Resubmissions
submitted          analysis ID          score
25-03-2021 14:02   210325-6mt4xffj46    10
08-03-2021 01:58   210308-r9csy6wkvx    10
26-02-2021 11:00   210226-9h1pkd739a    10
Analysis
max time kernel: 12s
max time network: 112s
platform: windows10_x64
resource: win10v20201028
submitted: 08-03-2021 01:58
Static task: static1
Behavioral task: behavioral1 (Sample: Employee-Bonus.exe, Resource: win7v20201028)
Behavioral task: behavioral2 (Sample: Employee-Bonus.exe, Resource: win10v20201028)
General
Target: Employee-Bonus.exe
Size: 97KB
MD5: b2a682b8fe731d3c9a97b8fbf1cd84ae
SHA1: ebbbbeadbfcff24fd604167a628cf12ab2bb9c6c
SHA256: 84cef0aed269e6213bfa213d95a3db625bcdde130f33bf4227436985e4473252
SHA512: 6aa9246f88e398d1167126e88c90fc5a4049d7361ec4853abd1094d667ba0be42964190f17c0b40615856d44724989439c2d9fb53cbd2b69b135832d8e8522f2
Malware Config
Extracted
Family: cobaltstrike
Payload: windows/download_exec
URL: http://jumpbill.com:443/image-directory/eso.jpg
Signatures
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
Processes:
description              pid   process       target process
PID 2200 created 1032    2200  WerFault.exe  Employee-Bonus.exe
Program crash (1 IoC)
Processes:
pid   pid_target  process       target process
2200  1032        WerFault.exe  Employee-Bonus.exe
Suspicious behavior: EnumeratesProcesses (14 IoCs)
Processes:
pid   process
2200  WerFault.exe  (14 identical entries)
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
description              pid   process
Token: SeDebugPrivilege  2200  WerFault.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\Employee-Bonus.exe (PID 1032)
   command line: "C:\Users\Admin\AppData\Local\Temp\Employee-Bonus.exe"
   2. C:\Windows\system32\WerFault.exe (PID 2200, nested under 1)
      command line: C:\Windows\system32\WerFault.exe -u -p 1032 -s 1056
      - Suspicious use of NtCreateProcessExOtherParentProcess
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
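The following is an added worked example, not code from the sandbox or from this report. It takes the indicators the report exposes (the file hashes under General, the download_exec stager URL under Malware Config, and the Employee-Bonus.exe / WerFault.exe pair under Processes) and turns them into checks a responder can run offline: matching a candidate file against the listed digests, flagging what is odd about the stager URL, and correlating WerFault's -p argument with the crashed process. The hashes, URL and process events are copied from the report; the function names and the user-temp heuristic are my own assumptions.

```python
"""Offline checks derived from the indicators in this report.

Added example, not Triage's own code. Hashes, stager URL and process events
are copied from the report above; helper names and thresholds are assumed.
"""
import hashlib
import re
from urllib.parse import urlsplit

# Copied from the "General" section (SHA512 omitted; same approach applies).
REPORT_HASHES = {
    "md5": "b2a682b8fe731d3c9a97b8fbf1cd84ae",
    "sha1": "ebbbbeadbfcff24fd604167a628cf12ab2bb9c6c",
    "sha256": "84cef0aed269e6213bfa213d95a3db625bcdde130f33bf4227436985e4473252",
}
# Copied from the "Malware Config" section.
STAGER_URL = "http://jumpbill.com:443/image-directory/eso.jpg"
# Copied from the "Processes" section; PIDs come from the signature tables.
PROCESS_EVENTS = [
    {"pid": 1032, "image": r"C:\Users\Admin\AppData\Local\Temp\Employee-Bonus.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\Employee-Bonus.exe"'},
    {"pid": 2200, "image": r"C:\Windows\system32\WerFault.exe",
     "cmdline": r"C:\Windows\system32\WerFault.exe -u -p 1032 -s 1056"},
]


def file_hashes(data: bytes) -> dict:
    """Hash a candidate file with the same algorithms REPORT_HASHES lists."""
    return {name: hashlib.new(name, data).hexdigest() for name in REPORT_HASHES}


def matches_report(data: bytes) -> bool:
    """True only when every listed digest matches; a partial match is a miss."""
    return file_hashes(data) == REPORT_HASHES


def stager_url_findings(url: str):
    """Return (hostname, effective port, findings) for a stager URL.

    Flags a scheme/port mismatch (plain HTTP on 443 here) and a payload
    served under an image filename, both visible in the report's URL.
    """
    parts = urlsplit(url)
    default_port = {"http": 80, "https": 443}.get(parts.scheme)
    port = parts.port if parts.port is not None else default_port
    findings = []
    if parts.port is not None and parts.port != default_port:
        findings.append(f"{parts.scheme} on non-default port {parts.port}")
    if parts.path.lower().endswith((".jpg", ".jpeg", ".png", ".gif")):
        findings.append("payload fetched from an image-named path")
    return parts.hostname, port, findings


# WerFault.exe -p <pid>: the PID of the faulting process (the report's pid_target).
WERFAULT_TARGET = re.compile(r"(?:^|\s)-p\s+(\d+)")


def crashed_processes(events):
    """Correlate each WerFault.exe event with the process its -p argument names."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for ev in events:
        if not ev["image"].lower().endswith("\\werfault.exe"):
            continue
        m = WERFAULT_TARGET.search(ev["cmdline"])
        if m and int(m.group(1)) in by_pid:
            target = by_pid[int(m.group(1))]
            hits.append({"werfault_pid": ev["pid"], "crashed_pid": target["pid"],
                         "crashed_image": target["image"]})
    return hits


def from_user_temp(path: str) -> bool:
    """Assumed heuristic: prioritise crashes of binaries run from the user's Temp."""
    return "\\appdata\\local\\temp\\" in path.lower()


if __name__ == "__main__":
    print(stager_url_findings(STAGER_URL))
    for hit in crashed_processes(PROCESS_EVENTS):
        print(hit, "(user temp)" if from_user_temp(hit["crashed_image"]) else "")
```

Two things the checks make explicit. The stager is fetched over plain http on port 443 from a .jpg path, which is the indicator worth hunting for in proxy logs rather than the domain alone. And all four behavioural signatures in this report come from WerFault.exe (PID 2200), whose -p 1032 names the sample as the faulting process; the sample crashed within the 12s kernel time, so the run shows the extracted config but no beacon activity.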