cobaltstrike | hxxps://bazaar[.]abuse[.]ch/sample/580809c7c05f1630c637690c41db2ddea7feb0e230bf92f51deebaa495b46736/

Analysis

max time kernel
377s
max time network
379s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
18-09-2024 17:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://bazaar.abuse.ch/sample/580809c7c05f1630c637690c41db2ddea7feb0e230bf92f51deebaa495b46736/

Score

10^/10

cobaltstrike backdoor discovery trojan

Malware Config

Extracted

Family

cobaltstrike

http://state-mgmt.us:443/amJE

Attributes

user_agent
User-Agent: Microsoft-CryptoAPI/6.1

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Executes dropped EXE 1 IoCs

pid	Process
2304	580809c7c05f1630c637690c41db2ddea7feb0e230bf92f51deebaa495b46736.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133711553913880391"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings	chrome.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\580809c7c05f1630c637690c41db2ddea7feb0e230bf92f51deebaa495b46736.zip:Zone.Identifier	chrome.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4708	EXCEL.EXE
3132	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2248	chrome.exe
2248	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2248	chrome.exe
2248	chrome.exe
2248	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2248	chrome.exe
Token: SeCreatePagefilePrivilege	2248	chrome.exe
Token: SeShutdownPrivilege	2248	chrome.exe
Token: SeCreatePagefilePrivilege	2248	chrome.exe
Token: SeShutdownPrivilege	2248	chrome.exe
Token: SeCreatePagefilePrivilege	2248	chrome.exe
Token: SeShutdownPrivilege	2248	chrome.exe
Token: SeCreatePagefilePrivilege	2248	chrome.exe
Token: SeShutdownPrivilege	2248	chrome.exe
Token: SeCreatePagefilePrivilege	2248	chrome.exe
Token: SeShutdownPrivilege	2248	chrome.exe
Token: SeCreatePagefilePrivilege	2248	chrome.exe
Token: SeShutdownPrivilege	2248	chrome.exe
Token: SeCreatePagefilePrivilege	2248	chrome.exe
Token: SeShutdownPrivilege	2248	chrome.exe
Token: SeCreatePagefilePrivilege	2248	chrome.exe
Token: SeShutdownPrivilege	2248	chrome.exe
Token: SeCreatePagefilePrivilege	2248	chrome.exe
Token: SeShutdownPrivilege	2248	chrome.exe
Token: SeCreatePagefilePrivilege	2248	chrome.exe
Token: SeShutdownPrivilege	2248	chrome.exe
Token: SeCreatePagefilePrivilege	2248	chrome.exe
Token: SeShutdownPrivilege	2248	chrome.exe
Token: SeCreatePagefilePrivilege	2248	chrome.exe
Token: SeShutdownPrivilege	2248	chrome.exe
Token: SeCreatePagefilePrivilege	2248	chrome.exe
Token: SeShutdownPrivilege	2248	chrome.exe
Token: SeCreatePagefilePrivilege	2248	chrome.exe
Token: SeShutdownPrivilege	2248	chrome.exe
Token: SeCreatePagefilePrivilege	2248	chrome.exe
Token: SeShutdownPrivilege	2248	chrome.exe
Token: SeCreatePagefilePrivilege	2248	chrome.exe
Token: SeShutdownPrivilege	2248	chrome.exe
Token: SeCreatePagefilePrivilege	2248	chrome.exe
Token: SeShutdownPrivilege	2248	chrome.exe
Token: SeCreatePagefilePrivilege	2248	chrome.exe
Token: SeShutdownPrivilege	2248	chrome.exe
Token: SeCreatePagefilePrivilege	2248	chrome.exe
Token: SeShutdownPrivilege	2248	chrome.exe
Token: SeCreatePagefilePrivilege	2248	chrome.exe
Token: SeShutdownPrivilege	2248	chrome.exe
Token: SeCreatePagefilePrivilege	2248	chrome.exe
Token: SeShutdownPrivilege	2248	chrome.exe
Token: SeCreatePagefilePrivilege	2248	chrome.exe
Token: SeShutdownPrivilege	2248	chrome.exe
Token: SeCreatePagefilePrivilege	2248	chrome.exe
Token: SeShutdownPrivilege	2248	chrome.exe
Token: SeCreatePagefilePrivilege	2248	chrome.exe
Token: SeShutdownPrivilege	2248	chrome.exe
Token: SeCreatePagefilePrivilege	2248	chrome.exe
Token: SeShutdownPrivilege	2248	chrome.exe
Token: SeCreatePagefilePrivilege	2248	chrome.exe
Token: SeShutdownPrivilege	2248	chrome.exe
Token: SeCreatePagefilePrivilege	2248	chrome.exe
Token: SeShutdownPrivilege	2248	chrome.exe
Token: SeCreatePagefilePrivilege	2248	chrome.exe
Token: SeShutdownPrivilege	2248	chrome.exe
Token: SeCreatePagefilePrivilege	2248	chrome.exe
Token: SeShutdownPrivilege	2248	chrome.exe
Token: SeCreatePagefilePrivilege	2248	chrome.exe
Token: SeShutdownPrivilege	2248	chrome.exe
Token: SeCreatePagefilePrivilege	2248	chrome.exe
Token: SeShutdownPrivilege	2248	chrome.exe
Token: SeCreatePagefilePrivilege	2248	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
2248	chrome.exe
2248	chrome.exe
2248	chrome.exe
2248	chrome.exe
2248	chrome.exe
2248	chrome.exe
2248	chrome.exe
2248	chrome.exe
2248	chrome.exe
2248	chrome.exe
2248	chrome.exe
2248	chrome.exe
2248	chrome.exe
2248	chrome.exe
2248	chrome.exe
2248	chrome.exe
2248	chrome.exe
2248	chrome.exe
2248	chrome.exe
2248	chrome.exe
2248	chrome.exe
2248	chrome.exe
2248	chrome.exe
2248	chrome.exe
2248	chrome.exe
2248	chrome.exe
2248	chrome.exe
2248	chrome.exe
2248	chrome.exe
2248	chrome.exe
2248	chrome.exe
2248	chrome.exe
2248	chrome.exe
2248	chrome.exe
3760	7zG.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2248	chrome.exe
2248	chrome.exe
2248	chrome.exe
2248	chrome.exe
2248	chrome.exe
2248	chrome.exe
2248	chrome.exe
2248	chrome.exe
2248	chrome.exe
2248	chrome.exe
2248	chrome.exe
2248	chrome.exe

Suspicious use of SetWindowsHookEx 18 IoCs

pid	Process
4708	EXCEL.EXE
4708	EXCEL.EXE
4708	EXCEL.EXE
4708	EXCEL.EXE
4708	EXCEL.EXE
4708	EXCEL.EXE
4708	EXCEL.EXE
4708	EXCEL.EXE
4708	EXCEL.EXE
3132	EXCEL.EXE
3132	EXCEL.EXE
3132	EXCEL.EXE
3132	EXCEL.EXE
3132	EXCEL.EXE
3132	EXCEL.EXE
3132	EXCEL.EXE
3132	EXCEL.EXE
3132	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 2468	2248	chrome.exe	80
PID 2248 wrote to memory of 2468	2248	chrome.exe	80
PID 2248 wrote to memory of 1204	2248	chrome.exe	82
PID 2248 wrote to memory of 1204	2248	chrome.exe	82
PID 2248 wrote to memory of 1204	2248	chrome.exe	82
PID 2248 wrote to memory of 1204	2248	chrome.exe	82
PID 2248 wrote to memory of 1204	2248	chrome.exe	82
PID 2248 wrote to memory of 1204	2248	chrome.exe	82
PID 2248 wrote to memory of 1204	2248	chrome.exe	82
PID 2248 wrote to memory of 1204	2248	chrome.exe	82
PID 2248 wrote to memory of 1204	2248	chrome.exe	82
PID 2248 wrote to memory of 1204	2248	chrome.exe	82
PID 2248 wrote to memory of 1204	2248	chrome.exe	82
PID 2248 wrote to memory of 1204	2248	chrome.exe	82
PID 2248 wrote to memory of 1204	2248	chrome.exe	82
PID 2248 wrote to memory of 1204	2248	chrome.exe	82
PID 2248 wrote to memory of 1204	2248	chrome.exe	82
PID 2248 wrote to memory of 1204	2248	chrome.exe	82
PID 2248 wrote to memory of 1204	2248	chrome.exe	82
PID 2248 wrote to memory of 1204	2248	chrome.exe	82
PID 2248 wrote to memory of 1204	2248	chrome.exe	82
PID 2248 wrote to memory of 1204	2248	chrome.exe	82
PID 2248 wrote to memory of 1204	2248	chrome.exe	82
PID 2248 wrote to memory of 1204	2248	chrome.exe	82
PID 2248 wrote to memory of 1204	2248	chrome.exe	82
PID 2248 wrote to memory of 1204	2248	chrome.exe	82
PID 2248 wrote to memory of 1204	2248	chrome.exe	82
PID 2248 wrote to memory of 1204	2248	chrome.exe	82
PID 2248 wrote to memory of 1204	2248	chrome.exe	82
PID 2248 wrote to memory of 1204	2248	chrome.exe	82
PID 2248 wrote to memory of 1204	2248	chrome.exe	82
PID 2248 wrote to memory of 1204	2248	chrome.exe	82
PID 2248 wrote to memory of 2052	2248	chrome.exe	83
PID 2248 wrote to memory of 2052	2248	chrome.exe	83
PID 2248 wrote to memory of 1776	2248	chrome.exe	84
PID 2248 wrote to memory of 1776	2248	chrome.exe	84
PID 2248 wrote to memory of 1776	2248	chrome.exe	84
PID 2248 wrote to memory of 1776	2248	chrome.exe	84
PID 2248 wrote to memory of 1776	2248	chrome.exe	84
PID 2248 wrote to memory of 1776	2248	chrome.exe	84
PID 2248 wrote to memory of 1776	2248	chrome.exe	84
PID 2248 wrote to memory of 1776	2248	chrome.exe	84
PID 2248 wrote to memory of 1776	2248	chrome.exe	84
PID 2248 wrote to memory of 1776	2248	chrome.exe	84
PID 2248 wrote to memory of 1776	2248	chrome.exe	84
PID 2248 wrote to memory of 1776	2248	chrome.exe	84
PID 2248 wrote to memory of 1776	2248	chrome.exe	84
PID 2248 wrote to memory of 1776	2248	chrome.exe	84
PID 2248 wrote to memory of 1776	2248	chrome.exe	84
PID 2248 wrote to memory of 1776	2248	chrome.exe	84
PID 2248 wrote to memory of 1776	2248	chrome.exe	84
PID 2248 wrote to memory of 1776	2248	chrome.exe	84
PID 2248 wrote to memory of 1776	2248	chrome.exe	84
PID 2248 wrote to memory of 1776	2248	chrome.exe	84
PID 2248 wrote to memory of 1776	2248	chrome.exe	84
PID 2248 wrote to memory of 1776	2248	chrome.exe	84
PID 2248 wrote to memory of 1776	2248	chrome.exe	84
PID 2248 wrote to memory of 1776	2248	chrome.exe	84
PID 2248 wrote to memory of 1776	2248	chrome.exe	84
PID 2248 wrote to memory of 1776	2248	chrome.exe	84
PID 2248 wrote to memory of 1776	2248	chrome.exe	84
PID 2248 wrote to memory of 1776	2248	chrome.exe	84
PID 2248 wrote to memory of 1776	2248	chrome.exe	84
PID 2248 wrote to memory of 1776	2248	chrome.exe	84

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://bazaar.abuse.ch/sample/580809c7c05f1630c637690c41db2ddea7feb0e230bf92f51deebaa495b46736/
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffef3c5cc40,0x7ffef3c5cc4c,0x7ffef3c5cc58
  2⤵
  PID:2468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1832,i,9124928126576513489,12024653309904015086,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1828 /prefetch:2
  2⤵
  PID:1204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1380,i,9124928126576513489,12024653309904015086,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2108 /prefetch:3
  2⤵
  PID:2052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2180,i,9124928126576513489,12024653309904015086,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2192 /prefetch:8
  2⤵
  PID:1776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3036,i,9124928126576513489,12024653309904015086,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3096 /prefetch:1
  2⤵
  PID:3036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3056,i,9124928126576513489,12024653309904015086,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3124 /prefetch:1
  2⤵
  PID:2964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4364,i,9124928126576513489,12024653309904015086,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4412 /prefetch:1
  2⤵
  PID:1328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4700,i,9124928126576513489,12024653309904015086,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4716 /prefetch:8
  2⤵
  PID:2020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4440,i,9124928126576513489,12024653309904015086,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3120 /prefetch:8
  2⤵
  PID:3224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3096,i,9124928126576513489,12024653309904015086,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3100 /prefetch:8
  2⤵
  PID:3368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3180,i,9124928126576513489,12024653309904015086,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4716 /prefetch:8
  2⤵
  - NTFS ADS
  PID:4704

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3000

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3440

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1164

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap14002:190:7zEvent31765
1⤵
- Suspicious use of FindShellTrayWindow
PID:3760

C:\Users\Admin\Downloads\580809c7c05f1630c637690c41db2ddea7feb0e230bf92f51deebaa495b46736.exe
"C:\Users\Admin\Downloads\580809c7c05f1630c637690c41db2ddea7feb0e230bf92f51deebaa495b46736.exe"
1⤵
- Executes dropped EXE
PID:2304
- C:\Windows\SYSTEM32\svchost.exe
  svchost.exe
  2⤵
  PID:2688

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\NewRepair.xla"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4708

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\OpenGrant.ods"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
471B

MD5
3cb871e061b14b077b0f408df48a0db8

SHA1
26dceda5fe9e720091ef1df48b15c54dde9dc8e7

SHA256
533a60f1d865de24cf966deb3d33bc569b5fd0b8cd9993bd1ffeb489bb5a5fc9

SHA512
25046c5ffbc54d216e9d315f63c8caabb41576b769704a239d6662db8961ae2652c80ff7114d449ef5f96f218bee99d95c6c6c0ed6c6546e145c4369d948b8cb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
412B

MD5
531c1220619cc1d83efc149f405040fb

SHA1
cb30c57c2eb1dde60c86560438c8acf5cf242d4b

SHA256
3efbe78579fee2e1018fc21a1235ed431d2e332d1ac4b689e406029ee4cfe43c

SHA512
c3191c720943ff46469f2ff21ab307f74ebbc6891c2a79f05f86a53756c7fd1fde432198229c5e7f5b3ae0bc3c04db23d5540b2e5051d243a87d03f7b9e47927

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
5342ca57f6a0f724a526cac1b4be540d

SHA1
4e800a74395431d6a1f7138b805200feda328ef6

SHA256
526db29e47fc915d1cf4f5dd86915a07414875800f03747f4599feac49bd3b77

SHA512
f1e0dd6385e1032f1de729157a86f954813322c852a54475d83ad3a144ff07ef4b31e46394d5079b1f4e01f90a49b1647d393d7bd847e11cc2e541ef463593a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000007

Filesize
212KB

MD5
08ec57068db9971e917b9046f90d0e49

SHA1
28b80d73a861f88735d89e301fa98f2ae502e94b

SHA256
7a68efe41e5d8408eed6e9d91a7b7b965a3062e4e28eeffeefb8cdba6391f4d1

SHA512
b154142173145122bc49ddd7f9530149100f6f3c5fd2f2e7503b13f7b160147b8b876344f6faae5e8616208c51311633df4c578802ac5d34c005bb154e9057cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
312B

MD5
c971709fb885f5754c23749525afad9d

SHA1
8b4c0e7a6d1990dbf0918cf42fac41434668a816

SHA256
76d94326e0d5c2a95e9f7736d21d3b69c60984fbd8a409627d84b55208dfed02

SHA512
c0e73023341a816ce022e0da5470415744d76d748a27cc60807cf59287d1d73875b90e35660862603d18d1f98b0ca533630c6159cb61a75ebd05ee3a0d0ed9eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
480B

MD5
03d835ec05acd1496d99eb8c983bde93

SHA1
8eb2f291a3df4856540bed3c5ef857874c658f13

SHA256
aa0aae7f0d09c004b8ea18e2161c3813380b49f013da328abfd6f9a16cfca139

SHA512
2250f437c1d9378a22af4b5465ef41ee1311ff59727bfd801bf695f277ac88d54fe4ee038811d3a656aeccb89d7469d32b9c4aa3e77896237c46d9086d3075d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
ea111850cf3279d7277453997f710b82

SHA1
28d9bfd23e22a21130b12a862ee20664ccceadb1

SHA256
0ded60a9d1d9607dc933ca3ba67c8c359e052be453a33e6acced9104b877ef32

SHA512
be643e7c781f0e3688e5763ff0035f73378dac4a3b9e018256275af6ba97f6cfe040680422aba013a43c653728ad842998f201bf5934a6cfbf23d8a9a4b721a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
198580c2dcfe6e32c1890223173132cc

SHA1
cce8a35c3998a321a9aa91ce53456d6d6d706095

SHA256
0b1b7f93a80863c26043b3ca346c4e9d03a53e277fdf8738d51a9dfcacc81b2d

SHA512
1ac98b180d79c19072bb6ecffd2fe5f3df722fc22b1173025c67537e97f52a87fefee30f424f5e9c356f18301d975e99f6ca259d16d69f68f5c0ee28890f802e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
511b74e4b9bce32e0719d741bf17ac45

SHA1
68608c34c6c682fc9375bf56f174075d5e2e6abd

SHA256
f7790a9e5efddc5f85bf294ee5bf29f7ae53c576c5302e64abbfdbb5bc51a080

SHA512
91be029f08bd7c69487cb15218f2650cdad2b1d20d9e63cc80b60d1a8253dc7b18da9be7f7c9b82c500308c3603871cd1e3622d185b92e0fa669c7c26451f973

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
dad7c12ae5e875db442d711eef777257

SHA1
ff00e704f26ab0cf52ee1c669d3ab28855bde3cc

SHA256
f8aa2449a9d9c95355771954d9802af7e8bf5b0234ae8551b3ab68263ca5456a

SHA512
b4a6dc2456a704676fa5913063476f74f3432d044299ce2e0019bea402dbeb999638d478a413d310d9daa3ac2a019db0b8e03c1c78d6e06b77dae3d476a080d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a4600249de683b62032b4160854c7edf

SHA1
cec5dd6b5626df042122eab76ad672076e819198

SHA256
dd8b9dae9ce3097dd753d5e931c744abfd8a9ae9a9dc3a2699e22acd002f3d96

SHA512
1bbcf141c97e2c4bff79174f6493511fbc38b011f0dea36127b08f03c4f41a3d2418d1b0fc0ef4f47277fe5f85cbe30ad895e216bb182a0419865dd077b33ecd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
144cb6e3261bac6a9240105c78055142

SHA1
1a580d703e54a27a88fc7d6b6f21441391967645

SHA256
8759d8e9abd0e291ddf84e433a7533cfa0077203eaa393a227e8f54c49923ae9

SHA512
ea389a478f46be1b17bc321cacec4ae606a3713367f97ec8e4cc80c0f04cabc8b83bf2245e3ff274e59122972c57298ac0ae49958159d21c80ea8191f538a28a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3fa9f596ddd65716f4f1db6e55e2e02a

SHA1
2af50560dc202ac5bfa9a920df6bb59dadd21c24

SHA256
35899eb2318ed7e63781a6c50a583c67296a5c3310571a26b74cf18a0f674b83

SHA512
24bfd635849c414c58af6193b00204b2c654be0baa75baf6fdaaa2cedccca2ef35c67fbe2a2e5e1a409b0e01c7a47e0f9dde44d8bb9790e0dd9f92124fb4869c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
101KB

MD5
68e8f485cbaade33dc5c22e52eb5d17c

SHA1
bb043132692132c8ca67cee14057d4388d21d2e6

SHA256
286096a4e242e886b0fe6c243b28d33421562757f4ceb3e0974bb10fa0eee2c7

SHA512
7956f48fe93e597443bb26e6104ef4f416a3ce3c5255b449af3940e858802a7318ef9267ca6ce558c2d61f3d0ab5938486cc0ddb384ca63a5844520f38a0d8e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
101KB

MD5
e53ae76e4ecbde5d83846ad385d2176f

SHA1
581046206ae927c01ad3e3f8ca2495f998678411

SHA256
54b94c010bac260afe2ca20819104e26e95e234c5a467706960f9a1d0e9d4acc

SHA512
b5a74076c883f4b91beb90545f92e31381580eb8ea890c5447265f10fa97cd7872dd72a764b1ff274d2944f428c7cea8d9f398cfc02b9573bb1734e6a9443b40

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
101KB

MD5
b4c63e2581648837fff0368a5e90c1e6

SHA1
2953e3d191b5e05139acbf7064c91312f35e48a5

SHA256
279d8d2a7b41fe657db1ca2c17707cb6a2e7d25c5090940878feba70353e8c2b

SHA512
3a9d8d6c1b56d2d551a6e8c34c743602be9ef0308e403c536f180da9e19cf1cbc50f94bea2c0fd24abf0413a88521fc19ee1108a12c7c4009e40b74d1018f0b9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
30b188399cdb5f1ce0c990c61977c669

SHA1
c76a0af0b59e236f2e2508059f2fa7bda763504a

SHA256
149b9713c139aceb604410bb8500a706d07860b49f5e65e515eec98389a8bb51

SHA512
6698630e259746bb5f295b93d4f00058c920dc23b168436f5fe47b9dc6919273e07d3c0b7ec9e373643ccad53ef00fc8a80b1f36750624de8068f66ef0e1f1ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Excel.CampaignStates.json

Filesize
21B

MD5
f1b59332b953b3c99b3c95a44249c0d2

SHA1
1b16a2ca32bf8481e18ff8b7365229b598908991

SHA256
138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c

SHA512
3c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Excel.GovernedChannelStates.json

Filesize
417B

MD5
c56ff60fbd601e84edd5a0ff1010d584

SHA1
342abb130dabeacde1d8ced806d67a3aef00a749

SHA256
200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c

SHA512
acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Excel.Settings.json

Filesize
87B

MD5
e4e83f8123e9740b8aa3c3dfa77c1c04

SHA1
5281eae96efde7b0e16a1d977f005f0d3bd7aad0

SHA256
6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31

SHA512
bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Excel.SurveyHistoryStats.json

Filesize
14B

MD5
6ca4960355e4951c72aa5f6364e459d5

SHA1
2fd90b4ec32804dff7a41b6e63c8b0a40b592113

SHA256
88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3

SHA512
8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\774A9BE1-7D68-420D-98D2-837A77CBE94A

Filesize
171KB

MD5
267e29470890bc334b13b918a6c246e4

SHA1
07c394e24658b1da48d1d88c25d04031efb286df

SHA256
19746b46b345db63f883be94a2adcbf1a8baca71b626928d190e472267f1cd7e

SHA512
220e60f9d755894cefce6db64e988411c2aa8fbb7f44c9c74336578b06abb22bdd4e0edff2b2d49594445417479e60d136ad6a2f8d61ca146e2859f690dff09e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

Filesize
320KB

MD5
d356e2cd5f911b7f0eae0e36b1ca5169

SHA1
5da8e4450b716defce43e473b3c9d8f7d45c0ace

SHA256
bbc44b490dffb69bb837f401b06413104ee084bceef80483dbe414a9b59be275

SHA512
31b8e195fed86e2e1cb2000ca54500e6d7304d88bbf3f05a928ae8e1234c911723257a637d1ec087951d6fb2753eb57ec91f3bb1a912ff43455521c890e52220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db

Filesize
24KB

MD5
085ebd119f5fc6b8f63720fac1166ff5

SHA1
af066018aadec31b8e70a124a158736aca897306

SHA256
b8411fe8ec499074fca9047f6983d920279e84ddf3b02b2dd5c08cf07ec44687

SHA512
adb0522830db26123347cb485c43b156f5c888510e52091ba0fafc22b650ad29630c027746c920321905c28259dce7ff63dded93a79efddd5567c68312117875

Download Submit
C:\Users\Admin\Downloads\580809c7c05f1630c637690c41db2ddea7feb0e230bf92f51deebaa495b46736.exe

Filesize
262KB

MD5
22db6458c458b402831e8b74621e8a1d

SHA1
d4f1438bc1d39eef7fe39bd9ee5e21e988930b1f

SHA256
580809c7c05f1630c637690c41db2ddea7feb0e230bf92f51deebaa495b46736

SHA512
7291d1c9d25ae6ef0372dbec1e07fb742acc8e3ce0798161915c5bbe21c163684f02a7f070cde74b0e6d8fa63f99a6e1ab212e9dd8383f9f8080d2d487340c03

Download Submit
C:\Users\Admin\Downloads\580809c7c05f1630c637690c41db2ddea7feb0e230bf92f51deebaa495b46736.zip

Filesize
86KB

MD5
8df3cf24d29b14cc93df9a91cab4d5a6

SHA1
a293c8706417d1f39c5f29a34db9bf12fb82abc6

SHA256
44cf5649a5b26e96e9c3e2018567e1b231db8dfd984948aa30e253709635975c

SHA512
0c0d3cd2b6d2a65e083eb1d6fde338df5ead7838191e2a85796b31a7969a9a4a7fe101b43cb6c66c2efeb373c4f4be7a14f50e525ff5614e631b26416fec6804

Download Submit
C:\Users\Admin\Downloads\580809c7c05f1630c637690c41db2ddea7feb0e230bf92f51deebaa495b46736.zip:Zone.Identifier

Filesize
202B

MD5
17775c321eb400abc0af224c0ff420cb

SHA1
44733946b205f58f9faf87e40f555e24ff2d8096

SHA256
54c855bc0aee711acbb7c1c54824921c5b617fd151c5e8201ef0257307518364

SHA512
e2ddccd923735ae1cb9f4603024c7e7dcf4a8f225278d27614500c54c70d396d9a5b56b27fb9df82bbe3d1f6ead5fec264e8ed50a41432004ffe03c86515a0ca

Download Submit
memory/2304-266-0x00007FF6416A0000-0x00007FF6416EE000-memory.dmp

Filesize
312KB

Download
memory/4708-297-0x00007FFEC51B0000-0x00007FFEC51C0000-memory.dmp

Filesize
64KB

Download
memory/4708-295-0x00007FFEC51B0000-0x00007FFEC51C0000-memory.dmp

Filesize
64KB

Download
memory/4708-298-0x00007FFEC51B0000-0x00007FFEC51C0000-memory.dmp

Filesize
64KB

Download
memory/4708-296-0x00007FFEC51B0000-0x00007FFEC51C0000-memory.dmp

Filesize
64KB

Download
memory/4708-273-0x00007FFEC2D60000-0x00007FFEC2D70000-memory.dmp

Filesize
64KB

Download
memory/4708-272-0x00007FFEC2D60000-0x00007FFEC2D70000-memory.dmp

Filesize
64KB

Download
memory/4708-267-0x00007FFEC51B0000-0x00007FFEC51C0000-memory.dmp

Filesize
64KB

Download
memory/4708-268-0x00007FFEC51B0000-0x00007FFEC51C0000-memory.dmp

Filesize
64KB

Download
memory/4708-271-0x00007FFEC51B0000-0x00007FFEC51C0000-memory.dmp

Filesize
64KB

Download
memory/4708-269-0x00007FFEC51B0000-0x00007FFEC51C0000-memory.dmp

Filesize
64KB

Download
memory/4708-270-0x00007FFEC51B0000-0x00007FFEC51C0000-memory.dmp

Filesize
64KB

Download