Analysis
max time kernel: 12s
max time network: 110s
platform: windows10_x64
resource: win10v20201028
submitted: 17-11-2020 11:32
Static task: static1
Behavioral task: behavioral1
  Sample: 958483daa785f416869f8bb77b8b3168.dll
  Resource: win7v20201028
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: 958483daa785f416869f8bb77b8b3168.dll
  Resource: win10v20201028
  0 signatures, 0 seconds
General
Target: 958483daa785f416869f8bb77b8b3168.dll
Size: 204KB
MD5: 0d39ffeef0a201f67a32015fa715a828
SHA1: 97630df6406238b3450ca244e23eb1fa34daf3ca
SHA256: 4f509c612841349936856c59afbaf021d5c79a7e24f93b91ca5a72d796db2a99
SHA512: 6ccc49e4f20df985131acd0c934230af9695ff487da0a9667e3b7b0f28d17f40058ae7a14034ef38d42b041a1e0078f02d5e6df34ed3b34af23dfe60d0a34e42
Score: 10/10
Malware Config
Signatures

Cobaltstrike
Detected a malicious payload that is part of Cobalt Strike.

Program crash (1 IoC)
Processes:
  pid   pid_target  process       target process
  4020  1096        WerFault.exe  rundll32.exe

Suspicious behavior: EnumeratesProcesses (14 IoCs)
Processes:
  pid   process
  4020  WerFault.exe   (14 identical entries)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  description                pid   process
  Token: SeRestorePrivilege  4020  WerFault.exe
  Token: SeBackupPrivilege   4020  WerFault.exe
  Token: SeDebugPrivilege    4020  WerFault.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description                       pid   process       target process
  PID 1080 wrote to memory of 1096  1080  rundll32.exe  rundll32.exe
  PID 1080 wrote to memory of 1096  1080  rundll32.exe  rundll32.exe
  PID 1080 wrote to memory of 1096  1080  rundll32.exe  rundll32.exe
Processes
C:\Windows\system32\rundll32.exe (PID 1080)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\958483daa785f416869f8bb77b8b3168.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe (PID 1096)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\958483daa785f416869f8bb77b8b3168.dll,#1
    C:\Windows\SysWOW64\WerFault.exe (PID 4020)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1096 -s 640
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
memory/1096-0-0x0000000000000000-mapping.dmp
memory/1096-4-0x0000000000000000-mapping.dmp
memory/1096-3-0x0000000000000000-mapping.dmp
memory/1096-2-0x0000000000000000-mapping.dmp
memory/4020-1-0x0000000004A00000-0x0000000004A01000-memory.dmp (Filesize: 4KB)
memory/4020-5-0x0000000005400000-0x0000000005401000-memory.dmp (Filesize: 4KB)