AnnualReport.exe

General

Target:     AnnualReport.exe
Filesize:   441KB
Completed:  03-02-2021 17:06
Score:      10/10
MD5:        2c00aaba1bad8a20cf1f154646e50878
SHA1:       314c5dd041216b0eb130075961ab660004e39fdf
SHA256:     52bbe09c7150ea66269c71bac8d0237fb0e6b0cae4ca63ab19807c310d6a1a0b

Malware Config

Extracted

Family:   cobaltstrike
Version:  windows/download_exec
C2:       http://topservicebin.com:443/wp-includes/eo.png

Signatures 7
  • Cobaltstrike

    Description

    Detected malicious payload which is part of Cobaltstrike.

  • Suspicious use of NtCreateProcessExOtherParentProcess
    WerFault.exe

    Reported IOCs

    description             pid   process       target process
    PID 1908 created 4084   1908  WerFault.exe  powershell.exe
  • Blocklisted process makes network request
    powershell.exe

    Reported IOCs

    flow  pid   process
    27    4084  powershell.exe
    28    4084  powershell.exe
    29    4084  powershell.exe
    30    4084  powershell.exe
    31    4084  powershell.exe
    34    4084  powershell.exe
    35    4084  powershell.exe
    37    4084  powershell.exe
    38    4084  powershell.exe
    39    4084  powershell.exe
  • Program crash
    WerFault.exe

    Reported IOCs

    pid   pid_target  process       target process
    1908  4084        WerFault.exe  powershell.exe
  • Suspicious behavior: EnumeratesProcesses
    WerFault.exe

    Reported IOCs

    pid   process
    1908  WerFault.exe  (reported 12 times)
  • Suspicious use of AdjustPrivilegeToken
    WerFault.exe

    Reported IOCs

    description              pid   process
    Token: SeDebugPrivilege  1908  WerFault.exe
  • Suspicious use of WriteProcessMemory
    AnnualReport.exe

    Reported IOCs

    description                       pid   process           target process
    PID 3888 wrote to memory of 4084  3888  AnnualReport.exe  powershell.exe
    PID 3888 wrote to memory of 4084  3888  AnnualReport.exe  powershell.exe
    PID 3888 wrote to memory of 4084  3888  AnnualReport.exe  powershell.exe
Processes 3
  • C:\Users\Admin\AppData\Local\Temp\AnnualReport.exe
    "C:\Users\Admin\AppData\Local\Temp\AnnualReport.exe"
    Suspicious use of WriteProcessMemory
    PID:3888
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell
      Blocklisted process makes network request
      PID:4084
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 4084 -s 936
        Suspicious use of NtCreateProcessExOtherParentProcess
        Program crash
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        PID:1908
Network

MITRE ATT&CK Matrix

Tactic columns: Collection, Command and Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation
Downloads

  • memory/1908-5-0x000001B5BA030000-0x000001B5BA031000-memory.dmp
  • memory/4084-2-0x0000000000000000-mapping.dmp
  • memory/4084-3-0x000002BECA940000-0x000002BECA941000-memory.dmp