Overview

overview

10

Static

static

10

5ccacffeab...d0.dll

windows7_x64

10

5ccacffeab...d0.dll

windows10_x64

1

Analysis

  • max time kernel
    4s
  • max time network
    13s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    11-11-2020 11:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5ccacffeab30b1996801fc201a750cc7d82d642363d0201cb04ec6b5235621d0.dll

  • Size

    244KB

  • MD5

    c4ebf2441989e96ae9d03fc236afe324

  • SHA1

    4547c851af4b09ccadbd218398bca4941a69e3bb

  • SHA256

    5ccacffeab30b1996801fc201a750cc7d82d642363d0201cb04ec6b5235621d0

  • SHA512

    7cc49b6a0500d8bfc6b94cb2119c58e3e0316e5ed2e2f734507122f49494aa5659d39ce61f5dc99bed245bbee2ab29944bfbf7f9d057a790efe85ab810787719

Score
10/10
cobaltstrikebackdoortrojan

Malware Config

Signatures

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

    trojanbackdoorcobaltstrike
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\5ccacffeab30b1996801fc201a750cc7d82d642363d0201cb04ec6b5235621d0.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1068
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\5ccacffeab30b1996801fc201a750cc7d82d642363d0201cb04ec6b5235621d0.dll,#1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1596
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1596 -s 196
        3⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1716

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1596-0-0x0000000000000000-mapping.dmp
    Download
  • memory/1596-3-0x0000000000000000-mapping.dmp
    Download
  • memory/1716-1-0x0000000000000000-mapping.dmp
    Download
  • memory/1716-2-0x0000000001E70000-0x0000000001E81000-memory.dmp
    Filesize

    68KB

    Download
  • memory/1716-4-0x00000000025C0000-0x00000000025D1000-memory.dmp
    Filesize

    68KB

    Download