cobaltstrike | 7f7812eacc93910296d9434d1e9674613a0344d254c48f8bd9714f045ce5df31 | Triage

Analysis

max time kernel
13s
max time network
113s
platform
windows10_x64
resource
win10v20201028
submitted
12-11-2020 14:42

Sharing

Report Analysis Logs

General

Target

7f7812eacc93910296d9434d1e9674613a0344d254c48f8bd9714f045ce5df31.dll
Size

204KB
MD5

80b57cb267ea3dd70b4b25dd81910cd6
SHA1

b9bc74d5004353a17a70668df2229311b247a00d
SHA256

7f7812eacc93910296d9434d1e9674613a0344d254c48f8bd9714f045ce5df31
SHA512

85914ff080460e409ae9285f688b9a631360d0530f828036f3f70eb947304fc2cefcea64156c933ec19b1aa4f2a843f1910a0d48cfbac0ec558095e47050d859

Score

10^/10

cobaltstrike backdoor trojan

Malware Config

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2164 4760 WerFault.exe rundll32.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

pid	process
2164	WerFault.exe
2164	WerFault.exe
2164	WerFault.exe
2164	WerFault.exe
2164	WerFault.exe
2164	WerFault.exe
2164	WerFault.exe
2164	WerFault.exe
2164	WerFault.exe
2164	WerFault.exe
2164	WerFault.exe
2164	WerFault.exe
2164	WerFault.exe
2164	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 2164 WerFault.exe
Token: SeBackupPrivilege 2164 WerFault.exe
Token: SeDebugPrivilege 2164 WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 4716 wrote to memory of 4760	4716	rundll32.exe	rundll32.exe
PID 4716 wrote to memory of 4760	4716	rundll32.exe	rundll32.exe
PID 4716 wrote to memory of 4760	4716	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7f7812eacc93910296d9434d1e9674613a0344d254c48f8bd9714f045ce5df31.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4716

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7f7812eacc93910296d9434d1e9674613a0344d254c48f8bd9714f045ce5df31.dll,#1
2⤵
PID:4760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 640
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2164

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2164-1-0x0000000004F70000-0x0000000004F71000-memory.dmp

Filesize
4KB

Download
memory/2164-5-0x0000000005970000-0x0000000005971000-memory.dmp

Filesize
4KB

Download
memory/4760-0-0x0000000000000000-mapping.dmp

Download
memory/4760-2-0x0000000000000000-mapping.dmp

Download
memory/4760-3-0x0000000000000000-mapping.dmp

Download
memory/4760-4-0x0000000000000000-mapping.dmp

Download