download: | Important_Changes_to_Form10_K.doc |
Full analysis: | https://app.any.run/tasks/1756b385-9b2e-4c4e-a842-7906a1391bf4 |
Verdict: | Malicious activity |
Threats: | Cobalt Strike is a legitimate penetration software toolkit developed by Forta. But its cracked versions are widely adopted by bad actors, who use it as a C2 system of choice for targeted attacks. |
Analysis date: | April 25, 2019, 04:32:38 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Author: Pieter Ceelen, Template: Normal.dotm, Last Saved By: Anon Bluehat, Revision Number: 4, Name of Creating Application: Microsoft Office Word, Total Editing Time: 04:00, Last Printed: Tue Apr 19 11:07:00 2016, Create Time/Date: Wed Apr 24 09:27:00 2019, Last Saved Time/Date: Wed Apr 24 09:34:00 2019, Number of Pages: 1, Number of Words: 79, Number of Characters: 452, Security: 0 |
MD5: | 8E97FB9AE61276078D02A0F96796B53E |
SHA1: | 1EF4F6D7A8BF28E855458F55CCBAA322152FFFFD |
SHA256: | AEF703B3C0222FAE2AFDBDF558CFEF1AA327C06608D4C583A9C1A6DCAA169C47 |
SSDEEP: | 1536:8AFNU2ieWA0KTSclQdhJ7SzvYSD538zR+pek0cSWpXjybt4KK:8AFseWDclQdhYzvDz89K |
.doc | | | Microsoft Word document (35.9) |
---|---|---|
.xls | | | Microsoft Excel sheet (33.7) |
.doc | | | Microsoft Word document (old ver.) (21.3) |
CompObjUserType: | Microsoft Word 97-2003 Document |
---|---|
CompObjUserTypeLen: | 32 |
HeadingPairs: |
|
TitleOfParts: | - |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 14 |
CharCountWithSpaces: | 530 |
Paragraphs: | 1 |
Lines: | 3 |
Company: | - |
CodePage: | Windows Latin 1 (Western European) |
Security: | None |
Characters: | 452 |
Words: | 79 |
Pages: | 1 |
ModifyDate: | 2019:04:24 08:34:00 |
CreateDate: | 2019:04:24 08:27:00 |
LastPrinted: | 2016:04:19 10:07:00 |
TotalEditTime: | 4.0 minutes |
Software: | Microsoft Office Word |
RevisionNumber: | 4 |
LastModifiedBy: | Anon Bluehat |
Template: | Normal.dotm |
Keywords: | - |
Author: | Pieter Ceelen |
Subject: | - |
Title: | - |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3864 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Important_Changes_to_Form10_K.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
2080 | C:\Windows\\System32\\rundll32.exe | C:\Windows\System32\rundll32.exe | WINWORD.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3864 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR31FA.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3864 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:E0A6D871DF9AF8A843020CC2FC70CA4E | SHA256:33FAFDD37700ECE853AC83901FBEAB68A9A8E725B6B27DF6C65EDBF64767BE47 | |||
3864 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\MSO2057.acl | binary | |
MD5:F81F9B857B24F9299B257C0CD39ADC1C | SHA256:0818956D90A5472B13BF2637265753E6DF309A1CD82CAF7AE61091CFBD53CEE2 | |||
3864 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$portant_Changes_to_Form10_K.doc | pgc | |
MD5:56237A7B99F6D160C6A618625E141AC5 | SHA256:852E078FE66DAAAE8DEDCBFE3A1322551C43BC8B356185B5C7E51A0BE47B5EF5 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2080 | rundll32.exe | GET | 200 | 165.22.71.42:80 | http://165.22.71.42/TRAINING-BEACON | US | binary | 207 Kb | malicious |
2080 | rundll32.exe | GET | 200 | 165.22.71.42:80 | http://165.22.71.42/TRAINING-BEACON | US | binary | 48 b | malicious |
2080 | rundll32.exe | GET | 200 | 165.22.71.42:80 | http://165.22.71.42/TRAINING-BEACON | US | binary | 48 b | malicious |
2080 | rundll32.exe | GET | 200 | 165.22.71.42:80 | http://165.22.71.42/TRAINING-BEACON | US | binary | 48 b | malicious |
2080 | rundll32.exe | GET | 200 | 165.22.71.42:80 | http://165.22.71.42/TRAINING-BEACON | US | binary | 48 b | malicious |
2080 | rundll32.exe | GET | 200 | 165.22.71.42:80 | http://165.22.71.42/TRAINING-BEACON | US | binary | 48 b | malicious |
2080 | rundll32.exe | GET | 200 | 165.22.71.42:80 | http://165.22.71.42/TRAINING-BEACON | US | binary | 48 b | malicious |
2080 | rundll32.exe | GET | 200 | 165.22.71.42:80 | http://165.22.71.42/TRAINING-BEACON | US | binary | 48 b | malicious |
2080 | rundll32.exe | GET | 200 | 165.22.71.42:80 | http://165.22.71.42/TRAINING-BEACON | US | binary | 48 b | malicious |
2080 | rundll32.exe | GET | 200 | 165.22.71.42:80 | http://165.22.71.42/aU1u | US | binary | 207 Kb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2080 | rundll32.exe | 165.22.71.42:80 | — | — | US | malicious |
PID | Process | Class | Message |
---|---|---|---|
2080 | rundll32.exe | A Network Trojan was detected | MALWARE [PTsecurity] Backdoor.Cobalt |
2080 | rundll32.exe | A Network Trojan was detected | MALWARE [PTsecurity] Cobalt Strike Beacon Observed |
2080 | rundll32.exe | A Network Trojan was detected | MALWARE [PTsecurity] Cobalt Strike Beacon Observed |
2080 | rundll32.exe | A Network Trojan was detected | MALWARE [PTsecurity] Cobalt Strike send output by POST binary |
2080 | rundll32.exe | Potentially Bad Traffic | ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 |
2080 | rundll32.exe | A Network Trojan was detected | MALWARE [PTsecurity] Cobalt Strike Beacon Observed |
2080 | rundll32.exe | A Network Trojan was detected | MALWARE [PTsecurity] Cobalt Strike Beacon Observed |
2080 | rundll32.exe | A Network Trojan was detected | MALWARE [PTsecurity] Cobalt Strike Beacon Observed |
2080 | rundll32.exe | A Network Trojan was detected | MALWARE [PTsecurity] Cobalt Strike Beacon Observed |
2080 | rundll32.exe | A Network Trojan was detected | MALWARE [PTsecurity] Cobalt Strike Beacon Observed |