Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system -
submitted
12-04-2024 12:52
Static task
static1
Behavioral task
behavioral1
Sample
2024-04-12_e99ff56fe506975fa18cb1e7e775fdd6_cobalt-strike_ryuk.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
2024-04-12_e99ff56fe506975fa18cb1e7e775fdd6_cobalt-strike_ryuk.exe
Resource
win10v2004-20240226-en
General
-
Target
2024-04-12_e99ff56fe506975fa18cb1e7e775fdd6_cobalt-strike_ryuk.exe
-
Size
583KB
-
MD5
e99ff56fe506975fa18cb1e7e775fdd6
-
SHA1
b1e43558e8e4850121c00e795488471f32b31dfe
-
SHA256
732fbb3f1c828c6f1cbe0492a35feaae4cb1b68d04d9b0e82e82deddc0c48d97
-
SHA512
3b0416ee6f91160a612baf995bbb7aa73f57937c2198b3dd0e4be4b56d0634e66c5756c7322c3f34859adaa12e4bdece043c48fb9f1d04a52a1a4792b3049dc1
-
SSDEEP
12288:12ye/RY4Lmil2eRM756/b5utNNTX5c6vSNNyh:My54T9/+X5cyh
Malware Config
Extracted
cobaltstrike
http://img.uioqwea.xyz:8443/messages/DALBNSFFT4Q
-
user_agent
Accept: text/html,application/*,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Host: img.uioqwea.xyz
Referer: http://code.jquery.com/
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/6.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/7.0)
Extracted
cobaltstrike
100000
http://img.uioqwea.xyz:8443/messages/xV5GdE
-
access_type
512
-
beacon_type
2048
-
host
img.uioqwea.xyz,/messages/xV5GdE
-
http_header1
-
http_header2
-
http_method1
GET
-
http_method2
POST
-
jitter
2560
-
polling_time
10000
-
port_number
8443
-
sc_process32
%windir%\syswow64\esentutl.exe
-
sc_process64
%windir%\sysnative\esentutl.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCaQGOQzaqqQLDxqfNAdfZu7isKEAhtTHok92MhWQ6haLF6I92+W3zIHm5+FBWaPVxJ+LV5YaSDuXAwGrTKzYDu/MHzXYcuENLyL4dRuFbJBfJwRImaLDke8V2+zhN0vu0ZSNtDIE4xEKf/UzAj6i/Jdh0+Ha72abUlVMBRn37jLwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
3.092976896e+09
-
unknown2
AAAABAAAAAEAAATAAAAAAQAAAAwAAAACAAABlAAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/messages/96OpFu
-
user_agent
Mozilla/6.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/7.0)
-
watermark
100000
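The fields above are the Beacon configuration block: a list of index/type/length/value entries stored big-endian and masked with a single XOR byte (0x2e in 4.x builds, 0x69 in 3.x). Two things in the extraction are worth checking before the values are reused. beacon_type 2048, access_type 512 and jitter 2560 are what 8, 2 and 10 become when a big-endian 16-bit field is read little-endian (0x0008 becomes 0x0800); 8 is the HTTPS beacon type, which fits port 8443. The value labelled state_machine starts with MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQ, the base64 of a DER-encoded 1024-bit RSA public key, which is what Beacon's public-key setting holds. The watermark 100000 is widely reported across pirated builds and does not identify an operator. The decoder below is an added example, not code from the sandbox or from the extractor that produced this report; the setting indices follow the public Beacon config layout, and the sample blob is constructed here to mirror the report's values (it is not the real binary).

```python
"""Decode a Cobalt Strike Beacon configuration block (XOR-masked TLV list).

Added example, not part of the sandbox report. Setting indices follow the
layout documented by public Beacon config parsers; the sample blob below is
constructed to mirror the values in the report, it is not the real binary.
"""
import struct

XOR_KEYS = (0x2E, 0x69)           # 4.x builds use 0x2e, 3.x builds use 0x69
T_SHORT, T_INT, T_DATA = 1, 2, 3  # value kinds used in the TLV entries

SETTINGS = {
    1: "beacon_type", 2: "port", 3: "sleeptime", 4: "maxgetsize", 5: "jitter",
    7: "publickey", 8: "c2server", 9: "useragent", 10: "post_uri",
    12: "http_get_header", 13: "http_post_header", 14: "spawnto",
    29: "spawnto_x86", 30: "spawnto_x64", 37: "watermark",
}
BEACON_TYPES = {0: "HTTP", 1: "Hybrid HTTP DNS", 2: "SMB", 4: "TCP",
                8: "HTTPS", 16: "Bind TCP"}


def mask(blob, key):
    """Single-byte XOR; the same call masks and unmasks."""
    return bytes(b ^ key for b in blob)


def encode_setting(index, kind, value):
    """index(>H) kind(>H) length(>H) value, all big-endian."""
    if kind == T_SHORT:
        body = struct.pack(">H", value)
    elif kind == T_INT:
        body = struct.pack(">I", value)
    else:
        body = value.encode() if isinstance(value, str) else value
    return struct.pack(">HHH", index, kind, len(body)) + body


def parse_settings(plain):
    """Walk the unmasked TLV list until the index-0 terminator."""
    out, pos = {}, 0
    while pos + 6 <= len(plain):
        index, kind, length = struct.unpack_from(">HHH", plain, pos)
        pos += 6
        if index == 0:
            break
        raw = plain[pos:pos + length]
        pos += length
        if kind == T_SHORT:
            value = struct.unpack(">H", raw[:2])[0]
        elif kind == T_INT:
            value = struct.unpack(">I", raw[:4])[0]
        else:
            value = raw.rstrip(b"\x00")       # string fields are NUL padded
            try:
                value = value.decode()
            except UnicodeDecodeError:
                pass                          # keys and binary blobs stay bytes
        out[SETTINGS.get(index, f"setting_{index}")] = value
    return out


def find_config(data):
    """Locate the masked block by the signature of its first entry
    (index 1, short, length 2) under each known key, then decode it."""
    marker = b"\x00\x01\x00\x01\x00\x02"
    for key in XOR_KEYS:
        off = data.find(mask(marker, key))
        if off == -1:
            continue
        cfg = parse_settings(mask(data[off:], key))
        cfg["xor_key"] = key
        cfg["beacon_type_name"] = BEACON_TYPES.get(cfg.get("beacon_type"), "unknown")
        return cfg
    return None


# Constructed sample: the report's values, with the short fields written
# big-endian as Beacon stores them (8 = HTTPS, jitter 10 percent).
SAMPLE_SETTINGS = [
    (1, T_SHORT, 8),
    (2, T_SHORT, 8443),
    (3, T_INT, 10000),
    (5, T_SHORT, 10),
    (8, T_DATA, "img.uioqwea.xyz,/messages/xV5GdE"),
    (9, T_DATA, "Mozilla/6.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/7.0)"),
    (10, T_DATA, "/messages/96OpFu"),
    (29, T_DATA, "%windir%\\syswow64\\esentutl.exe"),
    (30, T_DATA, "%windir%\\sysnative\\esentutl.exe"),
    (37, T_INT, 100000),
]


def build_sample(key=0x2E):
    """Mask the sample settings and bury them in filler so find_config has to search."""
    plain = b"".join(encode_setting(i, k, v) for i, k, v in SAMPLE_SETTINGS)
    plain += b"\x00" * 6                      # index-0 terminator
    return b"MZ" + b"\x90" * 40 + mask(plain, key) + b"\xcc" * 16


if __name__ == "__main__":
    for name, value in find_config(build_sample()).items():
        print(f"{name:18} {value}")
```

Run against a real Beacon stage or the dumped memory regions listed at the end of this report, find_config scans for the masked marker under both keys; the short fields come out as 8, 8443 and 10 rather than the byte-swapped values in the extraction above.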
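The HTTP side of the same profile can be triaged from proxy or Zeek-style request records without the binary. Three things in the extracted headers do not occur in real browser traffic: the User-Agent claims Mozilla/6.0, a version no browser sends; it pairs MSIE 8.0 with Trident/7.0, the IE11 engine (IE8 shipped Trident/4.0); and the Referer names code.jquery.com while the Host is img.uioqwea.xyz. The scorer below is an added example, not the sandbox's or any vendor's detection; the request records are constructed here, not captured traffic, and the IOC set is the host, URIs and User-Agent from the extracted config above. MSIE 7.0 is deliberately exempt from the engine check because IE9 to IE11 send it with their own Trident token in compatibility view.

```python
"""Score HTTP requests against the beacon profile in the extracted config.

Added example, not part of the report or of any vendor's detection. The
request records are constructed (proxy-log style); the IOC values are the
host, URIs and User-Agent listed in the Malware Config section.
"""
import re
from urllib.parse import urlsplit

C2_HOSTS = {"img.uioqwea.xyz"}
C2_URIS = {"/messages/DALBNSFFT4Q", "/messages/xV5GdE", "/messages/96OpFu"}
C2_UA = "Mozilla/6.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/7.0)"

# Trident engine version -> the only MSIE token that engine ever shipped with.
# MSIE 7.0 is handled separately: IE9..IE11 send it in compatibility view.
TRIDENT_SHIPPED_WITH = {"4.0": "8.0", "5.0": "9.0", "6.0": "10.0"}


def ua_inconsistencies(ua):
    """Profile flaws a real browser would not produce."""
    reasons = []
    m = re.match(r"Mozilla/(\d+\.\d+)", ua)
    if m and m.group(1) not in ("4.0", "5.0"):
        reasons.append(f"Mozilla/{m.group(1)} is not a version any browser sends")
    msie = re.search(r"MSIE (\d+\.\d+)", ua)
    trident = re.search(r"Trident/(\d+\.\d+)", ua)
    if msie and trident and msie.group(1) != "7.0":
        if TRIDENT_SHIPPED_WITH.get(trident.group(1)) != msie.group(1):
            reasons.append(f"MSIE {msie.group(1)} did not ship with Trident/{trident.group(1)}")
    return reasons


def score_request(req):
    """All reasons one request record looks like this beacon profile."""
    reasons = ua_inconsistencies(req["user_agent"])
    ref_host = urlsplit(req.get("referer", "")).hostname
    if ref_host == "code.jquery.com" and req["host"] != "code.jquery.com":
        reasons.append("Referer names code.jquery.com but the request goes elsewhere "
                       "(weak on its own; jQuery-themed malleable profiles do this)")
    hits = [name for name, ok in (("host", req["host"] in C2_HOSTS),
                                  ("uri", req["uri"] in C2_URIS),
                                  ("user_agent", req["user_agent"] == C2_UA)) if ok]
    if hits:
        reasons.append("matches extracted beacon config: " + ", ".join(hits))
    return reasons


def triage(requests):
    """Map 'METHOD host uri' -> reasons for every request that scores at all."""
    out = {}
    for r in requests:
        reasons = score_request(r)
        if reasons:
            out[f'{r["method"]} {r["host"]}{r["uri"]}'] = reasons
    return out


# Constructed records: two beacon transactions and two benign requests.
SAMPLE_REQUESTS = [
    {"method": "GET", "host": "img.uioqwea.xyz", "uri": "/messages/xV5GdE",
     "user_agent": C2_UA, "referer": "http://code.jquery.com/"},
    {"method": "POST", "host": "img.uioqwea.xyz", "uri": "/messages/96OpFu",
     "user_agent": C2_UA, "referer": "http://code.jquery.com/"},
    {"method": "GET", "host": "code.jquery.com", "uri": "/jquery-3.6.0.min.js",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                   "(KHTML, like Gecko) Chrome/120.0 Safari/537.36",
     "referer": "https://www.example.com/"},
    # IE11 in compatibility view: MSIE 7.0 with Trident/7.0 is legitimate
    {"method": "GET", "host": "www.example.com", "uri": "/",
     "user_agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0)",
     "referer": ""},
]

if __name__ == "__main__":
    for key, reasons in triage(SAMPLE_REQUESTS).items():
        print(key)
        for reason in reasons:
            print("   ", reason)
```

The UA checks are profile-level and survive a change of domain; the IOC match is exact and only catches this build. Both beacon records score on all counts, the jQuery CDN fetch and the compatibility-view browser score on none.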
Signatures
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
cmd.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | cmd.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXE
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
-
Modifies registry class 1 IoCs
Processes:
cmd.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings | cmd.exe
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXE
pid | process
3316 | WINWORD.EXE
3316 | WINWORD.EXE
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
2024-04-12_e99ff56fe506975fa18cb1e7e775fdd6_cobalt-strike_ryuk.exe
pid | process
1084 | 2024-04-12_e99ff56fe506975fa18cb1e7e775fdd6_cobalt-strike_ryuk.exe
1084 | 2024-04-12_e99ff56fe506975fa18cb1e7e775fdd6_cobalt-strike_ryuk.exe
-
Suspicious behavior: RenamesItself 1 IoCs
Processes:
2024-04-12_e99ff56fe506975fa18cb1e7e775fdd6_cobalt-strike_ryuk.exe
pid | process
1084 | 2024-04-12_e99ff56fe506975fa18cb1e7e775fdd6_cobalt-strike_ryuk.exe
-
Suspicious use of AdjustPrivilegeToken 20 IoCs
Processes:
Explorer.EXE
description | pid | process
Token: SeShutdownPrivilege | 3408 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3408 | Explorer.EXE
(the pair above is repeated 10 times in the report, 20 IoCs in total)
-
Suspicious use of FindShellTrayWindow 6 IoCs
Processes:
Explorer.EXE
pid | process
3408 | Explorer.EXE (6 occurrences)
-
Suspicious use of SendNotifyMessage 6 IoCs
Processes:
Explorer.EXE
pid | process
3408 | Explorer.EXE (6 occurrences)
-
Suspicious use of SetWindowsHookEx 10 IoCs
Processes:
WINWORD.EXE
pid | process
3316 | WINWORD.EXE (10 occurrences)
-
Suspicious use of WriteProcessMemory 5 IoCs
Processes:
2024-04-12_e99ff56fe506975fa18cb1e7e775fdd6_cobalt-strike_ryuk.exe, cmd.exe
description | pid | process | target process
PID 1084 wrote to memory of 4364 | 1084 | 2024-04-12_e99ff56fe506975fa18cb1e7e775fdd6_cobalt-strike_ryuk.exe | cmd.exe
PID 1084 wrote to memory of 4364 | 1084 | 2024-04-12_e99ff56fe506975fa18cb1e7e775fdd6_cobalt-strike_ryuk.exe | cmd.exe
PID 4364 wrote to memory of 3316 | 4364 | cmd.exe | WINWORD.EXE
PID 4364 wrote to memory of 3316 | 4364 | cmd.exe | WINWORD.EXE
PID 1084 wrote to memory of 3408 | 1084 | 2024-04-12_e99ff56fe506975fa18cb1e7e775fdd6_cobalt-strike_ryuk.exe | Explorer.EXE
Processes
-
C:\Windows\Explorer.EXE (depth 1)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  -
  C:\Users\Admin\AppData\Local\Temp\2024-04-12_e99ff56fe506975fa18cb1e7e775fdd6_cobalt-strike_ryuk.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-12_e99ff56fe506975fa18cb1e7e775fdd6_cobalt-strike_ryuk.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory
    -
    C:\Windows\SYSTEM32\cmd.exe (depth 3)
      Command line: cmd /cd2J4Z2xjbm0.doc
      - Checks computer location settings
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      -
      C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (depth 4)
        Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\d2J4Z2xjbm0.doc" /o ""
        - Checks processor information in registry
        - Enumerates system info in registry
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious use of SetWindowsHookEx
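The tree above is a decoy-document chain: the dropper in the user's Temp directory runs cmd.exe with the document name, cmd.exe opens the non-executable file through its shell association, and Word loads d2J4Z2xjbm0.doc from Temp while the beacon keeps running in the original process. The WriteProcessMemory entries in the Signatures section are the same three hops (1084 to 4364 to 3316). As an added example, not the sandbox's own signature logic, the detection below walks Sysmon-style process-creation records for exactly that lineage; the records are constructed from the tree above and are not real telemetry. The command-line regex tolerates the missing space in "cmd /cd2J4Z2xjbm0.doc" as the report shows it.

```python
"""Flag the decoy-document chain in the report's process tree:
dropper in a user-writable directory -> cmd.exe /c <document> -> Office.

Added example, not the sandbox's own signature logic. The event records are
constructed from the process tree above (Sysmon-style fields); they are not
real telemetry.
"""
import re
from pathlib import PureWindowsPath

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
DOC_EXT = {".doc", ".docx", ".rtf", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf"}
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\")
# "cmd /c <doc>"; \s* because the report shows the form "cmd /cd2J4Z2xjbm0.doc"
DOC_AFTER_C = re.compile(
    r'/c\s*"?([^"\s]+?\.(?:docx?|rtf|xlsx?|pptx?|pdf))(?=["\s]|$)', re.I)


def basename(path):
    return PureWindowsPath(path).name.lower()


def in_user_writable_dir(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)


def document_args(cmdline):
    """Quoted or bare tokens on a command line that look like documents."""
    tokens = [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]
    return [t for t in tokens if PureWindowsPath(t).suffix.lower() in DOC_EXT]


def find_decoy_chains(events):
    """Return one alert per Office process whose parent is cmd.exe /c <doc>
    and whose grandparent is an executable in a user-writable directory."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for office in events:
        if basename(office["image"]) not in OFFICE:
            continue
        shell = by_pid.get(office["ppid"])
        if not shell or basename(shell["image"]) != "cmd.exe":
            continue
        m = DOC_AFTER_C.search(shell["cmdline"])
        if not m:
            continue
        opened = [d for d in document_args(office["cmdline"])
                  if basename(d) == basename(m.group(1))]
        dropper = by_pid.get(shell["ppid"])
        if not opened or not dropper or not in_user_writable_dir(dropper["image"]):
            continue
        alerts.append({"dropper": dropper["image"], "decoy": opened[0],
                       "chain": [dropper["pid"], shell["pid"], office["pid"]]})
    return alerts


# Constructed from the process tree in the report, plus two benign records.
SAMPLE_EVENTS = [
    {"pid": 3408, "ppid": 1, "image": r"C:\Windows\Explorer.EXE",
     "cmdline": r"C:\Windows\Explorer.EXE"},
    {"pid": 1084, "ppid": 3408,
     "image": r"C:\Users\Admin\AppData\Local\Temp\2024-04-12_e99ff56fe506975fa18cb1e7e775fdd6_cobalt-strike_ryuk.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\2024-04-12_e99ff56fe506975fa18cb1e7e775fdd6_cobalt-strike_ryuk.exe"'},
    {"pid": 4364, "ppid": 1084, "image": r"C:\Windows\SYSTEM32\cmd.exe",
     "cmdline": "cmd /cd2J4Z2xjbm0.doc"},
    {"pid": 3316, "ppid": 4364,
     "image": r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE",
     "cmdline": r'"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\d2J4Z2xjbm0.doc" /o ""'},
    # benign: the user double-clicks a document in Documents
    {"pid": 5000, "ppid": 3408,
     "image": r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE",
     "cmdline": r'"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\report.docx"'},
    # benign: cmd.exe from Explorer running an ordinary command
    {"pid": 5100, "ppid": 3408, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd /c dir"},
]

if __name__ == "__main__":
    for alert in find_decoy_chains(SAMPLE_EVENTS):
        print(alert)
```

The lineage check is what keeps this from firing on a user opening a document: Word under Explorer, or cmd.exe doing something other than handing a document to the shell, produces no alert. The dropper-in-Temp condition is the noisiest part; tighten the directory list to your environment.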
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Temp\d2J4Z2xjbm0.doc
Filesize
93KB
MD5
de72533ed8828182ad05d8e7f694548f
SHA1
06c86de28558b5cb22539a077e94884a97804f6a
SHA256
3ae8dd53d8d97d71900ee8f194e6ce2aeab40b2f01ce01f756098facd249eda2
SHA512
ce681b28fd2d3158788399d8c7f81e8b7e31eaceb8885bd4e3209c55b359afd64ef357ffe31c0114aea49ffea2dc7008e6437b863648f54be195edb5fb125c36
-
memory/3316-11-0x00007FFB558B0000-0x00007FFB558C0000-memory.dmp  Filesize 64KB
-
memory/3316-8-0x00007FFB95830000-0x00007FFB95A25000-memory.dmp  Filesize 2.0MB
-
memory/3316-13-0x00007FFB95830000-0x00007FFB95A25000-memory.dmp  Filesize 2.0MB
-
memory/3316-15-0x00007FFB95830000-0x00007FFB95A25000-memory.dmp  Filesize 2.0MB
-
memory/3316-14-0x00007FFB95830000-0x00007FFB95A25000-memory.dmp  Filesize 2.0MB
-
memory/3316-7-0x00007FFB558B0000-0x00007FFB558C0000-memory.dmp  Filesize 64KB
-
memory/3316-9-0x00007FFB558B0000-0x00007FFB558C0000-memory.dmp  Filesize 64KB
-
memory/3316-10-0x00007FFB95830000-0x00007FFB95A25000-memory.dmp  Filesize 2.0MB
-
memory/3316-12-0x00007FFB95830000-0x00007FFB95A25000-memory.dmp  Filesize 2.0MB
-
memory/3316-3-0x00007FFB558B0000-0x00007FFB558C0000-memory.dmp  Filesize 64KB
-
memory/3316-6-0x00007FFB95830000-0x00007FFB95A25000-memory.dmp  Filesize 2.0MB
-
memory/3316-4-0x00007FFB95830000-0x00007FFB95A25000-memory.dmp  Filesize 2.0MB
-
memory/3316-5-0x00007FFB558B0000-0x00007FFB558C0000-memory.dmp  Filesize 64KB
-
memory/3316-16-0x00007FFB95830000-0x00007FFB95A25000-memory.dmp  Filesize 2.0MB
-
memory/3316-18-0x00007FFB95830000-0x00007FFB95A25000-memory.dmp  Filesize 2.0MB
-
memory/3316-17-0x00007FFB53330000-0x00007FFB53340000-memory.dmp  Filesize 64KB
-
memory/3316-28-0x00007FFB95830000-0x00007FFB95A25000-memory.dmp  Filesize 2.0MB
-
memory/3316-19-0x00007FFB53330000-0x00007FFB53340000-memory.dmp  Filesize 64KB
-
memory/3316-27-0x00007FFB95830000-0x00007FFB95A25000-memory.dmp  Filesize 2.0MB
-
memory/3408-20-0x0000000000E90000-0x0000000000E91000-memory.dmp  Filesize 4KB
-
memory/3408-33-0x0000000002C10000-0x0000000002C71000-memory.dmp  Filesize 388KB