Analysis
-
max time kernel
90s -
max time network
158s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
01-07-2021 07:59
Behavioral task
behavioral1
Sample
f0491f69eb12246a4842ee7b701a7cea3f21300f9f2acb1c95ad757118dcf3d6.exe
Resource
win10v20210410
windows10_x64
0 signatures
0 seconds
General
-
Target
f0491f69eb12246a4842ee7b701a7cea3f21300f9f2acb1c95ad757118dcf3d6.exe
-
Size
345KB
-
MD5
fb6a78f326527e98eb1c36e4da2af8d7
-
SHA1
8365d6213b1d48154c3f4b35b0798830dd30c883
-
SHA256
f0491f69eb12246a4842ee7b701a7cea3f21300f9f2acb1c95ad757118dcf3d6
-
SHA512
4b969155c99cd920cde2d248ce25ead1d48b09415edb29fb211eda79595c3dd5a606647bf4434472a09a858a24151201b228c218e1ff278084f4bbf10f6e261c
Score
10/10
Malware Config
Signatures
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Program crash 1 IoCs
Processes:
WerFault.exe
pid: 3696
pid_target: 4016
process: WerFault.exe
target process: f0491f69eb12246a4842ee7b701a7cea3f21300f9f2acb1c95ad757118dcf3d6.exe
-
Suspicious behavior: EnumeratesProcesses 13 IoCs
Processes:
WerFault.exe
pid: 3696
process: WerFault.exe
(13 identical entries: 3696 WerFault.exe)
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
WerFault.exe
description: Token: SeRestorePrivilege, pid: 3696, process: WerFault.exe
description: Token: SeBackupPrivilege, pid: 3696, process: WerFault.exe
description: Token: SeDebugPrivilege, pid: 3696, process: WerFault.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\f0491f69eb12246a4842ee7b701a7cea3f21300f9f2acb1c95ad757118dcf3d6.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\f0491f69eb12246a4842ee7b701a7cea3f21300f9f2acb1c95ad757118dcf3d6.exe"
(process tree depth 1)
-
C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4016 -s 512
(process tree depth 2, child of pid 4016)
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken