Resubmissions
25-03-2021 14:02
210325-6mt4xffj46 1008-03-2021 01:58
210308-r9csy6wkvx 1026-02-2021 11:00
210226-9h1pkd739a 10Analysis
-
max time kernel
12s -
max time network
112s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
08-03-2021 01:58
General
-
Target
Employee-Bonus.exe
-
Size
97KB
-
MD5
b2a682b8fe731d3c9a97b8fbf1cd84ae
-
SHA1
ebbbbeadbfcff24fd604167a628cf12ab2bb9c6c
-
SHA256
84cef0aed269e6213bfa213d95a3db625bcdde130f33bf4227436985e4473252
-
SHA512
6aa9246f88e398d1167126e88c90fc5a4049d7361ec4853abd1094d667ba0be42964190f17c0b40615856d44724989439c2d9fb53cbd2b69b135832d8e8522f2
Score
10/10
Malware Config
Extracted
Family
cobaltstrike
Version
windows/download_exec
C2
http://jumpbill.com:443/image-directory/eso.jpg
Signatures
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
-
Program crash 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Employee-Bonus.exe"C:\Users\Admin\AppData\Local\Temp\Employee-Bonus.exe"1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1032 -s 10562⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1032-3-0x00000000003D0000-0x00000000003D1000-memory.dmpFilesize
4KB
-
memory/2200-2-0x000001ABCF120000-0x000001ABCF121000-memory.dmpFilesize
4KB