Analysis
- max time kernel: 12s
- max time network: 113s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 22-06-2021 15:16

Behavioral task: behavioral1
- Sample: b6723e956a07b31107bc26554497ee625e352164490431920784822cced2a21b.exe
- Resource: win10v20210410
- 0 signatures
- 0 seconds
General
- Target: b6723e956a07b31107bc26554497ee625e352164490431920784822cced2a21b.exe
- Size: 316KB
- MD5: 937c734fe74be9f82902d30a706a0a0b
- SHA1: 51566718fdb457738bbcddcfcaab51ee2fc2e2f0
- SHA256: b6723e956a07b31107bc26554497ee625e352164490431920784822cced2a21b
- SHA512: 0dfd24e4827a5a0eaaff98ee3a7c289251b0d3fec8ec522f409a88b4f0c0dfff5726f2958d8c21e1705e06e9be6ddb40dc69014c37b0a734798e04da2b49714b

Score: 10/10
Malware Config
Signatures
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Program crash (1 IoC)
Processes:
PID   Process       Target PID   Target process
4020  WerFault.exe  772          b6723e956a07b31107bc26554497ee625e352164490431920784822cced2a21b.exe
-
Suspicious behavior: EnumeratesProcesses (14 IoCs)
Processes:
PID   Process
4020  WerFault.exe (14 events)
-
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
Description                 PID   Process
Token: SeRestorePrivilege   4020  WerFault.exe
Token: SeBackupPrivilege    4020  WerFault.exe
Token: SeDebugPrivilege     4020  WerFault.exe
Processes
- 1. C:\Users\Admin\AppData\Local\Temp\b6723e956a07b31107bc26554497ee625e352164490431920784822cced2a21b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b6723e956a07b31107bc26554497ee625e352164490431920784822cced2a21b.exe"
  - 2. C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 772 -s 516
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
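Reading the tree above: all three "suspicious" signatures attach to WerFault.exe (PID 4020), not to the sample. Windows Error Reporting enables SeDebugPrivilege, SeBackupPrivilege and SeRestorePrivilege and walks the process list in order to read and dump the faulting process, so those hits are the crash handler doing its job; the actionable facts are that a binary dropped in the user's Temp directory crashed, that the crash handler came from SysWOW64 (so the crashed process was 32-bit), and that the Cobalt Strike payload detection stands on its own. The script below, added here as an example and not part of the sandbox report, shows the correlation a practitioner would run over process-creation telemetry: parse the WerFault `-p` argument, join it back to the crashed process, confirm WerFault's parent is that process, and flag crashes of user-Temp executables. The event list is constructed; PIDs 772 and 4020 mirror the report, the rest are made up to cover a benign crash and a WerFault whose target never appeared in the log.

```python
import re
from typing import Dict, List, Optional

# Constructed process-creation events (dict per event). The 772/4020 pair
# mirrors the report; the others are invented for contrast and edge cases.
EVENTS: List[Dict[str, str]] = [
    {"pid": "772", "ppid": "2456",
     "image": r"C:\Users\Admin\AppData\Local\Temp\b6723e956a07b31107bc26554497ee625e352164490431920784822cced2a21b.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\b6723e956a07b31107bc26554497ee625e352164490431920784822cced2a21b.exe"'},
    {"pid": "4020", "ppid": "772",
     "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 772 -s 516"},
    # Constructed benign crash of a 64-bit system binary.
    {"pid": "5100", "ppid": "1234",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
    {"pid": "5188", "ppid": "5100",
     "image": r"C:\Windows\System32\WerFault.exe",
     "cmdline": r"C:\Windows\System32\WerFault.exe -u -p 5100 -s 300"},
    # Constructed WerFault whose crashed process left no creation event.
    {"pid": "6000", "ppid": "5999",
     "image": r"C:\Windows\System32\WerFault.exe",
     "cmdline": r"C:\Windows\System32\WerFault.exe -u -p 5999 -s 412"},
]

_WERFAULT_RE = re.compile(r"(?:^|\\)werfault\.exe$", re.IGNORECASE)
# <drive>:\Users\<user>\AppData\Local\Temp\ prefix, case-insensitive.
_USER_TEMP_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)


def parse_werfault_cmdline(cmdline: str) -> Optional[Dict[str, object]]:
    """Parse 'WerFault.exe -u -p <pid> -s <n>'.

    Returns {'crashed_pid', 'event', 'user_mode'} or None when the command
    line is not a WerFault invocation carrying a -p argument. The -s value
    is kept as reported, without interpretation.
    """
    tokens = cmdline.split()
    if not tokens or not _WERFAULT_RE.search(tokens[0].strip('"')):
        return None
    out: Dict[str, object] = {}
    for flag, key in (("-p", "crashed_pid"), ("-s", "event")):
        if flag in tokens:
            i = tokens.index(flag)
            if i + 1 < len(tokens) and tokens[i + 1].isdigit():
                out[key] = int(tokens[i + 1])
    if "crashed_pid" not in out:
        return None
    out["user_mode"] = "-u" in tokens
    return out


def correlate_crashes(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Join each WerFault launch to the process it was started for."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        parsed = parse_werfault_cmdline(e["cmdline"])
        if parsed is None:
            continue
        crashed = by_pid.get(str(parsed["crashed_pid"]))  # None if not logged
        findings.append({
            "werfault_pid": int(e["pid"]),
            "crashed_pid": parsed["crashed_pid"],
            "crashed_image": crashed["image"] if crashed else None,
            # WER is launched by the faulting process, so its parent should
            # be the PID named in -p; a mismatch is worth a second look.
            "parent_matches": crashed is not None and e["ppid"] == crashed["pid"],
            # A SysWOW64 WerFault means the crashed process was 32-bit.
            "wow64": "\\syswow64\\" in e["image"].lower(),
            "crashed_in_user_temp": bool(crashed and _USER_TEMP_RE.match(crashed["image"])),
        })
    return findings


def suspicious_crashes(findings: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Keep crashes whose faulting image lives in a user's Temp directory."""
    return [f for f in findings if f["crashed_in_user_temp"]]


if __name__ == "__main__":
    for f in suspicious_crashes(correlate_crashes(EVENTS)):
        print(f"crash of PID {f['crashed_pid']} ({f['crashed_image']}) "
              f"handled by WerFault PID {f['werfault_pid']}, wow64={f['wow64']}")
```

Against real telemetry, swap EVENTS for Sysmon Event ID 1 (or equivalent EDR) records and keep the privilege-token and process-enumeration hits on WerFault itself out of the alert logic; they fire on every crash the handler services.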