cobaltstrike | 780e094f58b79d1e36bea73f8d51d794932c0e4e3ff2129ba8c08b5667a05f8a | Triage

Analysis

max time kernel
15s
max time network
110s
platform
windows10_x64
resource
win10v20201028
submitted
11-11-2020 10:53

Sharing

Report Analysis Logs

General

Target

780e094f58b79d1e36bea73f8d51d794932c0e4e3ff2129ba8c08b5667a05f8a.dll
Size

204KB
MD5

1774e47878695044939263df2d589f73
SHA1

572eb65284497e34a84f844f27bb6d70d173c3f8
SHA256

780e094f58b79d1e36bea73f8d51d794932c0e4e3ff2129ba8c08b5667a05f8a
SHA512

c360a6f6c8ae13675cd1b9183905baa4c146463fdcf543d69bc8d056314c1e5b9a7d0ecc812a7baade8aaa7539f80461da53598768e1eb9ca656e8f0a2afa3a4

Score

10^/10

cobaltstrike backdoor trojan

Malware Config

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

ServiceHost packer 3 IoCs

Detects ServiceHost packer used for .NET malware

Processes:

resource	yara_rule
behavioral2/memory/388-3-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/388-2-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/388-4-0x0000000000000000-mapping.dmp	servicehost

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3168 388 WerFault.exe rundll32.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

pid	process
3168	WerFault.exe
3168	WerFault.exe
3168	WerFault.exe
3168	WerFault.exe
3168	WerFault.exe
3168	WerFault.exe
3168	WerFault.exe
3168	WerFault.exe
3168	WerFault.exe
3168	WerFault.exe
3168	WerFault.exe
3168	WerFault.exe
3168	WerFault.exe
3168	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 3168 WerFault.exe
Token: SeBackupPrivilege 3168 WerFault.exe
Token: SeDebugPrivilege 3168 WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1080 wrote to memory of 388	1080	rundll32.exe	rundll32.exe
PID 1080 wrote to memory of 388	1080	rundll32.exe	rundll32.exe
PID 1080 wrote to memory of 388	1080	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\780e094f58b79d1e36bea73f8d51d794932c0e4e3ff2129ba8c08b5667a05f8a.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1080

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\780e094f58b79d1e36bea73f8d51d794932c0e4e3ff2129ba8c08b5667a05f8a.dll,#1
2⤵
PID:388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 388 -s 636
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3168

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/388-0-0x0000000000000000-mapping.dmp

Download
memory/388-3-0x0000000000000000-mapping.dmp

Download
memory/388-2-0x0000000000000000-mapping.dmp

Download
memory/388-4-0x0000000000000000-mapping.dmp

Download
memory/3168-1-0x0000000004270000-0x0000000004271000-memory.dmp

Filesize
4KB

Download
memory/3168-5-0x0000000004A30000-0x0000000004A31000-memory.dmp

Filesize
4KB

Download