Analysis
-
max time kernel
10s -
max time network
111s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
11-11-2020 11:44
Static task
static1
Behavioral task
behavioral1
Sample
68c56df172f7293805b94e92f2611e514025a4b0dbdcc00c510224a8da4b3088.dll
Resource
win7v20201028
Behavioral task
behavioral2
Sample
68c56df172f7293805b94e92f2611e514025a4b0dbdcc00c510224a8da4b3088.dll
Resource
win10v20201028
General
-
Target
68c56df172f7293805b94e92f2611e514025a4b0dbdcc00c510224a8da4b3088.dll
-
Size
199KB
-
MD5
46f46ade0fd2e8441d58fc443e158412
-
SHA1
6a6c86ee912a59369857dd79a291e4c9a6d1ea17
-
SHA256
68c56df172f7293805b94e92f2611e514025a4b0dbdcc00c510224a8da4b3088
-
SHA512
e4f12ece6c7d6b02f7413afd534671e980b7a3bf822ac57bf1ee566eb4c6f438befd7b55e3a18f78df2c3b0d1a52ce82b22d3f647bdd0d9844eedd2668c4d968
Malware Config
Signatures
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
ServiceHost packer 2 IoCs
Detects ServiceHost packer used for .NET malware
Processes:
resource yara_rule behavioral2/memory/4756-2-0x0000000000000000-mapping.dmp servicehost behavioral2/memory/4756-3-0x0000000000000000-mapping.dmp servicehost -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 5096 4756 WerFault.exe rundll32.exe -
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
WerFault.exepid process 5096 WerFault.exe 5096 WerFault.exe 5096 WerFault.exe 5096 WerFault.exe 5096 WerFault.exe 5096 WerFault.exe 5096 WerFault.exe 5096 WerFault.exe 5096 WerFault.exe 5096 WerFault.exe 5096 WerFault.exe 5096 WerFault.exe 5096 WerFault.exe 5096 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
WerFault.exedescription pid process Token: SeRestorePrivilege 5096 WerFault.exe Token: SeBackupPrivilege 5096 WerFault.exe Token: SeDebugPrivilege 5096 WerFault.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
rundll32.exedescription pid process target process PID 4696 wrote to memory of 4756 4696 rundll32.exe rundll32.exe PID 4696 wrote to memory of 4756 4696 rundll32.exe rundll32.exe PID 4696 wrote to memory of 4756 4696 rundll32.exe rundll32.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\68c56df172f7293805b94e92f2611e514025a4b0dbdcc00c510224a8da4b3088.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\68c56df172f7293805b94e92f2611e514025a4b0dbdcc00c510224a8da4b3088.dll,#12⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4756 -s 6323⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/4756-0-0x0000000000000000-mapping.dmp
-
memory/4756-2-0x0000000000000000-mapping.dmp
-
memory/4756-3-0x0000000000000000-mapping.dmp
-
memory/5096-1-0x0000000004E10000-0x0000000004E11000-memory.dmpFilesize
4KB
-
memory/5096-4-0x0000000005680000-0x0000000005681000-memory.dmpFilesize
4KB