File name: 1cb78b2b099c06cd7c955bf5891330f014d6f77888cbfb0cf6aede367def18bb

Full analysis: https://app.any.run/tasks/eaf929a5-d314-4b82-91ca-2f3f3fc80c9f
Verdict: Malicious activity
Threats:

Cobalt Strike is a legitimate penetration testing toolkit developed by Fortra. Cracked versions are widely adopted by threat actors, who use it as a C2 framework of choice for targeted attacks.

Analysis date: January 01, 2025, 06:58:59
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: cobaltstrike
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows, 9 sections
MD5: 42515CED5CFBDB3CBCD531521A97E472
SHA1: BCB3E8CECC1DF1584AF90488EB7A3936660D902D
SHA256: 1CB78B2B099C06CD7C955BF5891330F014D6F77888CBFB0CF6AEDE367DEF18BB
SSDEEP: 192:pauHqWj7G4m1ajJAQa7LC+QWLfFCAZlYYqnjdhdaeptL7GbUaYnCrUR1p7gJTD:0WXGaNp+QWAClYR9aen7GbUanrUPYD

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • COBALTSTRIKE has been detected (YARA)

      • 1cb78b2b099c06cd7c955bf5891330f014d6f77888cbfb0cf6aede367def18bb.exe (PID: 556)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • 1cb78b2b099c06cd7c955bf5891330f014d6f77888cbfb0cf6aede367def18bb.exe (PID: 556)
    • Executes application which crashes

      • 1cb78b2b099c06cd7c955bf5891330f014d6f77888cbfb0cf6aede367def18bb.exe (PID: 556)
    • Connects to unusual port

      • 1cb78b2b099c06cd7c955bf5891330f014d6f77888cbfb0cf6aede367def18bb.exe (PID: 556)
  • INFO

    • Checks supported languages

      • 1cb78b2b099c06cd7c955bf5891330f014d6f77888cbfb0cf6aede367def18bb.exe (PID: 556)
    • Reads the computer name

      • 1cb78b2b099c06cd7c955bf5891330f014d6f77888cbfb0cf6aede367def18bb.exe (PID: 556)
    • Checks proxy server information

      • 1cb78b2b099c06cd7c955bf5891330f014d6f77888cbfb0cf6aede367def18bb.exe (PID: 556)
      • WerFault.exe (PID: 4672)
    • Creates files or folders in the user directory

      • WerFault.exe (PID: 4672)
    • Reads the software policy settings

      • WerFault.exe (PID: 4672)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

CobaltStrike

Process: 1cb78b2b099c06cd7c955bf5891330f014d6f77888cbfb0cf6aede367def18bb.exe (PID: 556)
C2: 192.168.119.128:1234/CYyH
Headers: User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
No further configuration fields were extracted.

Note that 192.168.119.128 is a private (RFC 1918) address on a different subnet from the sandbox host itself (whose NetBIOS broadcasts go to 192.168.100.255), so unless that segment was deliberately bridged the stager could not have reached a live team server during this run; the network section below accordingly records only the connection attempt (reputation unknown) and no triggered threat signatures.
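The C2 line above carries more information than it looks. Default Metasploit and Cobalt Strike HTTP stagers pick a random URI whose 8-bit checksum ("checksum8", the byte sum modulo 256) tells the staging server which payload to serve: 92 for x86, 93 for x64. The following is an added example, not code from ANY.RUN or Fortra: it takes only the values printed in this report (the C2 line, the User-Agent and the "File info" string), computes the checksum, cross-checks the implied architecture against the PE32+ sample, flags the private C2 address, and emits a Suricata rule for the stager request. The sid is a placeholder from the local range.

```python
"""Checks on the beacon C2 line from this report (added example, not ANY.RUN/Fortra code)."""
import ipaddress
import re

# Copied verbatim from the CobaltStrike config block and the "File info" line above.
C2_LINE = "192.168.119.128:1234/CYyH"
USER_AGENT = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
FILE_INFO = "PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows, 9 sections"

# checksum8 values used by Metasploit and Cobalt Strike default HTTP stagers.
CHECKSUM_ARCH = {92: "x86", 93: "x64"}


def checksum8(uri_path: str) -> int:
    """Sum of the ASCII byte values of the URI path (no leading slash), modulo 256."""
    return sum(uri_path.encode("ascii")) % 256


def parse_c2(line: str) -> dict:
    """Split the report's 'host:port/uri' form into host, integer port and uri."""
    m = re.fullmatch(r"(?P<host>[^:/]+):(?P<port>\d{1,5})(?P<uri>/\S*)", line)
    if m is None:
        raise ValueError(f"unexpected C2 line: {line!r}")
    return {"host": m["host"], "port": int(m["port"]), "uri": m["uri"]}


def stager_arch(uri: str):
    """Architecture implied by the URI checksum, or None for a non-default (malleable) URI."""
    return CHECKSUM_ARCH.get(checksum8(uri.lstrip("/")))


def pe_arch(file_info: str) -> str:
    """Architecture of the sample from the libmagic 'File info' string (PE32+ means 64-bit)."""
    return "x64" if file_info.startswith("PE32+") else "x86"


def analyse(c2_line: str = C2_LINE, file_info: str = FILE_INFO) -> dict:
    """Cross-check the stager URI against the sample and flag a private C2 address."""
    c2 = parse_c2(c2_line)
    arch = stager_arch(c2["uri"])
    sample = pe_arch(file_info)
    return {
        **c2,
        "checksum8": checksum8(c2["uri"].lstrip("/")),
        "stager_arch": arch,
        "sample_arch": sample,
        "arch_consistent": arch == sample,
        # ip_address() raises on a hostname; this report gives a bare IP.
        "private_c2": ipaddress.ip_address(c2["host"]).is_private,
    }


def suricata_rule(c2: dict, ua: str = USER_AGENT, sid: int = 1000001) -> str:
    """Suricata 5+ rule for this stager request; sid is a local placeholder, not a published ID."""
    ua_escaped = ua.replace(";", "\\;")  # semicolons inside content: must be escaped
    return (
        f'alert http $HOME_NET any -> {c2["host"]} {c2["port"]} '
        f'(msg:"Cobalt Strike HTTP stager {c2["uri"]}"; flow:established,to_server; '
        f'http.uri; content:"{c2["uri"]}"; '
        f'http.user_agent; content:"{ua_escaped}"; '
        f"sid:{sid}; rev:1;)"
    )


if __name__ == "__main__":
    result = analyse()
    print(result)
    print(suricata_rule(result))
```

For this sample the checksum of CYyH is 93, i.e. an x64 stager, which agrees with the PE32+ image; a mismatch would be worth a second look, and no match at all usually means a malleable C2 profile with a custom URI rather than the default stager.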

TRiD

.exe | Win64 Executable (generic) (87.2)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 0000:00:00 00:00:00 (zeroed PE compile timestamp; it cannot be used to date the build)
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Large address aware, No debug
PEType: PE32+
LinkerVersion: 2.34 (a GNU ld/binutils version number; MSVC-linked binaries report 14.x, so this was most likely built with a MinGW toolchain)
CodeSize: 8704
InitializedDataSize: 18432
UninitializedDataSize: 2560
EntryPoint: 0x14c0
OSVersion: 4
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows GUI
Screenshots

All screenshots are available in the full report
Total processes: 120
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start -> 1cb78b2b099c06cd7c955bf5891330f014d6f77888cbfb0cf6aede367def18bb.exe (#COBALTSTRIKE) -> werfault.exe

Process information

PID: 556
CMD: "C:\Users\admin\Desktop\1cb78b2b099c06cd7c955bf5891330f014d6f77888cbfb0cf6aede367def18bb.exe"
Path: C:\Users\admin\Desktop\1cb78b2b099c06cd7c955bf5891330f014d6f77888cbfb0cf6aede367def18bb.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221225477 (0xC0000005, STATUS_ACCESS_VIOLATION: the beacon crashed, which is why WerFault.exe appears as its child below)
Modules
Images
c:\users\admin\desktop\1cb78b2b099c06cd7c955bf5891330f014d6f77888cbfb0cf6aede367def18bb.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\wininet.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
CobaltStrike
Process: 1cb78b2b099c06cd7c955bf5891330f014d6f77888cbfb0cf6aede367def18bb.exe (PID: 556)
C2: 192.168.119.128:1234/CYyH
Headers: User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
PID: 4672
CMD: C:\WINDOWS\system32\WerFault.exe -u -p 556 -s 1176
Path: C:\Windows\System32\WerFault.exe
Parent process: 1cb78b2b099c06cd7c955bf5891330f014d6f77888cbfb0cf6aede367def18bb.exe (the crashed beacon; -p 556 is the PID WerFault was asked to report on)
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
Total events: 6 443
Read events: 6 443
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 2
Text files: 2
Unknown types: 0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
4672 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_1cb78b2b099c06cd_7c4ceb68fecc163f706f1250768fde7dccf743_cecea214_038dc449-09ec-4689-97f0-42c7367c5b00\Report.wer | - | - | -
4672 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WERF560.tmp.dmp | dmp | 07C3126ED210151AF8DEC888096B1CF5 | 7C6F128222C27CC9BAF2AFF626DF7C8E579856D83EB34632BD6CC7A66249C1E5
4672 | WerFault.exe | C:\Users\admin\AppData\Local\CrashDumps\1cb78b2b099c06cd7c955bf5891330f014d6f77888cbfb0cf6aede367def18bb.exe.556.dmp | binary | 1F94AA90B06BB917D27A3C620E26C431 | C4B551F458E9765E82AEC46FDA0BF688FBFB1AC596630D32BE137FD9416AB3C7
4672 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WERF63B.tmp.WERInternalMetadata.xml | xml | 113F8E18AA13162C425E3DF20CF2CB51 | F88047303390A0514FD453DF7097D11DF479161B16F9754E527C638AD0339229
4672 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WERF65C.tmp.xml | xml | BFD61491F8BEC3F9B06CF5E5F4B4C25B | AF2C394FFAF7F00055C0D3FEBEAFDE0C16A35D187F4B0711C2694D9815A1A7B6
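The crash dumps WerFault wrote for PID 556 (WERF560.tmp.dmp and the CrashDumps copy listed above) are the natural place to recover the full beacon configuration that the sandbox only partially extracted. The following is an added example, not ANY.RUN's code: a minimal carver for the Beacon config format, which is a stream of big-endian TLV records (2-byte index, 2-byte type, 2-byte length, value) XOR-encoded with a single byte, 0x69 in Cobalt Strike 3.x and 0x2e in 4.x. Because the first record is always index 1 / type 1 / length 2 (BeaconType), the encoded stream begins with 00 01 00 01 00 02 XOR key, which is the pattern scanned for. The dump it runs on is a constructed byte string built to that layout with values mirroring this report; it is not the real WERF560.tmp.dmp, and the SleepTime and Jitter values in it are assumptions.

```python
"""Carve a Cobalt Strike beacon config from a process dump (added example, not ANY.RUN's code)."""
import struct

XOR_KEYS = (0x2E, 0x69)                       # 4.x first, then 3.x
FIRST_RECORD = b"\x00\x01\x00\x01\x00\x02"    # index 1, type 1 (short), length 2

# Well-known setting indices (subset); anything else is reported by number.
SETTING_NAMES = {
    1: "BeaconType", 2: "Port", 3: "SleepTime", 4: "MaxGetSize", 5: "Jitter",
    7: "PublicKey", 8: "C2Server", 9: "UserAgent", 10: "HttpPostUri",
    14: "SpawnTo", 15: "PipeName",
}
BEACON_TYPES = {0: "HTTP", 1: "Hybrid HTTP DNS", 2: "SMB", 4: "TCP", 8: "HTTPS", 16: "Bind TCP"}


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def parse_config(blob: bytes, off: int, key: int, max_len: int = 4096):
    """Decode the TLV stream at blob[off:]; return a dict, or None if it is not a config."""
    data = xor_bytes(blob[off:off + max_len], key)
    pos, settings = 0, {}
    while pos + 6 <= len(data):
        idx, typ, length = struct.unpack(">HHH", data[pos:pos + 6])
        if idx == 0:                      # an all-zero record terminates the config
            break
        pos += 6
        raw = data[pos:pos + length]
        pos += length
        if len(raw) != length:
            return None                   # truncated: not a real config
        if typ == 1 and length == 2:
            val = struct.unpack(">H", raw)[0]
        elif typ == 2 and length == 4:
            val = struct.unpack(">I", raw)[0]
        elif typ == 3 and idx == 7:
            val = raw.hex()               # PublicKey is DER; keep it as hex
        elif typ == 3:
            # Byte fields are NUL-padded; C2Server keeps host and ",/uri" as separate NUL-terminated parts.
            val = [p.decode("latin-1") for p in raw.split(b"\x00") if p]
        else:
            return None                   # unknown type: the marker hit was a false positive
        settings[SETTING_NAMES.get(idx, f"Setting{idx}")] = val
    bt = settings.get("BeaconType")
    if not isinstance(bt, int) or bt not in BEACON_TYPES or "Port" not in settings:
        return None
    settings["BeaconType"] = BEACON_TYPES[bt]
    return settings


def carve(blob: bytes):
    """Scan for both known XOR keys and return the first config that parses cleanly."""
    for key in XOR_KEYS:
        marker = xor_bytes(FIRST_RECORD, key)
        off = blob.find(marker)
        while off != -1:
            cfg = parse_config(blob, off, key)
            if cfg is not None:
                return {"offset": off, "xor_key": key, **cfg}
            off = blob.find(marker, off + 1)
    return None


def _record(idx: int, typ: int, value, pad: int = 0) -> bytes:
    """Encode one TLV record (used only to build the constructed sample)."""
    if typ == 1:
        raw = struct.pack(">H", value)
    elif typ == 2:
        raw = struct.pack(">I", value)
    else:
        raw = value.ljust(pad, b"\x00")
    return struct.pack(">HHH", idx, typ, len(raw)) + raw


def build_sample_dump(key: int = 0x2E) -> bytes:
    """Constructed dump: header junk, an encoded 4.x-style config, trailing junk."""
    config = (
        _record(1, 1, 0)                                        # BeaconType: HTTP
        + _record(2, 1, 1234)                                   # Port, as in this report
        + _record(3, 2, 60000)                                  # SleepTime in ms (assumed)
        + _record(5, 1, 0)                                      # Jitter (assumed)
        + _record(8, 3, b"192.168.119.128\x00,/CYyH", 256)      # C2Server, as in this report
        + _record(9, 3, b"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)", 128)
        + b"\x00" * 6                                           # terminator
    )
    return b"MDMP" + b"\x90" * 64 + xor_bytes(config, key) + b"\xcc" * 32


if __name__ == "__main__":
    print(carve(build_sample_dump()))
```

Run against a real minidump (open the .dmp in binary mode and pass the bytes to carve()), the same scan recovers the public key, sleep/jitter and malleable-profile fields that distinguish one team server from another; the BeaconType/Port sanity check in parse_config is what keeps a stray six-byte match in unrelated memory from being reported as a config.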
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 4
TCP/UDP connections: 21
DNS requests: 7
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.16.164.49:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
448 | svchost.exe | GET | 200 | 2.16.164.49:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
448 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
448 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4712 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | unknown
- | - | 192.168.100.255:138 | - | - | - | whitelisted
556 | 1cb78b2b099c06cd7c955bf5891330f014d6f77888cbfb0cf6aede367def18bb.exe | 192.168.119.128:1234 | - | - | - | unknown
4712 | MoUsoCoreWorker.exe | 2.16.164.49:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
448 | svchost.exe | 2.16.164.49:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
4712 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
448 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
448 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown

The only connection attributable to the sample is PID 556 to 192.168.119.128:1234 (the "Connects to unusual port" indicator above); every other row is routine Windows telemetry and CRL traffic from svchost.exe and MoUsoCoreWorker.exe.

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 4.231.128.59
whitelisted
google.com
  • 142.250.185.238
whitelisted
crl.microsoft.com
  • 2.16.164.49
  • 2.16.164.120
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
watson.events.data.microsoft.com
  • 52.168.117.173
whitelisted
self.events.data.microsoft.com
  • 13.69.116.109
whitelisted

Threats

No threats detected
No debug info