Analysis
- max time kernel: 13s
- max time network: 112s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 22-06-2021 15:20

Behavioral task: behavioral1
- Sample: d2e1d9b7a5c33dd98ff1221108bfdc935ade3a19248743b55c3ec5a182c00f42.exe
- Resource: win10v20210408
General
- Target: d2e1d9b7a5c33dd98ff1221108bfdc935ade3a19248743b55c3ec5a182c00f42.exe
- Size: 316KB
- MD5: b1e8d5465394be4ad5ad90c12f76cf2c
- SHA1: bcb72da7d86bead3a98e996ef66ea59554e803ba
- SHA256: d2e1d9b7a5c33dd98ff1221108bfdc935ade3a19248743b55c3ec5a182c00f42
- SHA512: 90d56976b8fd220575ebc689ec56761fa6fad9211126bf629c196a0508390dc9bfe339cfd9f69670d9466bf58e19efc68db47a31458d61edba003f936c6d4665
- Score: 10/10
Malware Config

Signatures
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  This is the only signature attributable to the sample itself and the sole reason for the 10/10 score.

- Program crash (1 IoC)
  Processes:
  pid   pid_target   process        target process
  580   808          WerFault.exe   d2e1d9b7a5c33dd98ff1221108bfdc935ade3a19248743b55c3ec5a182c00f42.exe

- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes:
  pid   process
  580   WerFault.exe   (14 identical hits from the same WerFault.exe instance)

- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
  description                  pid   process
  Token: SeRestorePrivilege    580   WerFault.exe
  Token: SeBackupPrivilege     580   WerFault.exe
  Token: SeDebugPrivilege      580   WerFault.exe

Note that all three behavioral signatures are raised by pid 580, the WerFault.exe instance Windows Error Reporting spawned to handle the sample's crash, not by the sample (pid 808). Enumerating processes and enabling SeDebugPrivilege, SeBackupPrivilege and SeRestorePrivilege is what WerFault does to open the crashed process and write its dump, so these hits are crash-handler noise rather than evidence of the beacon running. The sample crashed within the 13s kernel window, before any network, injection or persistence behaviour was recorded.
Processes
- C:\Users\Admin\AppData\Local\Temp\d2e1d9b7a5c33dd98ff1221108bfdc935ade3a19248743b55c3ec5a182c00f42.exe  (pid 808)
  command line: "C:\Users\Admin\AppData\Local\Temp\d2e1d9b7a5c33dd98ff1221108bfdc935ade3a19248743b55c3ec5a182c00f42.exe"
  - C:\Windows\SysWOW64\WerFault.exe  (pid 580, child of 808)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 808 -s 520
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

The crash handler runs from SysWOW64, which means the sample is a 32-bit image running under WOW64; the -p argument names the crashed process (808) and -s the event handle WerFault signals when it is done.
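To make the attribution above mechanical rather than eyeballed, here is an added Python example (not part of this report or of the sandbox's own code) that parses each WerFault.exe command line for its -p target and re-keys every signature the crash handler raised to the crashed process, so the sample's own behavioural hits can be separated from crash-handler noise. The process table and hit list are constructed by hand from the Signatures and Processes sections; the function names and the "direct"/"crash-handler" labels are this example's own.

```python
"""Attribute a sandbox report's signature hits to the sample or to its crash handler.

Added example, not part of the original report. PROCESSES and HITS are constructed
by hand from the report's Signatures and Processes sections.
"""
import re
from collections import Counter

# WerFault.exe -u -p <pid of crashed process> -s <event handle>
WERFAULT_TARGET_RE = re.compile(r"(?i)\bwerfault\.exe\b.*?\s-p\s+(\d+)")

SAMPLE = "d2e1d9b7a5c33dd98ff1221108bfdc935ade3a19248743b55c3ec5a182c00f42.exe"

# Constructed process table modelled on the process tree in the report.
PROCESSES = {
    808: {"image": SAMPLE,
          "cmdline": f'"C:\\Users\\Admin\\AppData\\Local\\Temp\\{SAMPLE}"',
          "parent": None},
    580: {"image": "WerFault.exe",
          "cmdline": "C:\\Windows\\SysWOW64\\WerFault.exe -u -p 808 -s 520",
          "parent": 808},
}

# (signature, pid that raised it), one tuple per IoC listed in the report.
HITS = (
    [("Program crash", 580)]
    + [("Suspicious behavior: EnumeratesProcesses", 580)] * 14
    + [("Suspicious use of AdjustPrivilegeToken", 580)] * 3
)


def werfault_target(cmdline: str):
    """Return the pid a WerFault.exe command line reports on, else None."""
    m = WERFAULT_TARGET_RE.search(cmdline)
    return int(m.group(1)) if m else None


def attribute(processes: dict, hits: list) -> Counter:
    """Count hits keyed by (signature, owner pid, kind).

    A hit raised by WerFault.exe is crash-handler activity about its -p target,
    so it is re-keyed to that target with kind "crash-handler"; any other hit is
    the raising process's own behaviour, kind "direct".
    """
    counts: Counter = Counter()
    for signature, pid in hits:
        target = werfault_target(processes[pid]["cmdline"])
        if target is None:
            counts[(signature, pid, "direct")] += 1
        else:
            counts[(signature, target, "crash-handler")] += 1
    return counts


def direct_hits(counts: Counter, pid: int) -> dict:
    """Signatures the process with this pid triggered itself."""
    return {sig: n for (sig, owner, kind), n in counts.items()
            if owner == pid and kind == "direct"}


def crash_handler_hits(counts: Counter, pid: int) -> dict:
    """Signatures raised by a WerFault.exe instance reporting on this pid."""
    return {sig: n for (sig, owner, kind), n in counts.items()
            if owner == pid and kind == "crash-handler"}


if __name__ == "__main__":
    counts = attribute(PROCESSES, HITS)
    print("sample's own behavioural hits:", direct_hits(counts, 808))
    print("crash-handler noise about the sample:", crash_handler_hits(counts, 808))
```

Run against this report, direct_hits() for pid 808 is empty and all 18 IoCs land under crash_handler_hits(), which is the quick way to confirm that nothing beyond the static Cobaltstrike detection describes what the sample did before it crashed. Feeding the same functions a tree where the sample spawned its own child processes would surface those as "direct" hits.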