Analysis
-
max time kernel
13s -
max time network
114s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
17-11-2020 12:20
Static task
static1
Behavioral task
behavioral1
Sample
1774e47878695044939263df2d589f73.dll
Resource
win7v20201028
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
1774e47878695044939263df2d589f73.dll
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
General
-
Target
1774e47878695044939263df2d589f73.dll
-
Size
204KB
-
MD5
1b9725fdae1037706cd17fdda9e86339
-
SHA1
649e1cd0d87a9c44156dd797c8c6b06cfc55a564
-
SHA256
0343fcbdc5e1581dbeec5a963f171a8b16b047dfdd7ea0f6122120250b0f068d
-
SHA512
ed7780f5ca3c35465f0fc2aa3f14a76cbda92e7f0f2e1e63f32556b2ce5b8f3ea6e7c2d00f334b31a5b30b4adf40d4d1a0dd5b4eebce19dc9a1a6da1c40de1af
Score
10/10
Malware Config
Signatures
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
ServiceHost packer 3 IoCs
Detects ServiceHost packer used for .NET malware
Processes:
resource yara_rule behavioral2/memory/712-2-0x0000000000000000-mapping.dmp servicehost behavioral2/memory/712-3-0x0000000000000000-mapping.dmp servicehost behavioral2/memory/712-4-0x0000000000000000-mapping.dmp servicehost -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 2056 712 WerFault.exe rundll32.exe -
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
WerFault.exepid process 2056 WerFault.exe 2056 WerFault.exe 2056 WerFault.exe 2056 WerFault.exe 2056 WerFault.exe 2056 WerFault.exe 2056 WerFault.exe 2056 WerFault.exe 2056 WerFault.exe 2056 WerFault.exe 2056 WerFault.exe 2056 WerFault.exe 2056 WerFault.exe 2056 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
WerFault.exedescription pid process Token: SeRestorePrivilege 2056 WerFault.exe Token: SeBackupPrivilege 2056 WerFault.exe Token: SeDebugPrivilege 2056 WerFault.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
rundll32.exedescription pid process target process PID 912 wrote to memory of 712 912 rundll32.exe rundll32.exe PID 912 wrote to memory of 712 912 rundll32.exe rundll32.exe PID 912 wrote to memory of 712 912 rundll32.exe rundll32.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\1774e47878695044939263df2d589f73.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:912 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\1774e47878695044939263df2d589f73.dll,#12⤵PID:712
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 712 -s 5643⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2056
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/712-0-0x0000000000000000-mapping.dmp
-
memory/712-2-0x0000000000000000-mapping.dmp
-
memory/712-3-0x0000000000000000-mapping.dmp
-
memory/712-4-0x0000000000000000-mapping.dmp
-
memory/2056-1-0x0000000004BE0000-0x0000000004BE1000-memory.dmpFilesize
4KB
-
memory/2056-5-0x0000000005550000-0x0000000005551000-memory.dmpFilesize
4KB