Analysis

max time kernel: 24s
max time network: 30s
platform: windows7_x64
resource: win7v20201028
submitted: 11-11-2020 10:53
Static task: static1

Behavioral task: behavioral1
Sample: 0f9bfd21c33cf45c6d02b7066632284bd4126738ce879d7ff01cdb274c60524d.dll
Resource: win7v20201028

Behavioral task: behavioral2
Sample: 0f9bfd21c33cf45c6d02b7066632284bd4126738ce879d7ff01cdb274c60524d.dll
Resource: win10v20201028
General

Target: 0f9bfd21c33cf45c6d02b7066632284bd4126738ce879d7ff01cdb274c60524d.dll
Size: 244KB
MD5: b2830ef3bc9e95316fd393b000ef0dee
SHA1: d45ec7c9865b2230b097ebdec7aa181b5cd1796c
SHA256: 0f9bfd21c33cf45c6d02b7066632284bd4126738ce879d7ff01cdb274c60524d
SHA512: 558ebd4eb5ce5c029727f6839c13f05d46b1bd60d089b749120c94b3d140e0c37a58587ef1f1d06dad634cdc331fafbb2448693001599718f512401d95e4e996
Malware Config
Signatures
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.

Program crash (1 IoC)
Processes:
  pid   pid_target  process       target process
  2040  2028        WerFault.exe  rundll32.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
  pid   process
  2040  WerFault.exe
  2040  WerFault.exe
  2040  WerFault.exe
  2040  WerFault.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  2040  WerFault.exe

Suspicious use of WriteProcessMemory (11 IoCs)
Processes:
  description                       pid   process       target process
  PID 1120 wrote to memory of 2028  1120  rundll32.exe  rundll32.exe
  PID 1120 wrote to memory of 2028  1120  rundll32.exe  rundll32.exe
  PID 1120 wrote to memory of 2028  1120  rundll32.exe  rundll32.exe
  PID 1120 wrote to memory of 2028  1120  rundll32.exe  rundll32.exe
  PID 1120 wrote to memory of 2028  1120  rundll32.exe  rundll32.exe
  PID 1120 wrote to memory of 2028  1120  rundll32.exe  rundll32.exe
  PID 1120 wrote to memory of 2028  1120  rundll32.exe  rundll32.exe
  PID 2028 wrote to memory of 2040  2028  rundll32.exe  WerFault.exe
  PID 2028 wrote to memory of 2040  2028  rundll32.exe  WerFault.exe
  PID 2028 wrote to memory of 2040  2028  rundll32.exe  WerFault.exe
  PID 2028 wrote to memory of 2040  2028  rundll32.exe  WerFault.exe
Processes

1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\0f9bfd21c33cf45c6d02b7066632284bd4126738ce879d7ff01cdb274c60524d.dll,#1
   PID: 1120
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe (child of 1)
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\0f9bfd21c33cf45c6d02b7066632284bd4126738ce879d7ff01cdb274c60524d.dll,#1
      PID: 2028
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\WerFault.exe (child of 2)
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2028 -s 196
         PID: 2040
         - Program crash
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
memory/2028-0-0x0000000000000000-mapping.dmp
memory/2028-3-0x0000000000000000-mapping.dmp
memory/2040-1-0x0000000000000000-mapping.dmp
memory/2040-2-0x0000000001FC0000-0x0000000001FD1000-memory.dmp (Filesize: 68KB)
memory/2040-4-0x00000000025B0000-0x00000000025C1000-memory.dmp (Filesize: 68KB)