Analysis
- Max time kernel: 140s
- Max time network: 141s
- Platform: windows7_x64
- Resource: win7v20201028
- Submitted: 17-11-2020 11:34
Static task: static1
Behavioral task: behavioral1
- Sample: 562893fef79989aecf27f035d8df4a82.dll
- Resource: win7v20201028
- 0 signatures
- 0 seconds
Behavioral task: behavioral2
- Sample: 562893fef79989aecf27f035d8df4a82.dll
- Resource: win10v20201028
- 0 signatures
- 0 seconds
General
- Target: 562893fef79989aecf27f035d8df4a82.dll
- Size: 244KB
- MD5: 95edddc2ba7770314faac11a8e5fc9f0
- SHA1: 1fd0bf07054ce2ac05c34d0bd1b6098f0b2732d5
- SHA256: b42f4e00fd5806d8d176713db7f7c05b35c522c4f589e7a0eeba23bf9afbb777
- SHA512: 3bec77e8861cdcf803dd5c80ab0fce33a206fdc190b901cd9e5bbe4f69df8a18c8fa59faf3bee58010417d1fc0a42ea8df3e61c439d71ba5e314943b4eefb94d
- Score: 10/10
Malware Config
Signatures
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
- Program crash (1 IoC)
  Processes:
    pid   process       target pid  target process
    1116  WerFault.exe  1520        rundll32.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
    pid   process
    1116  WerFault.exe  (4 entries)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  1116  WerFault.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
    description                       pid   process       target process
    PID 1960 wrote to memory of 1520  1960  rundll32.exe  rundll32.exe  (7 entries)
    PID 1520 wrote to memory of 1116  1520  rundll32.exe  WerFault.exe  (4 entries)
Processes
- C:\Windows\system32\rundll32.exe (level 1)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\562893fef79989aecf27f035d8df4a82.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (level 2)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\562893fef79989aecf27f035d8df4a82.dll,#1
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe (level 3)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 196
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/1116-1-0x0000000000000000-mapping.dmp
- memory/1116-2-0x0000000000840000-0x0000000000851000-memory.dmp (Filesize: 68KB)
- memory/1116-4-0x00000000024D0000-0x00000000024E1000-memory.dmp (Filesize: 68KB)
- memory/1520-0-0x0000000000000000-mapping.dmp
- memory/1520-3-0x0000000000000000-mapping.dmp