Analysis
max time kernel: 149s
max time network: 150s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 30-06-2024 10:26
Static task: static1
Behavioral task: behavioral1
  Sample: 92ed635d64ccf7f45c6be415da330781a714d2a50cd28a76665e3590e5a52c82.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 92ed635d64ccf7f45c6be415da330781a714d2a50cd28a76665e3590e5a52c82.exe
  Resource: win10v2004-20240508-en
General
Target: 92ed635d64ccf7f45c6be415da330781a714d2a50cd28a76665e3590e5a52c82.exe
Size: 2.6MB
MD5: 146bbdff9871cfc484839ed59b994a2f
SHA1: ff44b337bd1ee4439f7d5330d426b1e510113351
SHA256: 92ed635d64ccf7f45c6be415da330781a714d2a50cd28a76665e3590e5a52c82
SHA512: faf3ab3ec5ef9a4f43299937060764940a8f1b6c01309bfda52942dfd9ae9c45e909ed67b0cdbeee8f3c8c9cd88f9d34557427e9c2359dca06c37fe95b565d31
SSDEEP: 49152:uB7HRCcJmv2aLv6xXV1/+/P3bhu2elmHPOcFl1Co/QeJe1MxtIP44V/ySQ0:W7+2gv6v1ihGcHPFi6pPGh
Malware Config
Extracted: cobaltstrike
http://116.204.24.189:8888/MqQN
user_agent: User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)
Signatures
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
- Executes dropped EXE (1 IoC)
  Processes: artifact.exe (PID 2648)
- Loads dropped DLL (2 IoCs)
  Processes: 92ed635d64ccf7f45c6be415da330781a714d2a50cd28a76665e3590e5a52c82.exe (PID 2368), 92ed635d64ccf7f45c6be415da330781a714d2a50cd28a76665e3590e5a52c82.exe (PID 2368)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: AcroRd32.exe (PID 2600)
- Suspicious use of SetWindowsHookEx (3 IoCs)
  Processes: AcroRd32.exe (PID 2600), AcroRd32.exe (PID 2600), AcroRd32.exe (PID 2600)
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description / pid / process / target process):
  PID 2368 wrote to memory of 2648 / 2368 / 92ed635d64ccf7f45c6be415da330781a714d2a50cd28a76665e3590e5a52c82.exe / artifact.exe
  PID 2368 wrote to memory of 2648 / 2368 / 92ed635d64ccf7f45c6be415da330781a714d2a50cd28a76665e3590e5a52c82.exe / artifact.exe
  PID 2368 wrote to memory of 2648 / 2368 / 92ed635d64ccf7f45c6be415da330781a714d2a50cd28a76665e3590e5a52c82.exe / artifact.exe
  PID 2368 wrote to memory of 2648 / 2368 / 92ed635d64ccf7f45c6be415da330781a714d2a50cd28a76665e3590e5a52c82.exe / artifact.exe
  PID 2368 wrote to memory of 2600 / 2368 / 92ed635d64ccf7f45c6be415da330781a714d2a50cd28a76665e3590e5a52c82.exe / AcroRd32.exe
  PID 2368 wrote to memory of 2600 / 2368 / 92ed635d64ccf7f45c6be415da330781a714d2a50cd28a76665e3590e5a52c82.exe / AcroRd32.exe
  PID 2368 wrote to memory of 2600 / 2368 / 92ed635d64ccf7f45c6be415da330781a714d2a50cd28a76665e3590e5a52c82.exe / AcroRd32.exe
  PID 2368 wrote to memory of 2600 / 2368 / 92ed635d64ccf7f45c6be415da330781a714d2a50cd28a76665e3590e5a52c82.exe / AcroRd32.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\92ed635d64ccf7f45c6be415da330781a714d2a50cd28a76665e3590e5a52c82.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\92ed635d64ccf7f45c6be415da330781a714d2a50cd28a76665e3590e5a52c82.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Temp\artifact.exe (depth 2)
    Command line: "C:\Windows\Temp\artifact.exe"
    - Executes dropped EXE
  - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (depth 2)
    Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Windows\Temp\健身房管理系统的设计与实现_孙梦成.pdf"
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
  Filesize: 3KB
  MD5: 410cd779ebc93144f915d7f1d6ac99e1
  SHA1: 7eb999b1f1f55ffb78be73c1aad79f6c4421d8b1
  SHA256: 47858c0e73eab9550ae9bedc37f27eea90bbd1a34e60f65b2be1a37a22d64d25
  SHA512: ce4bd10c90239fb16cb2dae575d382fa0c44d165399894fd062f7f9ce3e0fe4ccf142e95f43d9f7fd34df5301dbd57521664826ffa2774fe9b5a3334d17d5831
- C:\Windows\Temp\artifact.exe
  Filesize: 19KB
  MD5: baf284515fd1e008de905653576ba26a
  SHA1: 6c8ab2c8be44d39d84ab1a6d9a5bdc0079ba96f1
  SHA256: ea4f06ccea1219dc39299afeb22eea3a2e2cbf8ca13b4d22bbcf3e5dde91d780
  SHA512: 74e1a31698488439978a3f06487634626a4a581532cf4db58af9a87a08cc4824d2e8a08e2fb023637b4ff65dfdbad6acab69cc78786e18c4d7e3d413dd5ffd6b
- C:\Windows\Temp\健身房管理系统的设计与实现_孙梦成.pdf
  Filesize: 2.3MB
  MD5: b4d255b6390bf346e1ba34d9f4f609c4
  SHA1: 1ea8820f614ac72386f2fe30139ddefe75507033
  SHA256: a6fa60973c1045048b5e2e906f18ec40dfe4183302afb74bfbab7450e1d80306
  SHA512: fbf6e97bbecdb263066f481a20257e0900d36d0d76ef96e5f56b95771839c27456d2aa9a57da74811ea67433f27ddabce2fa51e6567e2488f0bbf2c969309fec
- memory/2600-14-0x0000000004030000-0x00000000040A6000-memory.dmp
  Filesize: 472KB
- memory/2648-15-0x0000000000250000-0x0000000000251000-memory.dmp
  Filesize: 4KB
- memory/2648-32-0x0000000000400000-0x000000000040C000-memory.dmp
  Filesize: 48KB