Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27/05/2024, 19:59

General

  • Target

    2593feffdc915f5f024ee73e7787ccac8a8370916390567b09f7e4244a5d57c7.exe

  • Size

    3.2MB

  • MD5

    959a98c1d7297b74acad201200c3e1c0

  • SHA1

    b553f80aaa6d0a93a1a0b0e80578477fe32ad2b4

  • SHA256

    2593feffdc915f5f024ee73e7787ccac8a8370916390567b09f7e4244a5d57c7

  • SHA512

    909b9579c513ff2567dcf8cd63758fd41608cc3e3e7484bc41401900acb6d5e45a8e8f0d730c13aebc1ff0613baa3b61f685184affd22bf091d4d19c0c54b732

  • SSDEEP

    49152:JD58zz6b/ke1dA25FqLGpV9c88gcTZ9OCQd3bCAIr:1+zz63CAI

Malware Config

Extracted

Family

cobaltstrike

C2

http://104.194.78.37:8778/QMuJ

Attributes
  • user_agent

    User-Agent: Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/5.0)

Signatures

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

  • Checks computer location settings (2 TTPs, 1 IoCs)

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE (1 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class (1 IoCs)
  • Suspicious behavior: RenamesItself (1 IoCs)
  • Suspicious use of WriteProcessMemory (8 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2593feffdc915f5f024ee73e7787ccac8a8370916390567b09f7e4244a5d57c7.exe
    "C:\Users\Admin\AppData\Local\Temp\2593feffdc915f5f024ee73e7787ccac8a8370916390567b09f7e4244a5d57c7.exe"
    1⤵
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:228
    • C:\Windows\SysWOW64\cmd.exe
      cmd " /c " C:\Users\Admin\AppData\Local\Temp\话术.txt
      2⤵
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:448
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\话术.txt
        3⤵
        PID:3300
      • C:\Users\Public\telegrem.exe
        C:\Users\Public\telegrem.exe
        2⤵
        • Executes dropped EXE
        PID:2400

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\话术.txt

    Filesize

    9KB

    MD5

    dc22393c30676fb41bacc431d6f8da69

    SHA1

    1dce0be16f8d8eb07be016fa3308452c61414fcd

    SHA256

    814bcf9b3bb012c9e395201f40d8dcd8b0226afb234cbbb5a1da4ada63932d6b

    SHA512

    ca2ff87a7da43aa3b922a5498f58ca02c5bf924a8c8c577aadfca3f717362b69cef4c0d27e9c4e345911b018b94a32dbd0afa820a635b8718982398cc94f4022

  • C:\Users\Public\telegrem.exe

    Filesize

    1.3MB

    MD5

    9d20a9b72019c0af26ac31e616f8b0d9

    SHA1

    7a2e1d1eaa38dd9869717eb4c03f4e798899aa08

    SHA256

    c00ba42a5c9a8fe6a94a41dc39c0786d756dcb2fcc451125d854b650d9960711

    SHA512

    77141bc59fa9acba56b22c4f3974d6270a8f46f9c8aa03c21890a59270f889bec6da17b2f843c64322edaac423409a5d0877c324ef812339d7611ff6b8e26548

  • memory/228-5-0x0000000000400000-0x0000000000770000-memory.dmp

    Filesize

    3.4MB

  • memory/2400-6-0x000002C5839C0000-0x000002C5839C1000-memory.dmp

    Filesize

    4KB

  • memory/2400-9-0x000002C5CA8B0000-0x000002C5CACB0000-memory.dmp

    Filesize

    4.0MB