Analysis
-
max time kernel
1732s -
max time network
1792s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
03-02-2021 16:56
Static task
static1
Behavioral task
behavioral1
Sample
AnnualReport.exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
AnnualReport.exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
General
-
Target
AnnualReport.exe
-
Size
441KB
-
MD5
2c00aaba1bad8a20cf1f154646e50878
-
SHA1
314c5dd041216b0eb130075961ab660004e39fdf
-
SHA256
52bbe09c7150ea66269c71bac8d0237fb0e6b0cae4ca63ab19807c310d6a1a0b
-
SHA512
f6b48cb567a808b2b25b113a84476178ae42ffa7f4d47e03f6ca0c3e31762316f539d1913afedb88de28a6164c6551705130f28a66bdedfd4d182cf1cdd37ce0
Score
10/10
Malware Config
Extracted
Family
cobaltstrike
Version
windows/download_exec
C2
http://topservicebin.com:443/wp-includes/eo.png
Signatures
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
description pid Process procid_target PID 1608 created 372 1608 WerFault.exe 78 -
Blocklisted process makes network request 10 IoCs
flow pid Process 26 372 powershell.exe 27 372 powershell.exe 28 372 powershell.exe 29 372 powershell.exe 30 372 powershell.exe 31 372 powershell.exe 32 372 powershell.exe 33 372 powershell.exe 34 372 powershell.exe 35 372 powershell.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 1608 372 WerFault.exe 78 -
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid Process 1608 WerFault.exe 1608 WerFault.exe 1608 WerFault.exe 1608 WerFault.exe 1608 WerFault.exe 1608 WerFault.exe 1608 WerFault.exe 1608 WerFault.exe 1608 WerFault.exe 1608 WerFault.exe 1608 WerFault.exe 1608 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1608 WerFault.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 4764 wrote to memory of 372 4764 AnnualReport.exe 78 PID 4764 wrote to memory of 372 4764 AnnualReport.exe 78 PID 4764 wrote to memory of 372 4764 AnnualReport.exe 78
Processes
-
C:\Users\Admin\AppData\Local\Temp\AnnualReport.exe"C:\Users\Admin\AppData\Local\Temp\AnnualReport.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4764 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell2⤵
- Blocklisted process makes network request
PID:372 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 372 -s 8123⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1608
-
-