Analysis
- max time kernel: 31s
- max time network: 120s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 15-11-2020 23:12
Static task: static1
Behavioral task: behavioral1
- Sample: 83672444b1fa6ec5a69b5fd0c06603c4fc4a87e35e04095a9653e19f657c496b.dll
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: 83672444b1fa6ec5a69b5fd0c06603c4fc4a87e35e04095a9653e19f657c496b.dll
- Resource: win10v20201028
General
- Target: 83672444b1fa6ec5a69b5fd0c06603c4fc4a87e35e04095a9653e19f657c496b.dll
- Size: 244KB
- MD5: 51e0e3b8aaff688cf4287aec0fd84790
- SHA1: c0d4493834925e65a93e81fc4b257d6a799d20c1
- SHA256: 83672444b1fa6ec5a69b5fd0c06603c4fc4a87e35e04095a9653e19f657c496b
- SHA512: 5e8f0950274617eaf87ba12800123dedf2cbc63c8f99f2aec0672e6c994a544e76f89525b6bde77eca31ddfd537dba1cad7243a58a354e659f279ee7641364ce
Malware Config
Signatures
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
- Program crash (1 IoC)
  Processes:
    pid   pid_target  process       target process
    2028  1392        WerFault.exe  rundll32.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
    pid   process
    2028  WerFault.exe  (4 identical entries)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  2028  WerFault.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
    description                       pid   process       target process
    PID 1632 wrote to memory of 1392  1632  rundll32.exe  rundll32.exe  (7 identical entries)
    PID 1392 wrote to memory of 2028  1392  rundll32.exe  WerFault.exe  (4 identical entries)
Processes
- C:\Windows\system32\rundll32.exe (PID 1632)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\83672444b1fa6ec5a69b5fd0c06603c4fc4a87e35e04095a9653e19f657c496b.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 1392)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\83672444b1fa6ec5a69b5fd0c06603c4fc4a87e35e04095a9653e19f657c496b.dll,#1
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe (PID 2028)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 196
      Signatures: Program crash; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
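The process tree above carries three observations a reviewer should pull out of it: rundll32.exe loads the sample from the user's AppData\Local\Temp directory by export ordinal (#1); the 64-bit system32 rundll32.exe re-launches the SysWOW64 copy on the same DLL (the parent-to-child WriteProcessMemory entries between the two rundll32 processes), which is consistent with the sample being a 32-bit image; and WerFault.exe is started with -p 1392, i.e. the 32-bit rundll32 host crashed while running the DLL. The SeDebugPrivilege and process-enumeration signatures are raised on WerFault.exe, the Windows Error Reporting fault handler, so they describe crash handling rather than behaviour of the payload itself. The following is an added example, not part of the report and not the sandbox's own detection logic: a small triage pass over process-creation events (Sysmon Event ID 1 style fields, an assumed shape) that reproduces those three findings. The events are constructed from the report's tree; the parent PID 1000 of the top-level processes is an assumed sandbox launcher, and PID 3000 is a benign control that must not be flagged.

```python
# Added example (not part of the sandbox report or of any vendor's detection
# logic): a triage pass over process-creation events reproducing the
# observations a reviewer takes from the rundll32 / WerFault process tree.
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    """Process-creation event (Sysmon Event ID 1 style fields; assumed shape)."""
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str    # its command line


# rundll32 invocation: [path\]rundll32[.exe] <dll>,<entry> [args]
RUNDLL_RE = re.compile(r'^\s*"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+(.*)$', re.IGNORECASE)
# DLL sitting under a user's %LOCALAPPDATA%\Temp, as in the report
USER_TEMP_RE = re.compile(r'\\Users\\[^\\]+\\AppData\\Local\\Temp\\', re.IGNORECASE)


def parse_rundll32(cmdline: str) -> Optional[Tuple[str, str]]:
    """Return (dll_path, entry) from a rundll32 command line, or None if it is
    not a rundll32 invocation. entry is '#<ordinal>' or an export name, and
    is '' when no entry point was given."""
    m = RUNDLL_RE.match(cmdline)
    if not m:
        return None
    rest = m.group(1).strip()
    if rest.startswith('"'):                 # quoted DLL path (may contain spaces)
        end = rest.find('"', 1)
        if end < 0:
            return None
        dll, tail = rest[1:end], rest[end + 1:]
    else:                                    # unquoted: path runs to the first comma
        m2 = re.match(r'([^,\s]+)(.*)', rest)
        if not m2:
            return None
        dll, tail = m2.group(1), m2.group(2)
    tail = tail.lstrip()
    entry = ''
    if tail.startswith(',') and tail[1:].strip():
        entry = tail[1:].split(None, 1)[0]   # entry ends at the first whitespace
    return dll, entry


def is_ordinal(entry: str) -> bool:
    """True for '#1', '#12', ... (export referenced by ordinal, not by name)."""
    return entry.startswith('#') and entry[1:].isdigit()


def werfault_target(cmdline: str) -> Optional[int]:
    """PID named by WerFault.exe's -p switch (the process that crashed)."""
    m = re.search(r'(?:^|\s)-p\s+(\d+)', cmdline)
    return int(m.group(1)) if m else None


def _basename(path: str) -> str:
    return path.rsplit('\\', 1)[-1].lower()


def triage(events: Iterable[ProcEvent]) -> List[Tuple[int, str, str]]:
    """Return (pid, finding, detail) triples for: rundll32 loading a DLL from a
    user temp directory by ordinal, the 64-bit rundll32 re-launching the
    SysWOW64 copy on the same DLL, and WerFault.exe handling a crash of a
    rundll32 host."""
    events = list(events)
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = _basename(e.image)
        if name == 'rundll32.exe':
            parsed = parse_rundll32(e.cmdline)
            if parsed is None:
                continue
            dll, entry = parsed
            if USER_TEMP_RE.search(dll) and is_ordinal(entry):
                findings.append((e.pid, 'rundll32_temp_dll_ordinal', f'{dll},{entry}'))
            parent = by_pid.get(e.ppid)
            if parent is not None and _basename(parent.image) == 'rundll32.exe':
                pparsed = parse_rundll32(parent.cmdline)
                if (pparsed is not None and pparsed[0].lower() == dll.lower()
                        and '\\syswow64\\' in e.image.lower()):
                    findings.append((e.pid, 'rundll32_wow64_relaunch',
                                     f'pid {parent.pid} -> pid {e.pid} on {dll}'))
        elif name == 'werfault.exe':
            crashed = by_pid.get(werfault_target(e.cmdline) or -1)
            if crashed is not None and _basename(crashed.image) == 'rundll32.exe':
                cparsed = parse_rundll32(crashed.cmdline)
                findings.append((e.pid, 'rundll32_host_crashed',
                                 cparsed[0] if cparsed else crashed.cmdline))
    return findings


# Constructed events mirroring the report's process tree (ppid 1000 for the
# top-level processes is an assumed sandbox launcher; pid 3000 is a benign
# control that must not be flagged).
DLL = (r'C:\Users\Admin\AppData\Local\Temp'
       r'\83672444b1fa6ec5a69b5fd0c06603c4fc4a87e35e04095a9653e19f657c496b.dll')
SAMPLE_EVENTS = [
    ProcEvent(1632, 1000, r'C:\Windows\system32\rundll32.exe', f'rundll32.exe {DLL},#1'),
    ProcEvent(1392, 1632, r'C:\Windows\SysWOW64\rundll32.exe', f'rundll32.exe {DLL},#1'),
    ProcEvent(2028, 1392, r'C:\Windows\SysWOW64\WerFault.exe',
              r'C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 196'),
    ProcEvent(3000, 1000, r'C:\Windows\system32\rundll32.exe',
              r'rundll32.exe C:\Windows\system32\shell32.dll,Control_RunDLL'),
]

if __name__ == '__main__':
    for pid, finding, detail in triage(SAMPLE_EVENTS):
        print(f'{pid:>5}  {finding:<28} {detail}')
```

Run stand-alone it prints four findings: the temp-directory ordinal load for PIDs 1632 and 1392, the WoW64 re-launch for PID 1392, and the crashed host for PID 2028; the shell32.dll control produces nothing. The same functions can be pointed at real Sysmon or EDR process events once they are mapped onto the ProcEvent fields.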
Network
MITRE ATT&CK Matrix
Downloads
- memory/1392-0-0x0000000000000000-mapping.dmp
- memory/1392-3-0x0000000000000000-mapping.dmp
- memory/2028-1-0x0000000000000000-mapping.dmp
- memory/2028-2-0x0000000001FD0000-0x0000000001FE1000-memory.dmp (filesize 68KB)
- memory/2028-4-0x0000000002560000-0x0000000002571000-memory.dmp (filesize 68KB)