cobaltstrike | 0343fcbdc5e1581dbeec5a963f171a8b16b047dfdd7ea0f6122120250b0f068d | Triage

Analysis

max time kernel
13s
max time network
114s
platform
windows10_x64
resource
win10v20201028
submitted
17-11-2020 12:20

Sharing

Report Analysis Logs

General

Target

1774e47878695044939263df2d589f73.dll
Size

204KB
MD5

1b9725fdae1037706cd17fdda9e86339
SHA1

649e1cd0d87a9c44156dd797c8c6b06cfc55a564
SHA256

0343fcbdc5e1581dbeec5a963f171a8b16b047dfdd7ea0f6122120250b0f068d
SHA512

ed7780f5ca3c35465f0fc2aa3f14a76cbda92e7f0f2e1e63f32556b2ce5b8f3ea6e7c2d00f334b31a5b30b4adf40d4d1a0dd5b4eebce19dc9a1a6da1c40de1af

Score

10^/10

cobaltstrike backdoor trojan

Malware Config

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

ServiceHost packer 3 IoCs

Detects ServiceHost packer used for .NET malware

Processes:

resource	yara_rule
behavioral2/memory/712-2-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/712-3-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/712-4-0x0000000000000000-mapping.dmp	servicehost

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2056 712 WerFault.exe rundll32.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

pid	process
2056	WerFault.exe
2056	WerFault.exe
2056	WerFault.exe
2056	WerFault.exe
2056	WerFault.exe
2056	WerFault.exe
2056	WerFault.exe
2056	WerFault.exe
2056	WerFault.exe
2056	WerFault.exe
2056	WerFault.exe
2056	WerFault.exe
2056	WerFault.exe
2056	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 2056 WerFault.exe
Token: SeBackupPrivilege 2056 WerFault.exe
Token: SeDebugPrivilege 2056 WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 912 wrote to memory of 712	912	rundll32.exe	rundll32.exe
PID 912 wrote to memory of 712	912	rundll32.exe	rundll32.exe
PID 912 wrote to memory of 712	912	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1774e47878695044939263df2d589f73.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:912

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1774e47878695044939263df2d589f73.dll,#1
2⤵
PID:712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 712 -s 564
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2056

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/712-0-0x0000000000000000-mapping.dmp

Download
memory/712-2-0x0000000000000000-mapping.dmp

Download
memory/712-3-0x0000000000000000-mapping.dmp

Download
memory/712-4-0x0000000000000000-mapping.dmp

Download
memory/2056-1-0x0000000004BE0000-0x0000000004BE1000-memory.dmp

Filesize
4KB

Download
memory/2056-5-0x0000000005550000-0x0000000005551000-memory.dmp

Filesize
4KB

Download