Analysis
- max time kernel: 53s
- max time network: 112s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 15-11-2020 22:37
Static task: static1
Behavioral task: behavioral1
- Sample: 921ba3ee946b8cf59df3ee83b8824a254bc7b69e68c5c6d63af1497c0930cbb9.dll
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: 921ba3ee946b8cf59df3ee83b8824a254bc7b69e68c5c6d63af1497c0930cbb9.dll
- Resource: win10v20201028
General
- Target: 921ba3ee946b8cf59df3ee83b8824a254bc7b69e68c5c6d63af1497c0930cbb9.dll
- Size: 204KB
- MD5: 111e86e4e8ff48b9090e8d46ba7d3ced
- SHA1: a814327f5f21e7fe932e43818b4d6e044bf3c061
- SHA256: 921ba3ee946b8cf59df3ee83b8824a254bc7b69e68c5c6d63af1497c0930cbb9
- SHA512: 4bf30c67eb6c103de3afb8980679329667bbd007b6d2e36155172c565cba97ac0e12f7e90703c662f696c14a91e7b5a99ec4acc6c13910295b7254dbee8f9a7c
Malware Config
Signatures
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
- ServiceHost packer (3 IoCs)
  Detects ServiceHost packer used for .NET malware
  Processes:
    resource | yara_rule
    behavioral2/memory/1596-3-0x0000000000000000-mapping.dmp | servicehost
    behavioral2/memory/1596-2-0x0000000000000000-mapping.dmp | servicehost
    behavioral2/memory/1596-4-0x0000000000000000-mapping.dmp | servicehost
- Program crash (1 IoC)
  Processes:
    pid | pid_target | process | target process
    3780 | 1596 | WerFault.exe | rundll32.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes:
    pid | process
    3780 | WerFault.exe (the same row is repeated 14 times)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    description | pid | process
    Token: SeRestorePrivilege | 3780 | WerFault.exe
    Token: SeBackupPrivilege | 3780 | WerFault.exe
    Token: SeDebugPrivilege | 3780 | WerFault.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description | pid | process | target process
    PID 412 wrote to memory of 1596 | 412 | rundll32.exe | rundll32.exe
    PID 412 wrote to memory of 1596 | 412 | rundll32.exe | rundll32.exe
    PID 412 wrote to memory of 1596 | 412 | rundll32.exe | rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\921ba3ee946b8cf59df3ee83b8824a254bc7b69e68c5c6d63af1497c0930cbb9.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\921ba3ee946b8cf59df3ee83b8824a254bc7b69e68c5c6d63af1497c0930cbb9.dll,#1
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1596 -s 636
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/1596-0-0x0000000000000000-mapping.dmp
- memory/1596-3-0x0000000000000000-mapping.dmp
- memory/1596-2-0x0000000000000000-mapping.dmp
- memory/1596-4-0x0000000000000000-mapping.dmp
- memory/3780-1-0x0000000005170000-0x0000000005171000-memory.dmp (Filesize: 4KB)
- memory/3780-5-0x0000000005930000-0x0000000005931000-memory.dmp (Filesize: 4KB)