Overview

overview

10

Static

static

championship.inf.dll

windows7_x64

10

championship.inf.dll

windows10_x64

10

Resubmissions

15-09-2021 06:42

210915-hgtlhadaer 10

14-09-2021 08:06

210914-jzwz1sacfj 10

10-09-2021 11:57

210910-n4w8ssdbdp 10

08-09-2021 11:10

210908-m965hshefk 10

Analysis

  • max time kernel
    44s
  • max time network
    137s
  • platform
    windows10_x64
  • resource
    win10-en
  • submitted
    08-09-2021 11:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    championship.inf.dll

  • Size

    2.0MB

  • MD5

    0b7da6388091ff9d696a18c95d41b587

  • SHA1

    6c10d7d88606ac1afd30b4e61bf232329a276cdc

  • SHA256

    6eedf45cb91f6762de4e35e36bcb03e5ad60ce9ac5a08caeb7eda035cd74762b

  • SHA512

    45b26e8f9885dca6f4e1984fc39cb4c2a5b5988c970f35dde987b7a5a8417acbe5e972a6602071e903425f91a9095c7c289e574c3bad3039324185ad85d06a9a

Score
10/10
cobaltstrikebackdoortrojan

Malware Config

Extracted

Family

cobaltstrike

C2

http://dodefoh.com:443/static-directory/media.gif

Attributes
  • user_agent

    Host: microsoft.com Connection: close Accept-Encoding: br Accept-Language: en-US User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9

Signatures

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

    trojanbackdoorcobaltstrike
  • Process spawned unexpected child process 2 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 1 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\championship.inf.dll,#1
    1⤵
    • Blocklisted process makes network request
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4688
  • C:\Program Files\Windows Mail\wabmig.exe
    "C:\Program Files\Windows Mail\wabmig.exe"
    1⤵
    • Process spawned unexpected child process
    PID:3396
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 3396 -s 1012
      2⤵
      • Suspicious use of NtCreateProcessExOtherParentProcess
      • Program crash
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3356
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -c "Sleep 5 ; Remove-Item -Path "C:\Users\Admin\AppData\Local\Temp\championship.inf.dll" -Force
    1⤵
    • Process spawned unexpected child process
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:744

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/744-121-0x000001FD5E7A0000-0x000001FD5E7A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/744-126-0x000001FD5E950000-0x000001FD5E951000-memory.dmp

    Filesize

    4KB

    Download

  • memory/744-132-0x000001FD5C793000-0x000001FD5C795000-memory.dmp

    Filesize

    8KB

    Download

  • memory/744-131-0x000001FD5C790000-0x000001FD5C792000-memory.dmp

    Filesize

    8KB

    Download

  • memory/744-142-0x000001FD5C798000-0x000001FD5C799000-memory.dmp

    Filesize

    4KB

    Download

  • memory/744-141-0x000001FD5C796000-0x000001FD5C798000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3396-115-0x000002C9B9E00000-0x000002C9B9E01000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4688-144-0x00007FF8BE080000-0x00007FF8BE082000-memory.dmp

    Filesize

    8KB

    Download