Analysis
- max time kernel: 436s
- max time network: 481s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 23-05-2022 16:42
Static task: static1
Behavioral task: behavioral1 (Sample: rundll32.exe; Resource: win7-20220414-en)
Behavioral task: behavioral2 (Sample: rundll32.exe; Resource: win10v2004-20220414-en)
General
- Target: rundll32.exe
- Size: 72KB
- MD5: 0ae6801746fc951ea748bd6fcebd7ea4
- SHA1: 154145167949420056d7a1566740ff99b2765199
- SHA256: cbae182671c1d12bb0f548ff686b68101704751a1b592a12482a3526ae043558
- SHA512: 6bc8f76711f0a0a85327a4b57a50cd2cdc47de0419d7bd4971a0db7fedcb572b8bb698620367ee331a38a37345ec261ea1956e66f406eb64f4544fcf87454572
Malware Config
- Extracted family: metasploit
- encoder/shikata_ga_nai
Signatures
- Cobaltstrike: Detected malicious payload which is part of Cobaltstrike.
- MetaSploit: Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Modifies boot configuration data using bcdedit (4 IoCs)
  Processes (pid, process):
    308 bcdedit.exe
    1960 bcdedit.exe
    1940 bcdedit.exe
    1556 bcdedit.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description, ioc, process):
    Set value (str): \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\SIAsvkREL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yzwQuAOjucJR.vbs" (rundll32.exe)
- Suspicious use of AdjustPrivilegeToken (37 IoCs)
  Processes (description, pid, process; grouped by process, in the order reported):
    1640 whoami.exe: Token: SeDebugPrivilege
    1284 rundll32.exe: Token: SeAssignPrimaryTokenPrivilege, SeAuditPrivilege, SeBackupPrivilege, SeChangeNotifyPrivilege, SeCreateGlobalPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, 35, SeCreateTokenPrivilege, SeDebugPrivilege, SeEnableDelegationPrivilege, SeImpersonatePrivilege, SeIncBasePriorityPrivilege, SeIncreaseQuotaPrivilege, 33, SeLoadDriverPrivilege, SeLockMemoryPrivilege, SeMachineAccountPrivilege, SeManageVolumePrivilege, SeProfSingleProcessPrivilege, 32, SeRemoteShutdownPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeShutdownPrivilege, SeSyncAgentPrivilege, SeSystemEnvironmentPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeTakeOwnershipPrivilege, SeTcbPrivilege, 34, 31, SeUndockPrivilege, 0
    1768 whoami.exe: Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (23 IoCs)
  Processes (description, pid, process, target process; repeated calls grouped with counts):
    PID 1284 wrote to memory of 1928 (1284 rundll32.exe -> cmd.exe), 4 times
    PID 1928 wrote to memory of 1640 (1928 cmd.exe -> whoami.exe), 4 times
    PID 1520 wrote to memory of 1768 (1520 cmd.exe -> whoami.exe), 3 times
    PID 1520 wrote to memory of 1648 (1520 cmd.exe -> winlogon.exe), 3 times
    PID 1520 wrote to memory of 308 (1520 cmd.exe -> bcdedit.exe), 3 times
    PID 1520 wrote to memory of 1960 (1520 cmd.exe -> bcdedit.exe), 3 times
    PID 1520 wrote to memory of 1940 (1520 cmd.exe -> bcdedit.exe), 3 times
Processes (image path; command line; tree depth; PID; triggered signatures)
- C:\Users\Admin\AppData\Local\Temp\rundll32.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\rundll32.exe" (depth 1), PID 1284
  signatures: Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe (depth 2), PID 1928
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\whoami.exe
      command line: whoami (depth 3), PID 1640
      signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe (depth 2), PID 1520
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\whoami.exe
      command line: whoami (depth 3), PID 1768
      signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\winlogon.exe
      command line: winlogon (depth 3), PID 1648
    - C:\Windows\system32\bcdedit.exe
      command line: bcdedit /enum (depth 3), PID 308
      signatures: Modifies boot configuration data using bcdedit
    - C:\Windows\system32\bcdedit.exe
      command line: bcdedit /set recoveryenabled no (depth 3), PID 1960
      signatures: Modifies boot configuration data using bcdedit
    - C:\Windows\system32\bcdedit.exe
      command line: bcdedit /enum (depth 3), PID 1940
      signatures: Modifies boot configuration data using bcdedit
    - C:\Windows\system32\bcdedit.exe
      command line: bcdedit /set recoveryenabled yes (depth 3), PID 1556
      signatures: Modifies boot configuration data using bcdedit
- C:\Windows\system32\cmd.exe
  command line: cmd.exe /c echo srrfya > \\.\pipe\srrfya (depth 1), PID 1692
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/308-66-0x0000000000000000-mapping.dmp
- memory/1284-61-0x00000000003E0000-0x0000000000400000-memory.dmp (Filesize: 128KB)
- memory/1284-56-0x0000000000270000-0x00000000002A1000-memory.dmp (Filesize: 196KB)
- memory/1284-58-0x00000000023D0000-0x00000000024D0000-memory.dmp (Filesize: 1024KB)
- memory/1284-59-0x0000000000420000-0x000000000047F000-memory.dmp (Filesize: 380KB)
- memory/1284-60-0x0000000000574000-0x0000000000591000-memory.dmp (Filesize: 116KB)
- memory/1284-54-0x00000000759F1000-0x00000000759F3000-memory.dmp (Filesize: 8KB)
- memory/1284-55-0x0000000000240000-0x000000000026B000-memory.dmp (Filesize: 172KB)
- memory/1556-69-0x0000000000000000-mapping.dmp
- memory/1640-63-0x0000000000000000-mapping.dmp
- memory/1648-65-0x0000000000000000-mapping.dmp
- memory/1768-64-0x0000000000000000-mapping.dmp
- memory/1928-62-0x0000000000000000-mapping.dmp
- memory/1940-68-0x0000000000000000-mapping.dmp
- memory/1960-67-0x0000000000000000-mapping.dmp