cobaltstrike | 6c3948e45a735227adf165e782b7ddfccf4b2547f44b08c5e5f9ee443f348cf2

Analysis

Target

46f46ade0fd2e8441d58fc443e158412.dll
Size

199KB
MD5

d854021f9aff7c142c26edaffdbdf825
SHA1

7a548811302f4c82e957c37f0116a2a10e2213d9
SHA256

6c3948e45a735227adf165e782b7ddfccf4b2547f44b08c5e5f9ee443f348cf2
SHA512

0f1a5f8ede3530549a88f4d51fd7ab896f7ee793b192e3494e3f66fe879022aae15ad31310e69d9f5ce36d89823bf4674e0e59f9e7a2cc8606703a242c9ac58f

Score

10^/10

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1340 1116 WerFault.exe rundll32.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

WerFault.exe

pid process

1340 WerFault.exe
1340 WerFault.exe
1340 WerFault.exe
1340 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 1340 WerFault.exe

pid	pid_target	process	target process
1340	1116	WerFault.exe	rundll32.exe

description	pid	process
Token: SeDebugPrivilege	1340	WerFault.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1816 wrote to memory of 1116	1816	rundll32.exe	rundll32.exe
PID 1816 wrote to memory of 1116	1816	rundll32.exe	rundll32.exe
PID 1816 wrote to memory of 1116	1816	rundll32.exe	rundll32.exe
PID 1816 wrote to memory of 1116	1816	rundll32.exe	rundll32.exe
PID 1816 wrote to memory of 1116	1816	rundll32.exe	rundll32.exe
PID 1816 wrote to memory of 1116	1816	rundll32.exe	rundll32.exe
PID 1816 wrote to memory of 1116	1816	rundll32.exe	rundll32.exe
PID 1116 wrote to memory of 1340	1116	rundll32.exe	WerFault.exe
PID 1116 wrote to memory of 1340	1116	rundll32.exe	WerFault.exe
PID 1116 wrote to memory of 1340	1116	rundll32.exe	WerFault.exe
PID 1116 wrote to memory of 1340	1116	rundll32.exe	WerFault.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\46f46ade0fd2e8441d58fc443e158412.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1816
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\46f46ade0fd2e8441d58fc443e158412.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1116
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1116 -s 224
    3⤵
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1340

memory/1116-0-0x0000000000000000-mapping.dmp

Download
memory/1116-3-0x0000000000000000-mapping.dmp

Download
memory/1340-1-0x0000000000000000-mapping.dmp

Download
memory/1340-2-0x0000000002070000-0x0000000002081000-memory.dmp

Filesize
68KB

Download
memory/1340-4-0x0000000002500000-0x0000000002511000-memory.dmp

Filesize
68KB

Download