Analysis
max time kernel: 149s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/05/2024, 19:59
Static task: static1
Behavioral task: behavioral1
  Sample: 2593feffdc915f5f024ee73e7787ccac8a8370916390567b09f7e4244a5d57c7.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 2593feffdc915f5f024ee73e7787ccac8a8370916390567b09f7e4244a5d57c7.exe
  Resource: win10v2004-20240508-en
General
Target: 2593feffdc915f5f024ee73e7787ccac8a8370916390567b09f7e4244a5d57c7.exe
Size: 3.2MB
MD5: 959a98c1d7297b74acad201200c3e1c0
SHA1: b553f80aaa6d0a93a1a0b0e80578477fe32ad2b4
SHA256: 2593feffdc915f5f024ee73e7787ccac8a8370916390567b09f7e4244a5d57c7
SHA512: 909b9579c513ff2567dcf8cd63758fd41608cc3e3e7484bc41401900acb6d5e45a8e8f0d730c13aebc1ff0613baa3b61f685184affd22bf091d4d19c0c54b732
SSDEEP: 49152:JD58zz6b/ke1dA25FqLGpV9c88gcTZ9OCQd3bCAIr:1+zz63CAI
Malware Config
Extracted
Family: cobaltstrike
C2: http://104.194.78.37:8778/QMuJ
user_agent: User-Agent: Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/5.0)
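The extracted config gives a short stager-style URI and a fixed User-Agent. The added example below (not part of the Triage report) checks the URI path against the checksum8 convention Cobalt Strike inherits from Metasploit (path bytes summed modulo 256: 92 for an x86 stage, 93 for an x64 stage) and then matches constructed proxy log lines against the C2 host:port, the stager path and the User-Agent. The log format and the log lines are constructed for this example; only the C2 URL and User-Agent come from the report.

```python
# Added example, not part of the Triage report. The C2 URL and User-Agent are
# the ones extracted above; the checksum8 rule is the Metasploit/Cobalt Strike
# stager convention, and the proxy log format and lines are constructed here.
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

C2_URL = "http://104.194.78.37:8778/QMuJ"
USER_AGENT = "Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/5.0)"

# Cobalt Strike stagers request a short random URI whose 8-bit checksum of the
# path characters is 92 for an x86 stage and 93 for an x64 stage.
STAGER_CHECKSUMS = {92: "x86", 93: "x64"}


def checksum8(uri_path: str) -> int:
    """Sum of the ASCII codes of the path (leading '/' removed), modulo 256."""
    return sum(uri_path.lstrip("/").encode("ascii")) % 256


def classify_stager_uri(url: str) -> Optional[str]:
    """'x86' or 'x64' if the URL path matches a Cobalt Strike stager checksum, else None."""
    return STAGER_CHECKSUMS.get(checksum8(urlsplit(url).path))


# Constructed proxy log, one request per line:
#   client dst_host:dst_port method path "User-Agent"
SAMPLE_PROXY_LOG = [
    '10.0.0.5 104.194.78.37:8778 GET /QMuJ "Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/5.0)"',
    '10.0.0.5 198.51.100.20:443 GET /index.html "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '10.0.0.7 10.0.0.1:80 GET /update.txt "Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/5.0)"',
]


def match_proxy_log(lines: List[str], c2_url: str = C2_URL,
                    user_agent: str = USER_AGENT) -> List[Tuple[str, List[str]]]:
    """Return (line, reasons) for lines that contact the C2 host:port, request
    its stager path, or present the configured User-Agent. The User-Agent on
    its own is a weak indicator: it is a generic IE7 string, so treat a
    "c2-user-agent"-only hit as something to pivot on, not an alert by itself."""
    c2 = urlsplit(c2_url)
    c2_hostport = f"{c2.hostname}:{c2.port}"
    hits = []
    for line in lines:
        fields = line.split(maxsplit=4)       # client, dst, method, path, rest
        dst, path = fields[1], fields[3]
        ua = line.split('"')[1] if line.count('"') >= 2 else ""
        reasons = []
        if dst == c2_hostport:
            reasons.append("c2-host")
            if path == c2.path:
                reasons.append("c2-stager-uri")
        if ua == user_agent:
            reasons.append("c2-user-agent")
        if reasons:
            hits.append((line, reasons))
    return hits
```

For this report checksum8("/QMuJ") is 93, the x64 stager value. The process tree further down shows the loader itself running as a 32-bit process (cmd.exe is started from SysWOW64), so when triaging a live case it is worth confirming which process actually fetches the stage and whether its architecture agrees with the URI.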
Signatures
Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation  (process: cmd.exe)
  Note: the querying process is cmd.exe rather than the sample itself, and this key is read by ordinary Windows components during startup, so on its own this is weak evidence of geofencing.
Executes dropped EXE (1 IoC)
  PID 2400  telegrem.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Modifies registry class (1 IoC)
  Key created: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings  (process: cmd.exe)
Suspicious behavior: RenamesItself (1 IoC)
  PID 228  2593feffdc915f5f024ee73e7787ccac8a8370916390567b09f7e4244a5d57c7.exe
Suspicious use of WriteProcessMemory (8 IoCs)
  description                          pid  process                                                                   procid_target
  PID 228 wrote to memory of 448       228  2593feffdc915f5f024ee73e7787ccac8a8370916390567b09f7e4244a5d57c7.exe   83
  PID 228 wrote to memory of 448       228  2593feffdc915f5f024ee73e7787ccac8a8370916390567b09f7e4244a5d57c7.exe   83
  PID 228 wrote to memory of 448       228  2593feffdc915f5f024ee73e7787ccac8a8370916390567b09f7e4244a5d57c7.exe   83
  PID 228 wrote to memory of 2400      228  2593feffdc915f5f024ee73e7787ccac8a8370916390567b09f7e4244a5d57c7.exe   85
  PID 228 wrote to memory of 2400      228  2593feffdc915f5f024ee73e7787ccac8a8370916390567b09f7e4244a5d57c7.exe   85
  PID 448 wrote to memory of 3300      448  cmd.exe                                                                   86
  PID 448 wrote to memory of 3300      448  cmd.exe                                                                   86
  PID 448 wrote to memory of 3300      448  cmd.exe                                                                   86
Processes
C:\Users\Admin\AppData\Local\Temp\2593feffdc915f5f024ee73e7787ccac8a8370916390567b09f7e4244a5d57c7.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\2593feffdc915f5f024ee73e7787ccac8a8370916390567b09f7e4244a5d57c7.exe"
  Suspicious behavior: RenamesItself
  Suspicious use of WriteProcessMemory
  PID: 228
  C:\Windows\SysWOW64\cmd.exe
    command line: cmd " /c " C:\Users\Admin\AppData\Local\Temp\话术.txt
    Checks computer location settings
    Modifies registry class
    Suspicious use of WriteProcessMemory
    PID: 448
    C:\Windows\SysWOW64\NOTEPAD.EXE
      command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\话术.txt
      PID: 3300
  C:\Users\Public\telegrem.exe
    command line: C:\Users\Public\telegrem.exe
    Executes dropped EXE
    PID: 2400
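The tree above is the classic decoy-plus-dropper shape: the sample opens a text file in Notepad through cmd.exe so the user sees something, and in parallel runs a second executable it placed in C:\Users\Public. The added example below (not part of the Triage report) encodes that tree as process-creation events and runs three small rules over them. PIDs, image paths and command lines are taken from the report; the sample's parent PID (4000), the event layout and the rule names are assumptions of this example.

```python
# Added example, not part of the Triage report. Events are constructed to
# mirror the process tree above; parent PID 4000 for the sample is assumed.
import ntpath
import re
from typing import List, Tuple

SAMPLE = "2593feffdc915f5f024ee73e7787ccac8a8370916390567b09f7e4244a5d57c7.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"

# (pid, ppid, image path, command line), as a Sysmon-style process-create feed would give them
EVENTS = [
    (228, 4000, ntpath.join(TEMP, SAMPLE), '"' + ntpath.join(TEMP, SAMPLE) + '"'),
    (448, 228, r"C:\Windows\SysWOW64\cmd.exe", 'cmd " /c " ' + ntpath.join(TEMP, "话术.txt")),
    (3300, 448, r"C:\Windows\SysWOW64\NOTEPAD.EXE",
     '"C:\\Windows\\system32\\NOTEPAD.EXE" ' + ntpath.join(TEMP, "话术.txt")),
    (2400, 228, r"C:\Users\Public\telegrem.exe", r"C:\Users\Public\telegrem.exe"),
]

# Any user's local Temp directory, and the world-writable Public profile.
USER_TEMP = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)
USERS_PUBLIC = re.compile(r"^[A-Z]:\\Users\\Public\\", re.I)
# cmd.exe /c handed a .txt path, which makes the shell open it with the
# associated viewer (Notepad) instead of running a command.
CMD_OPENS_TXT = re.compile(r'/c\s*"?\s*(\S+\.txt)\b', re.I)


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def evaluate(events) -> List[Tuple[str, int]]:
    """Return sorted (rule, pid) findings for the behaviours visible in the tree."""
    by_pid = {e[0]: e for e in events}
    findings = []
    for pid, ppid, image, cmdline in events:
        parent = by_pid.get(ppid)
        children = [e for e in events if e[1] == pid]
        # Rule 1: anything executing out of C:\Users\Public.
        if USERS_PUBLIC.match(image):
            findings.append(("exec_from_users_public", pid))
        # Rule 2: a binary running from a user's Temp starts an executable in Public
        # (the dropper/dropped-EXE relationship the report flags).
        if parent and USER_TEMP.match(parent[2]) and USERS_PUBLIC.match(image):
            findings.append(("temp_binary_launches_public_exe", pid))
        # Rule 3: decoy document: cmd.exe /c <file>.txt with a notepad.exe child.
        if basename(image) == "cmd.exe" and CMD_OPENS_TXT.search(cmdline):
            if any(basename(c[2]) == "notepad.exe" for c in children):
                findings.append(("decoy_txt_via_cmd_notepad", pid))
    return sorted(findings)
```

Two details of the tree matter for rules like these. The command line is `cmd " /c " <path>`, with the switch itself inside quotes, which cmd.exe tolerates but which a regex anchored on a literal `cmd /c` would miss; and cmd.exe runs from C:\Windows\SysWOW64, which tells you the sample is a 32-bit process on this 64-bit image, so a rule keyed only to C:\Windows\System32\cmd.exe would not fire.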
Network
MITRE ATT&CK Enterprise v15
Downloads
Download 1
  Filesize: 9KB
  MD5: dc22393c30676fb41bacc431d6f8da69
  SHA1: 1dce0be16f8d8eb07be016fa3308452c61414fcd
  SHA256: 814bcf9b3bb012c9e395201f40d8dcd8b0226afb234cbbb5a1da4ada63932d6b
  SHA512: ca2ff87a7da43aa3b922a5498f58ca02c5bf924a8c8c577aadfca3f717362b69cef4c0d27e9c4e345911b018b94a32dbd0afa820a635b8718982398cc94f4022
Download 2
  Filesize: 1.3MB
  MD5: 9d20a9b72019c0af26ac31e616f8b0d9
  SHA1: 7a2e1d1eaa38dd9869717eb4c03f4e798899aa08
  SHA256: c00ba42a5c9a8fe6a94a41dc39c0786d756dcb2fcc451125d854b650d9960711
  SHA512: 77141bc59fa9acba56b22c4f3974d6270a8f46f9c8aa03c21890a59270f889bec6da17b2f843c64322edaac423409a5d0877c324ef812339d7611ff6b8e26548