Analysis
-
max time kernel
15s -
max time network
110s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
11-11-2020 10:53
Static task
static1
Behavioral task
behavioral1
Sample
780e094f58b79d1e36bea73f8d51d794932c0e4e3ff2129ba8c08b5667a05f8a.dll
Resource
win7v20201028
Behavioral task
behavioral2
Sample
780e094f58b79d1e36bea73f8d51d794932c0e4e3ff2129ba8c08b5667a05f8a.dll
Resource
win10v20201028
General
-
Target
780e094f58b79d1e36bea73f8d51d794932c0e4e3ff2129ba8c08b5667a05f8a.dll
-
Size
204KB
-
MD5
1774e47878695044939263df2d589f73
-
SHA1
572eb65284497e34a84f844f27bb6d70d173c3f8
-
SHA256
780e094f58b79d1e36bea73f8d51d794932c0e4e3ff2129ba8c08b5667a05f8a
-
SHA512
c360a6f6c8ae13675cd1b9183905baa4c146463fdcf543d69bc8d056314c1e5b9a7d0ecc812a7baade8aaa7539f80461da53598768e1eb9ca656e8f0a2afa3a4
Malware Config
Signatures
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
ServiceHost packer 3 IoCs
Detects ServiceHost packer used for .NET malware
Processes:
resource yara_rule behavioral2/memory/388-3-0x0000000000000000-mapping.dmp servicehost behavioral2/memory/388-2-0x0000000000000000-mapping.dmp servicehost behavioral2/memory/388-4-0x0000000000000000-mapping.dmp servicehost -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 3168 388 WerFault.exe rundll32.exe -
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
WerFault.exepid process 3168 WerFault.exe 3168 WerFault.exe 3168 WerFault.exe 3168 WerFault.exe 3168 WerFault.exe 3168 WerFault.exe 3168 WerFault.exe 3168 WerFault.exe 3168 WerFault.exe 3168 WerFault.exe 3168 WerFault.exe 3168 WerFault.exe 3168 WerFault.exe 3168 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
WerFault.exedescription pid process Token: SeRestorePrivilege 3168 WerFault.exe Token: SeBackupPrivilege 3168 WerFault.exe Token: SeDebugPrivilege 3168 WerFault.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
rundll32.exedescription pid process target process PID 1080 wrote to memory of 388 1080 rundll32.exe rundll32.exe PID 1080 wrote to memory of 388 1080 rundll32.exe rundll32.exe PID 1080 wrote to memory of 388 1080 rundll32.exe rundll32.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\780e094f58b79d1e36bea73f8d51d794932c0e4e3ff2129ba8c08b5667a05f8a.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:1080 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\780e094f58b79d1e36bea73f8d51d794932c0e4e3ff2129ba8c08b5667a05f8a.dll,#12⤵PID:388
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 388 -s 6363⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3168
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/388-0-0x0000000000000000-mapping.dmp
-
memory/388-3-0x0000000000000000-mapping.dmp
-
memory/388-2-0x0000000000000000-mapping.dmp
-
memory/388-4-0x0000000000000000-mapping.dmp
-
memory/3168-1-0x0000000004270000-0x0000000004271000-memory.dmpFilesize
4KB
-
memory/3168-5-0x0000000004A30000-0x0000000004A31000-memory.dmpFilesize
4KB