Overview

overview

10

Static

static

1

RuntimeBroker.exe

windows7-x64

RuntimeBroker.exe

windows10-2004-x64

10

info.txt

windows7-x64

1

info.txt

windows10-2004-x64

1

umpdc.dll

windows7-x64

10

umpdc.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    128s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-02-2023 18:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RuntimeBroker.exe

  • Size

    100KB

  • MD5

    ba4cfe6461afa1004c52f19c8f2169dc

  • SHA1

    ab8539ef6b2a93ff9589dec4b34a0257b6296c92

  • SHA256

    e86870769ee6c797e09457bd99c58d9bf2303cf0193a24ef9b1222c2c3daf628

  • SHA512

    2c5190d7609767237311260f241c619b82434ca640f396bb9710d356286844f82f320f9e05525a38707f2a52977790c0c3e2a217b36a7f0095a87c138b939af0

  • SSDEEP

    1536:l5gC0wSKok6UAeVEBFgvozLmwCedFpQHI8PXjYlTx/2whBGE/5K5/EJD2VEUcO8h:sC+vEArBCgmejo8X/2whRJDAE2r+e

Score
10/10
cobaltstrike987654321backdoorpersistencetrojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

987654321

C2

http://45.12.253.139:443/an.js

Attributes
  • access_type

    512

  • beacon_type

    2048

  • host

    45.12.253.139,/an.js

  • http_header1

    AAAAEAAAABpIb3N0OiBidXNpbmVzc3NlcnZpY2VzLmNvbQAAAAoAAAARQ29ubmVjdGlvbjogY2xvc2UAAAAKAAAAE0FjY2VwdC1FbmNvZGluZzogYnIAAAAKAAAAFkFjY2VwdC1MYW5ndWFnZTogZW4tVVMAAAAHAAAAAAAAAA0AAAADAAAAAgAAABp3b29jb21tZXJjZV9pdGVtc19pbl9jYXJ0PQAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_header2

    AAAAEAAAABpIb3N0OiBidXNpbmVzc3NlcnZpY2VzLmNvbQAAAAoAAAARQ29ubmVjdGlvbjogY2xvc2UAAAAKAAAAGUFjY2VwdC1FbmNvZGluZzogZ3ppcCwgYnIAAAAKAAAAL0NvbnRlbnQtVHlwZTogYXBwbGljYXRpb24veC13d3ctZm9ybS11cmxlbmNvZGVkAAAABwAAAAEAAAANAAAAAwAAAAIAAAAIZGV0YWlscz0AAAAEAAAABwAAAAAAAAADAAAAAgAAAA5fX3Nlc3Npb25fX2lkPQAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_method1

    GET

  • http_method2

    POST

  • jitter

    9472

  • polling_time

    55991

  • port_number

    443

  • sc_process32

    %windir%\syswow64\dllhost.exe

  • sc_process64

    %windir%\sysnative\dllhost.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCMEuNG3asVOp+bgSmSog10bB55R9e+aj5dF2sVbnRjA/dTkltRdDD0DdF5vJh/gURBikZ4FxqqmfqR2SPAheOzDDrYvV7ScpwPkZe8IUd/DbJmPs30ST9SGHn+eLjTQQEU+I142t7yTsO7HCKf1CTDMHfS3PNoz3V8ivNRwL1aiQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    9.63976192e+08

  • unknown2

    AAAABAAAAAIAAANxAAAAAwAAAA0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /ch

  • user_agent

    Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/42.0.2311.135

  • watermark

    987654321

Signatures

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

    trojanbackdoorcobaltstrike
  • Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1032
      • C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        • Suspicious use of WriteProcessMemory
        PID:4916
        • C:\Windows\System32\cmd.exe
          /C reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v MicrosoftLibrary /t REG_SZ /d "powershell.exe -noP -sta -w 1 Set-Location -Path $env:Public\Libraries\MicrosoftLibrary; Start-Process $env:Public\Libraries\MicrosoftLibrary\RuntimeBroker.exe"" /f
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2488
          • C:\Windows\system32\reg.exe
            reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v MicrosoftLibrary /t REG_SZ /d "powershell.exe -noP -sta -w 1 Set-Location -Path $env:Public\Libraries\MicrosoftLibrary; Start-Process $env:Public\Libraries\MicrosoftLibrary\RuntimeBroker.exe"" /f
            4⤵
            • Adds Run key to start application
            • Modifies registry key
            PID:4704
        • C:\Windows\System32\schtasks.exe
          /F /Create /TN Microsoft_Library /sc minute /MO 80 /TR "powershell.exe -WindowStyle hidden -noP -sta -w 1 Set-Location -Path $env:Public\Libraries\MicrosoftLibrary; Start-Process $env:Public\Libraries\MicrosoftLibrary\RuntimeBroker.exe
          3⤵
          • Creates scheduled task(s)
          PID:1620
      • C:\windows\system32\wermgr.exe
        "C:\windows\system32\wermgr.exe"
        2⤵
          PID:4812

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Scheduled Task

      1
      T1053

      Persistence

      Registry Run Keys / Startup Folder

      1
      T1060

      Scheduled Task

      1
      T1053

      Privilege Escalation

      Scheduled Task

      1
      T1053

      Defense Evasion

      Modify Registry

      2
      T1112

      Credential Access

      Discovery

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/1620-137-0x0000000000000000-mapping.dmp
        Download
      • memory/2488-136-0x0000000000000000-mapping.dmp
        Download
      • memory/4704-138-0x0000000000000000-mapping.dmp
        Download
      • memory/4812-133-0x0000000000000000-mapping.dmp
        Download
      • memory/4812-134-0x00000125264D0000-0x0000012526514000-memory.dmp
        Filesize

        272KB

        Download
      • memory/4812-135-0x0000012526800000-0x000001252687E000-memory.dmp
        Filesize

        504KB

        Download
      • memory/4916-132-0x00007FF82E030000-0x00007FF82E225000-memory.dmp
        Filesize

        2.0MB

        Download
      • memory/4916-139-0x00007FF82E030000-0x00007FF82E225000-memory.dmp
        Filesize

        2.0MB

        Download