Analysis

max time kernel: 9s
max time network: 12s
platform: windows7_x64
resource: win7v20201028
submitted: 15-11-2020 22:37
Static task: static1

Behavioral task: behavioral1
  Sample: 921ba3ee946b8cf59df3ee83b8824a254bc7b69e68c5c6d63af1497c0930cbb9.dll
  Resource: win7v20201028

Behavioral task: behavioral2
  Sample: 921ba3ee946b8cf59df3ee83b8824a254bc7b69e68c5c6d63af1497c0930cbb9.dll
  Resource: win10v20201028
General

Target: 921ba3ee946b8cf59df3ee83b8824a254bc7b69e68c5c6d63af1497c0930cbb9.dll
Size: 204KB
MD5: 111e86e4e8ff48b9090e8d46ba7d3ced
SHA1: a814327f5f21e7fe932e43818b4d6e044bf3c061
SHA256: 921ba3ee946b8cf59df3ee83b8824a254bc7b69e68c5c6d63af1497c0930cbb9
SHA512: 4bf30c67eb6c103de3afb8980679329667bbd007b6d2e36155172c565cba97ac0e12f7e90703c662f696c14a91e7b5a99ec4acc6c13910295b7254dbee8f9a7c
Malware Config
Signatures

Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.

Program crash (1 IoC)
  Processes:
  pid   pid_target   process        target process
  2044  1840         WerFault.exe   rundll32.exe

Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes:
  pid   process
  2044  WerFault.exe   (5 occurrences)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description                 pid   process
  Token: SeDebugPrivilege     2044  WerFault.exe

Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
  description                            pid   process        target process
  PID 1032 wrote to memory of 1840       1032  rundll32.exe   rundll32.exe   (7 occurrences)
  PID 1840 wrote to memory of 2044       1840  rundll32.exe   WerFault.exe   (4 occurrences)
Processes

C:\Windows\system32\rundll32.exe (PID 1032)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\921ba3ee946b8cf59df3ee83b8824a254bc7b69e68c5c6d63af1497c0930cbb9.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe (PID 1840)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\921ba3ee946b8cf59df3ee83b8824a254bc7b69e68c5c6d63af1497c0930cbb9.dll,#1
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WerFault.exe (PID 2044)
      C:\Windows\SysWOW64\WerFault.exe -u -p 1840 -s 232
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
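The tree above is a common shape for a Cobalt Strike DLL detonated through rundll32: the 64-bit rundll32 in system32 is handed a 32-bit DLL and re-launches the SysWOW64 copy with the same arguments, the DLL is entered by ordinal (`,#1`) from a user-writable temp directory, and the 32-bit loader then crashes, so WerFault attaches to it with SeDebugPrivilege. The Network section of this report records nothing, which is consistent with the loader dying within the 9-second kernel window. The following script is an added example, not part of the Triage report, that turns those three observations into checks over a process-event list. The `ProcEvent` records, the parent links and the extra benign `shell32.dll,Control_RunDLL` baseline event are constructed here from the PIDs and command lines shown on this page; the regular expressions and function names are the example's own.

```python
"""Checks over a constructed process-event list modelled on this report's
rundll32 -> rundll32 (WOW64) -> WerFault chain. Example code added to the
page; the event list is built from the report's PIDs and command lines."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Sample path exactly as it appears in the report's process tree.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp\921ba3ee946b8cf59df3ee83b8824a254b"
          r"c7b69e68c5c6d63af1497c0930cbb9.dll")


@dataclass
class ProcEvent:
    pid: int
    ppid: Optional[int]
    image: str       # full path of the executable
    cmdline: str


# Constructed from the report: PIDs 1032 -> 1840 -> 2044 (parent links follow the
# WriteProcessMemory IoCs). PID 500 is an assumed benign rundll32 baseline, not
# from the report, to show the ordinal check does not fire on a named export.
EVENTS = [
    ProcEvent(1032, None, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {SAMPLE},#1"),
    ProcEvent(1840, 1032, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {SAMPLE},#1"),
    ProcEvent(2044, 1840, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -u -p 1840 -s 232"),
    ProcEvent(500, None, r"C:\Windows\system32\rundll32.exe",
              r"rundll32.exe C:\Windows\system32\shell32.dll,Control_RunDLL"),
]

# rundll32 <path>.dll,#<ordinal>  (export called by ordinal rather than by name)
ORDINAL_RE = re.compile(r"rundll32(?:\.exe)?\s+(?P<dll>.+?\.dll)\s*,\s*#(?P<ordinal>\d+)", re.I)
# WerFault.exe ... -p <pid>  (pid of the process that faulted)
WERFAULT_RE = re.compile(r"WerFault\.exe\s+.*?-p\s+(?P<pid>\d+)", re.I)
# Per-user temp directory, writable without elevation.
USER_TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)


def ordinal_loads(events: List[ProcEvent]) -> List[Tuple[int, str, int]]:
    """rundll32 calls of a DLL export by ordinal where the DLL lives in %LOCALAPPDATA%\\Temp."""
    hits = []
    for ev in events:
        m = ORDINAL_RE.search(ev.cmdline)
        if m and USER_TEMP_RE.search(m["dll"]):
            hits.append((ev.pid, m["dll"], int(m["ordinal"])))
    return hits


def wow64_handoffs(events: List[ProcEvent]) -> List[Tuple[int, int]]:
    """system32\\rundll32.exe spawning SysWOW64\\rundll32.exe with an identical command line:
    the 64-bit rundll32 does this itself when the DLL it was given is a 32-bit image."""
    by_pid = {ev.pid: ev for ev in events}
    pairs = []
    for ev in events:
        parent = by_pid.get(ev.ppid)
        if (parent is not None
                and parent.image.lower().endswith(r"\system32\rundll32.exe")
                and ev.image.lower().endswith(r"\syswow64\rundll32.exe")
                and ev.cmdline.lower() == parent.cmdline.lower()):
            pairs.append((parent.pid, ev.pid))
    return pairs


def crashed_loaders(events: List[ProcEvent]) -> List[Tuple[int, int, Optional[str]]]:
    """Map each WerFault -p <pid> back to the faulting process and the DLL it had loaded."""
    by_pid = {ev.pid: ev for ev in events}
    out = []
    for ev in events:
        m = WERFAULT_RE.search(ev.cmdline)
        if not m:
            continue
        victim = by_pid.get(int(m["pid"]))
        dll = None
        if victim is not None:
            lm = ORDINAL_RE.search(victim.cmdline)
            dll = lm["dll"] if lm else None
        out.append((ev.pid, int(m["pid"]), dll))
    return out


def summarize(events: List[ProcEvent]) -> List[str]:
    """Human-readable findings; one line per matched check."""
    findings = []
    for pid, dll, ordn in ordinal_loads(events):
        findings.append(f"pid {pid}: rundll32 called export #{ordn} of {dll} (user temp dir)")
    for parent, child in wow64_handoffs(events):
        findings.append(f"pid {parent} -> {child}: 64-bit rundll32 re-launched the SysWOW64 copy "
                        f"with the same DLL (32-bit payload)")
    for wer, victim, dll in crashed_loaders(events):
        findings.append(f"pid {wer}: WerFault attached to pid {victim} after it loaded {dll}")
    return findings


if __name__ == "__main__":
    for line in summarize(EVENTS):
        print(line)
```

On the events above this yields two ordinal-load findings (PIDs 1032 and 1840), one WOW64 handoff (1032 to 1840) and one crash attribution (WerFault 2044 for 1840), while the benign `shell32.dll,Control_RunDLL` launch matches nothing. The ordinal check alone is a weak signal (legitimate installers also call exports by ordinal); it is the combination with a user-writable source path, the WOW64 re-launch and a crash in the first seconds that matches what this report shows.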
Network
MITRE ATT&CK Matrix
Downloads

memory/1840-0-0x0000000000000000-mapping.dmp
memory/1840-3-0x0000000000000000-mapping.dmp
memory/2044-1-0x0000000000000000-mapping.dmp
memory/2044-2-0x0000000002080000-0x0000000002091000-memory.dmp (filesize 68KB)
memory/2044-4-0x0000000002550000-0x0000000002561000-memory.dmp (filesize 68KB)