cobaltstrike | a4ae67c76f52db57703b9430563359ac65497f5e7197f3cd992d11ef225cd057

Analysis

Target

a4ae67c76f52db57703b9430563359ac65497f5e7197f3cd992d11ef225cd057.dll
Size

192KB
MD5

db7d51898a038b7b9133f29d2a46cf59
SHA1

e4668b3fdecdf2c6224d5520e32f7b979aa46dc2
SHA256

a4ae67c76f52db57703b9430563359ac65497f5e7197f3cd992d11ef225cd057
SHA512

ac112c04232efff6419117be04250b08c389ca9659ce5e33755b00690c439fc9f0864b578de3dafa0680be0bc89423fa7ba50dfd0736b1c8a79a880fb5836295

Score

10^/10

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

ServiceHost packer 3 IoCs

Detects ServiceHost packer used for .NET malware

Processes:

resource	yara_rule
behavioral2/memory/4740-3-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/4740-2-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/4740-4-0x0000000000000000-mapping.dmp	servicehost

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1680 4740 WerFault.exe rundll32.exe

pid	pid_target	process	target process
1680	4740	WerFault.exe	rundll32.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 1680 WerFault.exe
Token: SeBackupPrivilege 1680 WerFault.exe
Token: SeDebugPrivilege 1680 WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 4704 wrote to memory of 4740	4704	rundll32.exe	rundll32.exe
PID 4704 wrote to memory of 4740	4704	rundll32.exe	rundll32.exe
PID 4704 wrote to memory of 4740	4704	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a4ae67c76f52db57703b9430563359ac65497f5e7197f3cd992d11ef225cd057.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4704
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\a4ae67c76f52db57703b9430563359ac65497f5e7197f3cd992d11ef225cd057.dll,#1
  2⤵
  PID:4740
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4740 -s 656
    3⤵
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1680

memory/1680-1-0x0000000004570000-0x0000000004571000-memory.dmp

Filesize
4KB

Download
memory/1680-5-0x0000000004E10000-0x0000000004E11000-memory.dmp

Filesize
4KB

Download
memory/4740-0-0x0000000000000000-mapping.dmp

Download
memory/4740-3-0x0000000000000000-mapping.dmp

Download
memory/4740-2-0x0000000000000000-mapping.dmp

Download
memory/4740-4-0x0000000000000000-mapping.dmp

Download