Analysis
  max time kernel: 138s
  max time network: 143s
  platform: windows10-2004_x64
  resource: win10v2004-20240508-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 20-05-2024 14:18
Static task: static1
Behavioral task: behavioral1
  Sample: cc94f49acdd8741c94263ec4d79b3cf929ae811cd12802c960e4eedb74581bc8.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: cc94f49acdd8741c94263ec4d79b3cf929ae811cd12802c960e4eedb74581bc8.exe
  Resource: win10v2004-20240508-en
General
  Target: cc94f49acdd8741c94263ec4d79b3cf929ae811cd12802c960e4eedb74581bc8.exe
  Size: 1.5MB
  MD5: 6af1015805cee45d24566eee7431103c
  SHA1: e4b02689e876cf59a0b93fa9b32d410fd89b4cea
  SHA256: cc94f49acdd8741c94263ec4d79b3cf929ae811cd12802c960e4eedb74581bc8
  SHA512: fa6555e53a9ba85747d3926de2fdc7e132635597c75b4e7f7004917eb6ff7cfa50d4c0c71a978582153584c0615bdfefbcaef151a83abce2a0470baec94411a7
  SSDEEP: 24576:I062cSEk8zN/E/F7KcdIw+80zIGwTxgLUX6JyzARFErCX1maX5Vwn9+P7k9:r6PaFF7KcdIw+8UPyaLUXe/bI9
Malware Config
Extracted: cobaltstrike
  391144938
  http://update.office365update.cn:443/mall_100_100.html
  access_type: 512
  beacon_type: 2048
  host: update.office365update.cn,/mall_100_100.html
  http_method1: GET
  http_method2: POST
  jitter: 9472
  polling_time: 30000
  port_number: 443
  sc_process32: %windir%\syswow64\runonce.exe
  sc_process64: %windir%\sysnative\runonce.exe
  state_machine:
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCwG1R55+sOREfylofqBeaqAvF24HTL2Zygd7+BdNUEql/sCXhTpUVcXJUaxSDZvZkozlmta5SxWWMUKiGlzWeXO41sFUL5wo3LGr8BTn+YEdQ3AW8e42ZTNsqAXbAxRUQNhAyYakslZs9N8LMr1S7sqkNnghIJIxh/+o3ZHQ0kHwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
  unknown1: 3.03243264e+08
  unknown2:
AAAABAAAAAEAAAglAAAAAgAACCUAAAACAAACyAAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
  uri: /ajax/recharge/recharge.json
  user_agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4044.62 Safari/537.36
  watermark: 391144938
Signatures
  Cobaltstrike
    Detected malicious payload which is part of Cobaltstrike.
  Checks computer location settings (2 TTPs, 1 IoC)
    Looks up country code configured in the registry, likely geofence.
    Processes: cc94f49acdd8741c94263ec4d79b3cf929ae811cd12802c960e4eedb74581bc8.exe
      description: Key value queried
      ioc: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation
      process: cc94f49acdd8741c94263ec4d79b3cf929ae811cd12802c960e4eedb74581bc8.exe
  Executes dropped EXE (1 IoC)
    Processes: 360update.exe
      pid: 1576
      process: 360update.exe
  Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  Suspicious behavior: EnumeratesProcesses (9 IoCs)
    Processes: 360update.exe
      pid: 1576
      process: 360update.exe (same entry recorded 9 times)
  Suspicious use of WriteProcessMemory (2 IoCs)
    Processes: cc94f49acdd8741c94263ec4d79b3cf929ae811cd12802c960e4eedb74581bc8.exe
      description: PID 4140 wrote to memory of 1576
      pid: 4140
      process: cc94f49acdd8741c94263ec4d79b3cf929ae811cd12802c960e4eedb74581bc8.exe
      target process: 360update.exe (same entry recorded 2 times)
Processes
  1. C:\Users\Admin\AppData\Local\Temp\cc94f49acdd8741c94263ec4d79b3cf929ae811cd12802c960e4eedb74581bc8.exe
     Command line: "C:\Users\Admin\AppData\Local\Temp\cc94f49acdd8741c94263ec4d79b3cf929ae811cd12802c960e4eedb74581bc8.exe"
     - Checks computer location settings
     - Suspicious use of WriteProcessMemory
     2. C:\Windows\Temp\360update.exe (spawned by 1)
        Command line: "C:\Windows\Temp\360update.exe"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
  C:\Windows\Temp\360update.exe
    Filesize: 2.7MB
    MD5: 5b6af1b2deba7f9b7b154799d0d3b54a
    SHA1: 25650a8d7e9c4830e3f0837e8139721b289993b7
    SHA256: 8b7fdc3f0a18ceec91dc327896fe69032b1d5270cb044e8e55cf077ef46ee23f
    SHA512: 85d4c8b063694f5eba1e3430ecb56c168d81f34a060d97a70c985132994455ae3c57c65a864f5418ed7cff460f7aaf8903c4e9d6d0c679e7c95ff782a75bbfd7
  memory/1576-11-0x000001DB5F840000-0x000001DB5F892000-memory.dmp
    Filesize: 328KB
  memory/1576-12-0x000001DB60130000-0x000001DB60338000-memory.dmp
    Filesize: 2.0MB
  memory/1576-13-0x000001DB60700000-0x000001DB60702000-memory.dmp
    Filesize: 8KB
  memory/1576-14-0x000001DB60130000-0x000001DB60338000-memory.dmp
    Filesize: 2.0MB