Overview

overview

10

Static

static

9ed5007030...0e.dll

windows7_x64

10

9ed5007030...0e.dll

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    138s
  • platform
    windows10_x64
  • resource
    win10-en-20211104
  • submitted
    25-11-2021 14:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9ed5007030c018feaaba6c9e7f668b9c296652ef29d6f4bd39703421ec769b0e.dll

  • Size

    652KB

  • MD5

    9b24c5978918a68a8682c6526ca48a7b

  • SHA1

    2fd14cc60f99a4a53838f284b847c4df5b1b651c

  • SHA256

    9ed5007030c018feaaba6c9e7f668b9c296652ef29d6f4bd39703421ec769b0e

  • SHA512

    417cb8a22c34afef0ad2b478f2cf0fa4d04c1c58e69e9082d3738c015bf6d9e16ec6601643d80021849e382ebba760fc62656f96290b9179bb40d78071adea1e

Score
10/10
cobaltstrikeflawedgraceratbackdoorpersistencerattrojan

Malware Config

Signatures

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

    trojanbackdoorcobaltstrike
  • FlawedGraceRAT

    FlawedGrace is a full-featured RAT written in C++.

    ratflawedgracerat
  • Registers COM server for autorun 1 TTPs
    persistence
  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • FlawedGraceRat Backdoor 2 IoCs

    Detects FlawedGraceRat x64 backdoor in memory.

    backdoor
  • Program crash 1 IoCs
  • Modifies registry class 17 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 58 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Windows\system32\lsass.exe
    C:\Windows\system32\lsass.exe
    1⤵
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:628
  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:576
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    PID:3016
    • C:\Windows\system32\regsvr32.exe
      regsvr32 /s C:\Users\Admin\AppData\Local\Temp\9ed5007030c018feaaba6c9e7f668b9c296652ef29d6f4bd39703421ec769b0e.dll
      2⤵
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2620
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 2620 -s 476
        3⤵
        • Suspicious use of NtCreateProcessExOtherParentProcess
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3884
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
    1⤵
      PID:2564
    • \??\c:\windows\system32\svchost.exe
      c:\windows\system32\svchost.exe -k localservice -s W32Time
      1⤵
        PID:3052

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/576-125-0x0000013EB3C10000-0x0000013EB3C72000-memory.dmp

        Filesize

        392KB

        Download

      • memory/576-124-0x0000013EB1FE0000-0x0000013EB2046000-memory.dmp

        Filesize

        408KB

        Download

      • memory/576-131-0x0000013EB4080000-0x0000013EB4181000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/576-121-0x0000013EB2280000-0x0000013EB231F000-memory.dmp

        Filesize

        636KB

        Download

      • memory/576-129-0x0000013EB44A0000-0x0000013EB45A3000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/628-122-0x000001CEC6540000-0x000001CEC65E3000-memory.dmp

        Filesize

        652KB

        Download

      • memory/628-123-0x000001CEC6E00000-0x000001CEC6E9F000-memory.dmp

        Filesize

        636KB

        Download

      • memory/2620-119-0x0000000000920000-0x000000000093C000-memory.dmp

        Filesize

        112KB

        Download

      • memory/2620-118-0x0000000002410000-0x00000000024AF000-memory.dmp

        Filesize

        636KB

        Download

      • memory/2620-120-0x00000000023F0000-0x0000000002409000-memory.dmp

        Filesize

        100KB

        Download

      • memory/3016-128-0x0000000003570000-0x0000000003673000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/3016-127-0x00000000032C0000-0x0000000003322000-memory.dmp

        Filesize

        392KB

        Download

      • memory/3016-126-0x00000000014F0000-0x0000000001556000-memory.dmp

        Filesize

        408KB

        Download

      • memory/3016-130-0x0000000006C20000-0x0000000006D21000-memory.dmp

        Filesize

        1.0MB

        Download