Analysis

  max time kernel:   120s
  max time network:  122s
  platform:          windows10_x64
  resource:          win10v20201028
  submitted:         17-11-2020 12:16
Static task
  static1

Behavioral task
  behavioral1
    Sample:    7c5a448ef79801222dceb3a09298423a.dll
    Resource:  win7v20201028 (windows7_x64)
    0 signatures, 0 seconds

Behavioral task
  behavioral2
    Sample:    7c5a448ef79801222dceb3a09298423a.dll
    Resource:  win10v20201028 (windows10_x64)
    0 signatures, 0 seconds
General

  Target:  7c5a448ef79801222dceb3a09298423a.dll
  Size:    208KB
  MD5:     4bda250be73136628f57a0ed1d8969a1
  SHA1:    d4c896cab15fde45c962353937b7f35f235a0576
  SHA256:  f2728813e7147c34eeb0c734753e0360731b9995de11f8921bed0febfda4de29
  SHA512:  49894fd6ddd49d1ea0ba3f377abf2e5537c0c543b16c45788d18c8c7bd907e7e5c8e7703e6e77ee200f7e5c44b1f1286cc523b72b386d5ca018cbb6b55e6cec8
  Score:   10/10
Malware Config
Signatures

Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.

Program crash (1 IoC)
  Processes:
    pid   pid_target  process       target process
    2976  908         WerFault.exe  rundll32.exe

Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes:
    pid   process
    2976  WerFault.exe   (this row is repeated 14 times in the report, one per IoC)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    description                pid   process
    Token: SeRestorePrivilege  2976  WerFault.exe
    Token: SeBackupPrivilege   2976  WerFault.exe
    Token: SeDebugPrivilege    2976  WerFault.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description                      pid   process       target process
    PID 3324 wrote to memory of 908  3324  rundll32.exe  rundll32.exe
    PID 3324 wrote to memory of 908  3324  rundll32.exe  rundll32.exe
    PID 3324 wrote to memory of 908  3324  rundll32.exe  rundll32.exe
Processes

1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7c5a448ef79801222dceb3a09298423a.dll,#1
   PID: 3324
   Signatures: Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7c5a448ef79801222dceb3a09298423a.dll,#1
      PID: 908

      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 908 -s 664
         PID: 2976
         Signatures: Program crash; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken