Analysis
max time kernel: 149s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-04-2024 10:34
Static task: static1
Behavioral task: behavioral1
Sample: 41bcdc3fc4c878fb34ebebeff6ff7d158be166d3fc220f3b90f225ae3757f2e8.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: 41bcdc3fc4c878fb34ebebeff6ff7d158be166d3fc220f3b90f225ae3757f2e8.exe
Resource: win10v2004-20240226-en
General
Target: 41bcdc3fc4c878fb34ebebeff6ff7d158be166d3fc220f3b90f225ae3757f2e8.exe
Size: 565KB
MD5: 11f483182a6d4f1a0dd2682e58b4eaf0
SHA1: 57ebd92b2f0c2269a3aa1aea74498a44041ecc75
SHA256: 41bcdc3fc4c878fb34ebebeff6ff7d158be166d3fc220f3b90f225ae3757f2e8
SHA512: 028e321cf5bdde26660f98477fbbc23607f48a724ecbfd6041969828c09b10e0f0603c1551f63f998a9b6c4964363bbd6f4b4fbd2fea07bc2f42fe57fdaca144
SSDEEP: 6144:8M1HMUCuFyhyGUKnjZ0dxuhUMA3eIJuMPJCVy+tPXbLE8x/RSI2SS:8MaUCAwUMZ0PRJZMBPbLE8x
Malware Config
Extracted
cobaltstrike
0
-
watermark
0
Signatures
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Process: 41bcdc3fc4c878fb34ebebeff6ff7d158be166d3fc220f3b90f225ae3757f2e8.exe
description: Key value queried | ioc: \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation | process: 41bcdc3fc4c878fb34ebebeff6ff7d158be166d3fc220f3b90f225ae3757f2e8.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
Process: WINWORD.EXE
description: Key opened | ioc: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | process: WINWORD.EXE
description: Key value queried | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | process: WINWORD.EXE
description: Key value queried | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | process: WINWORD.EXE
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
Process: WINWORD.EXE
description: Key opened | ioc: \REGISTRY\MACHINE\Hardware\Description\System\BIOS | process: WINWORD.EXE
description: Key value queried | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | process: WINWORD.EXE
description: Key value queried | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | process: WINWORD.EXE
-
Modifies registry class 1 IoCs
Processes:
Process: 41bcdc3fc4c878fb34ebebeff6ff7d158be166d3fc220f3b90f225ae3757f2e8.exe
description: Key created | ioc: \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings | process: 41bcdc3fc4c878fb34ebebeff6ff7d158be166d3fc220f3b90f225ae3757f2e8.exe
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
Process: WINWORD.EXE
pid: 4668 | process: WINWORD.EXE
pid: 4668 | process: WINWORD.EXE
-
Suspicious use of SetWindowsHookEx 10 IoCs
Processes:
Process: WINWORD.EXE
pid: 4668 | process: WINWORD.EXE (10 identical entries)
-
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
Process: 41bcdc3fc4c878fb34ebebeff6ff7d158be166d3fc220f3b90f225ae3757f2e8.exe
description: PID 4568 wrote to memory of 4668 | pid/process: 4568 41bcdc3fc4c878fb34ebebeff6ff7d158be166d3fc220f3b90f225ae3757f2e8.exe | target process: WINWORD.EXE
description: PID 4568 wrote to memory of 4668 | pid/process: 4568 41bcdc3fc4c878fb34ebebeff6ff7d158be166d3fc220f3b90f225ae3757f2e8.exe | target process: WINWORD.EXE
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\41bcdc3fc4c878fb34ebebeff6ff7d158be166d3fc220f3b90f225ae3757f2e8.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\41bcdc3fc4c878fb34ebebeff6ff7d158be166d3fc220f3b90f225ae3757f2e8.exe"
(process tree level 1)
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\41bcdc3fc4c878fb34ebebeff6ff7d158be166d3fc220f3b90f225ae3757f2e8.docx" /o ""
(process tree level 2, child of the process above)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Temp\41bcdc3fc4c878fb34ebebeff6ff7d158be166d3fc220f3b90f225ae3757f2e8.docx
Filesize: 113KB
MD5: 66d160ab553ff1a90af31b851dc0a108
SHA1: c39e723e18914280f5420573e58264e640e895ab
SHA256: d868970f1f89fcd01c0ef7fcdeac90696e3248796cec927b39e0ea5f1db7001d
SHA512: cdccca152014e1c0628e4af16979e9927940fecef940a1dcb370130c0906cb0826926e3084e450674475774bb546776026bd870f66f689530e724a88c98f5aca
-
memory/4568-50-0x000001532D070000-0x000001532D0BE000-memory.dmp
Filesize: 312KB
-
memory/4568-49-0x000001532D1E0000-0x000001532D2E0000-memory.dmp
Filesize: 1024KB
-
memory/4568-42-0x000001532D070000-0x000001532D0BE000-memory.dmp
Filesize: 312KB
-
memory/4568-41-0x000001532D1E0000-0x000001532D2E0000-memory.dmp
Filesize: 1024KB
-
memory/4568-40-0x00007FF7B20D0000-0x00007FF7B2166000-memory.dmp
Filesize: 600KB
-
memory/4568-30-0x00007FF7B20D0000-0x00007FF7B2166000-memory.dmp
Filesize: 600KB
-
memory/4668-16-0x00007FFCABFB0000-0x00007FFCABFC0000-memory.dmp
Filesize: 64KB
-
memory/4668-14-0x00007FFCABFB0000-0x00007FFCABFC0000-memory.dmp
Filesize: 64KB
-
memory/4668-17-0x00007FFCEBF30000-0x00007FFCEC125000-memory.dmp
Filesize: 2.0MB
-
memory/4668-12-0x00007FFCABFB0000-0x00007FFCABFC0000-memory.dmp
Filesize: 64KB
-
memory/4668-18-0x00007FFCEBF30000-0x00007FFCEC125000-memory.dmp
Filesize: 2.0MB
-
memory/4668-19-0x00007FFCA9E50000-0x00007FFCA9E60000-memory.dmp
Filesize: 64KB
-
memory/4668-20-0x00007FFCA9E50000-0x00007FFCA9E60000-memory.dmp
Filesize: 64KB
-
memory/4668-15-0x00007FFCEBF30000-0x00007FFCEC125000-memory.dmp
Filesize: 2.0MB
-
memory/4668-35-0x00007FFCEBF30000-0x00007FFCEC125000-memory.dmp
Filesize: 2.0MB
-
memory/4668-36-0x00007FFCEBF30000-0x00007FFCEC125000-memory.dmp
Filesize: 2.0MB
-
memory/4668-13-0x00007FFCEBF30000-0x00007FFCEC125000-memory.dmp
Filesize: 2.0MB
-
memory/4668-9-0x00007FFCEBF30000-0x00007FFCEC125000-memory.dmp
Filesize: 2.0MB
-
memory/4668-10-0x00007FFCABFB0000-0x00007FFCABFC0000-memory.dmp
Filesize: 64KB
-
memory/4668-11-0x00007FFCEBF30000-0x00007FFCEC125000-memory.dmp
Filesize: 2.0MB
-
memory/4668-8-0x00007FFCABFB0000-0x00007FFCABFC0000-memory.dmp
Filesize: 64KB