Analysis
- max time kernel: 8s
- max time network: 16s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 17-11-2020 15:12
Static task: static1

Behavioral task: behavioral1
- Sample: d2ac54ac2efc435930d8d23c5b200667.dll
- Resource: win7v20201028
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: d2ac54ac2efc435930d8d23c5b200667.dll
- Resource: win10v20201028
- 0 signatures, 0 seconds
General
- Target: d2ac54ac2efc435930d8d23c5b200667.dll
- Size: 244KB
- MD5: 397227671529e7cef93dd42b8b34931c
- SHA1: 7024f2d5b42041b0c34fe53aafe78688a57993b8
- SHA256: 736b364431416b59ca7fdfee09d098b7c5003f01a136ca618a4191505359a1d3
- SHA512: fb6a2a141c87b3c262831386f9331b365e6af85fc555e7c71d22043c9b7e5211bce0f960cf7e26961cc5483d5eeef62990d034975b9a5723fe3a7bc533dcd456
- Score: 10/10
Malware Config
Signatures
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.

- Program crash (1 IoC)
  Processes:
    pid   pid_target  process       target process
    1308  1132        WerFault.exe  rundll32.exe

- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
    pid   process
    1308  WerFault.exe  (4 occurrences)

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description               pid   process
    Token: SeDebugPrivilege   1308  WerFault.exe

- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
    description                       pid   process       target process
    PID 1876 wrote to memory of 1132  1876  rundll32.exe  rundll32.exe   (7 occurrences)
    PID 1132 wrote to memory of 1308  1132  rundll32.exe  WerFault.exe   (4 occurrences)
Processes
- C:\Windows\system32\rundll32.exe (PID 1876)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\d2ac54ac2efc435930d8d23c5b200667.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 1132, child of 1876)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\d2ac54ac2efc435930d8d23c5b200667.dll,#1
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe (PID 1308, child of 1132)
      C:\Windows\SysWOW64\WerFault.exe -u -p 1132 -s 196
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/1132-0-0x0000000000000000-mapping.dmp
- memory/1132-3-0x0000000000000000-mapping.dmp
- memory/1308-1-0x0000000000000000-mapping.dmp
- memory/1308-2-0x0000000001EC0000-0x0000000001ED1000-memory.dmp (Filesize: 68KB)
- memory/1308-4-0x0000000002560000-0x0000000002571000-memory.dmp (Filesize: 68KB)