Analysis
-
max time kernel
147s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system -
submitted
17-04-2024 05:52
Static task
static1
Behavioral task
behavioral1
Sample
c16a2a2f422fe378a8b4a65ce9c47139764277682cf113ff6564046dc19d9f61.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
c16a2a2f422fe378a8b4a65ce9c47139764277682cf113ff6564046dc19d9f61.exe
Resource
win10v2004-20240412-en
General
-
Target
c16a2a2f422fe378a8b4a65ce9c47139764277682cf113ff6564046dc19d9f61.exe
-
Size
1.8MB
-
MD5
69359444b4d6c20a5d35760c4e398e72
-
SHA1
b18cafef685055e4bdbe34a090d0cf11028b5d86
-
SHA256
c16a2a2f422fe378a8b4a65ce9c47139764277682cf113ff6564046dc19d9f61
-
SHA512
eec44f156cfd811b638c85da9a5c5b2f03d3e3ec621e4229cf7d2361e72296e23e1dd5f4a0d78ab02ce390e70aae54c068cbf3b491120d671069098c26342070
-
SSDEEP
24576:VhQYeEDa/vWCcFbPzvTtfO6BgCf5ekB1ovK+am89fnK4X9ZNYd1MV1FdKD1vWk+p:VS0k69FXpKD1LpIYDrcp2fS/XTl
Malware Config
Extracted
cobaltstrike
http://43.142.193.86:80/sIp1
-
user_agent
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSE)
Signatures
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Executes dropped EXE 1 IoCs
Processes:
fdp.exe
pid   process
3732  fdp.exe
-
Suspicious behavior: RenamesItself 1 IoCs
Processes:
c16a2a2f422fe378a8b4a65ce9c47139764277682cf113ff6564046dc19d9f61.exe
pid   process
4192  c16a2a2f422fe378a8b4a65ce9c47139764277682cf113ff6564046dc19d9f61.exe
-
Suspicious use of WriteProcessMemory 5 IoCs
Processes:
c16a2a2f422fe378a8b4a65ce9c47139764277682cf113ff6564046dc19d9f61.exe
description                        pid   process                                                                   target process
PID 4192 wrote to memory of 2656   4192  c16a2a2f422fe378a8b4a65ce9c47139764277682cf113ff6564046dc19d9f61.exe  cmd.exe
PID 4192 wrote to memory of 2656   4192  c16a2a2f422fe378a8b4a65ce9c47139764277682cf113ff6564046dc19d9f61.exe  cmd.exe
PID 4192 wrote to memory of 2656   4192  c16a2a2f422fe378a8b4a65ce9c47139764277682cf113ff6564046dc19d9f61.exe  cmd.exe
PID 4192 wrote to memory of 3732   4192  c16a2a2f422fe378a8b4a65ce9c47139764277682cf113ff6564046dc19d9f61.exe  fdp.exe
PID 4192 wrote to memory of 3732   4192  c16a2a2f422fe378a8b4a65ce9c47139764277682cf113ff6564046dc19d9f61.exe  fdp.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\c16a2a2f422fe378a8b4a65ce9c47139764277682cf113ff6564046dc19d9f61.exe
"C:\Users\Admin\AppData\Local\Temp\c16a2a2f422fe378a8b4a65ce9c47139764277682cf113ff6564046dc19d9f61.exe"
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
-
  C:\Windows\SysWOW64\cmd.exe
  cmd " /c " C:\Users\Admin\AppData\Local\Temp\中国计量大学现代科技学院关于10月9日施行临时封闭管理措施(1).docx
-
  C:\Users\Public\fdp.exe
  C:\Users\Public\fdp.exe
  - Executes dropped EXE
Network
MITRE ATT&CK Matrix
Downloads
-
C:\Users\Public\fdp.exe
Filesize
19KB
MD5
85ca4c24b93dde56321e62ce71aa8bb2
SHA1
4eab75f775686e0bc73227158a1efa432aa462e9
SHA256
d477d9fdfd2da88396a21f277c066635d34c6ed17c570b740364d7e04d3618eb
SHA512
135775dab2dd24b345e33ac6a026e72d8b37b63a2f4156921c8995dd5e1cf2a8219571f29de4ded832d4d4cc8a6235449f962e797065ad6094ba1b622eb5aec6
-
memory/3732-5-0x00007FF677E30000-0x00007FF677E38000-memory.dmp
Filesize
32KB
-
memory/3732-6-0x0000021A6A440000-0x0000021A6A442000-memory.dmp
Filesize
8KB