Overview

overview

10

Static

static

9ed5007030...0e.dll

windows7_x64

10

9ed5007030...0e.dll

windows10_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    134s
  • platform
    windows7_x64
  • resource
    win7-en-20211014
  • submitted
    25-11-2021 14:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9ed5007030c018feaaba6c9e7f668b9c296652ef29d6f4bd39703421ec769b0e.dll

  • Size

    652KB

  • MD5

    9b24c5978918a68a8682c6526ca48a7b

  • SHA1

    2fd14cc60f99a4a53838f284b847c4df5b1b651c

  • SHA256

    9ed5007030c018feaaba6c9e7f668b9c296652ef29d6f4bd39703421ec769b0e

  • SHA512

    417cb8a22c34afef0ad2b478f2cf0fa4d04c1c58e69e9082d3738c015bf6d9e16ec6601643d80021849e382ebba760fc62656f96290b9179bb40d78071adea1e

Score
10/10
cobaltstrikeflawedgraceratbackdoorpersistencerattrojan

Malware Config

Signatures

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

    trojanbackdoorcobaltstrike
  • FlawedGraceRAT

    FlawedGrace is a full-featured RAT written in C++.

    ratflawedgracerat
  • Registers COM server for autorun 1 TTPs
    persistence
  • FlawedGraceRat Backdoor 2 IoCs

    Detects FlawedGraceRat x64 backdoor in memory.

    backdoor
  • Modifies registry class 14 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\lsass.exe
    C:\Windows\system32\lsass.exe
    1⤵
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:480
  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:412
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1300
    • C:\Windows\system32\regsvr32.exe
      regsvr32 /s C:\Users\Admin\AppData\Local\Temp\9ed5007030c018feaaba6c9e7f668b9c296652ef29d6f4bd39703421ec769b0e.dll
      2⤵
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1120

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/412-63-0x0000000000780000-0x00000000007E6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/412-70-0x0000000003250000-0x0000000003351000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/412-69-0x0000000002BD0000-0x0000000002CD3000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/412-66-0x0000000000BC0000-0x0000000000C22000-memory.dmp

    Filesize

    392KB

    Download

  • memory/412-65-0x0000000000780000-0x00000000007E6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/412-60-0x00000000015B0000-0x000000000164F000-memory.dmp

    Filesize

    636KB

    Download

  • memory/480-59-0x0000000000A60000-0x0000000000B03000-memory.dmp

    Filesize

    652KB

    Download

  • memory/480-62-0x00000000015F0000-0x000000000168F000-memory.dmp

    Filesize

    636KB

    Download

  • memory/480-61-0x0000000000A60000-0x0000000000B03000-memory.dmp

    Filesize

    652KB

    Download

  • memory/1120-55-0x000007FEFC1F1000-0x000007FEFC1F3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1120-58-0x0000000000680000-0x0000000000699000-memory.dmp

    Filesize

    100KB

    Download

  • memory/1120-57-0x0000000000640000-0x000000000065C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/1120-56-0x0000000001EB0000-0x0000000001F4F000-memory.dmp

    Filesize

    636KB

    Download

  • memory/1300-67-0x00000000025F0000-0x0000000002656000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1300-68-0x0000000003FC0000-0x0000000004022000-memory.dmp

    Filesize

    392KB

    Download

  • memory/1300-71-0x0000000006610000-0x0000000006713000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1300-72-0x00000000070D0000-0x00000000071D1000-memory.dmp

    Filesize

    1.0MB

    Download