnative\runonce.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCJKQv1XF4Cmh2xywEarCa/bP0HPP+UFEQJHMOo5NsyVYvAVfHd59D4LmvVhtB6dvdqdkLUunc6NQljbO4D42xMOrFI41rqlbFibjEJQYX58RbZvjS1bhHVKa9XdQIQRpuk3eWO4Pk+iGyM1gHKjyZT+PV5lhUp1aBwAUirc7UnEQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
1.448416512e+09
-
unknown2
AAAABAAAAA0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/lib/v2/recaptcha__en.js
-
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4044.62 Safari/537.36
-
watermark
100000
Extracted
cobaltstrike
0
-
watermark
0
Signatures
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Blocklisted process makes network request 10 IoCs
Processes:
rundll32.exeflow pid process 6 2240 rundll32.exe 7 2240 rundll32.exe 39 2240 rundll32.exe 40 2240 rundll32.exe 50 2240 rundll32.exe 51 2240 rundll32.exe 56 2240 rundll32.exe 57 2240 rundll32.exe 60 2240 rundll32.exe 59 2240 rundll32.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
cmd.exeWScript.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation cmd.exe Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation WScript.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
Processes:
explorer.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings explorer.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
cmd.exeexplorer.exeWScript.exedescription pid process target process PID 4284 wrote to memory of 4300 4284 cmd.exe explorer.exe PID 4284 wrote to memory of 4300 4284 cmd.exe explorer.exe PID 1528 wrote to memory of 2388 1528 explorer.exe WScript.exe PID 1528 wrote to memory of 2388 1528 explorer.exe WScript.exe PID 2388 wrote to memory of 2240 2388 WScript.exe rundll32.exe PID 2388 wrote to memory of 2240 2388 WScript.exe rundll32.exe
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\xshell软件排查结果反馈\xshell软件排查结果反馈.docx.lnk1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe" ".\其他材料\.__MACOSX__\.__MACOS__\._MACOS_\cs.vbs"2⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\xshell软件排查结果反馈\其他材料\.__MACOSX__\.__MACOS__\._MACOS_\cs.vbs"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\xshell软件排查结果反馈\其他材料\.__MACOSX__\.__MACOS__\._MACOS_\mc.dll,Test3⤵
- Blocklisted process makes network request
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2240-0-0x000001C383780000-0x000001C3837C1000-memory.dmpFilesize
260KB
-
memory/2240-5-0x000001C383780000-0x000001C3837CF000-memory.dmpFilesize
316KB
-
memory/2240-4-0x000001C3A9330000-0x000001C3A937F000-memory.dmpFilesize
316KB
-
memory/2240-6-0x000001C383780000-0x000001C3837C1000-memory.dmpFilesize
260KB
-
memory/2240-7-0x00000000712A0000-0x00000000717A6000-memory.dmpFilesize
5.0MB
-
memory/2240-9-0x000001C383780000-0x000001C3837C1000-memory.dmpFilesize
260KB