File name: 21e60f444ad41cf3fbf875ec0777ad85abd3838223fcca713f0145c1f3b81e98

Full analysis: https://app.any.run/tasks/c93705d4-329a-47f0-b86c-7b2975a83940
Verdict: Malicious activity
Threats: Cobalt Strike

Cobalt Strike is a legitimate penetration-testing toolkit developed by Fortra, but cracked versions are widely adopted by threat actors, who use it as their C2 framework of choice for targeted attacks.

Analysis date: December 14, 2024, 02:15:53
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
cobaltstrike
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows, 9 sections
MD5: 7169FF69A4AB909881CFE2FB8F041ADA
SHA1: 00338A972E32AAA74F30D334B6612AB1FCE8A554
SHA256: 21E60F444AD41CF3FBF875EC0777AD85ABD3838223FCCA713F0145C1F3B81E98
SSDEEP: 192:NauHqWj7G4m1ajJAQa7LC+QWLfFCAZlYYqn5yyyptL7GbUaYnCrUR1p7gJTD:QWXGaNp+QWAClYRs9n7GbUanrUPYD

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • COBALTSTRIKE has been detected (YARA)
      • 21e60f444ad41cf3fbf875ec0777ad85abd3838223fcca713f0145c1f3b81e98.exe (PID: 6372)
  • SUSPICIOUS
    • Reads security settings of Internet Explorer
      • 21e60f444ad41cf3fbf875ec0777ad85abd3838223fcca713f0145c1f3b81e98.exe (PID: 6372)
    • Executes application which crashes
      • 21e60f444ad41cf3fbf875ec0777ad85abd3838223fcca713f0145c1f3b81e98.exe (PID: 6372)
  • INFO
    • Checks proxy server information
      • 21e60f444ad41cf3fbf875ec0777ad85abd3838223fcca713f0145c1f3b81e98.exe (PID: 6372)
      • WerFault.exe (PID: 6880)
    • Reads the computer name
      • 21e60f444ad41cf3fbf875ec0777ad85abd3838223fcca713f0145c1f3b81e98.exe (PID: 6372)
    • Creates files or folders in the user directory
      • WerFault.exe (PID: 6880)
    • Checks supported languages
      • 21e60f444ad41cf3fbf875ec0777ad85abd3838223fcca713f0145c1f3b81e98.exe (PID: 6372)
    • Reads the software policy settings
      • WerFault.exe (PID: 6880)

Cobalt Strike configuration

Process (PID 6372): 21e60f444ad41cf3fbf875ec0777ad85abd3838223fcca713f0145c1f3b81e98.exe
C2: 192.168.1.170:7000/D9rn
Headers: User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; BOIE9;ENUSMSE)

No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.2)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

Subsystem: Windows GUI
SubsystemVersion: 5.2
ImageVersion: -
OSVersion: 4
EntryPoint: 0x14c0
UninitializedDataSize: 2560
InitializedDataSize: 18432
CodeSize: 8704
LinkerVersion: 2.34
PEType: PE32+
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Large address aware, No debug
TimeStamp: 0000:00:00 00:00:00
MachineType: AMD AMD64
No data.
Total processes: 123
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start -> 21e60f444ad41cf3fbf875ec0777ad85abd3838223fcca713f0145c1f3b81e98.exe (#COBALTSTRIKE) -> werfault.exe

Process information

PID 6372
CMD: "C:\Users\admin\Desktop\21e60f444ad41cf3fbf875ec0777ad85abd3838223fcca713f0145c1f3b81e98.exe"
Path: C:\Users\admin\Desktop\21e60f444ad41cf3fbf875ec0777ad85abd3838223fcca713f0145c1f3b81e98.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221225477 (0xC0000005, STATUS_ACCESS_VIOLATION; the process crashed, which is why WerFault.exe was spawned)
Modules (images):
c:\users\admin\desktop\21e60f444ad41cf3fbf875ec0777ad85abd3838223fcca713f0145c1f3b81e98.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\wininet.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
Indicators: Cobalt Strike configuration
C2: 192.168.1.170:7000/D9rn
Headers: User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; BOIE9;ENUSMSE)

PID 6880
CMD: C:\WINDOWS\system32\WerFault.exe -u -p 6372 -s 1176
Path: C:\Windows\System32\WerFault.exe
Parent process: 21e60f444ad41cf3fbf875ec0777ad85abd3838223fcca713f0145c1f3b81e98.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Problem Reporting
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
Total events: 6 443
Read events: 6 443
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 0
Suspicious files: 2
Text files: 2
Unknown types: 0

Dropped files

PID | Process | Filename | Type
6880 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_21e60f444ad41cf3_1149544b0a21599f79c1c6fc2cd623659ae399_ae2e6674_04221ba5-ba68-4031-bff5-04a7f5e35212\Report.wer | (not listed)
  MD5: (not listed)
  SHA256: (not listed)
6880 | WerFault.exe | C:\Users\admin\AppData\Local\CrashDumps\21e60f444ad41cf3fbf875ec0777ad85abd3838223fcca713f0145c1f3b81e98.exe.6372.dmp | binary
  MD5: 0847F944E5CE6337CBCBEBCE43D41A73
  SHA256: F1A79DC301C13F59D5AED4A3947DC7070DD5ED1C844C44AF8F4782D921005F71
6880 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WERE4C7.tmp.WERInternalMetadata.xml | xml
  MD5: 7F7A9A7AA21695F50050558DEC4FC5E2
  SHA256: 5E118CC1F416AB4C7947072376A30A9EAB916F1DFEED720A6247AFE7972500AD
6880 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WERE429.tmp.dmp | binary
  MD5: 31DD447DDB279F7756822A555561D719
  SHA256: 6E5709B17DEEC224ADBA1D8BFDB1A867BF9ACBFE8AAA6FE0C9A25BDDDC8DF824
6880 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WERE4E7.tmp.xml | xml
  MD5: C97AF672609BA757AA3758EC10FDE945
  SHA256: E82F2355A7227B0826D5DA676D3FDD4B6E7C0AB18ADE8E9188B4EFD219331233
HTTP(S) requests: 4
TCP/UDP connections: 22
DNS requests: 8
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
(not listed) | (not listed) | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
4160 | RUXIMICS.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
6092 | svchost.exe | GET | 200 | 2.19.217.218:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
4160 | RUXIMICS.exe | GET | 200 | 2.19.217.218:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted

(The Type and Size columns were empty in the report.)

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4712 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
(not listed) | (not listed) | 192.168.100.255:137 | | | | whitelisted
6092 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4160 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
(not listed) | (not listed) | 23.212.110.144:443 | www.bing.com | Akamai International B.V. | CZ | whitelisted
(not listed) | (not listed) | 192.168.100.63:49679 | | | | unknown
3976 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6092 | svchost.exe | 23.216.77.6:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4160 | RUXIMICS.exe | 23.216.77.6:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
www.bing.com
  • 23.212.110.144
  • 23.212.110.162
whitelisted
google.com
  • 142.250.185.110
whitelisted
crl.microsoft.com
  • 23.216.77.6
  • 23.216.77.28
whitelisted
www.microsoft.com
  • 2.19.217.218
whitelisted
watson.events.data.microsoft.com
  • 20.189.173.22
whitelisted
self.events.data.microsoft.com
  • 20.42.65.93
whitelisted

Threats

No threats detected
No debug info