Analysis
max time kernel: 151s
max time network: 163s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 10-04-2024 10:49
Static task: static1
Behavioral task: behavioral1
  Sample: 4a438626ac962db91cde46ee2c04c850b46262599bc535b4a08209661d5fb44d.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 4a438626ac962db91cde46ee2c04c850b46262599bc535b4a08209661d5fb44d.exe
  Resource: win10v2004-20240319-en
General
Target: 4a438626ac962db91cde46ee2c04c850b46262599bc535b4a08209661d5fb44d.exe
Size: 724KB
MD5: bde91a78424fd430ff76a35e0f13b261
SHA1: f30cd68daf082becf0eac8efaaeb4bfe14396144
SHA256: 4a438626ac962db91cde46ee2c04c850b46262599bc535b4a08209661d5fb44d
SHA512: 465df8a1e6878c1bcc886db6cd194d535e9f4db27c1cc197b4708b331d0d02dbe06a78e0c2394f0f2c7550ccf84ad9fecc9c55d88129ce68a486d3f4027e0f9a
SSDEEP: 12288:PqhYIofbUkXpagXo2+S+TRclgcPyxXAMr7GzC8tnfESG9W1SOkOWZm2SZYiZBKPX:PO50YkW2+NTRiqxwpzdZsSVsOmmR3Zk3
Malware Config
Extracted
Family: cobaltstrike
Watermark: 426352781
C2: http://pypi.python.org:443/latest/pip-check
access_type: 512
beacon_type: 2048
host: pypi.python.org,/latest/pip-check
http_header1:
http_header2:
http_method1: GET
http_method2: POST
jitter: 2560
polling_time: 1000
port_number: 443
sc_process32: %windir%\syswow64\dllhost.exe
sc_process64: %windir%\sysnative\dllhost.exe
state_machine: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCmV0fCtMxIXtGF3+FyYKSiU1yVjtm3FlG6Mej3iMRBgSTd45Sa41JLXaoOjKxePWNN4wyUUInzIPEYA6fdx4N/+zwru33xzNAdipcbN3RLZg8v3s8Zu6vVXoj7apcBJy2ObQsYhoYAialaTKe4dWOVnbUJK46Ve8gDPeudH52IRQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1: 1.733629184e+09
unknown2: AAAABAAAAAEAAAACAAAAAgAAAAoAAAACAAAAAAAAAA0AAAAPAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri: /latest/check
user_agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36
watermark: 426352781
Signatures
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies Internet Explorer settings
  Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | WINWORD.EXE
  Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | WINWORD.EXE
  Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\MenuExt | WINWORD.EXE
  Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | WINWORD.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | WINWORD.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | WINWORD.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  Processes:
  pid | process
  2964 | WINWORD.EXE
- Suspicious use of SetWindowsHookEx (7 IoCs)
  Processes:
  pid | process
  2964 | WINWORD.EXE
  2964 | WINWORD.EXE
  2964 | WINWORD.EXE
  2964 | WINWORD.EXE
  2964 | WINWORD.EXE
  2964 | WINWORD.EXE
  2964 | WINWORD.EXE
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
  description | pid | process | target process
  PID 1048 wrote to memory of 2964 | 1048 | 4a438626ac962db91cde46ee2c04c850b46262599bc535b4a08209661d5fb44d.exe | WINWORD.EXE
  PID 1048 wrote to memory of 2964 | 1048 | 4a438626ac962db91cde46ee2c04c850b46262599bc535b4a08209661d5fb44d.exe | WINWORD.EXE
  PID 1048 wrote to memory of 2964 | 1048 | 4a438626ac962db91cde46ee2c04c850b46262599bc535b4a08209661d5fb44d.exe | WINWORD.EXE
  PID 1048 wrote to memory of 2964 | 1048 | 4a438626ac962db91cde46ee2c04c850b46262599bc535b4a08209661d5fb44d.exe | WINWORD.EXE
Processes
1. C:\Users\Admin\AppData\Local\Temp\4a438626ac962db91cde46ee2c04c850b46262599bc535b4a08209661d5fb44d.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\4a438626ac962db91cde46ee2c04c850b46262599bc535b4a08209661d5fb44d.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\4a438626ac962db91cde46ee2c04c850b46262599bc535b4a08209661d5fb44d.doc"
      - Modifies Internet Explorer settings
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
  Filesize: 68KB
  MD5: 29f65ba8e88c063813cc50a4ea544e93
  SHA1: 05a7040d5c127e68c25d81cc51271ffb8bef3568
  SHA256: 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
  SHA512: e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F59A01A8B782D93EA6991BC172CEFFB1
  Filesize: 867B
  MD5: c5dfb849ca051355ee2dba1ac33eb028
  SHA1: d69b561148f01c77c54578c10926df5b856976ad
  SHA256: cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b
  SHA512: 88289cdd2c2dd1f5f4c13ab2cf9bc601fc634b5945309bedf9fc5b96bf21697b4cd6da2f383497825e02272816befbac4f44955282ffbbd4dd0ddc52281082da
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F59A01A8B782D93EA6991BC172CEFFB1
  Filesize: 242B
  MD5: bd5b87e9507ca88695cbc70a5c4c47d4
  SHA1: 7e4f44177522515ba4f8add85b4f17a1ee3f8f77
  SHA256: 96f450291666d7a2dff0d7882c6d3e2826840301decd19274e7f0597d6cb707e
  SHA512: 7521cec10ce9da29c4598fd8a55f694cea88b216aa014acac9dceaa5ff84b27e143fa5384e6fcc61784c767f46227d18e1c3eaf128df74f97557fca9ce13f6b4
- C:\Users\Admin\AppData\Local\Temp\4a438626ac962db91cde46ee2c04c850b46262599bc535b4a08209661d5fb44d.doc
  Filesize: 276KB
  MD5: 5a4fdb2646076d704d740327a6a88030
  SHA1: 9126f323d106423f7f7a70a42718ff0256ebdba7
  SHA256: c7ea88d6c634b9e01735d62bd272997183e217b1929000bc723c4e052a970e45
  SHA512: dad0355d1ddf50f23fab77991a1d0e926396b70976c2c23ced2cc417ae935ddae37cd9eab280b2174a139a67f58005311753290b156ac94d175977117b409014
- C:\Users\Admin\AppData\Local\Temp\TarE335.tmp
  Filesize: 177KB
  MD5: 435a9ac180383f9fa094131b173a2f7b
  SHA1: 76944ea657a9db94f9a4bef38f88c46ed4166983
  SHA256: 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
  SHA512: 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a
- memory/1048-8-0x00000000021D0000-0x0000000002250000-memory.dmp
  Filesize: 512KB
- memory/1048-9-0x00000000021D0000-0x0000000002250000-memory.dmp
  Filesize: 512KB
- memory/1048-10-0x0000000002150000-0x000000000219E000-memory.dmp
  Filesize: 312KB
- memory/1048-1062-0x0000000002150000-0x000000000219E000-memory.dmp
  Filesize: 312KB
- memory/2964-6-0x000000007190D000-0x0000000071918000-memory.dmp
  Filesize: 44KB
- memory/2964-1-0x000000002F951000-0x000000002F952000-memory.dmp
  Filesize: 4KB
- memory/2964-3-0x000000007190D000-0x0000000071918000-memory.dmp
  Filesize: 44KB
- memory/2964-2-0x000000005FFF0000-0x0000000060000000-memory.dmp
  Filesize: 64KB