cobaltstrike | 921ba3ee946b8cf59df3ee83b8824a254bc7b69e68c5c6d63af1497c0930cbb9

Analysis

Target

921ba3ee946b8cf59df3ee83b8824a254bc7b69e68c5c6d63af1497c0930cbb9.dll
Size

204KB
MD5

111e86e4e8ff48b9090e8d46ba7d3ced
SHA1

a814327f5f21e7fe932e43818b4d6e044bf3c061
SHA256

921ba3ee946b8cf59df3ee83b8824a254bc7b69e68c5c6d63af1497c0930cbb9
SHA512

4bf30c67eb6c103de3afb8980679329667bbd007b6d2e36155172c565cba97ac0e12f7e90703c662f696c14a91e7b5a99ec4acc6c13910295b7254dbee8f9a7c

Score

10^/10

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2044 1840 WerFault.exe rundll32.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

WerFault.exe

pid process

2044 WerFault.exe
2044 WerFault.exe
2044 WerFault.exe
2044 WerFault.exe
2044 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 2044 WerFault.exe

pid	pid_target	process	target process
2044	1840	WerFault.exe	rundll32.exe

description	pid	process
Token: SeDebugPrivilege	2044	WerFault.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1032 wrote to memory of 1840	1032	rundll32.exe	rundll32.exe
PID 1032 wrote to memory of 1840	1032	rundll32.exe	rundll32.exe
PID 1032 wrote to memory of 1840	1032	rundll32.exe	rundll32.exe
PID 1032 wrote to memory of 1840	1032	rundll32.exe	rundll32.exe
PID 1032 wrote to memory of 1840	1032	rundll32.exe	rundll32.exe
PID 1032 wrote to memory of 1840	1032	rundll32.exe	rundll32.exe
PID 1032 wrote to memory of 1840	1032	rundll32.exe	rundll32.exe
PID 1840 wrote to memory of 2044	1840	rundll32.exe	WerFault.exe
PID 1840 wrote to memory of 2044	1840	rundll32.exe	WerFault.exe
PID 1840 wrote to memory of 2044	1840	rundll32.exe	WerFault.exe
PID 1840 wrote to memory of 2044	1840	rundll32.exe	WerFault.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\921ba3ee946b8cf59df3ee83b8824a254bc7b69e68c5c6d63af1497c0930cbb9.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1032

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\921ba3ee946b8cf59df3ee83b8824a254bc7b69e68c5c6d63af1497c0930cbb9.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:1840

memory/1840-0-0x0000000000000000-mapping.dmp

Download
memory/1840-3-0x0000000000000000-mapping.dmp

Download
memory/2044-1-0x0000000000000000-mapping.dmp

Download
memory/2044-2-0x0000000002080000-0x0000000002091000-memory.dmp

Filesize
68KB

Download
memory/2044-4-0x0000000002550000-0x0000000002561000-memory.dmp

Filesize
68KB

Download