Analysis
-
max time kernel
147s -
max time network
148s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
01-07-2021 07:17
Behavioral task
behavioral1
Sample
58637f1b136cf2f592b5871a00fc247aa45f6bf25f537211c043aa79bc845bb4.exe
Resource
win10v20210408
windows10_x64
0 signatures
0 seconds
General
-
Target
58637f1b136cf2f592b5871a00fc247aa45f6bf25f537211c043aa79bc845bb4.exe
-
Size
345KB
-
MD5
7f18cbc582ab9004c8f44b1cff5b49f8
-
SHA1
4403ab3078c3e7d73dabb5710e0084bc7f5d509c
-
SHA256
58637f1b136cf2f592b5871a00fc247aa45f6bf25f537211c043aa79bc845bb4
-
SHA512
aad94e95bef0fbb170fa61dd6c60f12162509df4da9f9a42813a5da54cd1dd16f6d9862f76da25d4e80a224cb13f878665eaf324962e8fad7bbc7f55aac36a46
Score
10/10
Malware Config
Signatures
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 1468 912 WerFault.exe 58637f1b136cf2f592b5871a00fc247aa45f6bf25f537211c043aa79bc845bb4.exe -
Suspicious behavior: EnumeratesProcesses 13 IoCs
Processes:
WerFault.exepid process 1468 WerFault.exe 1468 WerFault.exe 1468 WerFault.exe 1468 WerFault.exe 1468 WerFault.exe 1468 WerFault.exe 1468 WerFault.exe 1468 WerFault.exe 1468 WerFault.exe 1468 WerFault.exe 1468 WerFault.exe 1468 WerFault.exe 1468 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
WerFault.exedescription pid process Token: SeRestorePrivilege 1468 WerFault.exe Token: SeBackupPrivilege 1468 WerFault.exe Token: SeDebugPrivilege 1468 WerFault.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\58637f1b136cf2f592b5871a00fc247aa45f6bf25f537211c043aa79bc845bb4.exe"C:\Users\Admin\AppData\Local\Temp\58637f1b136cf2f592b5871a00fc247aa45f6bf25f537211c043aa79bc845bb4.exe"1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 5082⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken