cobaltstrike | a32821288e4c9ec67ad293f67135d868db184fb8063f0febcceca8d76e198095

Analysis

Target

a32821288e4c9ec67ad293f67135d868db184fb8063f0febcceca8d76e198095.dll
Size

244KB
MD5

ef7cb9b6a3e813fffe9ce5eaf18ca10f
SHA1

a3397580a3de6ea2235ac52909832816be701921
SHA256

a32821288e4c9ec67ad293f67135d868db184fb8063f0febcceca8d76e198095
SHA512

3f9db572a97a1b7c00b3bcb463854e2a27b09cd29b9ff9dc2f2462809f57d4a84dc5b8e031f394b21707b8493558589ee506c80813e67aa182ae9eae60882587

Score

10^/10

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1200 904 WerFault.exe rundll32.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

WerFault.exe

pid process

1200 WerFault.exe
1200 WerFault.exe
1200 WerFault.exe
1200 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 1200 WerFault.exe

pid	pid_target	process	target process
1200	904	WerFault.exe	rundll32.exe

description	pid	process
Token: SeDebugPrivilege	1200	WerFault.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1744 wrote to memory of 904	1744	rundll32.exe	rundll32.exe
PID 1744 wrote to memory of 904	1744	rundll32.exe	rundll32.exe
PID 1744 wrote to memory of 904	1744	rundll32.exe	rundll32.exe
PID 1744 wrote to memory of 904	1744	rundll32.exe	rundll32.exe
PID 1744 wrote to memory of 904	1744	rundll32.exe	rundll32.exe
PID 1744 wrote to memory of 904	1744	rundll32.exe	rundll32.exe
PID 1744 wrote to memory of 904	1744	rundll32.exe	rundll32.exe
PID 904 wrote to memory of 1200	904	rundll32.exe	WerFault.exe
PID 904 wrote to memory of 1200	904	rundll32.exe	WerFault.exe
PID 904 wrote to memory of 1200	904	rundll32.exe	WerFault.exe
PID 904 wrote to memory of 1200	904	rundll32.exe	WerFault.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a32821288e4c9ec67ad293f67135d868db184fb8063f0febcceca8d76e198095.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1744

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a32821288e4c9ec67ad293f67135d868db184fb8063f0febcceca8d76e198095.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:904

memory/904-0-0x0000000000000000-mapping.dmp

Download
memory/904-3-0x0000000000000000-mapping.dmp

Download
memory/1200-1-0x0000000000000000-mapping.dmp

Download
memory/1200-2-0x0000000001F00000-0x0000000001F11000-memory.dmp

Filesize
68KB

Download
memory/1200-4-0x00000000025D0000-0x00000000025E1000-memory.dmp

Filesize
68KB

Download