Analysis

- max time kernel: 4s
- max time network: 11s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 15-11-2020 22:50
Static task: static1

Behavioral task: behavioral1
- Sample: 27962c066713cb102b9972e0cadb98290fc95d67e2b9377a5e03640cbe7ac841.dll
- Resource: win7v20201028

Behavioral task: behavioral2
- Sample: 27962c066713cb102b9972e0cadb98290fc95d67e2b9377a5e03640cbe7ac841.dll
- Resource: win10v20201028
General

- Target: 27962c066713cb102b9972e0cadb98290fc95d67e2b9377a5e03640cbe7ac841.dll
- Size: 469KB
- MD5: 833765960517f095d4ed2d8877bc254d
- SHA1: 883c469d97edab7f99f1668ac3b25742f35e380f
- SHA256: 27962c066713cb102b9972e0cadb98290fc95d67e2b9377a5e03640cbe7ac841
- SHA512: afa59745f9d43db1f4b451a2c36d09b395cefc9f0a923808ba4e2155ba1680de54f0cb91b3f2e6d37d17f7abb8c0e79fdf8215c859d1a785998969d4e2bfee54
Malware Config

Signatures

- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.

- Program crash (1 IoC)
  Processes:
    pid    pid_target    process         target process
    1288   1824          WerFault.exe    rundll32.exe

- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
    pid    process
    1288   WerFault.exe
    1288   WerFault.exe
    1288   WerFault.exe
    1288   WerFault.exe

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description                pid    process
    Token: SeDebugPrivilege    1288   WerFault.exe

- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
    description                         pid    process         target process
    PID 1756 wrote to memory of 1824    1756   rundll32.exe    rundll32.exe
    PID 1756 wrote to memory of 1824    1756   rundll32.exe    rundll32.exe
    PID 1756 wrote to memory of 1824    1756   rundll32.exe    rundll32.exe
    PID 1756 wrote to memory of 1824    1756   rundll32.exe    rundll32.exe
    PID 1756 wrote to memory of 1824    1756   rundll32.exe    rundll32.exe
    PID 1756 wrote to memory of 1824    1756   rundll32.exe    rundll32.exe
    PID 1756 wrote to memory of 1824    1756   rundll32.exe    rundll32.exe
    PID 1824 wrote to memory of 1288    1824   rundll32.exe    WerFault.exe
    PID 1824 wrote to memory of 1288    1824   rundll32.exe    WerFault.exe
    PID 1824 wrote to memory of 1288    1824   rundll32.exe    WerFault.exe
    PID 1824 wrote to memory of 1288    1824   rundll32.exe    WerFault.exe
Processes

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\27962c066713cb102b9972e0cadb98290fc95d67e2b9377a5e03640cbe7ac841.dll,#1
  PID: 1756
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\27962c066713cb102b9972e0cadb98290fc95d67e2b9377a5e03640cbe7ac841.dll,#1
    PID: 1824
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1824 -s 244
      PID: 1288
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads

- memory/1288-1-0x0000000000000000-mapping.dmp
- memory/1288-2-0x0000000001F50000-0x0000000001F61000-memory.dmp (Filesize: 68KB)
- memory/1288-4-0x0000000002700000-0x0000000002711000-memory.dmp (Filesize: 68KB)
- memory/1824-0-0x0000000000000000-mapping.dmp
- memory/1824-3-0x0000000000000000-mapping.dmp