File name:

6d6851169cecdff195568b1d34a3fe778e617e480bf57e7625dbf506f60f0aeb

Full analysis: https://app.any.run/tasks/0e83a728-c2f5-46cb-a475-c6aee71850bb
Verdict: Malicious activity
Threats:

Cobalt Strike is a legitimate penetration software toolkit developed by Forta. But its cracked versions are widely adopted by bad actors, who use it as a C2 system of choice for targeted attacks.

Malware Trends Tracker     >>>
Analysis date: November 20, 2024, 16:09:00
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
cobaltstrike
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows, 9 sections
MD5:

4A6C23587F862589DD6D1761EFB18844

SHA1:

AB594B736F529D84CFAD5283776F5E9C695920C8

SHA256:

6D6851169CECDFF195568B1D34A3FE778E617E480BF57E7625DBF506F60F0AEB

SSDEEP:

192:AauHqWj7G4m1ajJAQa7LC+QWLfFCAZlYYqnpgKPptL7GbUaYnCrUR1p7gJTD:jWXGaNp+QWAClYRfn7GbUanrUPYD

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • COBALTSTRIKE has been detected (YARA)

      • 6d6851169cecdff195568b1d34a3fe778e617e480bf57e7625dbf506f60f0aeb.exe (PID: 4556)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • 6d6851169cecdff195568b1d34a3fe778e617e480bf57e7625dbf506f60f0aeb.exe (PID: 4556)

    • Executes application which crashes

      • 6d6851169cecdff195568b1d34a3fe778e617e480bf57e7625dbf506f60f0aeb.exe (PID: 4556)

  • INFO

    • Checks supported languages

      • 6d6851169cecdff195568b1d34a3fe778e617e480bf57e7625dbf506f60f0aeb.exe (PID: 4556)

    • Reads the computer name

      • 6d6851169cecdff195568b1d34a3fe778e617e480bf57e7625dbf506f60f0aeb.exe (PID: 4556)

    • Checks proxy server information

      • 6d6851169cecdff195568b1d34a3fe778e617e480bf57e7625dbf506f60f0aeb.exe (PID: 4556)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

CobalStrike

(PID) Process(4556) 6d6851169cecdff195568b1d34a3fe778e617e480bf57e7625dbf506f60f0aeb.exe
C2192.168.1.47:8080/rBx1
HeadersUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; NP02)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.2)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Large address aware, No debug
PEType: PE32+
LinkerVersion: 2.34
CodeSize: 8704
InitializedDataSize: 18432
UninitializedDataSize: 2560
EntryPoint: 0x14c0
OSVersion: 4
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
119
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #COBALTSTRIKE 6d6851169cecdff195568b1d34a3fe778e617e480bf57e7625dbf506f60f0aeb.exe werfault.exe

Process information

PID
CMD
Path
Indicators
Parent process
848C:\WINDOWS\system32\WerFault.exe -u -p 4556 -s 1168C:\Windows\System32\WerFault.exe
6d6851169cecdff195568b1d34a3fe778e617e480bf57e7625dbf506f60f0aeb.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\oleaut32.dll
4556"C:\Users\admin\Desktop\6d6851169cecdff195568b1d34a3fe778e617e480bf57e7625dbf506f60f0aeb.exe" C:\Users\admin\Desktop\6d6851169cecdff195568b1d34a3fe778e617e480bf57e7625dbf506f60f0aeb.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221225477
Modules
Images
c:\users\admin\desktop\6d6851169cecdff195568b1d34a3fe778e617e480bf57e7625dbf506f60f0aeb.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\wininet.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
CobalStrike
(PID) Process(4556) 6d6851169cecdff195568b1d34a3fe778e617e480bf57e7625dbf506f60f0aeb.exe
C2192.168.1.47:8080/rBx1
HeadersUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; NP02)
Total events
6 603
Read events
6 595
Write events
8
Delete events
0

Modification events

(PID) Process:(4556) 6d6851169cecdff195568b1d34a3fe778e617e480bf57e7625dbf506f60f0aeb.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(4556) 6d6851169cecdff195568b1d34a3fe778e617e480bf57e7625dbf506f60f0aeb.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(4556) 6d6851169cecdff195568b1d34a3fe778e617e480bf57e7625dbf506f60f0aeb.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(4556) 6d6851169cecdff195568b1d34a3fe778e617e480bf57e7625dbf506f60f0aeb.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
Executable files
0
Suspicious files
2
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
848WerFault.exeC:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_6d6851169cecdff1_6e853697b02aa1af61b38df69777115f48f82553_855f5654_874c6ba1-c070-4841-944d-2a240675fe95\Report.wer
MD5:
SHA256:
848WerFault.exeC:\Users\admin\AppData\Local\CrashDumps\6d6851169cecdff195568b1d34a3fe778e617e480bf57e7625dbf506f60f0aeb.exe.4556.dmpbinary
MD5:41240C723080448CF69452B238C37B12
SHA256:7BD53403BE528CBA16B5F915140011A3F6092998C3EA5EB5EB807B14FE1100F4
848WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WER2206.tmp.dmpbinary
MD5:9DBFD95D3D77A004E534BCF332D73A7D
SHA256:3CA1BF3682E343CC5676BB486F920ADA6A3689A7DDD2A4152BDBC1BBCA4E9A5B
848WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WER22E2.tmp.xmlxml
MD5:052C5B04C70DD0FA730ABDA55E8A5E17
SHA256:770C771B46EE5BC4BB524440EB854B44F8C0CDB9698DD1FAA11B984B2A826F69
848WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WER22C2.tmp.WERInternalMetadata.xmlxml
MD5:F3F033B59A2C0BC3854234CC335CBFD8
SHA256:F88C12C65899BF6E05F5E5F4A79470759DAFE50BEE209EA75439F4DE715E838C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
23
DNS requests
8
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5996
RUXIMICS.exe
GET
200
23.53.40.178:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4932
svchost.exe
GET
200
23.53.40.178:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5996
RUXIMICS.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4932
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
23.53.40.178:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
5996
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
4932
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4712
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
104.126.37.131:443
www.bing.com
Akamai International B.V.
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
192.168.100.225:49679
unknown
5996
RUXIMICS.exe
23.53.40.178:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4712
MoUsoCoreWorker.exe
23.53.40.178:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4932
svchost.exe
23.53.40.178:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
www.bing.com
  • 104.126.37.131
  • 104.126.37.163
  • 104.126.37.130
  • 104.126.37.178
  • 104.126.37.170
  • 104.126.37.128
  • 104.126.37.186
  • 104.126.37.162
  • 104.126.37.171
whitelisted
google.com
  • 142.250.185.110
whitelisted
crl.microsoft.com
  • 23.53.40.178
  • 23.53.40.176
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
watson.events.data.microsoft.com
  • 20.189.173.21
whitelisted
self.events.data.microsoft.com
  • 51.104.15.252
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
6d6851169cecdff195568b1d34a3fe778e617e480bf57e7625dbf506f60f0aeb