Analysis
- max time kernel: 4s
- max time network: 11s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 12-11-2020 13:56
Static task: static1
Behavioral task: behavioral1
- Sample: 9b3256082d52fa5f63f0c1502c3028124f01bf2d1244ac159ecaec2898180a7d.dll
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: 9b3256082d52fa5f63f0c1502c3028124f01bf2d1244ac159ecaec2898180a7d.dll
- Resource: win10v20201028
General
- Target: 9b3256082d52fa5f63f0c1502c3028124f01bf2d1244ac159ecaec2898180a7d.dll
- Size: 244KB
- MD5: 93451f4312bbb46f654b985d825a4cca
- SHA1: 21e1c3cdcf86f4224fa2c0d797875c4bebb7bce4
- SHA256: 9b3256082d52fa5f63f0c1502c3028124f01bf2d1244ac159ecaec2898180a7d
- SHA512: a122a6431aabb7f4ec72c2d09148682275d9f37f04c85c3732f4888ee8ee6a80de64ac82ddb64c1212a4c950119d18a8be4e25392e3bb32e0972d7b48b145130
Malware Config
Signatures
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
- Program crash (1 IoC)
  Processes:
  pid   pid_target   process        target process
  1500  1960         WerFault.exe   rundll32.exe
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes:
  pid   process
  1500  WerFault.exe (5 times)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description               pid   process
  Token: SeDebugPrivilege   1500  WerFault.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
  description                      pid   process        target process
  PID 1588 wrote to memory of 1960  1588  rundll32.exe   rundll32.exe (7 times)
  PID 1960 wrote to memory of 1500  1960  rundll32.exe   WerFault.exe (4 times)
Processes
1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\9b3256082d52fa5f63f0c1502c3028124f01bf2d1244ac159ecaec2898180a7d.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe (child of 1)
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\9b3256082d52fa5f63f0c1502c3028124f01bf2d1244ac159ecaec2898180a7d.dll,#1
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\WerFault.exe (child of 2)
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 196
         - Program crash
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/1500-1-0x0000000000000000-mapping.dmp
- memory/1500-2-0x0000000001DA0000-0x0000000001DB1000-memory.dmp (Filesize: 68KB)
- memory/1500-4-0x0000000002490000-0x00000000024A1000-memory.dmp (Filesize: 68KB)
- memory/1960-0-0x0000000000000000-mapping.dmp
- memory/1960-3-0x0000000000000000-mapping.dmp