cobaltstrike | 27962c066713cb102b9972e0cadb98290fc95d67e2b9377a5e03640cbe7ac841

Analysis

Target

27962c066713cb102b9972e0cadb98290fc95d67e2b9377a5e03640cbe7ac841.dll
Size

469KB
MD5

833765960517f095d4ed2d8877bc254d
SHA1

883c469d97edab7f99f1668ac3b25742f35e380f
SHA256

27962c066713cb102b9972e0cadb98290fc95d67e2b9377a5e03640cbe7ac841
SHA512

afa59745f9d43db1f4b451a2c36d09b395cefc9f0a923808ba4e2155ba1680de54f0cb91b3f2e6d37d17f7abb8c0e79fdf8215c859d1a785998969d4e2bfee54

Score

10^/10

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

ServiceHost packer 3 IoCs

Detects ServiceHost packer used for .NET malware

Processes:

resource	yara_rule
behavioral2/memory/1232-2-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/1232-3-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/1232-4-0x0000000000000000-mapping.dmp	servicehost

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

416 1232 WerFault.exe rundll32.exe

pid	pid_target	process	target process
416	1232	WerFault.exe	rundll32.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 416 WerFault.exe
Token: SeBackupPrivilege 416 WerFault.exe
Token: SeDebugPrivilege 416 WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1036 wrote to memory of 1232	1036	rundll32.exe	rundll32.exe
PID 1036 wrote to memory of 1232	1036	rundll32.exe	rundll32.exe
PID 1036 wrote to memory of 1232	1036	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\27962c066713cb102b9972e0cadb98290fc95d67e2b9377a5e03640cbe7ac841.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1036
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\27962c066713cb102b9972e0cadb98290fc95d67e2b9377a5e03640cbe7ac841.dll,#1
  2⤵
  PID:1232
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1232 -s 656
    3⤵
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:416

memory/416-1-0x00000000046E0000-0x00000000046E1000-memory.dmp

Filesize
4KB

Download
memory/416-5-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/416-8-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/1232-0-0x0000000000000000-mapping.dmp

Download
memory/1232-2-0x0000000000000000-mapping.dmp

Download
memory/1232-3-0x0000000000000000-mapping.dmp

Download
memory/1232-4-0x0000000000000000-mapping.dmp

Download