Analysis
max time kernel: 93s
max time network: 112s
platform: windows10_x64
resource: win10v20210410
submitted: 01-07-2021 07:15
Behavioral task: behavioral1
Sample: 3734d797c5f3ad3fe1211802b686c8b7453c410e8222c049092988e12a9b0dae.exe
Resource: win10v20210410
platform: windows10_x64
0 signatures
0 seconds
General
Target: 3734d797c5f3ad3fe1211802b686c8b7453c410e8222c049092988e12a9b0dae.exe
Size: 345KB
MD5: 93e38628be9ad530506023bf708dd049
SHA1: 517f938f319d3844b5a704ea9570cfa28275c766
SHA256: 3734d797c5f3ad3fe1211802b686c8b7453c410e8222c049092988e12a9b0dae
SHA512: d43d686bb6e3f2f17b8d2ba04fa1506216a1adfc500411f07f82c96121fa882b827ad24291c7e42f7af611cea57318fd113f09d39d909fff5e28c77bcedadec1
Score: 10/10
Malware Config

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.

Program crash (1 IoCs)
Processes:
  pid   pid_target  process       target process
  3384  3908        WerFault.exe  3734d797c5f3ad3fe1211802b686c8b7453c410e8222c049092988e12a9b0dae.exe

Suspicious behavior: EnumeratesProcesses (13 IoCs)
Processes:
  pid   process
  3384  WerFault.exe  (same entry repeated 13 times)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  description                pid   process
  Token: SeRestorePrivilege  3384  WerFault.exe
  Token: SeBackupPrivilege   3384  WerFault.exe
  Token: SeDebugPrivilege    3384  WerFault.exe
Processes
C:\Users\Admin\AppData\Local\Temp\3734d797c5f3ad3fe1211802b686c8b7453c410e8222c049092988e12a9b0dae.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\3734d797c5f3ad3fe1211802b686c8b7453c410e8222c049092988e12a9b0dae.exe"
  C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3908 -s 508
    Program crash
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken