Analysis
- max time kernel: 121s
- max time network: 122s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 12-11-2020 14:08
- Static task: static1
- Behavioral task: behavioral1
  - Sample: f09511a7b731bba59d266c1be3fa6870a0d6008de5febf9ce9b6b59273237158.dll
  - Resource: win7v20201028
- Behavioral task: behavioral2
  - Sample: f09511a7b731bba59d266c1be3fa6870a0d6008de5febf9ce9b6b59273237158.dll
  - Resource: win10v20201028
General
- Target: f09511a7b731bba59d266c1be3fa6870a0d6008de5febf9ce9b6b59273237158.dll
- Size: 244KB
- MD5: 2c70f37c51d5a3ccdd745e1e2b1239f1
- SHA1: a55d12929e54dec5728cd5622935d7827d9097cf
- SHA256: f09511a7b731bba59d266c1be3fa6870a0d6008de5febf9ce9b6b59273237158
- SHA512: 099dcf6c7cf64e4c3daf2cff2615e6a1830141427409a30f3a9dcd429192194fa5a3845d49568d7a4718be114cc3ae52e6688a2c749da73c7045b78e70f98728
Malware Config

Signatures
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
- Program crash (1 IoC)
  Processes:
  pid   pid_target  process       target process
  1924  1332        WerFault.exe  rundll32.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
  pid   process
  1924  WerFault.exe
  1924  WerFault.exe
  1924  WerFault.exe
  1924  WerFault.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description               pid   process
  Token: SeDebugPrivilege   1924  WerFault.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
  description                         pid   process       target process
  PID 796 wrote to memory of 1332     796   rundll32.exe  rundll32.exe
  PID 796 wrote to memory of 1332     796   rundll32.exe  rundll32.exe
  PID 796 wrote to memory of 1332     796   rundll32.exe  rundll32.exe
  PID 796 wrote to memory of 1332     796   rundll32.exe  rundll32.exe
  PID 796 wrote to memory of 1332     796   rundll32.exe  rundll32.exe
  PID 796 wrote to memory of 1332     796   rundll32.exe  rundll32.exe
  PID 796 wrote to memory of 1332     796   rundll32.exe  rundll32.exe
  PID 1332 wrote to memory of 1924    1332  rundll32.exe  WerFault.exe
  PID 1332 wrote to memory of 1924    1332  rundll32.exe  WerFault.exe
  PID 1332 wrote to memory of 1924    1332  rundll32.exe  WerFault.exe
  PID 1332 wrote to memory of 1924    1332  rundll32.exe  WerFault.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f09511a7b731bba59d266c1be3fa6870a0d6008de5febf9ce9b6b59273237158.dll,#1
  PID: 796
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f09511a7b731bba59d266c1be3fa6870a0d6008de5febf9ce9b6b59273237158.dll,#1
    PID: 1332
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 196
      PID: 1924
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/1332-0-0x0000000000000000-mapping.dmp
- memory/1332-3-0x0000000000000000-mapping.dmp
- memory/1924-1-0x0000000000000000-mapping.dmp
- memory/1924-2-0x0000000001F10000-0x0000000001F21000-memory.dmp (Filesize: 68KB)
- memory/1924-4-0x0000000002560000-0x0000000002571000-memory.dmp (Filesize: 68KB)