cobaltstrike | 27962c066713cb102b9972e0cadb98290fc95d67e2b9377a5e03640cbe7ac841

Analysis

Target

27962c066713cb102b9972e0cadb98290fc95d67e2b9377a5e03640cbe7ac841.dll
Size

469KB
MD5

833765960517f095d4ed2d8877bc254d
SHA1

883c469d97edab7f99f1668ac3b25742f35e380f
SHA256

27962c066713cb102b9972e0cadb98290fc95d67e2b9377a5e03640cbe7ac841
SHA512

afa59745f9d43db1f4b451a2c36d09b395cefc9f0a923808ba4e2155ba1680de54f0cb91b3f2e6d37d17f7abb8c0e79fdf8215c859d1a785998969d4e2bfee54

Score

10^/10

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1288 1824 WerFault.exe rundll32.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

WerFault.exe

pid process

1288 WerFault.exe
1288 WerFault.exe
1288 WerFault.exe
1288 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 1288 WerFault.exe

pid	pid_target	process	target process
1288	1824	WerFault.exe	rundll32.exe

description	pid	process
Token: SeDebugPrivilege	1288	WerFault.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1756 wrote to memory of 1824	1756	rundll32.exe	rundll32.exe
PID 1756 wrote to memory of 1824	1756	rundll32.exe	rundll32.exe
PID 1756 wrote to memory of 1824	1756	rundll32.exe	rundll32.exe
PID 1756 wrote to memory of 1824	1756	rundll32.exe	rundll32.exe
PID 1756 wrote to memory of 1824	1756	rundll32.exe	rundll32.exe
PID 1756 wrote to memory of 1824	1756	rundll32.exe	rundll32.exe
PID 1756 wrote to memory of 1824	1756	rundll32.exe	rundll32.exe
PID 1824 wrote to memory of 1288	1824	rundll32.exe	WerFault.exe
PID 1824 wrote to memory of 1288	1824	rundll32.exe	WerFault.exe
PID 1824 wrote to memory of 1288	1824	rundll32.exe	WerFault.exe
PID 1824 wrote to memory of 1288	1824	rundll32.exe	WerFault.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\27962c066713cb102b9972e0cadb98290fc95d67e2b9377a5e03640cbe7ac841.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1756

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\27962c066713cb102b9972e0cadb98290fc95d67e2b9377a5e03640cbe7ac841.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:1824

memory/1288-1-0x0000000000000000-mapping.dmp

Download
memory/1288-2-0x0000000001F50000-0x0000000001F61000-memory.dmp

Filesize
68KB

Download
memory/1288-4-0x0000000002700000-0x0000000002711000-memory.dmp

Filesize
68KB

Download
memory/1824-0-0x0000000000000000-mapping.dmp

Download
memory/1824-3-0x0000000000000000-mapping.dmp

Download