Overview
overview
10Static
static
10sample.zip
windows7-x64
1sample.zip
windows10-2004-x64
1temp/1.c
windows7-x64
3temp/1.c
windows10-2004-x64
3temp/1.exe
windows7-x64
10temp/1.exe
windows10-2004-x64
10temp/123
ubuntu-24.04-amd64
1temp/CS4.9/CS.lnk
windows7-x64
3temp/CS4.9/CS.lnk
windows10-2004-x64
3temp/CS4.9...ke.bat
windows7-x64
1temp/CS4.9...ke.bat
windows10-2004-x64
1temp/CS4.9...at.lnk
windows7-x64
6temp/CS4.9...at.lnk
windows10-2004-x64
7temp/CS4.9...ke.vbs
windows7-x64
1temp/CS4.9...ke.vbs
windows10-2004-x64
7temp/CS4.9...bs.lnk
windows7-x64
3temp/CS4.9...bs.lnk
windows10-2004-x64
7temp/CS4.9...rImage
ubuntu-22.04-amd64
4temp/CS4.9/c2lint
ubuntu-18.04-amd64
1temp/CS4.9/c2lint
debian-9-armhf
1temp/CS4.9/c2lint
debian-9-mips
temp/CS4.9/c2lint
debian-9-mipsel
1temp/CS4.9...nt.jar
windows7-x64
1temp/CS4.9...nt.jar
windows10-2004-x64
1temp/CS4.9/uHook.jar
windows7-x64
1temp/CS4.9/uHook.jar
windows10-2004-x64
1temp/CS4.9...78.zip
windows7-x64
1temp/CS4.9...78.zip
windows10-2004-x64
1WiFi驱动...��.exe
windows7-x64
1WiFi驱动...��.exe
windows10-2004-x64
10temp/CS4.9...Fi.exe
windows7-x64
1temp/CS4.9...Fi.exe
windows10-2004-x64
10Analysis
-
max time kernel
121s -
max time network
131s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
09-09-2024 11:13
Behavioral task
behavioral1
Sample
sample.zip
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral2
Sample
sample.zip
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
temp/1.c
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral4
Sample
temp/1.c
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
temp/1.exe
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral6
Sample
temp/1.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
temp/123
Resource
ubuntu2404-amd64-20240523-en
ubuntu-24.04-amd64
Behavioral task
behavioral8
Sample
temp/CS4.9/CS.lnk
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral9
Sample
temp/CS4.9/CS.lnk
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral10
Sample
temp/CS4.9/Cobalt_Strike.bat
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral11
Sample
temp/CS4.9/Cobalt_Strike.bat
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral12
Sample
temp/CS4.9/Cobalt_Strike.bat.lnk
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral13
Sample
temp/CS4.9/Cobalt_Strike.bat.lnk
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral14
Sample
temp/CS4.9/Cobalt_Strike.vbs
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral15
Sample
temp/CS4.9/Cobalt_Strike.vbs
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral16
Sample
temp/CS4.9/Cobalt_Strike.vbs.lnk
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral17
Sample
temp/CS4.9/Cobalt_Strike.vbs.lnk
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral18
Sample
temp/CS4.9/TeamServerImage
Resource
ubuntu2204-amd64-20240729-en
ubuntu-22.04-amd64
Behavioral task
behavioral19
Sample
temp/CS4.9/c2lint
Resource
ubuntu1804-amd64-20240611-en
ubuntu-18.04-amd64
Behavioral task
behavioral20
Sample
temp/CS4.9/c2lint
Resource
debian9-armhf-20240418-en
debian-9-armhf
Behavioral task
behavioral21
Sample
temp/CS4.9/c2lint
Resource
debian9-mipsbe-20240611-en
debian-9-mips
Behavioral task
behavioral22
Sample
temp/CS4.9/c2lint
Resource
debian9-mipsel-20240729-en
debian-9-mipsel
Behavioral task
behavioral23
Sample
temp/CS4.9/cobaltstrike-client.jar
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral24
Sample
temp/CS4.9/cobaltstrike-client.jar
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
temp/CS4.9/uHook.jar
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral26
Sample
temp/CS4.9/uHook.jar
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
temp/CS4.9/uploads/CVE-2024-30078.zip
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral28
Sample
temp/CS4.9/uploads/CVE-2024-30078.zip
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
WiFi驱动高危漏洞补丁.exe
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral30
Sample
WiFi驱动高危漏洞补丁.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
temp/CS4.9/uploads/WiFi.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral32
Sample
temp/CS4.9/uploads/WiFi.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
General
-
Target
temp/1.c
-
Size
15KB
-
MD5
e6d7a29c5f5224235a7bdfff35ab6200
-
SHA1
9a3e74303efeadca49bb8e7884a48782ca0fa9a9
-
SHA256
0babb210b3a252364147366546f398f4715b7d1816c0389567f235dc68a971d5
-
SHA512
8bb6c59d07145d932d772849f697b858226bbad4bd7d23bf20c5931f458c704408bf3ecd2291d742fa66bdd04229fc763af7b26c9de7b43d2401e2ecc7c92b12
-
SSDEEP
192:adZ8LZBJ6HolAUgVfaRp8X/4f4yJ9EDB8jCYfJL4c09FyQXTG02yA:aIL/UHPX/KrwB8jCYRL4cCrG6A
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 12 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_Classes\Local Settings rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\c_auto_file rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\.c rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\c_auto_file\shell\edit rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\c_auto_file\shell rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\c_auto_file\shell\open rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\c_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1" rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\c_auto_file\ rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\.c\ = "c_auto_file" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\c_auto_file\shell\edit\command rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\c_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\c_auto_file\shell\open\command rundll32.exe -
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 2768 NOTEPAD.EXE -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 2632 wrote to memory of 2084 2632 cmd.exe 32 PID 2632 wrote to memory of 2084 2632 cmd.exe 32 PID 2632 wrote to memory of 2084 2632 cmd.exe 32 PID 2084 wrote to memory of 2768 2084 rundll32.exe 33 PID 2084 wrote to memory of 2768 2084 rundll32.exe 33 PID 2084 wrote to memory of 2768 2084 rundll32.exe 33
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\temp\1.c1⤵
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\temp\1.c2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2084 -
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\temp\1.c3⤵
- Opens file in notepad (likely ransom note)
PID:2768
-
-