Analysis
-
max time kernel
11s -
max time network
115s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
22-06-2021 15:21
Behavioral task
behavioral1
Sample
20908d9af9d4c4cc53f8ab4ebb7074675f28d0f2fcc31fb3497156ba51bb0ad2.exe
Resource
win10v20210410
windows10_x64
0 signatures
0 seconds
General
-
Target
20908d9af9d4c4cc53f8ab4ebb7074675f28d0f2fcc31fb3497156ba51bb0ad2.exe
-
Size
316KB
-
MD5
748a2474b56c133c5f30632273f7954a
-
SHA1
8b0269ddf234de45faf3fadb2d83fe2cc2c13efc
-
SHA256
20908d9af9d4c4cc53f8ab4ebb7074675f28d0f2fcc31fb3497156ba51bb0ad2
-
SHA512
2c083b240d3577e9f18b5b3b4fb3ba087990edfa0438b95240881a4a17582dcaea72a152cb534be5bfada0bd55b5390675f7268952d9afbc3c4722e05040d8d2
Score
10/10
Malware Config
Signatures
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 2888 1892 WerFault.exe 20908d9af9d4c4cc53f8ab4ebb7074675f28d0f2fcc31fb3497156ba51bb0ad2.exe -
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
WerFault.exepid process 2888 WerFault.exe 2888 WerFault.exe 2888 WerFault.exe 2888 WerFault.exe 2888 WerFault.exe 2888 WerFault.exe 2888 WerFault.exe 2888 WerFault.exe 2888 WerFault.exe 2888 WerFault.exe 2888 WerFault.exe 2888 WerFault.exe 2888 WerFault.exe 2888 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
WerFault.exedescription pid process Token: SeRestorePrivilege 2888 WerFault.exe Token: SeBackupPrivilege 2888 WerFault.exe Token: SeDebugPrivilege 2888 WerFault.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\20908d9af9d4c4cc53f8ab4ebb7074675f28d0f2fcc31fb3497156ba51bb0ad2.exe"C:\Users\Admin\AppData\Local\Temp\20908d9af9d4c4cc53f8ab4ebb7074675f28d0f2fcc31fb3497156ba51bb0ad2.exe"1⤵PID:1892
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1892 -s 5122⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2888