Overview

overview

10

Static

static

10

27962c0667...41.dll

windows7_x64

10

27962c0667...41.dll

windows10_x64

10

Analysis

  • max time kernel
    12s
  • max time network
    70s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    15-11-2020 22:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    27962c066713cb102b9972e0cadb98290fc95d67e2b9377a5e03640cbe7ac841.dll

  • Size

    469KB

  • MD5

    833765960517f095d4ed2d8877bc254d

  • SHA1

    883c469d97edab7f99f1668ac3b25742f35e380f

  • SHA256

    27962c066713cb102b9972e0cadb98290fc95d67e2b9377a5e03640cbe7ac841

  • SHA512

    afa59745f9d43db1f4b451a2c36d09b395cefc9f0a923808ba4e2155ba1680de54f0cb91b3f2e6d37d17f7abb8c0e79fdf8215c859d1a785998969d4e2bfee54

Score
10/10
cobaltstrikebackdoortrojan

Malware Config

Signatures

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

    trojanbackdoorcobaltstrike
  • ServiceHost packer 3 IoCs

    Detects ServiceHost packer used for .NET malware

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\27962c066713cb102b9972e0cadb98290fc95d67e2b9377a5e03640cbe7ac841.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1036
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\27962c066713cb102b9972e0cadb98290fc95d67e2b9377a5e03640cbe7ac841.dll,#1
      2⤵
        PID:1232
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1232 -s 656
          3⤵
          • Program crash
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:416

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/416-1-0x00000000046E0000-0x00000000046E1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/416-5-0x00000000050D0000-0x00000000050D1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/416-8-0x00000000050D0000-0x00000000050D1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1232-0-0x0000000000000000-mapping.dmp
      Download
    • memory/1232-2-0x0000000000000000-mapping.dmp
      Download
    • memory/1232-3-0x0000000000000000-mapping.dmp
      Download
    • memory/1232-4-0x0000000000000000-mapping.dmp
      Download