Analysis
- max time kernel: 143s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-07-2024 05:22
Static task: static1
Behavioral task: behavioral1
- Sample: 10d7c0e08d2f5ccaee9e722c965f65c8d4a9ac54b32c542bde29c017d76bc7ae.exe
- Resource: win7-20240611-en
Behavioral task: behavioral2
- Sample: 10d7c0e08d2f5ccaee9e722c965f65c8d4a9ac54b32c542bde29c017d76bc7ae.exe
- Resource: win10v2004-20240226-en
General
- Target: 10d7c0e08d2f5ccaee9e722c965f65c8d4a9ac54b32c542bde29c017d76bc7ae.exe
- Size: 1.4MB
- MD5: 7852d19ca1efd7a26644980df3ba01d3
- SHA1: 18cfdd421415f819d833a10c994d8d3fc31ec484
- SHA256: 10d7c0e08d2f5ccaee9e722c965f65c8d4a9ac54b32c542bde29c017d76bc7ae
- SHA512: f69f1ec58acab14a6bf4d122649422f694c1ed4c6a992f30da5b93a717efc50360d0cba737efa1f0529ea8e21a012c6e786156d1fedad57a7940aa886e71e14c
- SSDEEP: 24576:0Hyi0YRzZgx/jtTObFtURiRQkzRQD9ZkdxTu5iZpUHLQfRRNa:HIIhTObMbIItrya
Malware Config
Extracted: cobaltstrike
- http://49.233.48.44:443/Rpc
- user_agent: Accept: */* User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)
Signatures
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoCs)
  Processes:
  description           | pid  | process     | target process
  PID 3736 created 3332 | 3736 | notepad.exe | Explorer.EXE
- Executes dropped EXE (1 IoCs)
  Processes:
  pid  | process
  3736 | notepad.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  pid  | process
  3736 | notepad.exe
  3736 | notepad.exe
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (1 IoCs)
  Processes:
  pid  | process
  3736 | notepad.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
  description                      | pid  | process                                                              | target process
  PID 4076 wrote to memory of 4440 | 4076 | 10d7c0e08d2f5ccaee9e722c965f65c8d4a9ac54b32c542bde29c017d76bc7ae.exe | cmd.exe
  PID 4076 wrote to memory of 4440 | 4076 | 10d7c0e08d2f5ccaee9e722c965f65c8d4a9ac54b32c542bde29c017d76bc7ae.exe | cmd.exe
  PID 4076 wrote to memory of 4184 | 4076 | 10d7c0e08d2f5ccaee9e722c965f65c8d4a9ac54b32c542bde29c017d76bc7ae.exe | cmd.exe
  PID 4076 wrote to memory of 4184 | 4076 | 10d7c0e08d2f5ccaee9e722c965f65c8d4a9ac54b32c542bde29c017d76bc7ae.exe | cmd.exe
  PID 4076 wrote to memory of 4316 | 4076 | 10d7c0e08d2f5ccaee9e722c965f65c8d4a9ac54b32c542bde29c017d76bc7ae.exe | cmd.exe
  PID 4076 wrote to memory of 4316 | 4076 | 10d7c0e08d2f5ccaee9e722c965f65c8d4a9ac54b32c542bde29c017d76bc7ae.exe | cmd.exe
  PID 4184 wrote to memory of 3736 | 4184 | cmd.exe                                                              | notepad.exe
  PID 4184 wrote to memory of 3736 | 4184 | cmd.exe                                                              | notepad.exe
  PID 3736 wrote to memory of 5004 | 3736 | notepad.exe                                                          | explorer.exe
  PID 3736 wrote to memory of 5004 | 3736 | notepad.exe                                                          | explorer.exe
  PID 3736 wrote to memory of 5004 | 3736 | notepad.exe                                                          | explorer.exe
Processes
- C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\10d7c0e08d2f5ccaee9e722c965f65c8d4a9ac54b32c542bde29c017d76bc7ae.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\10d7c0e08d2f5ccaee9e722c965f65c8d4a9ac54b32c542bde29c017d76bc7ae.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SYSTEM32\cmd.exe
      command line: cmd /k start ÈÎìÇ-Öйú´«Ã½´óѧ.docx
    - C:\Windows\SYSTEM32\cmd.exe
      command line: cmd /c C:\Windows\Temp\notepad.exe
      - Suspicious use of WriteProcessMemory
      - C:\Windows\Temp\notepad.exe
        command line: C:\Windows\Temp\notepad.exe
        - Suspicious use of NtCreateUserProcessOtherParentProcess
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        - Suspicious use of WriteProcessMemory
    - C:\Windows\SYSTEM32\cmd.exe
      command line: cmd /k del ÈÎìÇ-Öйú´«Ã½´óѧ.exe
  - C:\Windows\explorer.exe
    command line: explorer.exe
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4292 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Matrix
Downloads
- C:\Windows\Temp\notepad.exe
  Filesize: 831KB
  MD5: eaa16e9789f182de10c482e26b374304
  SHA1: b53763f592b24ff14b15e1662917c41722299957
  SHA256: 281a624fcdf4a1c2593a44c436f3523550f31b66ff756f73f1d7e5ebf03d5717
  SHA512: c7b1d24b537b63a4ed786f4763dbf287e6c1d5233e36048433ca7ff235f4feeefb68b4ff1d5f7c6763e5993371540f8b6bb373c681bc7b193ba466b647e508e0
- memory/3736-6-0x0000000000400000-0x00000000004D8000-memory.dmp
  Filesize: 864KB
- memory/3736-13-0x0000000000400000-0x00000000004D8000-memory.dmp
  Filesize: 864KB
- memory/4076-2-0x0000000000400000-0x0000000000583000-memory.dmp
  Filesize: 1.5MB
- memory/5004-12-0x0000000000B40000-0x0000000000B41000-memory.dmp
  Filesize: 4KB