Analysis
-
max time kernel
108s
-
max time network
111s
-
platform
windows7_x64
-
resource
win7-20220812-en
-
resource tags
arch:x64
arch:x86
image:win7-20220812-en
locale:en-us
os:windows7-x64
system
-
submitted
06-02-2023 18:33
Static task
static1
Behavioral task
behavioral1
Sample
RuntimeBroker.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
RuntimeBroker.exe
Resource
win10v2004-20221111-en
Behavioral task
behavioral3
Sample
info.txt
Resource
win7-20221111-en
Behavioral task
behavioral4
Sample
info.txt
Resource
win10v2004-20220901-en
Behavioral task
behavioral5
Sample
umpdc.dll
Resource
win7-20220812-en
Behavioral task
behavioral6
Sample
umpdc.dll
Resource
win10v2004-20221111-en
General
-
Target
umpdc.dll
-
Size
391KB
-
MD5
1570c92c1c5f039c438295ac68ff7e82
-
SHA1
3ee6c1d3582361e8af4efec44b1d1420494ab728
-
SHA256
b41b4e32607a4e21593332da63ce1bcf9c1d43f8f6754789a43bea7428833ea4
-
SHA512
fbf28062d81538f814e1a615caf9993aa24e54fd0b7ff84ead7e22002bac0a4c866d334fd445d6c7844289a7310e82a0febd07d7f02536ea51d11f9f884e4992
-
SSDEEP
6144:JAuyRydkljgV0gy791xfB9yDAxRX9yMhklyCgk0gyWYFgdDlmZdHyHydkl9Tr0g/:JAAU8V0ZrH88Y2k0md8dHdUB0BwH
Malware Config
Extracted
cobaltstrike
987654321
http://45.12.253.139:443/an.js
-
access_type
512
-
beacon_type
2048
-
host
45.12.253.139,/an.js
-
http_header1
-
http_header2
-
http_method1
GET
-
http_method2
POST
-
jitter
9472
-
polling_time
55991
-
port_number
443
-
sc_process32
%windir%\syswow64\dllhost.exe
-
sc_process64
%windir%\sysnative\dllhost.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCMEuNG3asVOp+bgSmSog10bB55R9e+aj5dF2sVbnRjA/dTkltRdDD0DdF5vJh/gURBikZ4FxqqmfqR2SPAheOzDDrYvV7ScpwPkZe8IUd/DbJmPs30ST9SGHn+eLjTQQEU+I142t7yTsO7HCKf1CTDMHfS3PNoz3V8ivNRwL1aiQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
9.63976192e+08
-
unknown2
AAAABAAAAAIAAANxAAAAAwAAAA0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/ch
-
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/42.0.2311.135
-
watermark
987654321
Signatures
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
Processes:
rundll32.exe
description | pid | process | target process
PID 1456 created 1396 | 1456 | rundll32.exe | Explorer.EXE
PID 1456 created 1396 | 1456 | rundll32.exe | Explorer.EXE
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
reg.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run | reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftLibrary = "powershell.exe -noP -sta -w 1 Set-Location -Path $env:Public\\Libraries\\MicrosoftLibrary; Start-Process $env:Public\\Libraries\\MicrosoftLibrary\\RuntimeBroker.exe\"" | reg.exe
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies registry key 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
rundll32.exe
pid | process
1456 | rundll32.exe
-
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
rundll32.exe, cmd.exe
description | pid | process | target process
PID 1456 wrote to memory of 1476 | 1456 | rundll32.exe | wermgr.exe
PID 1456 wrote to memory of 1476 | 1456 | rundll32.exe | wermgr.exe
PID 1456 wrote to memory of 1476 | 1456 | rundll32.exe | wermgr.exe
PID 1456 wrote to memory of 1476 | 1456 | rundll32.exe | wermgr.exe
PID 1456 wrote to memory of 1352 | 1456 | rundll32.exe | cmd.exe
PID 1456 wrote to memory of 1352 | 1456 | rundll32.exe | cmd.exe
PID 1456 wrote to memory of 1352 | 1456 | rundll32.exe | cmd.exe
PID 1352 wrote to memory of 1112 | 1352 | cmd.exe | reg.exe
PID 1352 wrote to memory of 1112 | 1352 | cmd.exe | reg.exe
PID 1352 wrote to memory of 1112 | 1352 | cmd.exe | reg.exe
PID 1456 wrote to memory of 1804 | 1456 | rundll32.exe | schtasks.exe
PID 1456 wrote to memory of 1804 | 1456 | rundll32.exe | schtasks.exe
PID 1456 wrote to memory of 1804 | 1456 | rundll32.exe | schtasks.exe
Processes
-
C:\Windows\Explorer.EXE
Command line: C:\Windows\Explorer.EXE
Level 1
-
C:\Windows\system32\rundll32.exe
Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\umpdc.dll,#1
Level 2
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe
Command line: /C reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v MicrosoftLibrary /t REG_SZ /d "powershell.exe -noP -sta -w 1 Set-Location -Path $env:Public\Libraries\MicrosoftLibrary; Start-Process $env:Public\Libraries\MicrosoftLibrary\RuntimeBroker.exe"" /f
Level 3
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exe
Command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v MicrosoftLibrary /t REG_SZ /d "powershell.exe -noP -sta -w 1 Set-Location -Path $env:Public\Libraries\MicrosoftLibrary; Start-Process $env:Public\Libraries\MicrosoftLibrary\RuntimeBroker.exe"" /f
Level 4
- Adds Run key to start application
- Modifies registry key
-
C:\Windows\System32\schtasks.exe
Command line: /F /Create /TN Microsoft_Library /sc minute /MO 80 /TR "powershell.exe -WindowStyle hidden -noP -sta -w 1 Set-Location -Path $env:Public\Libraries\MicrosoftLibrary; Start-Process $env:Public\Libraries\MicrosoftLibrary\RuntimeBroker.exe
Level 3
- Creates scheduled task(s)
-
C:\windows\system32\wermgr.exe
Command line: "C:\windows\system32\wermgr.exe"
Level 2
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
memory/1112-58-0x0000000000000000-mapping.dmp
-
memory/1352-57-0x0000000000000000-mapping.dmp
-
memory/1456-60-0x00000000778C0000-0x0000000077A69000-memory.dmp
Filesize
1.7MB
-
memory/1476-54-0x0000000000000000-mapping.dmp
-
memory/1476-55-0x0000000000060000-0x00000000000A4000-memory.dmp
Filesize
272KB
-
memory/1476-56-0x00000000002B0000-0x000000000032E000-memory.dmp
Filesize
504KB
-
memory/1476-61-0x000007FEFC141000-0x000007FEFC143000-memory.dmp
Filesize
8KB
-
memory/1804-59-0x0000000000000000-mapping.dmp