Analysis
-
max time kernel
120s
-
max time network
152s
-
platform
windows10-2004_x64
-
resource
win10v2004-20221111-en
-
resource tags
arch:x64 arch:x86 image:win10v2004-20221111-en locale:en-us os:windows10-2004-x64 system
-
submitted
06-02-2023 18:33
Static task
static1
Behavioral task
behavioral1
Sample
RuntimeBroker.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
RuntimeBroker.exe
Resource
win10v2004-20221111-en
Behavioral task
behavioral3
Sample
info.txt
Resource
win7-20221111-en
Behavioral task
behavioral4
Sample
info.txt
Resource
win10v2004-20220901-en
Behavioral task
behavioral5
Sample
umpdc.dll
Resource
win7-20220812-en
Behavioral task
behavioral6
Sample
umpdc.dll
Resource
win10v2004-20221111-en
General
-
Target
umpdc.dll
-
Size
391KB
-
MD5
1570c92c1c5f039c438295ac68ff7e82
-
SHA1
3ee6c1d3582361e8af4efec44b1d1420494ab728
-
SHA256
b41b4e32607a4e21593332da63ce1bcf9c1d43f8f6754789a43bea7428833ea4
-
SHA512
fbf28062d81538f814e1a615caf9993aa24e54fd0b7ff84ead7e22002bac0a4c866d334fd445d6c7844289a7310e82a0febd07d7f02536ea51d11f9f884e4992
-
SSDEEP
6144:JAuyRydkljgV0gy791xfB9yDAxRX9yMhklyCgk0gyWYFgdDlmZdHyHydkl9Tr0g/:JAAU8V0ZrH88Y2k0md8dHdUB0BwH
Malware Config
Extracted
cobaltstrike
987654321
http://45.12.253.139:443/an.js
-
access_type
512
-
beacon_type
2048
-
host
45.12.253.139,/an.js
-
http_header1
-
http_header2
-
http_method1
GET
-
http_method2
POST
-
jitter
9472
-
polling_time
55991
-
port_number
443
-
sc_process32
%windir%\syswow64\dllhost.exe
-
sc_process64
%windir%\sysnative\dllhost.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCMEuNG3asVOp+bgSmSog10bB55R9e+aj5dF2sVbnRjA/dTkltRdDD0DdF5vJh/gURBikZ4FxqqmfqR2SPAheOzDDrYvV7ScpwPkZe8IUd/DbJmPs30ST9SGHn+eLjTQQEU+I142t7yTsO7HCKf1CTDMHfS3PNoz3V8ivNRwL1aiQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
9.63976192e+08
-
unknown2
AAAABAAAAAIAAANxAAAAAwAAAA0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/ch
-
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/42.0.2311.135
-
watermark
987654321
Signatures
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
Processes:
rundll32.exe
description | pid | process | target process
PID 4352 created 1036 | 4352 | rundll32.exe | Explorer.EXE
PID 4352 created 1036 | 4352 | rundll32.exe | Explorer.EXE
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
reg.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run | reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftLibrary = "powershell.exe -noP -sta -w 1 Set-Location -Path $env:Public\\Libraries\\MicrosoftLibrary; Start-Process $env:Public\\Libraries\\MicrosoftLibrary\\RuntimeBroker.exe\"" | reg.exe
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies registry key 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
rundll32.exe
pid | process
4352 | rundll32.exe
4352 | rundll32.exe
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
Processes:
rundll32.exe
pid | process
4352 | rundll32.exe
4352 | rundll32.exe
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
rundll32.exe, cmd.exe
description | pid | process | target process
PID 4352 wrote to memory of 4984 | 4352 | rundll32.exe | wermgr.exe
PID 4352 wrote to memory of 4984 | 4352 | rundll32.exe | wermgr.exe
PID 4352 wrote to memory of 4984 | 4352 | rundll32.exe | wermgr.exe
PID 4352 wrote to memory of 4720 | 4352 | rundll32.exe | cmd.exe
PID 4352 wrote to memory of 4720 | 4352 | rundll32.exe | cmd.exe
PID 4352 wrote to memory of 4712 | 4352 | rundll32.exe | schtasks.exe
PID 4352 wrote to memory of 4712 | 4352 | rundll32.exe | schtasks.exe
PID 4720 wrote to memory of 5112 | 4720 | cmd.exe | reg.exe
PID 4720 wrote to memory of 5112 | 4720 | cmd.exe | reg.exe
Processes
-
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\umpdc.dll,#1
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe
/C reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v MicrosoftLibrary /t REG_SZ /d "powershell.exe -noP -sta -w 1 Set-Location -Path $env:Public\Libraries\MicrosoftLibrary; Start-Process $env:Public\Libraries\MicrosoftLibrary\RuntimeBroker.exe"" /f
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v MicrosoftLibrary /t REG_SZ /d "powershell.exe -noP -sta -w 1 Set-Location -Path $env:Public\Libraries\MicrosoftLibrary; Start-Process $env:Public\Libraries\MicrosoftLibrary\RuntimeBroker.exe"" /f
- Adds Run key to start application
- Modifies registry key
-
C:\Windows\System32\schtasks.exe
/F /Create /TN Microsoft_Library /sc minute /MO 80 /TR "powershell.exe -WindowStyle hidden -noP -sta -w 1 Set-Location -Path $env:Public\Libraries\MicrosoftLibrary; Start-Process $env:Public\Libraries\MicrosoftLibrary\RuntimeBroker.exe
- Creates scheduled task(s)
-
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
-
C:\windows\system32\wermgr.exe
"C:\windows\system32\wermgr.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
memory/4352-132-0x00007FFA14BF0000-0x00007FFA14DE5000-memory.dmp
Filesize
2.0MB
-
memory/4352-139-0x00007FFA14BF0000-0x00007FFA14DE5000-memory.dmp
Filesize
2.0MB
-
memory/4712-137-0x0000000000000000-mapping.dmp
-
memory/4720-136-0x0000000000000000-mapping.dmp
-
memory/4984-133-0x0000000000000000-mapping.dmp
-
memory/4984-134-0x0000024BA2570000-0x0000024BA25B4000-memory.dmp
Filesize
272KB
-
memory/4984-135-0x0000024BA2810000-0x0000024BA288E000-memory.dmp
Filesize
504KB
-
memory/5112-138-0x0000000000000000-mapping.dmp