Windows Analysis Report
6gmoJJZr1e.dll

Overview

General Information

Sample name:	6gmoJJZr1e.dll (renamed file extension from exe to dll, renamed because original name is a hash value)
Original sample name:	ad0474f0d6021d0de97c77ca222a05777762aad59bda2be2f3b1a8f1a8022707.exe
Analysis ID:	1562666
MD5:	9ab72fbaf8da0474c38e5be5813384cf
SHA1:	98038ca580f83893db070e9fabd28e7078003377
SHA256:	ad0474f0d6021d0de97c77ca222a05777762aad59bda2be2f3b1a8f1a8022707
Tags:	exeuser-nawhack
Infos:

Detection

CobaltStrike

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected CobaltStrike

Yara detected Powershell download and execute

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Contains functionality to detect sleep reduction / modifications

Machine Learning detection for sample

AV process strings found (often used to terminate AV products)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found large amount of non-executed APIs

May check if the current machine is a sandbox (GetTickCount - Sleep)

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Sample execution stops while process was sleeping (likely an evasion)

Uses Microsoft's Enhanced Cryptographic Provider

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Cobalt Strike, CobaltStrike	Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon includes a wealth of functionality to the attacker, including, but not limited to command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less, in that it consists of stageless or multi-stage shellcode that once loaded by exploiting a vulnerability or executing a shellcode loader, will reflectively load itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS, SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit.The Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable.	APT 29 APT32 APT41 AQUATIC PANDA Anunak Cobalt Codoso CopyKittens DarkHydrus Earth Baxia FIN6 FIN7 Leviathan Mustang Panda Shell Crew Stone Panda TianWu UNC1878 UNC2452 Winnti Umbrella	http://blog.morphisec.com/new-global-attack-on-point-of-sale-systems http://blog.nsfocus.net/murenshark http://stillu.cc/assets/slides/2023-08-Unmasking%20CamoFei.pdf http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa http://www.secureworks.com/research/threat-profiles/gold-drake	https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 6gmoJJZr1e.dll

Avira: detected

Found malware configuration

Source: 6gmoJJZr1e.dll

Malware Configuration Extractor: CobaltStrike {"BeaconType": ["HTTP"], "Port": 8080, "SleepTime": 60000, "MaxGetSize": 1048576, "Jitter": 0, "C2Server": "3.78.244.11,/en_US/all.js", "HttpPostUri": "/submit.php", "Malleable_C2_Instructions": [], "HttpGet_Verb": "GET", "HttpPost_Verb": "POST", "HttpPostChunk": 0, "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe", "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe", "CryptoScheme": 0, "Proxy_Behavior": "Use IE settings", "Watermark": 987654321, "bStageCleanup": "False", "bCFGCaution": "False", "KillDate": 0, "bProcInject_StartRWX": "True", "bProcInject_UseRWX": "True", "bProcInject_MinAllocSize": 0, "ProcInject_PrependAppend_x86": "Empty", "ProcInject_PrependAppend_x64": "Empty", "ProcInject_Execute": ["CreateThread", "SetThreadContext", "CreateRemoteThread", "RtlCreateUserThread"], "ProcInject_AllocationMethod": "VirtualAllocEx", "bUsesCookies": "True", "HostHeader": ""}

Multi AV Scanner detection for submitted file

Source: 6gmoJJZr1e.dll

ReversingLabs: Detection: 76%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 84.0% probability

Machine Learning detection for sample

Source: 6gmoJJZr1e.dll

Joe Sandbox ML: detected

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Windows\System32\rundll32.exe

Code function: 7_2_00007FFB0C651184 CryptAcquireContextA,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,

7_2_00007FFB0C651184

Source: 6gmoJJZr1e.dll

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00007FFB0C669220 malloc,_snprintf,FindFirstFileA,free,malloc,_snprintf,free,FindNextFileA,FindClose,		7_2_00007FFB0C669220
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00007FFB0C661C30 malloc,GetCurrentDirectoryA,FindFirstFileA,GetLastError,free,free,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FindNextFileA,FindClose,		7_2_00007FFB0C661C30

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 3.78.244.11

Source: C:\Windows\System32\rundll32.exe

Code function: 7_2_00007FFB0C66EE0C recv,

7_2_00007FFB0C66EE0C

Source: 6gmoJJZr1e.dll	String found in binary or memory: http://127.0.0.1:%u/
Source: Amcache.hve.12.dr	String found in binary or memory: http://upx.sf.net

System Summary

Malicious sample detected (through community Yara rule)

Source: 6gmoJJZr1e.dll, type: SAMPLE	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 6gmoJJZr1e.dll, type: SAMPLE	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 6gmoJJZr1e.dll, type: SAMPLE	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 6gmoJJZr1e.dll, type: SAMPLE	Matched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
Source: 6gmoJJZr1e.dll, type: SAMPLE	Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 6gmoJJZr1e.dll, type: SAMPLE	Matched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
Source: 6gmoJJZr1e.dll, type: SAMPLE	Matched rule: Detects Cobalt Strike loader Author: @VK_Intel
Source: 6gmoJJZr1e.dll, type: SAMPLE	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 6gmoJJZr1e.dll, type: SAMPLE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 6gmoJJZr1e.dll, type: SAMPLE	Matched rule: CobaltStrike payload Author: ditekSHen
Source: 8.2.rundll32.exe.218ab7a0000.0.unpack, type: UNPACKEDPE	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 8.2.rundll32.exe.218ab7a0000.0.unpack, type: UNPACKEDPE	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 8.2.rundll32.exe.218ab7a0000.0.unpack, type: UNPACKEDPE	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 8.2.rundll32.exe.218ab7a0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
Source: 8.2.rundll32.exe.218ab7a0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 8.2.rundll32.exe.218ab7a0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
Source: 8.2.rundll32.exe.218ab7a0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Cobalt Strike loader Author: @VK_Intel
Source: 8.2.rundll32.exe.218ab7a0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 8.2.rundll32.exe.218ab7a0000.0.unpack, type: UNPACKEDPE	Matched rule: CobaltStrike payload Author: ditekSHen
Source: 16.2.rundll32.exe.1afb2a50000.0.unpack, type: UNPACKEDPE	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 16.2.rundll32.exe.1afb2a50000.0.unpack, type: UNPACKEDPE	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 16.2.rundll32.exe.1afb2a50000.0.unpack, type: UNPACKEDPE	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 16.2.rundll32.exe.1afb2a50000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
Source: 16.2.rundll32.exe.1afb2a50000.0.unpack, type: UNPACKEDPE	Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 16.2.rundll32.exe.1afb2a50000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
Source: 16.2.rundll32.exe.1afb2a50000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Cobalt Strike loader Author: @VK_Intel
Source: 16.2.rundll32.exe.1afb2a50000.0.unpack, type: UNPACKEDPE	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 16.2.rundll32.exe.1afb2a50000.0.unpack, type: UNPACKEDPE	Matched rule: CobaltStrike payload Author: ditekSHen
Source: 7.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 7.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 7.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 16.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 16.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 16.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 16.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
Source: 16.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 16.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
Source: 16.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Cobalt Strike loader Author: @VK_Intel
Source: 16.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 16.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 16.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: CobaltStrike payload Author: ditekSHen
Source: 7.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
Source: 7.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 7.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
Source: 7.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Cobalt Strike loader Author: @VK_Intel
Source: 7.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 7.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 7.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: CobaltStrike payload Author: ditekSHen
Source: 8.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 8.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 8.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 8.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
Source: 8.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 8.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
Source: 8.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Cobalt Strike loader Author: @VK_Intel
Source: 8.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 8.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 8.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: CobaltStrike payload Author: ditekSHen
Source: 8.2.rundll32.exe.218ab7a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 8.2.rundll32.exe.218ab7a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 8.2.rundll32.exe.218ab7a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 8.2.rundll32.exe.218ab7a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
Source: 8.2.rundll32.exe.218ab7a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 8.2.rundll32.exe.218ab7a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
Source: 8.2.rundll32.exe.218ab7a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Cobalt Strike loader Author: @VK_Intel
Source: 8.2.rundll32.exe.218ab7a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 8.2.rundll32.exe.218ab7a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: CobaltStrike payload Author: ditekSHen
Source: 7.2.rundll32.exe.1c688500000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 7.2.rundll32.exe.1c688500000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 7.2.rundll32.exe.1c688500000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 7.2.rundll32.exe.1c688500000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
Source: 7.2.rundll32.exe.1c688500000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 7.2.rundll32.exe.1c688500000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
Source: 7.2.rundll32.exe.1c688500000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Cobalt Strike loader Author: @VK_Intel
Source: 7.2.rundll32.exe.1c688500000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 7.2.rundll32.exe.1c688500000.0.raw.unpack, type: UNPACKEDPE	Matched rule: CobaltStrike payload Author: ditekSHen
Source: 16.2.rundll32.exe.1afb2a50000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 16.2.rundll32.exe.1afb2a50000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 16.2.rundll32.exe.1afb2a50000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 7.2.rundll32.exe.1c688500000.0.unpack, type: UNPACKEDPE	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 7.2.rundll32.exe.1c688500000.0.unpack, type: UNPACKEDPE	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 7.2.rundll32.exe.1c688500000.0.unpack, type: UNPACKEDPE	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 16.2.rundll32.exe.1afb2a50000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
Source: 16.2.rundll32.exe.1afb2a50000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 16.2.rundll32.exe.1afb2a50000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
Source: 7.2.rundll32.exe.1c688500000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
Source: 7.2.rundll32.exe.1c688500000.0.unpack, type: UNPACKEDPE	Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 7.2.rundll32.exe.1c688500000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
Source: 16.2.rundll32.exe.1afb2a50000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Cobalt Strike loader Author: @VK_Intel
Source: 7.2.rundll32.exe.1c688500000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Cobalt Strike loader Author: @VK_Intel
Source: 16.2.rundll32.exe.1afb2a50000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 16.2.rundll32.exe.1afb2a50000.0.raw.unpack, type: UNPACKEDPE	Matched rule: CobaltStrike payload Author: ditekSHen
Source: 7.2.rundll32.exe.1c688500000.0.unpack, type: UNPACKEDPE	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 7.2.rundll32.exe.1c688500000.0.unpack, type: UNPACKEDPE	Matched rule: CobaltStrike payload Author: ditekSHen
Source: 00000010.00000002.1771741498.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 00000010.00000002.1771741498.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 00000010.00000002.1771741498.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 00000008.00000002.1772808168.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 00000008.00000002.1772808168.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 00000008.00000002.1772808168.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 00000010.00000002.1771693350.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 00000010.00000002.1771693350.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000010.00000002.1771693350.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Trojan_Raw_Generic_4 Author: unknown
Source: 00000007.00000002.1772059605.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 00000007.00000002.1772059605.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 00000007.00000002.1772059605.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 00000010.00000002.1771588319.000001AFB2A50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 00000010.00000002.1771588319.000001AFB2A50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 00000010.00000002.1771588319.000001AFB2A50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000010.00000002.1771588319.000001AFB2A50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
Source: 00000010.00000002.1771588319.000001AFB2A50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 00000010.00000002.1771588319.000001AFB2A50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
Source: 00000010.00000002.1771588319.000001AFB2A50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Cobalt Strike loader Author: @VK_Intel
Source: 00000010.00000002.1771588319.000001AFB2A50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 00000010.00000002.1771588319.000001AFB2A50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: CobaltStrike payload Author: ditekSHen
Source: 00000008.00000002.1772609989.00000218AB7A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 00000008.00000002.1772609989.00000218AB7A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 00000008.00000002.1772609989.00000218AB7A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000008.00000002.1772609989.00000218AB7A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
Source: 00000008.00000002.1772609989.00000218AB7A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 00000008.00000002.1772609989.00000218AB7A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
Source: 00000008.00000002.1772609989.00000218AB7A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Cobalt Strike loader Author: @VK_Intel
Source: 00000008.00000002.1772609989.00000218AB7A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 00000008.00000002.1772609989.00000218AB7A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: CobaltStrike payload Author: ditekSHen
Source: 00000007.00000002.1771920311.000001C688500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 00000007.00000002.1771920311.000001C688500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 00000007.00000002.1771920311.000001C688500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000007.00000002.1771920311.000001C688500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
Source: 00000007.00000002.1771920311.000001C688500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 00000007.00000002.1771920311.000001C688500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
Source: 00000007.00000002.1771920311.000001C688500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Cobalt Strike loader Author: @VK_Intel
Source: 00000007.00000002.1771920311.000001C688500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 00000007.00000002.1771920311.000001C688500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: CobaltStrike payload Author: ditekSHen
Source: 00000008.00000002.1772694422.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 00000008.00000002.1772694422.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000008.00000002.1772694422.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Trojan_Raw_Generic_4 Author: unknown
Source: 00000007.00000002.1772028310.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 00000007.00000002.1772028310.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000007.00000002.1772028310.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Trojan_Raw_Generic_4 Author: unknown
Source: Process Memory Space: rundll32.exe PID: 7172, type: MEMORYSTR	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: Process Memory Space: rundll32.exe PID: 7172, type: MEMORYSTR	Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: Process Memory Space: rundll32.exe PID: 7172, type: MEMORYSTR	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: Process Memory Space: rundll32.exe PID: 7180, type: MEMORYSTR	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: Process Memory Space: rundll32.exe PID: 7180, type: MEMORYSTR	Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: Process Memory Space: rundll32.exe PID: 7180, type: MEMORYSTR	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: Process Memory Space: rundll32.exe PID: 7596, type: MEMORYSTR	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: Process Memory Space: rundll32.exe PID: 7596, type: MEMORYSTR	Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: Process Memory Space: rundll32.exe PID: 7596, type: MEMORYSTR	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth

Contains functionality to launch a process as a different user

Source: C:\Windows\System32\rundll32.exe

Code function: 7_2_00007FFB0C660F34 CreateProcessAsUserA,GetLastError,GetLastError,CreateProcessA,GetLastError,GetCurrentDirectoryW,GetCurrentDirectoryW,CreateProcessWithTokenW,GetLastError,GetLastError,GetLastError,GetLastError,

7_2_00007FFB0C660F34

Detected potential crypto function

Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00007FFB0C676514	7_2_00007FFB0C676514
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00007FFB0C659D6C	7_2_00007FFB0C659D6C
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00007FFB0C672528	7_2_00007FFB0C672528
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00007FFB0C66867C	7_2_00007FFB0C66867C
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00007FFB0C671E64	7_2_00007FFB0C671E64
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00007FFB0C67B6B0	7_2_00007FFB0C67B6B0
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00007FFB0C67CF97	7_2_00007FFB0C67CF97
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00007FFB0C670F74	7_2_00007FFB0C670F74
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00007FFB0C660F34	7_2_00007FFB0C660F34
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00007FFB0C672F9C	7_2_00007FFB0C672F9C
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00007FFB0C67F200	7_2_00007FFB0C67F200
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00007FFB0C6701A8	7_2_00007FFB0C6701A8
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00007FFB0C65A280	7_2_00007FFB0C65A280
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00007FFB0C67D280	7_2_00007FFB0C67D280
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00007FFB0C65DA3C	7_2_00007FFB0C65DA3C
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00007FFB0C667B38	7_2_00007FFB0C667B38
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00007FFB0C67DBF0	7_2_00007FFB0C67DBF0
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00007FFB0C67C3B0	7_2_00007FFB0C67C3B0

One or more processes crash

Source: C:\Windows\System32\rundll32.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7172 -s 332

Yara signature match

Source: 6gmoJJZr1e.dll, type: SAMPLE	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 6gmoJJZr1e.dll, type: SAMPLE	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 6gmoJJZr1e.dll, type: SAMPLE	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 6gmoJJZr1e.dll, type: SAMPLE	Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6gmoJJZr1e.dll, type: SAMPLE	Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 6gmoJJZr1e.dll, type: SAMPLE	Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6gmoJJZr1e.dll, type: SAMPLE	Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
Source: 6gmoJJZr1e.dll, type: SAMPLE	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6gmoJJZr1e.dll, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 6gmoJJZr1e.dll, type: SAMPLE	Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
Source: 8.2.rundll32.exe.218ab7a0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 8.2.rundll32.exe.218ab7a0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 8.2.rundll32.exe.218ab7a0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 8.2.rundll32.exe.218ab7a0000.0.unpack, type: UNPACKEDPE	Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.rundll32.exe.218ab7a0000.0.unpack, type: UNPACKEDPE	Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 8.2.rundll32.exe.218ab7a0000.0.unpack, type: UNPACKEDPE	Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.rundll32.exe.218ab7a0000.0.unpack, type: UNPACKEDPE	Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
Source: 8.2.rundll32.exe.218ab7a0000.0.unpack, type: UNPACKEDPE	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.rundll32.exe.218ab7a0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
Source: 16.2.rundll32.exe.1afb2a50000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 16.2.rundll32.exe.1afb2a50000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 16.2.rundll32.exe.1afb2a50000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 16.2.rundll32.exe.1afb2a50000.0.unpack, type: UNPACKEDPE	Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.rundll32.exe.1afb2a50000.0.unpack, type: UNPACKEDPE	Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 16.2.rundll32.exe.1afb2a50000.0.unpack, type: UNPACKEDPE	Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.rundll32.exe.1afb2a50000.0.unpack, type: UNPACKEDPE	Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
Source: 16.2.rundll32.exe.1afb2a50000.0.unpack, type: UNPACKEDPE	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.rundll32.exe.1afb2a50000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
Source: 7.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 7.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 7.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 16.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 16.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 16.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 16.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 16.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
Source: 16.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 16.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
Source: 7.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 7.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
Source: 7.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 7.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
Source: 8.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 8.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 8.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 8.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 8.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
Source: 8.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 8.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
Source: 8.2.rundll32.exe.218ab7a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 8.2.rundll32.exe.218ab7a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 8.2.rundll32.exe.218ab7a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 8.2.rundll32.exe.218ab7a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.rundll32.exe.218ab7a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 8.2.rundll32.exe.218ab7a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.rundll32.exe.218ab7a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
Source: 8.2.rundll32.exe.218ab7a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.rundll32.exe.218ab7a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
Source: 7.2.rundll32.exe.1c688500000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 7.2.rundll32.exe.1c688500000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 7.2.rundll32.exe.1c688500000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 7.2.rundll32.exe.1c688500000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.rundll32.exe.1c688500000.0.raw.unpack, type: UNPACKEDPE	Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 7.2.rundll32.exe.1c688500000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.rundll32.exe.1c688500000.0.raw.unpack, type: UNPACKEDPE	Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
Source: 7.2.rundll32.exe.1c688500000.0.raw.unpack, type: UNPACKEDPE	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.rundll32.exe.1c688500000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
Source: 16.2.rundll32.exe.1afb2a50000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 16.2.rundll32.exe.1afb2a50000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 16.2.rundll32.exe.1afb2a50000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 7.2.rundll32.exe.1c688500000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 7.2.rundll32.exe.1c688500000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 7.2.rundll32.exe.1c688500000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 16.2.rundll32.exe.1afb2a50000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.rundll32.exe.1afb2a50000.0.raw.unpack, type: UNPACKEDPE	Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 16.2.rundll32.exe.1afb2a50000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.rundll32.exe.1c688500000.0.unpack, type: UNPACKEDPE	Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.rundll32.exe.1c688500000.0.unpack, type: UNPACKEDPE	Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 7.2.rundll32.exe.1c688500000.0.unpack, type: UNPACKEDPE	Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.rundll32.exe.1afb2a50000.0.raw.unpack, type: UNPACKEDPE	Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
Source: 7.2.rundll32.exe.1c688500000.0.unpack, type: UNPACKEDPE	Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
Source: 16.2.rundll32.exe.1afb2a50000.0.raw.unpack, type: UNPACKEDPE	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.rundll32.exe.1afb2a50000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
Source: 7.2.rundll32.exe.1c688500000.0.unpack, type: UNPACKEDPE	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.rundll32.exe.1c688500000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
Source: 00000010.00000002.1771741498.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 00000010.00000002.1771741498.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 00000010.00000002.1771741498.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000008.00000002.1772808168.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 00000008.00000002.1772808168.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 00000008.00000002.1772808168.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000010.00000002.1771693350.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000010.00000002.1771693350.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000010.00000002.1771693350.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Trojan_Raw_Generic_4 date_created = 2020-12-02, rev = FireEye, date_modified = 2020-12-02, md5 = f41074be5b423afb02a74bc74222e35d
Source: 00000007.00000002.1772059605.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 00000007.00000002.1772059605.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 00000007.00000002.1772059605.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000010.00000002.1771588319.000001AFB2A50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 00000010.00000002.1771588319.000001AFB2A50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000010.00000002.1771588319.000001AFB2A50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000010.00000002.1771588319.000001AFB2A50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000010.00000002.1771588319.000001AFB2A50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 00000010.00000002.1771588319.000001AFB2A50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000010.00000002.1771588319.000001AFB2A50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
Source: 00000010.00000002.1771588319.000001AFB2A50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000010.00000002.1771588319.000001AFB2A50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
Source: 00000008.00000002.1772609989.00000218AB7A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 00000008.00000002.1772609989.00000218AB7A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000008.00000002.1772609989.00000218AB7A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000008.00000002.1772609989.00000218AB7A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000008.00000002.1772609989.00000218AB7A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 00000008.00000002.1772609989.00000218AB7A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000008.00000002.1772609989.00000218AB7A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
Source: 00000008.00000002.1772609989.00000218AB7A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000008.00000002.1772609989.00000218AB7A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
Source: 00000007.00000002.1771920311.000001C688500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 00000007.00000002.1771920311.000001C688500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000007.00000002.1771920311.000001C688500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000007.00000002.1771920311.000001C688500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000007.00000002.1771920311.000001C688500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 00000007.00000002.1771920311.000001C688500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000007.00000002.1771920311.000001C688500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
Source: 00000007.00000002.1771920311.000001C688500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000007.00000002.1771920311.000001C688500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
Source: 00000008.00000002.1772694422.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000008.00000002.1772694422.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000008.00000002.1772694422.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Trojan_Raw_Generic_4 date_created = 2020-12-02, rev = FireEye, date_modified = 2020-12-02, md5 = f41074be5b423afb02a74bc74222e35d
Source: 00000007.00000002.1772028310.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000007.00000002.1772028310.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000007.00000002.1772028310.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Trojan_Raw_Generic_4 date_created = 2020-12-02, rev = FireEye, date_modified = 2020-12-02, md5 = f41074be5b423afb02a74bc74222e35d
Source: Process Memory Space: rundll32.exe PID: 7172, type: MEMORYSTR	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: Process Memory Space: rundll32.exe PID: 7172, type: MEMORYSTR	Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: Process Memory Space: rundll32.exe PID: 7172, type: MEMORYSTR	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: rundll32.exe PID: 7180, type: MEMORYSTR	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: Process Memory Space: rundll32.exe PID: 7180, type: MEMORYSTR	Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: Process Memory Space: rundll32.exe PID: 7180, type: MEMORYSTR	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: rundll32.exe PID: 7596, type: MEMORYSTR	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: Process Memory Space: rundll32.exe PID: 7596, type: MEMORYSTR	Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: Process Memory Space: rundll32.exe PID: 7596, type: MEMORYSTR	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/

Source: classification engine

Classification label: mal100.troj.evad.winDLL@13/13@0/0

Source: C:\Windows\System32\rundll32.exe

Code function: 7_2_00007FFB0C660B70 LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,

7_2_00007FFB0C660B70

Source: C:\Windows\System32\rundll32.exe

Code function: 7_2_00007FFB0C66867C TerminateProcess,GetLastError,GetCurrentProcess,CreateToolhelp32Snapshot,Process32First,ProcessIdToSessionId,Process32Next,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,htonl,htonl,GetLastError,OpenProcessToken,GetLastError,ImpersonateLoggedOnUser,GetLastError,DuplicateTokenEx,GetLastError,ImpersonateLoggedOnUser,GetLastError,

7_2_00007FFB0C66867C

Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7172
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7596
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1792:120:WilError_03
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7180

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\f133e19a-9108-402a-831d-fb9a0f4e5746

Jump to behavior

Source: 6gmoJJZr1e.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll64.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll64.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\6gmoJJZr1e.dll,ReflectiveLoader

Source: 6gmoJJZr1e.dll

ReversingLabs: Detection: 76%

Source: unknown	Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\6gmoJJZr1e.dll"
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\6gmoJJZr1e.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\6gmoJJZr1e.dll,ReflectiveLoader
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\6gmoJJZr1e.dll",#1
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7172 -s 332
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7180 -s 352
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\6gmoJJZr1e.dll",ReflectiveLoader
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7596 -s 344
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\6gmoJJZr1e.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\6gmoJJZr1e.dll,ReflectiveLoader	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\6gmoJJZr1e.dll",ReflectiveLoader	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\6gmoJJZr1e.dll",#1	Jump to behavior

Source: C:\Windows\System32\loaddll64.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: kernel.appcore.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: 6gmoJJZr1e.dll

Static PE information: Image base 0x180000000 > 0x60000000

Source: 6gmoJJZr1e.dll

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Contains functionality to dynamically determine API calls

Source: C:\Windows\System32\rundll32.exe

Code function: 7_2_00007FFB0C679744 EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

7_2_00007FFB0C679744

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Windows\System32\rundll32.exe

Code function: 7_2_00007FFB0C6701A8 EncodePointer,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

7_2_00007FFB0C6701A8

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Contains functionality to detect sleep reduction / modifications

Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00007FFB0C665854		7_2_00007FFB0C665854
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00007FFB0C65FA1C		7_2_00007FFB0C65FA1C

Found large amount of non-executed APIs

Source: C:\Windows\System32\rundll32.exe

API coverage: 0.1 %

May check if the current machine is a sandbox (GetTickCount - Sleep)

Source: C:\Windows\System32\rundll32.exe

Code function: 7_2_00007FFB0C65FA1C

7_2_00007FFB0C65FA1C

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\loaddll64.exe TID: 2892

Thread sleep time: -120000s >= -30000s

Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00007FFB0C669220 malloc,_snprintf,FindFirstFileA,free,malloc,_snprintf,free,FindNextFileA,FindClose,		7_2_00007FFB0C669220
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00007FFB0C661C30 malloc,GetCurrentDirectoryA,FindFirstFileA,GetLastError,free,free,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FindNextFileA,FindClose,		7_2_00007FFB0C661C30

Source: C:\Windows\System32\loaddll64.exe

Thread delayed: delay time: 120000

Jump to behavior

Source: Amcache.hve.12.dr	Binary or memory string: VMware
Source: Amcache.hve.12.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.12.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.12.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.12.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.12.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.12.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.12.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.12.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.12.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.12.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.12.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.12.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.12.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.12.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.12.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.12.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.12.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.12.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.12.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.12.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.12.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.12.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.12.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.12.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.12.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.12.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.12.dr	Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: Amcache.hve.12.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Windows\System32\rundll32.exe

7_2_00007FFB0C679744

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Source: C:\Windows\System32\rundll32.exe

7_2_00007FFB0C679744

Contains functionality to dynamically determine API calls

Source: C:\Windows\System32\rundll32.exe

7_2_00007FFB0C679744

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Windows\System32\rundll32.exe

Code function: 7_2_00007FFB0C671D88 GetProcessHeap,

7_2_00007FFB0C671D88

Source: C:\Windows\System32\rundll32.exe

Code function: 7_2_00007FFB0C6744D0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,

7_2_00007FFB0C6744D0

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 7172, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 7180, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 7596, type: MEMORYSTR

Contains functionality to execute programs as a different user

Source: C:\Windows\System32\rundll32.exe

Code function: 7_2_00007FFB0C66DF50 LogonUserA,GetLastError,ImpersonateLoggedOnUser,GetLastError,

7_2_00007FFB0C66DF50

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\6gmoJJZr1e.dll",#1

Jump to behavior

Source: C:\Windows\System32\rundll32.exe

Code function: 7_2_00007FFB0C66DEC8 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

7_2_00007FFB0C66DEC8

Source: C:\Windows\System32\rundll32.exe

Code function: 7_2_00007FFB0C660920 CreateNamedPipeA,

7_2_00007FFB0C660920

Source: C:\Windows\System32\rundll32.exe

Code function: 7_2_00007FFB0C67ECDC GetSystemTimeAsFileTime,

7_2_00007FFB0C67ECDC

Source: C:\Windows\System32\rundll32.exe

Code function: 7_2_00007FFB0C665E28 GetUserNameA,GetComputerNameA,GetModuleFileNameA,strrchr,GetVersionExA,GetProcAddress,GetModuleHandleA,GetProcAddress,_snprintf,

7_2_00007FFB0C665E28

Source: C:\Windows\System32\rundll32.exe

Code function: 7_2_00007FFB0C665E28 GetUserNameA,GetComputerNameA,GetModuleFileNameA,strrchr,GetVersionExA,GetProcAddress,GetModuleHandleA,GetProcAddress,_snprintf,

7_2_00007FFB0C665E28

AV process strings found (often used to terminate AV products)

Source: Amcache.hve.12.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.12.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.12.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.12.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.12.dr	Binary or memory string: MsMpEng.exe

Remote Access Functionality

Yara detected CobaltStrike

Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 7172, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 7180, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 7596, type: MEMORYSTR
Source: Yara match	File source: 6gmoJJZr1e.dll, type: SAMPLE
Source: Yara match	File source: 8.2.rundll32.exe.218ab7a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.1afb2a50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.218ab7a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.1c688500000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.1afb2a50000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.1c688500000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.1771741498.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1772808168.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1772059605.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.1771588319.000001AFB2A50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1772609989.00000218AB7A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1771920311.000001C688500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00007FFB0C66EE8C socket,closesocket,htons,bind,listen,	7_2_00007FFB0C66EE8C
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00007FFB0C666670 htonl,htons,socket,closesocket,bind,ioctlsocket,	7_2_00007FFB0C666670
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00007FFB0C666A78 socket,htons,ioctlsocket,closesocket,bind,listen,	7_2_00007FFB0C666A78

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

⊘No contacted IP infos

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
3.78.244.11	true	Avira URL Cloud: safe	unknown

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 6gmoJJZr1e.dll

Avira: detected

Found malware configuration

Source: 6gmoJJZr1e.dll

Multi AV Scanner detection for submitted file

Source: 6gmoJJZr1e.dll

ReversingLabs: Detection: 76%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 84.0% probability

Machine Learning detection for sample

Source: 6gmoJJZr1e.dll

Joe Sandbox ML: detected

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Windows\System32\rundll32.exe

Code function: 7_2_00007FFB0C651184 CryptAcquireContextA,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,

7_2_00007FFB0C651184

Source: 6gmoJJZr1e.dll

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00007FFB0C669220 malloc,_snprintf,FindFirstFileA,free,malloc,_snprintf,free,FindNextFileA,FindClose,		7_2_00007FFB0C669220
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00007FFB0C661C30 malloc,GetCurrentDirectoryA,FindFirstFileA,GetLastError,free,free,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FindNextFileA,FindClose,		7_2_00007FFB0C661C30

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 3.78.244.11

Source: C:\Windows\System32\rundll32.exe

Code function: 7_2_00007FFB0C66EE0C recv,

7_2_00007FFB0C66EE0C

Source: 6gmoJJZr1e.dll	String found in binary or memory: http://127.0.0.1:%u/
Source: Amcache.hve.12.dr	String found in binary or memory: http://upx.sf.net

System Summary

Malicious sample detected (through community Yara rule)

Source: 6gmoJJZr1e.dll, type: SAMPLE	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 6gmoJJZr1e.dll, type: SAMPLE	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 6gmoJJZr1e.dll, type: SAMPLE	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 6gmoJJZr1e.dll, type: SAMPLE	Matched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
Source: 6gmoJJZr1e.dll, type: SAMPLE	Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 6gmoJJZr1e.dll, type: SAMPLE	Matched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
Source: 6gmoJJZr1e.dll, type: SAMPLE	Matched rule: Detects Cobalt Strike loader Author: @VK_Intel
Source: 6gmoJJZr1e.dll, type: SAMPLE	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 6gmoJJZr1e.dll, type: SAMPLE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 6gmoJJZr1e.dll, type: SAMPLE	Matched rule: CobaltStrike payload Author: ditekSHen
Source: 8.2.rundll32.exe.218ab7a0000.0.unpack, type: UNPACKEDPE	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 8.2.rundll32.exe.218ab7a0000.0.unpack, type: UNPACKEDPE	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 8.2.rundll32.exe.218ab7a0000.0.unpack, type: UNPACKEDPE	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 8.2.rundll32.exe.218ab7a0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
Source: 8.2.rundll32.exe.218ab7a0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 8.2.rundll32.exe.218ab7a0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
Source: 8.2.rundll32.exe.218ab7a0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Cobalt Strike loader Author: @VK_Intel
Source: 8.2.rundll32.exe.218ab7a0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 8.2.rundll32.exe.218ab7a0000.0.unpack, type: UNPACKEDPE	Matched rule: CobaltStrike payload Author: ditekSHen
Source: 16.2.rundll32.exe.1afb2a50000.0.unpack, type: UNPACKEDPE	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 16.2.rundll32.exe.1afb2a50000.0.unpack, type: UNPACKEDPE	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 16.2.rundll32.exe.1afb2a50000.0.unpack, type: UNPACKEDPE	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 16.2.rundll32.exe.1afb2a50000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
Source: 16.2.rundll32.exe.1afb2a50000.0.unpack, type: UNPACKEDPE	Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 16.2.rundll32.exe.1afb2a50000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
Source: 16.2.rundll32.exe.1afb2a50000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Cobalt Strike loader Author: @VK_Intel
Source: 16.2.rundll32.exe.1afb2a50000.0.unpack, type: UNPACKEDPE	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 16.2.rundll32.exe.1afb2a50000.0.unpack, type: UNPACKEDPE	Matched rule: CobaltStrike payload Author: ditekSHen
Source: 7.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 7.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 7.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 16.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 16.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 16.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 16.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
Source: 16.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 16.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
Source: 16.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Cobalt Strike loader Author: @VK_Intel
Source: 16.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 16.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 16.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: CobaltStrike payload Author: ditekSHen
Source: 7.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
Source: 7.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 7.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
Source: 7.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Cobalt Strike loader Author: @VK_Intel
Source: 7.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 7.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 7.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: CobaltStrike payload Author: ditekSHen
Source: 8.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 8.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 8.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 8.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
Source: 8.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 8.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
Source: 8.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Cobalt Strike loader Author: @VK_Intel
Source: 8.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 8.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 8.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: CobaltStrike payload Author: ditekSHen
Source: 8.2.rundll32.exe.218ab7a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 8.2.rundll32.exe.218ab7a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 8.2.rundll32.exe.218ab7a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 8.2.rundll32.exe.218ab7a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
Source: 8.2.rundll32.exe.218ab7a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 8.2.rundll32.exe.218ab7a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
Source: 8.2.rundll32.exe.218ab7a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Cobalt Strike loader Author: @VK_Intel
Source: 8.2.rundll32.exe.218ab7a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 8.2.rundll32.exe.218ab7a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: CobaltStrike payload Author: ditekSHen
Source: 7.2.rundll32.exe.1c688500000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 7.2.rundll32.exe.1c688500000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 7.2.rundll32.exe.1c688500000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 7.2.rundll32.exe.1c688500000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
Source: 7.2.rundll32.exe.1c688500000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 7.2.rundll32.exe.1c688500000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
Source: 7.2.rundll32.exe.1c688500000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Cobalt Strike loader Author: @VK_Intel
Source: 7.2.rundll32.exe.1c688500000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 7.2.rundll32.exe.1c688500000.0.raw.unpack, type: UNPACKEDPE	Matched rule: CobaltStrike payload Author: ditekSHen
Source: 16.2.rundll32.exe.1afb2a50000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 16.2.rundll32.exe.1afb2a50000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 16.2.rundll32.exe.1afb2a50000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 7.2.rundll32.exe.1c688500000.0.unpack, type: UNPACKEDPE	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 7.2.rundll32.exe.1c688500000.0.unpack, type: UNPACKEDPE	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 7.2.rundll32.exe.1c688500000.0.unpack, type: UNPACKEDPE	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 16.2.rundll32.exe.1afb2a50000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
Source: 16.2.rundll32.exe.1afb2a50000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 16.2.rundll32.exe.1afb2a50000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
Source: 7.2.rundll32.exe.1c688500000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
Source: 7.2.rundll32.exe.1c688500000.0.unpack, type: UNPACKEDPE	Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 7.2.rundll32.exe.1c688500000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
Source: 16.2.rundll32.exe.1afb2a50000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Cobalt Strike loader Author: @VK_Intel
Source: 7.2.rundll32.exe.1c688500000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Cobalt Strike loader Author: @VK_Intel
Source: 16.2.rundll32.exe.1afb2a50000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 16.2.rundll32.exe.1afb2a50000.0.raw.unpack, type: UNPACKEDPE	Matched rule: CobaltStrike payload Author: ditekSHen
Source: 7.2.rundll32.exe.1c688500000.0.unpack, type: UNPACKEDPE	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 7.2.rundll32.exe.1c688500000.0.unpack, type: UNPACKEDPE	Matched rule: CobaltStrike payload Author: ditekSHen
Source: 00000010.00000002.1771741498.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 00000010.00000002.1771741498.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 00000010.00000002.1771741498.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 00000008.00000002.1772808168.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 00000008.00000002.1772808168.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 00000008.00000002.1772808168.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 00000010.00000002.1771693350.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 00000010.00000002.1771693350.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000010.00000002.1771693350.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Trojan_Raw_Generic_4 Author: unknown
Source: 00000007.00000002.1772059605.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 00000007.00000002.1772059605.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 00000007.00000002.1772059605.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 00000010.00000002.1771588319.000001AFB2A50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 00000010.00000002.1771588319.000001AFB2A50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 00000010.00000002.1771588319.000001AFB2A50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000010.00000002.1771588319.000001AFB2A50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
Source: 00000010.00000002.1771588319.000001AFB2A50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 00000010.00000002.1771588319.000001AFB2A50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
Source: 00000010.00000002.1771588319.000001AFB2A50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Cobalt Strike loader Author: @VK_Intel
Source: 00000010.00000002.1771588319.000001AFB2A50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 00000010.00000002.1771588319.000001AFB2A50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: CobaltStrike payload Author: ditekSHen
Source: 00000008.00000002.1772609989.00000218AB7A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 00000008.00000002.1772609989.00000218AB7A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 00000008.00000002.1772609989.00000218AB7A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000008.00000002.1772609989.00000218AB7A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
Source: 00000008.00000002.1772609989.00000218AB7A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 00000008.00000002.1772609989.00000218AB7A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
Source: 00000008.00000002.1772609989.00000218AB7A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Cobalt Strike loader Author: @VK_Intel
Source: 00000008.00000002.1772609989.00000218AB7A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 00000008.00000002.1772609989.00000218AB7A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: CobaltStrike payload Author: ditekSHen
Source: 00000007.00000002.1771920311.000001C688500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 00000007.00000002.1771920311.000001C688500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 00000007.00000002.1771920311.000001C688500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000007.00000002.1771920311.000001C688500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
Source: 00000007.00000002.1771920311.000001C688500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 00000007.00000002.1771920311.000001C688500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
Source: 00000007.00000002.1771920311.000001C688500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Cobalt Strike loader Author: @VK_Intel
Source: 00000007.00000002.1771920311.000001C688500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 00000007.00000002.1771920311.000001C688500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: CobaltStrike payload Author: ditekSHen
Source: 00000008.00000002.1772694422.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 00000008.00000002.1772694422.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000008.00000002.1772694422.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Trojan_Raw_Generic_4 Author: unknown
Source: 00000007.00000002.1772028310.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 00000007.00000002.1772028310.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000007.00000002.1772028310.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Trojan_Raw_Generic_4 Author: unknown
Source: Process Memory Space: rundll32.exe PID: 7172, type: MEMORYSTR	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: Process Memory Space: rundll32.exe PID: 7172, type: MEMORYSTR	Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: Process Memory Space: rundll32.exe PID: 7172, type: MEMORYSTR	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: Process Memory Space: rundll32.exe PID: 7180, type: MEMORYSTR	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: Process Memory Space: rundll32.exe PID: 7180, type: MEMORYSTR	Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: Process Memory Space: rundll32.exe PID: 7180, type: MEMORYSTR	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: Process Memory Space: rundll32.exe PID: 7596, type: MEMORYSTR	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: Process Memory Space: rundll32.exe PID: 7596, type: MEMORYSTR	Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: Process Memory Space: rundll32.exe PID: 7596, type: MEMORYSTR	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth

Contains functionality to launch a process as a different user

Source: C:\Windows\System32\rundll32.exe

7_2_00007FFB0C660F34

Detected potential crypto function

Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00007FFB0C676514	7_2_00007FFB0C676514
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00007FFB0C659D6C	7_2_00007FFB0C659D6C
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00007FFB0C672528	7_2_00007FFB0C672528
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00007FFB0C66867C	7_2_00007FFB0C66867C
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00007FFB0C671E64	7_2_00007FFB0C671E64
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00007FFB0C67B6B0	7_2_00007FFB0C67B6B0
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00007FFB0C67CF97	7_2_00007FFB0C67CF97
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00007FFB0C670F74	7_2_00007FFB0C670F74
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00007FFB0C660F34	7_2_00007FFB0C660F34
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00007FFB0C672F9C	7_2_00007FFB0C672F9C
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00007FFB0C67F200	7_2_00007FFB0C67F200
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00007FFB0C6701A8	7_2_00007FFB0C6701A8
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00007FFB0C65A280	7_2_00007FFB0C65A280
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00007FFB0C67D280	7_2_00007FFB0C67D280
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00007FFB0C65DA3C	7_2_00007FFB0C65DA3C
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00007FFB0C667B38	7_2_00007FFB0C667B38
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00007FFB0C67DBF0	7_2_00007FFB0C67DBF0
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00007FFB0C67C3B0	7_2_00007FFB0C67C3B0

One or more processes crash

Source: C:\Windows\System32\rundll32.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7172 -s 332

Yara signature match

Source: 6gmoJJZr1e.dll, type: SAMPLE	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 6gmoJJZr1e.dll, type: SAMPLE	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 6gmoJJZr1e.dll, type: SAMPLE	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 6gmoJJZr1e.dll, type: SAMPLE	Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6gmoJJZr1e.dll, type: SAMPLE	Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 6gmoJJZr1e.dll, type: SAMPLE	Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6gmoJJZr1e.dll, type: SAMPLE	Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
Source: 6gmoJJZr1e.dll, type: SAMPLE	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6gmoJJZr1e.dll, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 6gmoJJZr1e.dll, type: SAMPLE	Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
Source: 8.2.rundll32.exe.218ab7a0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 8.2.rundll32.exe.218ab7a0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 8.2.rundll32.exe.218ab7a0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 8.2.rundll32.exe.218ab7a0000.0.unpack, type: UNPACKEDPE	Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.rundll32.exe.218ab7a0000.0.unpack, type: UNPACKEDPE	Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 8.2.rundll32.exe.218ab7a0000.0.unpack, type: UNPACKEDPE	Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.rundll32.exe.218ab7a0000.0.unpack, type: UNPACKEDPE	Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
Source: 8.2.rundll32.exe.218ab7a0000.0.unpack, type: UNPACKEDPE	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.rundll32.exe.218ab7a0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
Source: 16.2.rundll32.exe.1afb2a50000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 16.2.rundll32.exe.1afb2a50000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 16.2.rundll32.exe.1afb2a50000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 16.2.rundll32.exe.1afb2a50000.0.unpack, type: UNPACKEDPE	Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.rundll32.exe.1afb2a50000.0.unpack, type: UNPACKEDPE	Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 16.2.rundll32.exe.1afb2a50000.0.unpack, type: UNPACKEDPE	Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.rundll32.exe.1afb2a50000.0.unpack, type: UNPACKEDPE	Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
Source: 16.2.rundll32.exe.1afb2a50000.0.unpack, type: UNPACKEDPE	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.rundll32.exe.1afb2a50000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
Source: 7.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 7.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 7.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 16.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 16.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 16.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 16.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 16.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
Source: 16.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 16.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
Source: 7.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 7.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
Source: 7.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 7.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
Source: 8.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 8.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 8.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 8.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 8.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
Source: 8.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 8.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
Source: 8.2.rundll32.exe.218ab7a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 8.2.rundll32.exe.218ab7a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 8.2.rundll32.exe.218ab7a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 8.2.rundll32.exe.218ab7a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.rundll32.exe.218ab7a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 8.2.rundll32.exe.218ab7a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.rundll32.exe.218ab7a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
Source: 8.2.rundll32.exe.218ab7a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.rundll32.exe.218ab7a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
Source: 7.2.rundll32.exe.1c688500000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 7.2.rundll32.exe.1c688500000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 7.2.rundll32.exe.1c688500000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 7.2.rundll32.exe.1c688500000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.rundll32.exe.1c688500000.0.raw.unpack, type: UNPACKEDPE	Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 7.2.rundll32.exe.1c688500000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.rundll32.exe.1c688500000.0.raw.unpack, type: UNPACKEDPE	Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
Source: 7.2.rundll32.exe.1c688500000.0.raw.unpack, type: UNPACKEDPE	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.rundll32.exe.1c688500000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
Source: 16.2.rundll32.exe.1afb2a50000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 16.2.rundll32.exe.1afb2a50000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 16.2.rundll32.exe.1afb2a50000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 7.2.rundll32.exe.1c688500000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 7.2.rundll32.exe.1c688500000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 7.2.rundll32.exe.1c688500000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 16.2.rundll32.exe.1afb2a50000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.rundll32.exe.1afb2a50000.0.raw.unpack, type: UNPACKEDPE	Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 16.2.rundll32.exe.1afb2a50000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.rundll32.exe.1c688500000.0.unpack, type: UNPACKEDPE	Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.rundll32.exe.1c688500000.0.unpack, type: UNPACKEDPE	Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 7.2.rundll32.exe.1c688500000.0.unpack, type: UNPACKEDPE	Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.rundll32.exe.1afb2a50000.0.raw.unpack, type: UNPACKEDPE	Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
Source: 7.2.rundll32.exe.1c688500000.0.unpack, type: UNPACKEDPE	Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
Source: 16.2.rundll32.exe.1afb2a50000.0.raw.unpack, type: UNPACKEDPE	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.rundll32.exe.1afb2a50000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
Source: 7.2.rundll32.exe.1c688500000.0.unpack, type: UNPACKEDPE	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.rundll32.exe.1c688500000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
Source: 00000010.00000002.1771741498.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 00000010.00000002.1771741498.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 00000010.00000002.1771741498.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000008.00000002.1772808168.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 00000008.00000002.1772808168.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 00000008.00000002.1772808168.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000010.00000002.1771693350.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000010.00000002.1771693350.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000010.00000002.1771693350.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Trojan_Raw_Generic_4 date_created = 2020-12-02, rev = FireEye, date_modified = 2020-12-02, md5 = f41074be5b423afb02a74bc74222e35d
Source: 00000007.00000002.1772059605.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 00000007.00000002.1772059605.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 00000007.00000002.1772059605.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000010.00000002.1771588319.000001AFB2A50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 00000010.00000002.1771588319.000001AFB2A50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000010.00000002.1771588319.000001AFB2A50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000010.00000002.1771588319.000001AFB2A50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000010.00000002.1771588319.000001AFB2A50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 00000010.00000002.1771588319.000001AFB2A50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000010.00000002.1771588319.000001AFB2A50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
Source: 00000010.00000002.1771588319.000001AFB2A50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000010.00000002.1771588319.000001AFB2A50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
Source: 00000008.00000002.1772609989.00000218AB7A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 00000008.00000002.1772609989.00000218AB7A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000008.00000002.1772609989.00000218AB7A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000008.00000002.1772609989.00000218AB7A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000008.00000002.1772609989.00000218AB7A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 00000008.00000002.1772609989.00000218AB7A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000008.00000002.1772609989.00000218AB7A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
Source: 00000008.00000002.1772609989.00000218AB7A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000008.00000002.1772609989.00000218AB7A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
Source: 00000007.00000002.1771920311.000001C688500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 00000007.00000002.1771920311.000001C688500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000007.00000002.1771920311.000001C688500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000007.00000002.1771920311.000001C688500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000007.00000002.1771920311.000001C688500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 00000007.00000002.1771920311.000001C688500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000007.00000002.1771920311.000001C688500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
Source: 00000007.00000002.1771920311.000001C688500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000007.00000002.1771920311.000001C688500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
Source: 00000008.00000002.1772694422.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000008.00000002.1772694422.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000008.00000002.1772694422.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Trojan_Raw_Generic_4 date_created = 2020-12-02, rev = FireEye, date_modified = 2020-12-02, md5 = f41074be5b423afb02a74bc74222e35d
Source: 00000007.00000002.1772028310.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000007.00000002.1772028310.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000007.00000002.1772028310.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Trojan_Raw_Generic_4 date_created = 2020-12-02, rev = FireEye, date_modified = 2020-12-02, md5 = f41074be5b423afb02a74bc74222e35d
Source: Process Memory Space: rundll32.exe PID: 7172, type: MEMORYSTR	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: Process Memory Space: rundll32.exe PID: 7172, type: MEMORYSTR	Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: Process Memory Space: rundll32.exe PID: 7172, type: MEMORYSTR	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: rundll32.exe PID: 7180, type: MEMORYSTR	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: Process Memory Space: rundll32.exe PID: 7180, type: MEMORYSTR	Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: Process Memory Space: rundll32.exe PID: 7180, type: MEMORYSTR	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: rundll32.exe PID: 7596, type: MEMORYSTR	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: Process Memory Space: rundll32.exe PID: 7596, type: MEMORYSTR	Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: Process Memory Space: rundll32.exe PID: 7596, type: MEMORYSTR	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/

Source: classification engine

Classification label: mal100.troj.evad.winDLL@13/13@0/0

Source: C:\Windows\System32\rundll32.exe

Code function: 7_2_00007FFB0C660B70 LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,

7_2_00007FFB0C660B70

Source: C:\Windows\System32\rundll32.exe

7_2_00007FFB0C66867C

Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7172
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7596
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1792:120:WilError_03
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7180

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\f133e19a-9108-402a-831d-fb9a0f4e5746

Jump to behavior

Source: 6gmoJJZr1e.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll64.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll64.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\6gmoJJZr1e.dll,ReflectiveLoader

Source: 6gmoJJZr1e.dll

ReversingLabs: Detection: 76%

Source: unknown	Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\6gmoJJZr1e.dll"
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\6gmoJJZr1e.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\6gmoJJZr1e.dll,ReflectiveLoader
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\6gmoJJZr1e.dll",#1
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7172 -s 332
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7180 -s 352
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\6gmoJJZr1e.dll",ReflectiveLoader
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7596 -s 344
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\6gmoJJZr1e.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\6gmoJJZr1e.dll,ReflectiveLoader	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\6gmoJJZr1e.dll",ReflectiveLoader	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\6gmoJJZr1e.dll",#1	Jump to behavior

Source: C:\Windows\System32\loaddll64.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: kernel.appcore.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: 6gmoJJZr1e.dll

Static PE information: Image base 0x180000000 > 0x60000000

Source: 6gmoJJZr1e.dll

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Contains functionality to dynamically determine API calls

Source: C:\Windows\System32\rundll32.exe

7_2_00007FFB0C679744

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Windows\System32\rundll32.exe

7_2_00007FFB0C6701A8

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Contains functionality to detect sleep reduction / modifications

Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00007FFB0C665854		7_2_00007FFB0C665854
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00007FFB0C65FA1C		7_2_00007FFB0C65FA1C

Found large amount of non-executed APIs

Source: C:\Windows\System32\rundll32.exe

API coverage: 0.1 %

May check if the current machine is a sandbox (GetTickCount - Sleep)

Source: C:\Windows\System32\rundll32.exe

Code function: 7_2_00007FFB0C65FA1C

7_2_00007FFB0C65FA1C

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\loaddll64.exe TID: 2892

Thread sleep time: -120000s >= -30000s

Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00007FFB0C669220 malloc,_snprintf,FindFirstFileA,free,malloc,_snprintf,free,FindNextFileA,FindClose,		7_2_00007FFB0C669220
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00007FFB0C661C30 malloc,GetCurrentDirectoryA,FindFirstFileA,GetLastError,free,free,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FindNextFileA,FindClose,		7_2_00007FFB0C661C30

Source: C:\Windows\System32\loaddll64.exe

Thread delayed: delay time: 120000

Jump to behavior

Source: Amcache.hve.12.dr	Binary or memory string: VMware
Source: Amcache.hve.12.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.12.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.12.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.12.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.12.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.12.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.12.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.12.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.12.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.12.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.12.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.12.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.12.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.12.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.12.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.12.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.12.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.12.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.12.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.12.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.12.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.12.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.12.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.12.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.12.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.12.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.12.dr	Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: Amcache.hve.12.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Windows\System32\rundll32.exe

7_2_00007FFB0C679744

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Source: C:\Windows\System32\rundll32.exe

7_2_00007FFB0C679744

Contains functionality to dynamically determine API calls

Source: C:\Windows\System32\rundll32.exe

7_2_00007FFB0C679744

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Windows\System32\rundll32.exe

Code function: 7_2_00007FFB0C671D88 GetProcessHeap,

7_2_00007FFB0C671D88

Source: C:\Windows\System32\rundll32.exe

Code function: 7_2_00007FFB0C6744D0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,

7_2_00007FFB0C6744D0

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 7172, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 7180, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 7596, type: MEMORYSTR

Contains functionality to execute programs as a different user

Source: C:\Windows\System32\rundll32.exe

Code function: 7_2_00007FFB0C66DF50 LogonUserA,GetLastError,ImpersonateLoggedOnUser,GetLastError,

7_2_00007FFB0C66DF50

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\6gmoJJZr1e.dll",#1

Jump to behavior

Source: C:\Windows\System32\rundll32.exe

Code function: 7_2_00007FFB0C66DEC8 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

7_2_00007FFB0C66DEC8

Source: C:\Windows\System32\rundll32.exe

Code function: 7_2_00007FFB0C660920 CreateNamedPipeA,

7_2_00007FFB0C660920

Source: C:\Windows\System32\rundll32.exe

Code function: 7_2_00007FFB0C67ECDC GetSystemTimeAsFileTime,

7_2_00007FFB0C67ECDC

Source: C:\Windows\System32\rundll32.exe

Code function: 7_2_00007FFB0C665E28 GetUserNameA,GetComputerNameA,GetModuleFileNameA,strrchr,GetVersionExA,GetProcAddress,GetModuleHandleA,GetProcAddress,_snprintf,

7_2_00007FFB0C665E28

Source: C:\Windows\System32\rundll32.exe

Code function: 7_2_00007FFB0C665E28 GetUserNameA,GetComputerNameA,GetModuleFileNameA,strrchr,GetVersionExA,GetProcAddress,GetModuleHandleA,GetProcAddress,_snprintf,

7_2_00007FFB0C665E28

AV process strings found (often used to terminate AV products)

Source: Amcache.hve.12.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.12.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.12.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.12.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.12.dr	Binary or memory string: MsMpEng.exe

Remote Access Functionality

Yara detected CobaltStrike

Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 7172, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 7180, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 7596, type: MEMORYSTR
Source: Yara match	File source: 6gmoJJZr1e.dll, type: SAMPLE
Source: Yara match	File source: 8.2.rundll32.exe.218ab7a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.1afb2a50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.218ab7a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.1c688500000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.1afb2a50000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.1c688500000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.1771741498.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1772808168.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1772059605.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.1771588319.000001AFB2A50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1772609989.00000218AB7A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1771920311.000001C688500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00007FFB0C66EE8C socket,closesocket,htons,bind,listen,	7_2_00007FFB0C66EE8C
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00007FFB0C666670 htonl,htons,socket,closesocket,bind,ioctlsocket,	7_2_00007FFB0C666670
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_00007FFB0C666A78 socket,htons,ioctlsocket,closesocket,bind,listen,	7_2_00007FFB0C666A78

ID:	1562666
Product:	CloudBasic
Start time:	21:00:06
Start date:	25.11.2024
Sample:	6gmoJJZr1e.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	9ab72fbaf8da0474c38e5be5813384cf
SHA1:	98038ca580f83893db070e9fabd28e7078003377
SHA256:	ad0474f0d6021d0de97c77ca222a05777762aad59bda2be2f3b1a8f1a8022707
Filetype:	Win64 Dynamic Link Library (generic) (102004/3) 87.93%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_6gm_9b1d9c974cdc3e984dfdab69b0a88852c0a1104e_548d04a3_3f19492b-0eed-400a-afd1-e598d38770c0\Report.wer	Unicode text, UTF-16, little-endian text, with CRLF line terminators	BF1A496E45A09278BA2DF54FCE5C08D3	1801431BABAEA4A51C9EBDAFD34D4154E3497C82	80135C7B2CEBD290B9199B9B58DCC53FA15AC5F40AA98F2C2E46166EA8CA3052
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_6gm_9b1d9c974cdc3e984dfdab69b0a88852c0a1104e_548d04a3_563ae1a6-ee2b-4b5b-920d-2c39c7262e81\Report.wer	Unicode text, UTF-16, little-endian text, with CRLF line terminators	1C5D4AF4C119FE796BB30176458007EE	ADCDB0DE8DF31DEBA5566B637B162E36387257F5	ADE90A3C53AFC4FAD0C93965CC83A1488A9E28ACF37F9ACD454C428F3E924696
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_6gm_9b1d9c974cdc3e984dfdab69b0a88852c0a1104e_548d04a3_8abe9583-1d52-4e8c-8b02-0ee72f6ed599\Report.wer	Unicode text, UTF-16, little-endian text, with CRLF line terminators	EF1C7FB5374EE66F250646123AAA74A7	D87600ACC93D5EC66EF1A207BAB91F7FB1F5901C	15A7EEC131F8501DA027412B98A92AF22C19BD0798E7AF47845F8B59A29AFE10
C:\ProgramData\Microsoft\Windows\WER\Temp\WER72E6.tmp.dmp	Mini DuMP crash report, 14 streams, Mon Nov 25 20:01:11 2024, 0x1205a4 type	07D42ED6F867DFDE73A85F3863D0FCE2	7CECA6411C9298A0E45213B7C6738FAFC17F4B50	1B7B7FA1A9AEA07ED2E073EA995E5808C9EAF54387761F686E98C4B441765A52
C:\ProgramData\Microsoft\Windows\WER\Temp\WER7382.tmp.dmp	Mini DuMP crash report, 14 streams, Mon Nov 25 20:01:11 2024, 0x1205a4 type	346EA3CDFF427DF207AAC08FCE954BFB	57F2DAB96DB147BB2A96A028CDDBC39BF9E3B68A	AE24F60029058434C8A27B4D2679758D43B381E6037F721D0C03579471C93317
C:\ProgramData\Microsoft\Windows\WER\Temp\WER75B6.tmp.WERInternalMetadata.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	AD369B8B150B8E0D50FBCBB4150E56FA	9123D67C92276837B942CBBF4E5A6E18BBDBFFF8	69BA586D7B7B59A14B5839E2833E1436E3495AD4918FB988CDDB2415A8BE73D3
C:\ProgramData\Microsoft\Windows\WER\Temp\WER7614.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	F1E614C45C7DECB16AFE274E878263EE	5F22D8A4E238FE31ED056115AE61430262168D60	11C6373A9914DF0238FC5F3867453BA24CDE8D2D2CA8C1DA85611FC08253AB4B
C:\ProgramData\Microsoft\Windows\WER\Temp\WER7634.tmp.WERInternalMetadata.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	4CD3E8B2BF1313405488C0890CD4503C	FDF923A431804898BE3E60C99A72ADC89A64752E	58EA565E5DD0A72BB9B358AD298D94E564B052FAEF9C390B3143BA3A4AB78945
C:\ProgramData\Microsoft\Windows\WER\Temp\WER76E0.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	4CCEBCD9AFEE10597102FB426252E8BC	99AD51BBD0CF107F1F6305D3726FDCC8B3314317	8E24B5539F234E320AD840F32F6A25277F5BF7794EE7808D0248E4265A3BBBF2
C:\ProgramData\Microsoft\Windows\WER\Temp\WER7883.tmp.dmp	Mini DuMP crash report, 14 streams, Mon Nov 25 20:01:12 2024, 0x1205a4 type	9490F96B74949CD750FE02807BBC098F	7DDF13640506DE5E1BE6CF470AFDDC2E0E785674	E34306E172C8F9E4426920752CF9AAB5ED80D3C8D3CC394FB85E72B96136C9F6
C:\ProgramData\Microsoft\Windows\WER\Temp\WER78E2.tmp.WERInternalMetadata.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	B11D92318BBE8FC606158087F6930A03	5AEF1AFCCF5A537F34F2BA1F79172231CCBB8CF2	80B22546E55A763476B131F7A594B34D5980F90A7D32D538094CFEBA19D8A821
C:\ProgramData\Microsoft\Windows\WER\Temp\WER7912.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	419A655D405D14D9901326D8E2E47980	DE2A63145C45EC0A3F11217110219B497D39A6C9	810E8DBFF37FD0CB3C7433E0DCCAD9FF20F57C93822DB326ED81C32F7B036B3D
C:\Windows\appcompat\Programs\Amcache.hve	MS Windows registry file, NT/2000 or above	BC4D29448F61E1F2A1C7D28093294C11	BBCC6E67A4019E75A0F1AE64E92BA020E0E523BC	221F989C8C6D8F7734E5ACCB6A9F97FB8A4F8486DCE1E7D65B8F66D8480DDE90

Windows Analysis Report
6gmoJJZr1e.dll

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted URLs

Windows Analysis Report 6gmoJJZr1e.dll

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted URLs

Windows Analysis Report
6gmoJJZr1e.dll

Malware Threat Intel
Provided by