Analysis
-
max time kernel
148s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
23-09-2024 12:11
Static task
static1
Behavioral task
behavioral1
Sample
CRYPTSP.dll
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
CRYPTSP.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral3
Sample
csc.exe
Resource
win7-20240708-en
Behavioral task
behavioral4
Sample
csc.exe
Resource
win10v2004-20240802-en
General
-
Target
csc.exe
-
Size
56KB
-
MD5
0d26d99bd550e9b08c9c9d4ce3636df6
-
SHA1
9de4dc9e25a14b8fa6c199cf6bfa1df66b19a81b
-
SHA256
965bb8e7822d62e4355362aee29031737ab83b22eeb620814e9e3fd7e0f6672a
-
SHA512
9448c0c17d7bf78019302c4f62eee591785f5ba5e870f9e0f73f2e82206a2000cfca33ed319f7732ac6ad1373795be94d119363de91d07e4f73a0952694b339b
-
SSDEEP
768:FpdhYE3ClRJdWgSH+uXK52qRl2wwH2jsBMtDqxmheMnS1yWbEj:L3ClftSH5w2qXQ2oMtDqxmQMnS8mY
Malware Config
Extracted
cobaltstrike
http://service-61oc67uo-1327454768.gz.tencentapigw.com.cn:443/Content/js/cookie/jquery.cookie.js
-
user_agent
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; WOW64; Trident/5.0)
Signatures
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings calc.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1768 OpenWith.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 2188 wrote to memory of 4088 2188 csc.exe 83 PID 2188 wrote to memory of 4088 2188 csc.exe 83 PID 4088 wrote to memory of 4532 4088 cmd.exe 84 PID 4088 wrote to memory of 4532 4088 cmd.exe 84 PID 2188 wrote to memory of 4756 2188 csc.exe 86 PID 2188 wrote to memory of 4756 2188 csc.exe 86 PID 2188 wrote to memory of 4756 2188 csc.exe 86
Processes
-
C:\Users\Admin\AppData\Local\Temp\csc.exe"C:\Users\Admin\AppData\Local\Temp\csc.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c calc2⤵
- Suspicious use of WriteProcessMemory
PID:4088 -
C:\Windows\system32\calc.execalc3⤵
- Modifies registry class
PID:4532
-
-
-
C:\Windows\SysTem32\notepad.exeC:\Windows\SysTem32\notepad.exe2⤵PID:4756
-
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious use of SetWindowsHookEx
PID:1768