cobaltstrike | 46348dc4001604b1bede4d700753b14db705fa4d308cbae0525aab5f1b8ed532 | Triage

Analysis

max time kernel
13s
max time network
71s
platform
windows10_x64
resource
win10v20201028
submitted
10-11-2020 07:01

Sharing

Report Analysis Logs

General

Target

46348dc4001604b1bede4d700753b14db705fa4d308cbae0525aab5f1b8ed532.dll
Size

204KB
MD5

ebe5044ff40edaead04ad0e25cf564b3
SHA1

ecb30800102dff8a407755978994fc2f96d7c0bb
SHA256

46348dc4001604b1bede4d700753b14db705fa4d308cbae0525aab5f1b8ed532
SHA512

829cead392877ee226cd3ff235488ed6f5850083c8d1b85aaac0345e091589ac78a47ec1d4bf3e8c0930d70d10e8b98e14807da176509fc1efceb1152e72e606

Score

10^/10

cobaltstrike backdoor trojan

Malware Config

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

ServiceHost packer 3 IoCs

Detects ServiceHost packer used for .NET malware

Processes:

resource	yara_rule
behavioral2/memory/1240-2-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/1240-3-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/1240-4-0x0000000000000000-mapping.dmp	servicehost

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3388 1240 WerFault.exe rundll32.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

pid	process
3388	WerFault.exe
3388	WerFault.exe
3388	WerFault.exe
3388	WerFault.exe
3388	WerFault.exe
3388	WerFault.exe
3388	WerFault.exe
3388	WerFault.exe
3388	WerFault.exe
3388	WerFault.exe
3388	WerFault.exe
3388	WerFault.exe
3388	WerFault.exe
3388	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 3388 WerFault.exe
Token: SeBackupPrivilege 3388 WerFault.exe
Token: SeDebugPrivilege 3388 WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1036 wrote to memory of 1240	1036	rundll32.exe	rundll32.exe
PID 1036 wrote to memory of 1240	1036	rundll32.exe	rundll32.exe
PID 1036 wrote to memory of 1240	1036	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\46348dc4001604b1bede4d700753b14db705fa4d308cbae0525aab5f1b8ed532.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1036

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\46348dc4001604b1bede4d700753b14db705fa4d308cbae0525aab5f1b8ed532.dll,#1
2⤵
PID:1240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1240 -s 636
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3388

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1240-0-0x0000000000000000-mapping.dmp

Download
memory/1240-2-0x0000000000000000-mapping.dmp

Download
memory/1240-3-0x0000000000000000-mapping.dmp

Download
memory/1240-4-0x0000000000000000-mapping.dmp

Download
memory/3388-1-0x00000000048A0000-0x00000000048A1000-memory.dmp

Filesize
4KB

Download
memory/3388-5-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download