cobaltstrike | e9feca1aefb5369e43fe1d88c3c9f038b245ba66bb6f99deefa093ab4efe8f44

Analysis

Target

e9feca1aefb5369e43fe1d88c3c9f038b245ba66bb6f99deefa093ab4efe8f44.dll
Size

206KB
MD5

f29175af254d5f0fd16db7a7c751442b
SHA1

24348191d585f720633af637f6f3918c97aca884
SHA256

e9feca1aefb5369e43fe1d88c3c9f038b245ba66bb6f99deefa093ab4efe8f44
SHA512

d6a6722ff48579622673240e3d57a63bc85e7d3a5397f89d395ae26271db6a8d54137d01799af7a374e0a190af8a7ac5a46e9526c6e9f9a0b74989617550b036

Score

10^/10

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1168 1484 WerFault.exe rundll32.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

WerFault.exe

pid process

1168 WerFault.exe
1168 WerFault.exe
1168 WerFault.exe
1168 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 1168 WerFault.exe

pid	pid_target	process	target process
1168	1484	WerFault.exe	rundll32.exe

description	pid	process
Token: SeDebugPrivilege	1168	WerFault.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1688 wrote to memory of 1484	1688	rundll32.exe	rundll32.exe
PID 1688 wrote to memory of 1484	1688	rundll32.exe	rundll32.exe
PID 1688 wrote to memory of 1484	1688	rundll32.exe	rundll32.exe
PID 1688 wrote to memory of 1484	1688	rundll32.exe	rundll32.exe
PID 1688 wrote to memory of 1484	1688	rundll32.exe	rundll32.exe
PID 1688 wrote to memory of 1484	1688	rundll32.exe	rundll32.exe
PID 1688 wrote to memory of 1484	1688	rundll32.exe	rundll32.exe
PID 1484 wrote to memory of 1168	1484	rundll32.exe	WerFault.exe
PID 1484 wrote to memory of 1168	1484	rundll32.exe	WerFault.exe
PID 1484 wrote to memory of 1168	1484	rundll32.exe	WerFault.exe
PID 1484 wrote to memory of 1168	1484	rundll32.exe	WerFault.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e9feca1aefb5369e43fe1d88c3c9f038b245ba66bb6f99deefa093ab4efe8f44.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1688

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e9feca1aefb5369e43fe1d88c3c9f038b245ba66bb6f99deefa093ab4efe8f44.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:1484

memory/1168-1-0x0000000000000000-mapping.dmp

Download
memory/1168-2-0x0000000001DA0000-0x0000000001DB1000-memory.dmp

Filesize
68KB

Download
memory/1168-4-0x00000000027E0000-0x00000000027F1000-memory.dmp

Filesize
68KB

Download
memory/1484-0-0x0000000000000000-mapping.dmp

Download
memory/1484-3-0x0000000000000000-mapping.dmp

Download