Analysis
- max time kernel: 13s
- max time network: 113s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 12-11-2020 14:42
Static task: static1
Behavioral task: behavioral1
- Sample: 7f7812eacc93910296d9434d1e9674613a0344d254c48f8bd9714f045ce5df31.dll
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: 7f7812eacc93910296d9434d1e9674613a0344d254c48f8bd9714f045ce5df31.dll
- Resource: win10v20201028
General
- Target: 7f7812eacc93910296d9434d1e9674613a0344d254c48f8bd9714f045ce5df31.dll
- Size: 204KB
- MD5: 80b57cb267ea3dd70b4b25dd81910cd6
- SHA1: b9bc74d5004353a17a70668df2229311b247a00d
- SHA256: 7f7812eacc93910296d9434d1e9674613a0344d254c48f8bd9714f045ce5df31
- SHA512: 85914ff080460e409ae9285f688b9a631360d0530f828036f3f70eb947304fc2cefcea64156c933ec19b1aa4f2a843f1910a0d48cfbac0ec558095e47050d859
Malware Config
Signatures
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
- Program crash (1 IoC)
  Processes (pid, target pid, process, target process):
  2164  4760  WerFault.exe  rundll32.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes (pid, process):
  2164  WerFault.exe  (14 occurrences)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description, pid, process):
  Token: SeRestorePrivilege  2164  WerFault.exe
  Token: SeBackupPrivilege   2164  WerFault.exe
  Token: SeDebugPrivilege    2164  WerFault.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description, pid, process, target process):
  PID 4716 wrote to memory of 4760  4716  rundll32.exe  rundll32.exe  (3 occurrences)
Processes
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\7f7812eacc93910296d9434d1e9674613a0344d254c48f8bd9714f045ce5df31.dll,#1
  PID: 4716
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\7f7812eacc93910296d9434d1e9674613a0344d254c48f8bd9714f045ce5df31.dll,#1
    PID: 4760
    - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 640
      PID: 2164
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
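The process tree above shows the pattern worth keying on in telemetry: rundll32.exe invoked with a DLL in the user's Temp directory and an ordinal export (",#1"), the 64-bit system32 rundll32 re-launching the DLL under the SysWOW64 rundll32 (what rundll32 does when the DLL it is handed is 32-bit), and that child crashing into WerFault (-p 4760). Because the child crashed, the Network and Malware Config sections of this report are empty, which is not evidence that the payload has no C2. The following is an added example, not part of the report or of the sandbox's own tooling: it rebuilds the three processes as structured records (PIDs, images and command lines copied from the tree; parent links taken from its nesting) and runs the three checks over them. Rule names and the helper functions are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str


# Constructed sample input: the three processes in the report's tree.
DLL = (r"C:\Users\Admin\AppData\Local\Temp"
       r"\7f7812eacc93910296d9434d1e9674613a0344d254c48f8bd9714f045ce5df31.dll")
SAMPLE = [
    Proc(4716, None, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {DLL},#1"),
    Proc(4760, 4716, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {DLL},#1"),
    Proc(2164, 4760, r"C:\Windows\SysWOW64\WerFault.exe",
         r"C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 640"),
]

# rundll32 <path>.dll,#<ordinal>  (ordinal export rather than a named one)
RUNDLL_ORDINAL = re.compile(r"rundll32\.exe\s+(?P<dll>.+?\.dll),#(?P<ordinal>\d+)", re.I)
# WerFault ... -p <pid>  (pid of the process that crashed)
WERFAULT_PID = re.compile(r"WerFault\.exe\b.*?-p\s+(?P<pid>\d+)", re.I)
# DLL loaded from a user-writable staging directory
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)


def analyse(procs: List[Proc]) -> List[Tuple]:
    """Run the three checks and return (rule, ...) tuples in discovery order."""
    by_pid = {p.pid: p for p in procs}
    findings: List[Tuple] = []
    suspects = set()
    for p in procs:
        m = RUNDLL_ORDINAL.search(p.cmdline)
        if not m:
            continue
        # 1. rundll32 loading a DLL by ordinal from %TEMP%
        if USER_WRITABLE.search(m["dll"]):
            suspects.add(p.pid)
            findings.append(("rundll32_ordinal_export_from_temp", p.pid, m["dll"], int(m["ordinal"])))
        # 2. 64-bit rundll32 handing the same DLL to the SysWOW64 rundll32
        parent = by_pid.get(p.ppid)
        if parent is not None:
            pm = RUNDLL_ORDINAL.search(parent.cmdline)
            if (pm and pm["dll"].lower() == m["dll"].lower()
                    and "\\system32\\" in parent.image.lower()
                    and "\\syswow64\\" in p.image.lower()):
                suspects.add(p.pid)
                findings.append(("wow64_rundll32_handoff", p.pid, parent.pid))
    # 3. WerFault reporting a crash of one of the processes flagged above
    for p in procs:
        w = WERFAULT_PID.search(p.cmdline)
        if w and int(w["pid"]) in suspects:
            findings.append(("crashed_suspect", int(w["pid"]), p.pid))
    return findings


def detonation_inconclusive(findings: List[Tuple]) -> bool:
    """True when a flagged process crashed: empty network/config output then proves nothing."""
    return any(f[0] == "crashed_suspect" for f in findings)


if __name__ == "__main__":
    for f in analyse(SAMPLE):
        print(*f)
    print("detonation inconclusive:", detonation_inconclusive(analyse(SAMPLE)))
```

Run against the sample, the script flags both rundll32 instances for the ordinal-from-Temp load, the 4760 process for the WOW64 handoff from 4716, and 4760 again as the process WerFault (2164) crash-handled; the last finding is the reason to re-detonate (for example in a 32-bit task, or by calling the export the payload expects) before concluding anything from the empty Network section.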
Network
MITRE ATT&CK Matrix
Downloads
- memory/2164-1-0x0000000004F70000-0x0000000004F71000-memory.dmp (Filesize: 4KB)
- memory/2164-5-0x0000000005970000-0x0000000005971000-memory.dmp (Filesize: 4KB)
- memory/4760-0-0x0000000000000000-mapping.dmp
- memory/4760-2-0x0000000000000000-mapping.dmp
- memory/4760-3-0x0000000000000000-mapping.dmp
- memory/4760-4-0x0000000000000000-mapping.dmp