Analysis
max time kernel: 142s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-04-2024 19:15
Static task: static1
Behavioral task: behavioral1
  Sample: 87e6efd951d8828980ce97054108b3c78e765a333ae0422e6735b2e586ca8304.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 87e6efd951d8828980ce97054108b3c78e765a333ae0422e6735b2e586ca8304.exe
  Resource: win10v2004-20240226-en
General
Target: 87e6efd951d8828980ce97054108b3c78e765a333ae0422e6735b2e586ca8304.exe
Size: 1.7MB
MD5: e4f7f869fb843fb9bacab49a68c531ae
SHA1: 75e9f6901eb40d25944be820602e903262f25c2b
SHA256: 87e6efd951d8828980ce97054108b3c78e765a333ae0422e6735b2e586ca8304
SHA512: a5c8688766a2a6ac32be8f8d44b890b834cd0f869d648f913f6ce2ad40fe984e9914169adee7d154e5963d33e3200273e007648e0f359be14c8e50c5c9faf3f4
SSDEEP: 24576:LrMkmmLHo7qXzHd6xGWjrtJf/zKuoZz6h/q7dS2hHem:Lm4HoGAxBf7DLzhS7
Malware Config
Extracted: cobaltstrike
  http://47.97.41.107:443/static/js/libs/masonry.pkgd.min.js
  user_agent:
    Accept: */*
    Accept-Language: en-US,en;q=0.9
    Referer: https://www.python.org/
    Accept-Encoding: gzip, deflate, br
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.140 Safari/537.36
Signatures
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: cmd.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | cmd.exe

Executes dropped EXE (1 IoC)
Processes: mspdf.exe
  pid | process
  5108 | mspdf.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: WINWORD.EXE
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE

Modifies registry class (1 IoC)
Processes: cmd.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings | cmd.exe

Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes: WINWORD.EXE
  pid | process
  724 | WINWORD.EXE
  724 | WINWORD.EXE

Suspicious use of SetWindowsHookEx (7 IoCs)
Processes: WINWORD.EXE
  pid | process
  724 | WINWORD.EXE (7 identical entries)

Suspicious use of WriteProcessMemory (6 IoCs)
Processes: 87e6efd951d8828980ce97054108b3c78e765a333ae0422e6735b2e586ca8304.exe, cmd.exe
  description | pid | process | target process
  PID 2116 wrote to memory of 1032 | 2116 | 87e6efd951d8828980ce97054108b3c78e765a333ae0422e6735b2e586ca8304.exe | cmd.exe
  PID 2116 wrote to memory of 1032 | 2116 | 87e6efd951d8828980ce97054108b3c78e765a333ae0422e6735b2e586ca8304.exe | cmd.exe
  PID 1032 wrote to memory of 724 | 1032 | cmd.exe | WINWORD.EXE
  PID 1032 wrote to memory of 724 | 1032 | cmd.exe | WINWORD.EXE
  PID 2116 wrote to memory of 5108 | 2116 | 87e6efd951d8828980ce97054108b3c78e765a333ae0422e6735b2e586ca8304.exe | mspdf.exe
  PID 2116 wrote to memory of 5108 | 2116 | 87e6efd951d8828980ce97054108b3c78e765a333ae0422e6735b2e586ca8304.exe | mspdf.exe
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\87e6efd951d8828980ce97054108b3c78e765a333ae0422e6735b2e586ca8304.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\87e6efd951d8828980ce97054108b3c78e765a333ae0422e6735b2e586ca8304.exe"
  - Suspicious use of WriteProcessMemory

  [depth 2] C:\Windows\system32\cmd.exe
    command line: cmd /c start C:\Users\Admin\AppData\Local\Temp\docxfile273120836\投稿.docx
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

    [depth 3] C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\docxfile273120836\投稿.docx" /o ""
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of SetWindowsHookEx

  [depth 2] C:\Users\Admin\AppData\Local\Temp\docxfile273120836\mspdf.exe
    command line: C:\Users\Admin\AppData\Local\Temp\docxfile273120836\mspdf.exe
    - Executes dropped EXE

[depth 1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
C:\Users\Admin\AppData\Local\Temp\docxfile273120836\mspdf.exe
  Filesize: 115KB
  MD5: 22527af9403af6d2cae89d7f066057bb
  SHA1: 45db7cbc3a31dda3aa5dc4f9e3b2f57d27c64459
  SHA256: 15149b0fa15fe27b6cafc0088080b67ad2125eeafb29d0fe0dc9f819d694c1c3
  SHA512: 71a080cc9821482d09898776d1f515763434306dbe67a04d1db5e4209e49af1778a16be123fbf2986dc1a22ce2de897dd71903f287b55cd73891dd6c637596f6

Memory dumps (name | Filesize):
  memory/724-30-0x00007FFCACDB0000-0x00007FFCACFA5000-memory.dmp | 2.0MB
  memory/724-66-0x00007FFCACDB0000-0x00007FFCACFA5000-memory.dmp | 2.0MB
  memory/724-18-0x00007FFC6A870000-0x00007FFC6A880000-memory.dmp | 64KB
  memory/724-7-0x00007FFC6CE30000-0x00007FFC6CE40000-memory.dmp | 64KB
  memory/724-9-0x00007FFC6CE30000-0x00007FFC6CE40000-memory.dmp | 64KB
  memory/724-8-0x00007FFCACDB0000-0x00007FFCACFA5000-memory.dmp | 2.0MB
  memory/724-10-0x00007FFCACDB0000-0x00007FFCACFA5000-memory.dmp | 2.0MB
  memory/724-15-0x00007FFCACDB0000-0x00007FFCACFA5000-memory.dmp | 2.0MB
  memory/724-14-0x00007FFC6CE30000-0x00007FFC6CE40000-memory.dmp | 64KB
  memory/724-16-0x00007FFCACDB0000-0x00007FFCACFA5000-memory.dmp | 2.0MB
  memory/724-13-0x00007FFCACDB0000-0x00007FFCACFA5000-memory.dmp | 2.0MB
  memory/724-12-0x00007FFCACDB0000-0x00007FFCACFA5000-memory.dmp | 2.0MB
  memory/724-11-0x00007FFC6CE30000-0x00007FFC6CE40000-memory.dmp | 64KB
  memory/724-17-0x00007FFC6A870000-0x00007FFC6A880000-memory.dmp | 64KB
  memory/724-6-0x00007FFCACDB0000-0x00007FFCACFA5000-memory.dmp | 2.0MB
  memory/724-31-0x00007FFCACDB0000-0x00007FFCACFA5000-memory.dmp | 2.0MB
  memory/724-5-0x00007FFC6CE30000-0x00007FFC6CE40000-memory.dmp | 64KB
  memory/724-32-0x00007FFCACDB0000-0x00007FFCACFA5000-memory.dmp | 2.0MB
  memory/724-33-0x00007FFCACDB0000-0x00007FFCACFA5000-memory.dmp | 2.0MB
  memory/724-34-0x00007FFCACDB0000-0x00007FFCACFA5000-memory.dmp | 2.0MB
  memory/724-35-0x00007FFCACDB0000-0x00007FFCACFA5000-memory.dmp | 2.0MB
  memory/724-38-0x00007FFCACDB0000-0x00007FFCACFA5000-memory.dmp | 2.0MB
  memory/724-58-0x00007FFC6CE30000-0x00007FFC6CE40000-memory.dmp | 64KB
  memory/724-59-0x00007FFC6CE30000-0x00007FFC6CE40000-memory.dmp | 64KB
  memory/724-61-0x00007FFCACDB0000-0x00007FFCACFA5000-memory.dmp | 2.0MB
  memory/724-60-0x00007FFC6CE30000-0x00007FFC6CE40000-memory.dmp | 64KB
  memory/724-63-0x00007FFCACDB0000-0x00007FFCACFA5000-memory.dmp | 2.0MB
  memory/724-64-0x00007FFCACDB0000-0x00007FFCACFA5000-memory.dmp | 2.0MB
  memory/724-62-0x00007FFC6CE30000-0x00007FFC6CE40000-memory.dmp | 64KB
  memory/724-65-0x00007FFCACDB0000-0x00007FFCACFA5000-memory.dmp | 2.0MB
  memory/5108-4-0x0000015F22CF0000-0x0000015F22CF1000-memory.dmp | 4KB