Analysis
- max time kernel: 23s
- max time network: 110s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 07-05-2021 10:14
Static task: static1
Behavioral task: behavioral1
- Sample: 339c7ac759b7ef0ab8e2a9434f53fcd212786575b08b4b41687ab10fdcf2c502.exe
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: 339c7ac759b7ef0ab8e2a9434f53fcd212786575b08b4b41687ab10fdcf2c502.exe
- Resource: win10v20210410
General
- Target: 339c7ac759b7ef0ab8e2a9434f53fcd212786575b08b4b41687ab10fdcf2c502.exe
- Size: 17KB
- MD5: 60a1bfe619b2dc1cec9f3f61762255f4
- SHA1: 0c71506f28da58c9c90a0008eafae21309f729b7
- SHA256: 339c7ac759b7ef0ab8e2a9434f53fcd212786575b08b4b41687ab10fdcf2c502
- SHA512: 1bbeddebc065360a49b0cea2a0e876a6237baca850cb75f73ee94fb6c37858c0c2f1274fe9a5a4ee2a8e739a3385d389ba702130a8dea98adde4043820bc926c
Malware Config
Extracted: cobaltstrike
- http://95.181.157.170:80/uNIQ
- user_agent: User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)
Signatures
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
- Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
  Processes:
  description | pid | process | target process
  PID 3484 created 3896 | 3484 | WerFault.exe | 339c7ac759b7ef0ab8e2a9434f53fcd212786575b08b4b41687ab10fdcf2c502.exe
- Program crash (1 IoC)
  Processes:
  pid | pid_target | process | target process
  3484 | 3896 | WerFault.exe | 339c7ac759b7ef0ab8e2a9434f53fcd212786575b08b4b41687ab10fdcf2c502.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes:
  pid | process
  3484 | WerFault.exe (the same row is listed 14 times)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 3484 | WerFault.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\339c7ac759b7ef0ab8e2a9434f53fcd212786575b08b4b41687ab10fdcf2c502.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\339c7ac759b7ef0ab8e2a9434f53fcd212786575b08b4b41687ab10fdcf2c502.exe"
  - C:\Windows\system32\WerFault.exe
    command line: C:\Windows\system32\WerFault.exe -u -p 3896 -s 960
    - Suspicious use of NtCreateProcessExOtherParentProcess
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/3896-114-0x0000000000140000-0x0000000000141000-memory.dmp
  Filesize: 4KB