cobaltstrike | 68c56df172f7293805b94e92f2611e514025a4b0dbdcc00c510224a8da4b3088 | Triage

Analysis

max time kernel
10s
max time network
111s
platform
windows10_x64
resource
win10v20201028
submitted
11-11-2020 11:44

Sharing

Report Analysis Logs

General

Target

68c56df172f7293805b94e92f2611e514025a4b0dbdcc00c510224a8da4b3088.dll
Size

199KB
MD5

46f46ade0fd2e8441d58fc443e158412
SHA1

6a6c86ee912a59369857dd79a291e4c9a6d1ea17
SHA256

68c56df172f7293805b94e92f2611e514025a4b0dbdcc00c510224a8da4b3088
SHA512

e4f12ece6c7d6b02f7413afd534671e980b7a3bf822ac57bf1ee566eb4c6f438befd7b55e3a18f78df2c3b0d1a52ce82b22d3f647bdd0d9844eedd2668c4d968

Score

10^/10

cobaltstrike backdoor trojan

Malware Config

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

ServiceHost packer 2 IoCs

Detects ServiceHost packer used for .NET malware

Processes:

resource	yara_rule
behavioral2/memory/4756-2-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/4756-3-0x0000000000000000-mapping.dmp	servicehost

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5096 4756 WerFault.exe rundll32.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

pid	process
5096	WerFault.exe
5096	WerFault.exe
5096	WerFault.exe
5096	WerFault.exe
5096	WerFault.exe
5096	WerFault.exe
5096	WerFault.exe
5096	WerFault.exe
5096	WerFault.exe
5096	WerFault.exe
5096	WerFault.exe
5096	WerFault.exe
5096	WerFault.exe
5096	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 5096 WerFault.exe
Token: SeBackupPrivilege 5096 WerFault.exe
Token: SeDebugPrivilege 5096 WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 4696 wrote to memory of 4756	4696	rundll32.exe	rundll32.exe
PID 4696 wrote to memory of 4756	4696	rundll32.exe	rundll32.exe
PID 4696 wrote to memory of 4756	4696	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\68c56df172f7293805b94e92f2611e514025a4b0dbdcc00c510224a8da4b3088.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4696

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\68c56df172f7293805b94e92f2611e514025a4b0dbdcc00c510224a8da4b3088.dll,#1
2⤵
PID:4756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4756 -s 632
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5096

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4756-0-0x0000000000000000-mapping.dmp

Download
memory/4756-2-0x0000000000000000-mapping.dmp

Download
memory/4756-3-0x0000000000000000-mapping.dmp

Download
memory/5096-1-0x0000000004E10000-0x0000000004E11000-memory.dmp

Filesize
4KB

Download
memory/5096-4-0x0000000005680000-0x0000000005681000-memory.dmp

Filesize
4KB

Download