General
-
Target
1485507e6b61175e2ea04d4866ee932620251b5ce895d78a959b7c4c5a2de18d
-
Size
1.9MB
-
Sample
250107-x3kcaavmb1
-
MD5
5332ac75c30c607e4b811a58baaa2069
-
SHA1
f1bada65a298ab4cf3c34dc9d9d425e4f94fdea2
-
SHA256
1485507e6b61175e2ea04d4866ee932620251b5ce895d78a959b7c4c5a2de18d
-
SHA512
e25015ca966a19f41f2330fe1df5ab5fc682f7c1ead6709489a9baa529b6ef629cf90be117090017cd57916e9e8529d57c6fc1e3ed613def4999b222a44a2c0e
-
SSDEEP
49152:VfaFUi5zWV33HXboEuQuBlWbAjI+CoZc1LaHDcI4CFezOEK:VEU0W1MEeBlW0woZqyYIiOEK
Malware Config
Extracted
cobaltstrike
http://cs.xiaojingjingaihuifeng.xyz:443/wqerqwersdgfx64.jpg
-
user_agent
Host: cs.xiaojingjingaihuifeng.xyz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.163 Safari/535.1
Extracted
wannacry
12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
Targets
-
-
Target
css/1.bat
-
Size
66B
-
MD5
c644ff75d62bc34a768e47aecdaeceea
-
SHA1
5ca202464b346b424c48922b45ea0f0b181409a3
-
SHA256
824732ef73db4846b8270f325f2c7d925791d9bdf73ba546f3aa9c5615cabbfc
-
SHA512
0eb61811df09f763efc321556b70085dae4b284fb38e21ca62efa7197c47852805ed87277b1e594331755ce318db254e3b7d099abebfa7d5e099f08cf5eff677
Score1/10 -
-
-
Target
css/2.bat
-
Size
63B
-
MD5
ea98e2e88c2fd4c6c10854fa944892d2
-
SHA1
9a359bd5144cb5d96c08f62fe09e963fe1a8cfdd
-
SHA256
6f2f005670b10e681d8a2c132917146ad69214018e14a6d850a7592a658f6076
-
SHA512
bd70d7666f90517bf4618219097cf7fd889d3849992ade574940def3f73cae3bc89708fa6e952b4b20288c7b08fd285f53ff8ebd75c4efa76b89058fe892fcb5
Score8/10-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
-
-
Target
css/d.bak
-
Size
1.8MB
-
MD5
2698d20741e70dd169a307778685c083
-
SHA1
422a5dcf9e4a52d35d7de830879f3d9417fed263
-
SHA256
103398cd38586819bdb93a1d4a95ead155becc718c2ba96764598eafb073d79b
-
SHA512
95d1d428f6f18c393fbe1bfe182b16c97728fd55a6c6b9d76fd6f13a1feffc4ddf01d8ee0ad80061e48cdf519eaf0d5e82396b6386bb995c05a7ec430fd55434
-
SSDEEP
24576:lSX7P1/EmHZI9KLoYghoHmH7GKjU+oJRQoY3Y5w2FYp4b:lk7ZEmHZdL0KHmyKjuw2t
Score10/10-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Cobaltstrike family
-
-
-
Target
css/goto.7z
-
Size
2.6MB
-
MD5
5d994ed0be59ab5f2f0242706b8b3b55
-
SHA1
b7787d1050691e9dbc5ef6dadc80c36761ae9697
-
SHA256
74533489c6609b07b00e578d98af29dd6250ddd800e5ecf5743cd9af2e2f24f3
-
SHA512
86c9e160b7b9015c790254857526aa554a020888383638eb4787a4f700b299cd16e26c08e4dac823be8832274eb3bc74421932e9bb880e44062053fc49f1de27
-
SSDEEP
49152:dJp9NvSqm1wFE5eBe0/4tmsHfK99IvS0mmvQDTGJt0P:AqsevwIN9Wn0
Score10/10-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Wannacry family
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Downloads MZ/PE file
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Modifies file permissions
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
-
Legitimate hosting services abused for malware hosting/C2
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Sets desktop wallpaper using registry
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Windows Management Instrumentation
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
File and Directory Permissions Modification
2Windows File and Directory Permissions Modification
1Hide Artifacts
1Hidden Files and Directories
1Indicator Removal
1File Deletion
1Modify Registry
4Pre-OS Boot
1Bootkit
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1