cobaltstrike | 1dc611df59bd29e9b8cd39a410f0acff24a8bea3fde20743da78d88d6f40f10e | Triage

Analysis

max time kernel
13s
max time network
111s
platform
windows10_x64
resource
win10v20210410
submitted
22-06-2021 15:20

Sharing

Report Analysis Logs

General

Target

1dc611df59bd29e9b8cd39a410f0acff24a8bea3fde20743da78d88d6f40f10e.exe
Size

316KB
MD5

59be978afa95d600b71544805bcfad80
SHA1

c5278d97f758a4e4d463dfa9219e59dd9d226b28
SHA256

1dc611df59bd29e9b8cd39a410f0acff24a8bea3fde20743da78d88d6f40f10e
SHA512

68fbde704486d5269478c2c3b99dc8c8e74aa0c4237f80d365ebbf0f7da7b40284c26a054632b0e7582e8a4145d931c9173f1385d1ed3e14a5970b162bcdadd6

Score

10^/10

cobaltstrike backdoor trojan

Malware Config

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

184 3908 WerFault.exe 1dc611df59bd29e9b8cd39a410f0acff24a8bea3fde20743da78d88d6f40f10e.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

pid	process
184	WerFault.exe
184	WerFault.exe
184	WerFault.exe
184	WerFault.exe
184	WerFault.exe
184	WerFault.exe
184	WerFault.exe
184	WerFault.exe
184	WerFault.exe
184	WerFault.exe
184	WerFault.exe
184	WerFault.exe
184	WerFault.exe
184	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 184 WerFault.exe
Token: SeBackupPrivilege 184 WerFault.exe
Token: SeDebugPrivilege 184 WerFault.exe

C:\Users\Admin\AppData\Local\Temp\1dc611df59bd29e9b8cd39a410f0acff24a8bea3fde20743da78d88d6f40f10e.exe
"C:\Users\Admin\AppData\Local\Temp\1dc611df59bd29e9b8cd39a410f0acff24a8bea3fde20743da78d88d6f40f10e.exe"
1⤵
PID:3908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3908 -s 512
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:184

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3908-114-0x00000000021E0000-0x0000000002213000-memory.dmp

Filesize
204KB

Download
memory/3908-115-0x00000000004C0000-0x000000000056E000-memory.dmp

Filesize
696KB

Download
memory/3908-116-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download