cobaltstrike | b6e092b5f8f73908841a430e8e45e5928d69e7a4288e6bec9a12706dddf39194 | Triage

Analysis

max time kernel
16s
max time network
67s
platform
windows10_x64
resource
win10v20201028
submitted
07-01-2021 11:43

Sharing

Report Analysis Logs

General

Target

cobaltstrike_shellcode_child2.bin.dll
Size

201KB
MD5

b5c9b319bc54cbde2af2bcb3b3ee744a
SHA1

25d18f1af52c3c55b71ad20f3d87dd9a3faacabc
SHA256

b6e092b5f8f73908841a430e8e45e5928d69e7a4288e6bec9a12706dddf39194
SHA512

b5ecccc0736937a202444500a0ea39c9377a7e772d8be7872fa2b96c8b145fca9c717c15f48cb51944e9bce662d43d15844672c1e51dfebf1a4db349f7837c68

Score

10^/10

cobaltstrike backdoor trojan

Malware Config

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

ServiceHost packer 3 IoCs

Detects ServiceHost packer used for .NET malware

Processes:

resource	yara_rule
behavioral2/memory/1200-5-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/1200-4-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/1200-6-0x0000000000000000-mapping.dmp	servicehost

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3396 1200 WerFault.exe rundll32.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

pid	process
3396	WerFault.exe
3396	WerFault.exe
3396	WerFault.exe
3396	WerFault.exe
3396	WerFault.exe
3396	WerFault.exe
3396	WerFault.exe
3396	WerFault.exe
3396	WerFault.exe
3396	WerFault.exe
3396	WerFault.exe
3396	WerFault.exe
3396	WerFault.exe
3396	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 3396 WerFault.exe
Token: SeBackupPrivilege 3396 WerFault.exe
Token: SeDebugPrivilege 3396 WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 832 wrote to memory of 1200	832	rundll32.exe	rundll32.exe
PID 832 wrote to memory of 1200	832	rundll32.exe	rundll32.exe
PID 832 wrote to memory of 1200	832	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\cobaltstrike_shellcode_child2.bin.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:832

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\cobaltstrike_shellcode_child2.bin.dll,#1
2⤵
PID:1200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1200 -s 636
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3396

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1200-2-0x0000000000000000-mapping.dmp

Download
memory/1200-5-0x0000000000000000-mapping.dmp

Download
memory/1200-4-0x0000000000000000-mapping.dmp

Download
memory/1200-6-0x0000000000000000-mapping.dmp

Download
memory/3396-3-0x0000000004560000-0x0000000004561000-memory.dmp

Filesize
4KB

Download