Analysis
max time kernel: 16s
max time network: 113s
platform: windows10_x64
resource: win10v20201028
submitted: 15-11-2020 22:46

Static task: static1
Behavioral task: behavioral1
  Sample: 2b06e5a59feeafa3d75239fd0ade197eaede91209c24950ffea1a89ae5bd3877.dll
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: 2b06e5a59feeafa3d75239fd0ade197eaede91209c24950ffea1a89ae5bd3877.dll
  Resource: win10v20201028
General
Target: 2b06e5a59feeafa3d75239fd0ade197eaede91209c24950ffea1a89ae5bd3877.dll
Size: 206KB
MD5: c70b84a85cb5f921b3ade9c7e2715bcf
SHA1: e17ea5f874c5e8bfd90d2fcd96fb7dfd48c4a0f5
SHA256: 2b06e5a59feeafa3d75239fd0ade197eaede91209c24950ffea1a89ae5bd3877
SHA512: 1281e8cc8c66c34f7e9f34b3fc52531dda58c51af7ad8ef4fa52142f7289878e3d567c2fc146d9f2d942c2819d2dc2d7d68a6f6512b98cb3240d13a2d39b91db
Malware Config
Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.

ServiceHost packer (4 IoCs)
Detects ServiceHost packer used for .NET malware
resource                                                   yara_rule
behavioral2/memory/1476-3-0x0000000000000000-mapping.dmp   servicehost
behavioral2/memory/1476-2-0x0000000000000000-mapping.dmp   servicehost
behavioral2/memory/1476-4-0x0000000000000000-mapping.dmp   servicehost
behavioral2/memory/1476-5-0x0000000000000000-mapping.dmp   servicehost

Program crash (1 IoC)
pid    pid_target   process        target process
3228   1476         WerFault.exe   rundll32.exe

Suspicious behavior: EnumeratesProcesses (14 IoCs)
pid    process
3228   WerFault.exe   (reported 14 times)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description                  pid    process
Token: SeRestorePrivilege    3228   WerFault.exe
Token: SeBackupPrivilege     3228   WerFault.exe
Token: SeDebugPrivilege      3228   WerFault.exe

Suspicious use of WriteProcessMemory (3 IoCs)
description                        pid   process        target process
PID 880 wrote to memory of 1476    880   rundll32.exe   rundll32.exe   (reported 3 times)
Processes
1. C:\Windows\system32\rundll32.exe (PID 880, per the WriteProcessMemory table)
   rundll32.exe C:\Users\Admin\AppData\Local\Temp\2b06e5a59feeafa3d75239fd0ade197eaede91209c24950ffea1a89ae5bd3877.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe (PID 1476, target of the write and of the crash handler)
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\2b06e5a59feeafa3d75239fd0ade197eaede91209c24950ffea1a89ae5bd3877.dll,#1
      3. C:\Windows\SysWOW64\WerFault.exe (PID 3228)
         C:\Windows\SysWOW64\WerFault.exe -u -p 1476 -s 660
         - Program crash
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
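The process tree above is the behavioural half of this report: a DLL in the user's Temp directory loaded through rundll32.exe by ordinal export (#1), the 64-bit rundll32 re-launching its SysWOW64 copy with the same DLL, a parent-to-child memory write, and WerFault handling a crash of that child (-p 1476). The script below codifies those four observations as a process-tree check. It is an added example, not code from the sandbox or the report; the event records are constructed to mirror the reported tree, and their schema, the placeholder parent PID 4040 and the WEIGHTS table are assumptions made for the example.

```python
"""Codify the behavioural signatures from the report as a process-tree check.

Added example, not part of the sandbox report or its tooling. The event
records below are constructed to mirror the reported tree
(rundll32 880 -> rundll32 1476 -> WerFault 3228); their schema, the parent
PID 4040 and the WEIGHTS table are assumptions made for the example.
"""
import re

SAMPLE_DLL = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\2b06e5a59feeafa3d75239fd0ade197eaede91209c24950ffea1a89ae5bd3877.dll")

# Constructed telemetry: process creations plus one cross-process memory write.
EVENTS = [
    {"type": "create", "pid": 880, "ppid": 4040,
     "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": f"rundll32.exe {SAMPLE_DLL},#1"},
    {"type": "create", "pid": 1476, "ppid": 880,
     "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": f"rundll32.exe {SAMPLE_DLL},#1"},
    {"type": "write_memory", "pid": 880, "target_pid": 1476},
    {"type": "create", "pid": 3228, "ppid": 1476,
     "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 1476 -s 660"},
]

RUNDLL_ARGS = re.compile(r"rundll32\.exe\s+(?P<dll>.+?\.dll)\s*,\s*(?P<export>#?\w+)", re.I)
USER_TEMP = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)
WERFAULT_PID = re.compile(r"-p\s+(?P<pid>\d+)")

# Assumed weights: the WoW64 re-spawn is how 64-bit rundll32 hands a 32-bit DLL
# to its 32-bit twin, so it carries no weight of its own.
WEIGHTS = {"rundll32_ordinal_from_temp": 3, "wow64_rundll32_respawn": 0,
           "parent_writes_child_memory": 1, "rundll32_payload_crashed": 2}


def _is(image, exe):
    return image.lower().endswith("\\" + exe)


def analyze(events):
    """Return (finding, pid) pairs for the patterns the report flagged."""
    procs = {e["pid"]: e for e in events if e["type"] == "create"}
    findings = []
    for p in procs.values():
        m = RUNDLL_ARGS.search(p["cmdline"]) if _is(p["image"], "rundll32.exe") else None
        if not m:
            continue
        # A DLL in the user's Temp directory invoked by ordinal export (#1).
        if USER_TEMP.search(m["dll"]) and m["export"].startswith("#"):
            findings.append(("rundll32_ordinal_from_temp", p["pid"]))
        # system32\rundll32 re-launching SysWOW64\rundll32 with the same DLL.
        parent = procs.get(p["ppid"])
        if parent and _is(parent["image"], "rundll32.exe") and "\\syswow64\\" in p["image"].lower():
            pm = RUNDLL_ARGS.search(parent["cmdline"])
            if pm and pm["dll"].lower() == m["dll"].lower():
                findings.append(("wow64_rundll32_respawn", p["pid"]))
    for e in events:
        # WriteProcessMemory from a parent into the child it created.
        if e["type"] == "write_memory" and procs.get(e["target_pid"], {}).get("ppid") == e["pid"]:
            findings.append(("parent_writes_child_memory", e["target_pid"]))
    for p in procs.values():
        # WerFault -p <pid> names the crashed process; tie it back to rundll32.
        if _is(p["image"], "werfault.exe"):
            m = WERFAULT_PID.search(p["cmdline"])
            crashed = procs.get(int(m["pid"])) if m else None
            if crashed and _is(crashed["image"], "rundll32.exe"):
                findings.append(("rundll32_payload_crashed", crashed["pid"]))
    return findings


def score(findings):
    """Each finding kind counts once, whatever the number of PIDs it hit."""
    return sum(WEIGHTS[kind] for kind in {kind for kind, _ in findings})


if __name__ == "__main__":
    found = analyze(EVENTS)
    for kind, pid in found:
        print(f"{kind:28s} pid={pid}")
    print("score", score(found))
```

Two caveats when reusing this outside a sandbox. A 64-bit rundll32.exe launching C:\Windows\SysWOW64\rundll32.exe for a 32-bit DLL, and the parent writing into the child it has just created, are what ordinary process creation commonly looks like in API-hook telemetry, which is why the example gives the re-spawn no weight and the write only a little; the signal here comes from the Temp-directory path, the ordinal export and the crash of the child. The Cobaltstrike and ServiceHost packer hits in the report are YARA matches on memory dumps of PID 1476, not something this tree logic can reproduce.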
Network
MITRE ATT&CK Matrix
Downloads
memory/1476-0-0x0000000000000000-mapping.dmp
memory/1476-3-0x0000000000000000-mapping.dmp
memory/1476-2-0x0000000000000000-mapping.dmp
memory/1476-4-0x0000000000000000-mapping.dmp
memory/1476-5-0x0000000000000000-mapping.dmp
memory/3228-1-0x0000000004F00000-0x0000000004F01000-memory.dmp (Filesize: 4KB)
memory/3228-6-0x0000000005770000-0x0000000005771000-memory.dmp (Filesize: 4KB)
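The dump names in the Downloads list encode which process they came from and, for the two memory dumps, the address range that was captured. The parser below pulls those fields out, groups dumps by PID and cross-checks each memory dump's range against the size printed beside it (0x4F00000 to 0x4F01000 is 0x1000 bytes, i.e. the 4KB shown). It is an added example, not sandbox code; the naming convention memory/<pid>-<seq>-<start>[-<end>]-<mapping|memory>.dmp is inferred from the names on this page and is an assumption, not documented behaviour of the sandbox.

```python
"""Parse memory-dump names from a sandbox report's Downloads list.

Added example, not part of the report. The naming convention
memory/<pid>-<seq>-<start>[-<end>]-<mapping|memory>.dmp is inferred from
the names on the page (an assumption, not documented by the sandbox).
"""
import re

DUMP_NAME = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-(?P<start>0x[0-9A-Fa-f]+)"
    r"(?:-(?P<end>0x[0-9A-Fa-f]+))?-(?P<kind>mapping|memory)\.dmp$")

UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2}

# Constructed from the report's Downloads list: (name, reported size or None).
DOWNLOADS = [
    ("memory/1476-0-0x0000000000000000-mapping.dmp", None),
    ("memory/1476-3-0x0000000000000000-mapping.dmp", None),
    ("memory/1476-2-0x0000000000000000-mapping.dmp", None),
    ("memory/1476-4-0x0000000000000000-mapping.dmp", None),
    ("memory/1476-5-0x0000000000000000-mapping.dmp", None),
    ("memory/3228-1-0x0000000004F00000-0x0000000004F01000-memory.dmp", "4KB"),
    ("memory/3228-6-0x0000000005770000-0x0000000005771000-memory.dmp", "4KB"),
]


def parse_size(text):
    """'4KB' -> 4096. Accepts B, KB, MB; raises on anything else."""
    m = re.fullmatch(r"(\d+)\s*(B|KB|MB)", text.strip(), re.I)
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(m[1]) * UNITS[m[2].upper()]


def parse_dump(name):
    """Return the fields encoded in a dump name, or None if it does not match."""
    m = DUMP_NAME.match(name)
    if not m:
        return None
    start = int(m["start"], 16)
    end = int(m["end"], 16) if m["end"] else None
    return {"pid": int(m["pid"]), "seq": int(m["seq"]), "kind": m["kind"],
            "start": start, "end": end,
            "length": (end - start) if end is not None else None}


def check_downloads(items):
    """Group dumps by PID and flag any 'memory' dump whose address range
    disagrees with the size the report printed next to it."""
    by_pid, mismatches = {}, []
    for name, size in items:
        d = parse_dump(name)
        if d is None:
            mismatches.append((name, "unparsed"))
            continue
        by_pid.setdefault(d["pid"], []).append(d)
        if d["kind"] == "memory" and size is not None:
            expected = parse_size(size)
            if d["length"] != expected:
                mismatches.append((name, f"range {d['length']} != reported {expected}"))
    return by_pid, mismatches


if __name__ == "__main__":
    grouped, bad = check_downloads(DOWNLOADS)
    for pid, dumps in sorted(grouped.items()):
        print(pid, [(d["seq"], d["kind"], d["length"]) for d in dumps])
    print("mismatches:", bad)
```

The "mapping" dumps carry a zero start address and no end, so the parser reports their length as None rather than guessing; only the two "memory" dumps of PID 3228 (WerFault.exe) have a range to verify.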