File name:

f082eedef33641437cabb0607d29194c1b27ca57b797f0170fe48f83edf70be2

Full analysis: https://app.any.run/tasks/f0937092-5209-4ba0-8d91-5bf89e4f90ea
Verdict: Malicious activity
Threats:

Cobalt Strike is a legitimate penetration software toolkit developed by Forta. But its cracked versions are widely adopted by bad actors, who use it as a C2 system of choice for targeted attacks.

Malware Trends Tracker     >>>
Analysis date: December 14, 2024, 00:13:53
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
cobaltstrike
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (console) x86-64, for MS Windows, 17 sections
MD5:

08B594BFF7CEC1EBFD4C855B5B34482C

SHA1:

4055753A83AA3B383EACEBB456704D403F02A671

SHA256:

F082EEDEF33641437CABB0607D29194C1B27CA57B797F0170FE48F83EDF70BE2

SSDEEP:

1536:tXZyXbZYbku4k6Nqr4iPzeDQFjWSWAaKuVBIX0BFNhtyp:tXwm4LaCNh0p

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • COBALTSTRIKE has been detected (YARA)

      • f082eedef33641437cabb0607d29194c1b27ca57b797f0170fe48f83edf70be2.exe (PID: 6520)

  • SUSPICIOUS

    • Executes application which crashes

      • f082eedef33641437cabb0607d29194c1b27ca57b797f0170fe48f83edf70be2.exe (PID: 6520)

  • INFO

    • Creates files or folders in the user directory

      • WerFault.exe (PID: 6716)

    • Checks proxy server information

      • WerFault.exe (PID: 6716)

    • Checks supported languages

      • f082eedef33641437cabb0607d29194c1b27ca57b797f0170fe48f83edf70be2.exe (PID: 6520)

    • Reads the software policy settings

      • WerFault.exe (PID: 6716)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.2)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

Subsystem: Windows command line
SubsystemVersion: 5.2
ImageVersion: -
OSVersion: 4
EntryPoint: 0x1500
UninitializedDataSize: 3072
InitializedDataSize: 8192
CodeSize: 7680
LinkerVersion: 2.24
PEType: PE32+
ImageFileCharacteristics: No relocs, Executable, No line numbers, Large address aware
TimeStamp: 2024:12:11 13:38:02+00:00
MachineType: AMD AMD64
No data.
screenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
121
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #COBALTSTRIKE f082eedef33641437cabb0607d29194c1b27ca57b797f0170fe48f83edf70be2.exe conhost.exe no specs werfault.exe

Process information

PID
CMD
Path
Indicators
Parent process
6520"C:\Users\admin\Desktop\f082eedef33641437cabb0607d29194c1b27ca57b797f0170fe48f83edf70be2.exe" C:\Users\admin\Desktop\f082eedef33641437cabb0607d29194c1b27ca57b797f0170fe48f83edf70be2.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221225477
Modules
Images
c:\users\admin\desktop\f082eedef33641437cabb0607d29194c1b27ca57b797f0170fe48f83edf70be2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
6528\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exef082eedef33641437cabb0607d29194c1b27ca57b797f0170fe48f83edf70be2.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
6716C:\WINDOWS\system32\WerFault.exe -u -p 6520 -s 188C:\Windows\System32\WerFault.exe
f082eedef33641437cabb0607d29194c1b27ca57b797f0170fe48f83edf70be2.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
Total events
6 741
Read events
6 741
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
2
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
6716WerFault.exeC:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_f082eedef3364143_27ff1de504bc7d5604735caa89756dffb3226c_7a1ecdea_9cd9044c-e795-46a2-bc9a-b8ce9b3ef433\Report.wer
MD5:
SHA256:
6716WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WER6787.tmp.dmpbinary
MD5:ED591A474B1FFD80765D833A933C2C8B
SHA256:AE9C7D4D4B60D815A761C4943C1958CB6CB65292724D90E9982789069B174643
6716WerFault.exeC:\Users\admin\AppData\Local\CrashDumps\f082eedef33641437cabb0607d29194c1b27ca57b797f0170fe48f83edf70be2.exe.6520.dmpbinary
MD5:7624E309307C6013E38A75177AF0595B
SHA256:24A3CE7A27112D1B9036D4F6E3EF5F3B1359757E36BC489B79922798D74B8885
6716WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WER67E6.tmp.WERInternalMetadata.xmlxml
MD5:4616E1455E95D3CCF8952EE7EC87E6E5
SHA256:9532883D14B96B2D2F1987F790B089DE48762BEFAD259DB83888C159E3CD4DE9
6716WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WER6816.tmp.xmlxml
MD5:7A344B01E249E3F5974254C002D29902
SHA256:F61A8F50717F172EC570A2E2C07EDADA91A5BD2746274BBBAD6ED6745AD68643
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
20
DNS requests
8
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4712
MoUsoCoreWorker.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
23.53.40.176:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4712
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
192.168.100.255:137
whitelisted
1684
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
104.126.37.144:443
www.bing.com
Akamai International B.V.
DE
whitelisted
6716
WerFault.exe
13.89.179.12:443
watson.events.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4712
MoUsoCoreWorker.exe
23.53.40.176:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4712
MoUsoCoreWorker.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
1684
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.124.78.146
whitelisted
www.bing.com
  • 104.126.37.144
  • 104.126.37.131
  • 104.126.37.153
  • 104.126.37.155
  • 104.126.37.130
  • 104.126.37.139
whitelisted
google.com
  • 142.250.184.238
whitelisted
watson.events.data.microsoft.com
  • 13.89.179.12
whitelisted
crl.microsoft.com
  • 23.53.40.176
  • 23.53.40.178
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
self.events.data.microsoft.com
  • 20.52.64.201
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
f082eedef33641437cabb0607d29194c1b27ca57b797f0170fe48f83edf70be2