Analysis
-
max time kernel
112s -
max time network
111s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
12-11-2020 14:36
General
-
Target
a418c205a0e42a84ecedea8d2b79d700bc6c6962d91cc76446800cc4cb67963e.dll
-
Size
244KB
-
MD5
e10a231d10334d2def1a26db8c7624d2
-
SHA1
b3d4b8a0c268bfe29ed728b178969b2928893e84
-
SHA256
a418c205a0e42a84ecedea8d2b79d700bc6c6962d91cc76446800cc4cb67963e
-
SHA512
400fed388b3c9271e040504c6bec0f3c8ac8498a97ea1f706ad7510e78cc078903c8e9e54e0e6983cfd22d915d35323491eca1ca278b9aa8bb3bdd703f1f7369
Score
10/10
Malware Config
Signatures
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Program crash 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\a418c205a0e42a84ecedea8d2b79d700bc6c6962d91cc76446800cc4cb67963e.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\a418c205a0e42a84ecedea8d2b79d700bc6c6962d91cc76446800cc4cb67963e.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 1963⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1920-0-0x0000000000000000-mapping.dmp
-
memory/1920-3-0x0000000000000000-mapping.dmp
-
memory/1988-1-0x0000000000000000-mapping.dmp
-
memory/1988-2-0x0000000001F30000-0x0000000001F41000-memory.dmpFilesize
68KB
-
memory/1988-4-0x0000000002540000-0x0000000002551000-memory.dmpFilesize
68KB