Analysis
- max time kernel: 7s
- max time network: 14s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 17-11-2020 11:53
Static task
- static1
Behavioral task
- behavioral1
  Sample: 306393ab257690d610aa142d02d998fe.dll
  Resource: win7v20201028 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task
- behavioral2
  Sample: 306393ab257690d610aa142d02d998fe.dll
  Resource: win10v20201028 (windows10_x64)
  0 signatures, 0 seconds
General
- Target: 306393ab257690d610aa142d02d998fe.dll
- Size: 244KB
- MD5: d752b2cb852d6a8f16b64cbcb1b3e2b3
- SHA1: af9f2204d1354b77e19bc2b96612ba5276671a04
- SHA256: 17fd50b6a70ae468b1fe38e632885d40c2abc590da13487466ed7dc2e016852b
- SHA512: 517de35b8afe36c70ef2a227679f740f0adeae5fca813dd2a237453057e19cf740f9d2daa8e0e23998fa114b4ed02c732355125403aa1d41b26400867f338588
- Score: 10/10
Malware Config
Signatures
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
- Program crash (1 IoC)
  Processes:
    pid   pid_target  process       target process
    1488  1932        WerFault.exe  rundll32.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
    pid   process
    1488  WerFault.exe  (4 events)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  1488  WerFault.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
    description                       pid   process       target process
    PID 744 wrote to memory of 1932   744   rundll32.exe  rundll32.exe  (7 events)
    PID 1932 wrote to memory of 1488  1932  rundll32.exe  WerFault.exe  (4 events)
Processes
- C:\Windows\system32\rundll32.exe (PID 744)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\306393ab257690d610aa142d02d998fe.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 1932)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\306393ab257690d610aa142d02d998fe.dll,#1
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe (PID 1488)
      C:\Windows\SysWOW64\WerFault.exe -u -p 1932 -s 196
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

Reading the tree: the 64-bit rundll32.exe in System32 re-launching its SysWOW64 counterpart with identical arguments is rundll32's normal handling of a 32-bit DLL, and a parent writing into a child it has just created (the seven 744 -> 1932 WriteProcessMemory events, and likewise 1932 -> 1488) is part of ordinary process creation, so those IoCs carry little weight on their own. The facts worth acting on are the DLL being loaded from the user's Temp directory and invoked by ordinal (#1), the crash of the 32-bit host (WerFault's -p 1932 names the faulting process, so the payload did not keep running in this environment), and the Cobaltstrike signature, which fired despite the crash. The Malware Config section above is empty, so no extracted beacon configuration is shown in this report.
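The execution chain above is a compact pattern for a process-creation detection rule. The following is an added example written for this page, not code from the sandbox or from the report: it flags rundll32 loading a DLL from a user-writable path, invocation by ordinal export, the System32 -> SysWOW64 rundll32 re-launch, and a WerFault whose -p argument points at a rundll32 host. The input events are constructed from the three processes in the tree (PIDs 744, 1932, 1488); the ProcEvent field names, rule identifiers and regular expressions are assumptions for the example and do not follow any particular sandbox or EDR schema.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record. Field names are an assumption for this
    example, not any particular sandbox or EDR schema."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed to mirror the three processes in the report's tree
# (PIDs 744 -> 1932 -> 1488); this is not captured telemetry.
EVENTS = [
    ProcEvent(744, 0, r"C:\Windows\system32\rundll32.exe",
              r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\306393ab257690d610aa142d02d998fe.dll,#1"),
    ProcEvent(1932, 744, r"C:\Windows\SysWOW64\rundll32.exe",
              r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\306393ab257690d610aa142d02d998fe.dll,#1"),
    ProcEvent(1488, 1932, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -u -p 1932 -s 196"),
]

# Constructed benign control: rundll32 calling a named export of a system DLL.
BENIGN = [
    ProcEvent(2000, 1, r"C:\Windows\system32\rundll32.exe",
              r"rundll32.exe C:\Windows\system32\shell32.dll,Control_RunDLL"),
]

# "rundll32.exe <dll>,<export>" where export is "#<ordinal>" or a name.
RUNDLL_RE = re.compile(r"rundll32\.exe\s+(?P<dll>\S+?\.dll),(?P<export>#?\w+)", re.I)
# WerFault's -p argument is the PID of the process that crashed.
WERFAULT_RE = re.compile(r"werfault\.exe.*?-p\s+(?P<target>\d+)", re.I)
# Directories a standard user can write to; DLLs loaded from here deserve a look.
USER_WRITABLE_RE = re.compile(r"\\AppData\\Local\\Temp\\|\\Users\\Public\\|\\ProgramData\\", re.I)


def analyze(events):
    """Return (pid, rule_id) findings for the chain seen in the report."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        m = RUNDLL_RE.search(e.cmdline)
        if m:
            dll, export = m.group("dll"), m.group("export")
            if USER_WRITABLE_RE.search(dll):
                findings.append((e.pid, "temp_dll"))
            if export.startswith("#"):
                findings.append((e.pid, "ordinal_export"))
            parent = by_pid.get(e.ppid)
            # 64-bit rundll32 hands a 32-bit DLL to its SysWOW64 twin.
            if (parent is not None
                    and "rundll32" in parent.image.lower()
                    and "\\system32\\" in parent.image.lower()
                    and "\\syswow64\\" in e.image.lower()):
                findings.append((e.pid, "wow64_relaunch"))
        m = WERFAULT_RE.search(e.cmdline)
        if m:
            target = by_pid.get(int(m.group("target")))
            # Crash of the rundll32 host: the payload did not keep running.
            if target is not None and RUNDLL_RE.search(target.cmdline):
                findings.append((target.pid, "host_crash"))
    return findings


def suspicious_pids(events):
    """PIDs with at least one finding, sorted."""
    return sorted({pid for pid, _ in analyze(events)})


if __name__ == "__main__":
    for pid, rule in analyze(EVENTS):
        print(f"pid {pid}: {rule}")
    print("benign findings:", analyze(BENIGN))
```

The benign control shows why the rules are combined rather than fired singly: rundll32 calling a named export of a System32 DLL trips none of them, while the report's chain trips all four, with the host_crash finding attributed to PID 1932 rather than to WerFault itself.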
Network
MITRE ATT&CK Matrix
Downloads
- memory/1488-1-0x0000000000000000-mapping.dmp
- memory/1488-2-0x0000000001DD0000-0x0000000001DE1000-memory.dmp (68KB)
- memory/1488-4-0x0000000002510000-0x0000000002521000-memory.dmp (68KB)
- memory/1932-0-0x0000000000000000-mapping.dmp
- memory/1932-3-0x0000000000000000-mapping.dmp

Note that the only region dumps with content (two 68KB ranges) belong to WerFault.exe (PID 1488); for the rundll32.exe host that actually loaded the DLL (PID 1932) only mapping records were captured, so the payload's own memory is not available from this run.