Analysis
- max time kernel: 4s
- max time network: 13s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 15-11-2020 22:46
Static task: static1
Behavioral task: behavioral1
- Sample: 2b06e5a59feeafa3d75239fd0ade197eaede91209c24950ffea1a89ae5bd3877.dll
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: 2b06e5a59feeafa3d75239fd0ade197eaede91209c24950ffea1a89ae5bd3877.dll
- Resource: win10v20201028
General
- Target: 2b06e5a59feeafa3d75239fd0ade197eaede91209c24950ffea1a89ae5bd3877.dll
- Size: 206KB
- MD5: c70b84a85cb5f921b3ade9c7e2715bcf
- SHA1: e17ea5f874c5e8bfd90d2fcd96fb7dfd48c4a0f5
- SHA256: 2b06e5a59feeafa3d75239fd0ade197eaede91209c24950ffea1a89ae5bd3877
- SHA512: 1281e8cc8c66c34f7e9f34b3fc52531dda58c51af7ad8ef4fa52142f7289878e3d567c2fc146d9f2d942c2819d2dc2d7d68a6f6512b98cb3240d13a2d39b91db
Malware Config
Signatures
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
- Program crash (1 IoC)
  Processes (pid | pid_target | process | target process):
  1288 | 1252 | WerFault.exe | rundll32.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes (pid | process):
  1288 | WerFault.exe (4 identical entries)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description | pid | process):
  Token: SeDebugPrivilege | 1288 | WerFault.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (description | pid | process | target process):
  PID 1084 wrote to memory of 1252 | 1084 | rundll32.exe | rundll32.exe (7 identical entries)
  PID 1252 wrote to memory of 1288 | 1252 | rundll32.exe | WerFault.exe (4 identical entries)
Processes
- C:\Windows\system32\rundll32.exe (PID 1084, depth 1)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2b06e5a59feeafa3d75239fd0ade197eaede91209c24950ffea1a89ae5bd3877.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 1252, depth 2)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2b06e5a59feeafa3d75239fd0ade197eaede91209c24950ffea1a89ae5bd3877.dll,#1
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe (PID 1288, depth 3)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1252 -s 244
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/1252-0-0x0000000000000000-mapping.dmp
- memory/1252-3-0x0000000000000000-mapping.dmp
- memory/1288-1-0x0000000000000000-mapping.dmp
- memory/1288-2-0x0000000002250000-0x0000000002261000-memory.dmp (Filesize 68KB)
- memory/1288-4-0x00000000027F0000-0x0000000002801000-memory.dmp (Filesize 68KB)