cobaltstrike | 52bbe09c7150ea66269c71bac8d0237fb0e6b0cae4ca63ab19807c310d6a1a0b

Analysis

Target

AnnualReport.exe
Size

441KB
MD5

2c00aaba1bad8a20cf1f154646e50878
SHA1

314c5dd041216b0eb130075961ab660004e39fdf
SHA256

52bbe09c7150ea66269c71bac8d0237fb0e6b0cae4ca63ab19807c310d6a1a0b
SHA512

f6b48cb567a808b2b25b113a84476178ae42ffa7f4d47e03f6ca0c3e31762316f539d1913afedb88de28a6164c6551705130f28a66bdedfd4d182cf1cdd37ce0

Score

10^/10

Family

cobaltstrike

Version

windows/download_exec

http://topservicebin.com:443/wp-includes/eo.png

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 1608 created 372 1608 WerFault.exe powershell.exe

description	pid	process	target process
PID 1608 created 372	1608	WerFault.exe	powershell.exe

Blocklisted process makes network request 10 IoCs

Processes:

powershell.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1608 372 WerFault.exe powershell.exe

pid	pid_target	process	target process
1608	372	WerFault.exe	powershell.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

WerFault.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 1608 WerFault.exe

description	pid	process
Token: SeDebugPrivilege	1608	WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

AnnualReport.exe

description	pid	process	target process
PID 4764 wrote to memory of 372	4764	AnnualReport.exe	powershell.exe
PID 4764 wrote to memory of 372	4764	AnnualReport.exe	powershell.exe
PID 4764 wrote to memory of 372	4764	AnnualReport.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\AnnualReport.exe
"C:\Users\Admin\AppData\Local\Temp\AnnualReport.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4764
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell
  2⤵
  - Blocklisted process makes network request
  PID:372
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 372 -s 812
    3⤵
    - Suspicious use of NtCreateProcessExOtherParentProcess
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1608

memory/372-2-0x0000000000000000-mapping.dmp

Download
memory/372-3-0x00000289CB190000-0x00000289CB191000-memory.dmp

Filesize
4KB

Download
memory/1608-5-0x0000019CDD250000-0x0000019CDD251000-memory.dmp

Filesize
4KB

Download