cobaltstrike | 2b06e5a59feeafa3d75239fd0ade197eaede91209c24950ffea1a89ae5bd3877

Analysis

Target

2b06e5a59feeafa3d75239fd0ade197eaede91209c24950ffea1a89ae5bd3877.dll
Size

206KB
MD5

c70b84a85cb5f921b3ade9c7e2715bcf
SHA1

e17ea5f874c5e8bfd90d2fcd96fb7dfd48c4a0f5
SHA256

2b06e5a59feeafa3d75239fd0ade197eaede91209c24950ffea1a89ae5bd3877
SHA512

1281e8cc8c66c34f7e9f34b3fc52531dda58c51af7ad8ef4fa52142f7289878e3d567c2fc146d9f2d942c2819d2dc2d7d68a6f6512b98cb3240d13a2d39b91db

Score

10^/10

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1288 1252 WerFault.exe rundll32.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

WerFault.exe

pid process

1288 WerFault.exe
1288 WerFault.exe
1288 WerFault.exe
1288 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 1288 WerFault.exe

pid	pid_target	process	target process
1288	1252	WerFault.exe	rundll32.exe

description	pid	process
Token: SeDebugPrivilege	1288	WerFault.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1084 wrote to memory of 1252	1084	rundll32.exe	rundll32.exe
PID 1084 wrote to memory of 1252	1084	rundll32.exe	rundll32.exe
PID 1084 wrote to memory of 1252	1084	rundll32.exe	rundll32.exe
PID 1084 wrote to memory of 1252	1084	rundll32.exe	rundll32.exe
PID 1084 wrote to memory of 1252	1084	rundll32.exe	rundll32.exe
PID 1084 wrote to memory of 1252	1084	rundll32.exe	rundll32.exe
PID 1084 wrote to memory of 1252	1084	rundll32.exe	rundll32.exe
PID 1252 wrote to memory of 1288	1252	rundll32.exe	WerFault.exe
PID 1252 wrote to memory of 1288	1252	rundll32.exe	WerFault.exe
PID 1252 wrote to memory of 1288	1252	rundll32.exe	WerFault.exe
PID 1252 wrote to memory of 1288	1252	rundll32.exe	WerFault.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2b06e5a59feeafa3d75239fd0ade197eaede91209c24950ffea1a89ae5bd3877.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1084

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2b06e5a59feeafa3d75239fd0ade197eaede91209c24950ffea1a89ae5bd3877.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:1252

memory/1252-0-0x0000000000000000-mapping.dmp

Download
memory/1252-3-0x0000000000000000-mapping.dmp

Download
memory/1288-1-0x0000000000000000-mapping.dmp

Download
memory/1288-2-0x0000000002250000-0x0000000002261000-memory.dmp

Filesize
68KB

Download
memory/1288-4-0x00000000027F0000-0x0000000002801000-memory.dmp

Filesize
68KB

Download