cobaltstrike | 921ba3ee946b8cf59df3ee83b8824a254bc7b69e68c5c6d63af1497c0930cbb9 | Triage

Analysis

max time kernel
53s
max time network
112s
platform
windows10_x64
resource
win10v20201028
submitted
15-11-2020 22:37

Sharing

Report Analysis Logs

General

Target

921ba3ee946b8cf59df3ee83b8824a254bc7b69e68c5c6d63af1497c0930cbb9.dll
Size

204KB
MD5

111e86e4e8ff48b9090e8d46ba7d3ced
SHA1

a814327f5f21e7fe932e43818b4d6e044bf3c061
SHA256

921ba3ee946b8cf59df3ee83b8824a254bc7b69e68c5c6d63af1497c0930cbb9
SHA512

4bf30c67eb6c103de3afb8980679329667bbd007b6d2e36155172c565cba97ac0e12f7e90703c662f696c14a91e7b5a99ec4acc6c13910295b7254dbee8f9a7c

Score

10^/10

cobaltstrike backdoor trojan

Malware Config

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

ServiceHost packer 3 IoCs

Detects ServiceHost packer used for .NET malware

Processes:

resource	yara_rule
behavioral2/memory/1596-3-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/1596-2-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/1596-4-0x0000000000000000-mapping.dmp	servicehost

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3780 1596 WerFault.exe rundll32.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

pid	process
3780	WerFault.exe
3780	WerFault.exe
3780	WerFault.exe
3780	WerFault.exe
3780	WerFault.exe
3780	WerFault.exe
3780	WerFault.exe
3780	WerFault.exe
3780	WerFault.exe
3780	WerFault.exe
3780	WerFault.exe
3780	WerFault.exe
3780	WerFault.exe
3780	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 3780 WerFault.exe
Token: SeBackupPrivilege 3780 WerFault.exe
Token: SeDebugPrivilege 3780 WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 412 wrote to memory of 1596	412	rundll32.exe	rundll32.exe
PID 412 wrote to memory of 1596	412	rundll32.exe	rundll32.exe
PID 412 wrote to memory of 1596	412	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\921ba3ee946b8cf59df3ee83b8824a254bc7b69e68c5c6d63af1497c0930cbb9.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:412

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\921ba3ee946b8cf59df3ee83b8824a254bc7b69e68c5c6d63af1497c0930cbb9.dll,#1
2⤵
PID:1596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1596 -s 636
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3780

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1596-0-0x0000000000000000-mapping.dmp

Download
memory/1596-3-0x0000000000000000-mapping.dmp

Download
memory/1596-2-0x0000000000000000-mapping.dmp

Download
memory/1596-4-0x0000000000000000-mapping.dmp

Download
memory/3780-1-0x0000000005170000-0x0000000005171000-memory.dmp

Filesize
4KB

Download
memory/3780-5-0x0000000005930000-0x0000000005931000-memory.dmp

Filesize
4KB

Download