cobaltstrike | 6c3948e45a735227adf165e782b7ddfccf4b2547f44b08c5e5f9ee443f348cf2 | Triage

Analysis

max time kernel
12s
max time network
112s
platform
windows10_x64
resource
win10v20201028
submitted
17-11-2020 11:30

Sharing

Report Analysis Logs

General

Target

46f46ade0fd2e8441d58fc443e158412.dll
Size

199KB
MD5

d854021f9aff7c142c26edaffdbdf825
SHA1

7a548811302f4c82e957c37f0116a2a10e2213d9
SHA256

6c3948e45a735227adf165e782b7ddfccf4b2547f44b08c5e5f9ee443f348cf2
SHA512

0f1a5f8ede3530549a88f4d51fd7ab896f7ee793b192e3494e3f66fe879022aae15ad31310e69d9f5ce36d89823bf4674e0e59f9e7a2cc8606703a242c9ac58f

Score

10^/10

cobaltstrike backdoor trojan

Malware Config

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

ServiceHost packer 2 IoCs

Detects ServiceHost packer used for .NET malware

Processes:

resource	yara_rule
behavioral2/memory/1664-2-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/1664-3-0x0000000000000000-mapping.dmp	servicehost

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1776 1664 WerFault.exe rundll32.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

pid	process
1776	WerFault.exe
1776	WerFault.exe
1776	WerFault.exe
1776	WerFault.exe
1776	WerFault.exe
1776	WerFault.exe
1776	WerFault.exe
1776	WerFault.exe
1776	WerFault.exe
1776	WerFault.exe
1776	WerFault.exe
1776	WerFault.exe
1776	WerFault.exe
1776	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 1776 WerFault.exe
Token: SeBackupPrivilege 1776 WerFault.exe
Token: SeDebugPrivilege 1776 WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 3160 wrote to memory of 1664	3160	rundll32.exe	rundll32.exe
PID 3160 wrote to memory of 1664	3160	rundll32.exe	rundll32.exe
PID 3160 wrote to memory of 1664	3160	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\46f46ade0fd2e8441d58fc443e158412.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3160

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\46f46ade0fd2e8441d58fc443e158412.dll,#1
2⤵
PID:1664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 628
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1776

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1664-0-0x0000000000000000-mapping.dmp

Download
memory/1664-2-0x0000000000000000-mapping.dmp

Download
memory/1664-3-0x0000000000000000-mapping.dmp

Download
memory/1776-1-0x0000000004540000-0x0000000004541000-memory.dmp

Filesize
4KB

Download
memory/1776-4-0x0000000004DD0000-0x0000000004DD1000-memory.dmp

Filesize
4KB

Download