Analysis
max time kernel: 580s
max time network: 580s
platform: windows10_x64
resource: win10v20201028
submitted: 03-02-2021 16:56
Static task: static1

Behavioral task: behavioral1
  Sample: AnnualReport.exe
  Resource: win10v20201028 (windows10_x64)
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample: AnnualReport.exe
  Resource: win10v20201028 (windows10_x64)
  0 signatures, 0 seconds
General
Target: AnnualReport.exe
Size: 441KB
MD5: 2c00aaba1bad8a20cf1f154646e50878
SHA1: 314c5dd041216b0eb130075961ab660004e39fdf
SHA256: 52bbe09c7150ea66269c71bac8d0237fb0e6b0cae4ca63ab19807c310d6a1a0b
SHA512: f6b48cb567a808b2b25b113a84476178ae42ffa7f4d47e03f6ca0c3e31762316f539d1913afedb88de28a6164c6551705130f28a66bdedfd4d182cf1cdd37ce0
Score: 10/10
Malware Config (Extracted)
Family: cobaltstrike
Version: windows/download_exec
C2: http://topservicebin.com:443/wp-includes/eo.png
Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.

Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
Processes:
  description              pid   Process       procid_target
  PID 1908 created 4084    1908  WerFault.exe  79

Blocklisted process makes network request (10 IoCs)
Processes:
  flow  pid   Process
  27    4084  powershell.exe
  28    4084  powershell.exe
  29    4084  powershell.exe
  30    4084  powershell.exe
  31    4084  powershell.exe
  34    4084  powershell.exe
  35    4084  powershell.exe
  37    4084  powershell.exe
  38    4084  powershell.exe
  39    4084  powershell.exe

Program crash (1 IoC)
Processes:
  pid   pid_target  Process       procid_target
  1908  4084        WerFault.exe  79

Suspicious behavior: EnumeratesProcesses (12 IoCs)
Processes:
  pid   Process
  1908  WerFault.exe  (12 occurrences)

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description              pid   Process
  Token: SeDebugPrivilege  1908  WerFault.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description                         pid   Process           procid_target
  PID 3888 wrote to memory of 4084    3888  AnnualReport.exe  79
  PID 3888 wrote to memory of 4084    3888  AnnualReport.exe  79
  PID 3888 wrote to memory of 4084    3888  AnnualReport.exe  79
Processes

1. C:\Users\Admin\AppData\Local\Temp\AnnualReport.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\AnnualReport.exe"
   - Suspicious use of WriteProcessMemory
   PID: 3888

   2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell
      - Blocklisted process makes network request
      PID: 4084

      3. C:\Windows\system32\WerFault.exe
         Command line: C:\Windows\system32\WerFault.exe -u -p 4084 -s 936
         - Suspicious use of NtCreateProcessExOtherParentProcess
         - Program crash
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         PID: 1908