Analysis
-
max time kernel
90s -
max time network
160s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
30-06-2021 22:49
Behavioral task
behavioral1
Sample
417abd1c1db6a5df3a86924f2263a684b58527dfbbada584ba3360f2c5462dfa.exe
Resource
win10v20210410
windows10_x64
0 signatures
0 seconds
General
-
Target
417abd1c1db6a5df3a86924f2263a684b58527dfbbada584ba3360f2c5462dfa.exe
-
Size
345KB
-
MD5
b10f6a5dc20e493d684999d006b53bbe
-
SHA1
2220c7327163012b08db53a1acece97ade29f26b
-
SHA256
417abd1c1db6a5df3a86924f2263a684b58527dfbbada584ba3360f2c5462dfa
-
SHA512
e7c1fc7ab53c4d108aa7b2acc84c0517e6789fa6f9b241704d6f85dd192a948b7f3bf0e3da5905785b9ad753fb9b1e6425c46663d3c1a1643a9242e0c91fb36f
Score
10/10
Malware Config
Signatures
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 4092 1808 WerFault.exe 417abd1c1db6a5df3a86924f2263a684b58527dfbbada584ba3360f2c5462dfa.exe -
Suspicious behavior: EnumeratesProcesses 13 IoCs
Processes:
WerFault.exepid process 4092 WerFault.exe 4092 WerFault.exe 4092 WerFault.exe 4092 WerFault.exe 4092 WerFault.exe 4092 WerFault.exe 4092 WerFault.exe 4092 WerFault.exe 4092 WerFault.exe 4092 WerFault.exe 4092 WerFault.exe 4092 WerFault.exe 4092 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
WerFault.exedescription pid process Token: SeRestorePrivilege 4092 WerFault.exe Token: SeBackupPrivilege 4092 WerFault.exe Token: SeDebugPrivilege 4092 WerFault.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\417abd1c1db6a5df3a86924f2263a684b58527dfbbada584ba3360f2c5462dfa.exe"C:\Users\Admin\AppData\Local\Temp\417abd1c1db6a5df3a86924f2263a684b58527dfbbada584ba3360f2c5462dfa.exe"1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1808 -s 5082⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken