Analysis

  • max time kernel
    8s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    17-11-2020 15:12

General

  • Target

    d2ac54ac2efc435930d8d23c5b200667.dll

  • Size

    244KB

  • MD5

    397227671529e7cef93dd42b8b34931c

  • SHA1

    7024f2d5b42041b0c34fe53aafe78688a57993b8

  • SHA256

    736b364431416b59ca7fdfee09d098b7c5003f01a136ca618a4191505359a1d3

  • SHA512

    fb6a2a141c87b3c262831386f9331b365e6af85fc555e7c71d22043c9b7e5211bce0f960cf7e26961cc5483d5eeef62990d034975b9a5723fe3a7bc533dcd456

Malware Config

Signatures

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\d2ac54ac2efc435930d8d23c5b200667.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1876
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\d2ac54ac2efc435930d8d23c5b200667.dll,#1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1132
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1132 -s 196
        3⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1308

Network

MITRE ATT&CK Matrix

Downloads

  • memory/1132-0-0x0000000000000000-mapping.dmp
  • memory/1132-3-0x0000000000000000-mapping.dmp
  • memory/1308-1-0x0000000000000000-mapping.dmp
  • memory/1308-2-0x0000000001EC0000-0x0000000001ED1000-memory.dmp
    Filesize: 68KB
  • memory/1308-4-0x0000000002560000-0x0000000002571000-memory.dmp
    Filesize: 68KB