Analysis
- max time kernel: 112s
- max time network: 111s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 12-11-2020 14:36
Static task
- static1

Behavioral task
- behavioral1
  Sample: a418c205a0e42a84ecedea8d2b79d700bc6c6962d91cc76446800cc4cb67963e.dll
  Resource: win7v20201028

Behavioral task
- behavioral2
  Sample: a418c205a0e42a84ecedea8d2b79d700bc6c6962d91cc76446800cc4cb67963e.dll
  Resource: win10v20201028
General
- Target: a418c205a0e42a84ecedea8d2b79d700bc6c6962d91cc76446800cc4cb67963e.dll
- Size: 244KB
- MD5: e10a231d10334d2def1a26db8c7624d2
- SHA1: b3d4b8a0c268bfe29ed728b178969b2928893e84
- SHA256: a418c205a0e42a84ecedea8d2b79d700bc6c6962d91cc76446800cc4cb67963e
- SHA512: 400fed388b3c9271e040504c6bec0f3c8ac8498a97ea1f706ad7510e78cc078903c8e9e54e0e6983cfd22d915d35323491eca1ca278b9aa8bb3bdd703f1f7369
Malware Config
Signatures
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.

- Program crash (1 IoC)
  Processes:
    pid    pid_target    process        target process
    1988   1920          WerFault.exe   rundll32.exe

- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
    pid    process        events
    1988   WerFault.exe   4

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description                pid    process
    Token: SeDebugPrivilege    1988   WerFault.exe

- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
    description                      pid    process         target process   events
    PID 292 wrote to memory of 1920  292    rundll32.exe    rundll32.exe     7
    PID 1920 wrote to memory of 1988 1920   rundll32.exe    WerFault.exe     4
Processes
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\a418c205a0e42a84ecedea8d2b79d700bc6c6962d91cc76446800cc4cb67963e.dll,#1
  PID: 292
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\a418c205a0e42a84ecedea8d2b79d700bc6c6962d91cc76446800cc4cb67963e.dll,#1
    PID: 1920
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 196
      PID: 1988
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/1920-0-0x0000000000000000-mapping.dmp
- memory/1920-3-0x0000000000000000-mapping.dmp
- memory/1988-1-0x0000000000000000-mapping.dmp
- memory/1988-2-0x0000000001F30000-0x0000000001F41000-memory.dmp (Filesize: 68KB)
- memory/1988-4-0x0000000002540000-0x0000000002551000-memory.dmp (Filesize: 68KB)