cobaltstrike | 6eedf45cb91f6762de4e35e36bcb03e5ad60ce9ac5a08caeb7eda035cd74762b

Target

championship.inf.dll
Size

2.0MB
MD5

0b7da6388091ff9d696a18c95d41b587
SHA1

6c10d7d88606ac1afd30b4e61bf232329a276cdc
SHA256

6eedf45cb91f6762de4e35e36bcb03e5ad60ce9ac5a08caeb7eda035cd74762b
SHA512

45b26e8f9885dca6f4e1984fc39cb4c2a5b5988c970f35dde987b7a5a8417acbe5e972a6602071e903425f91a9095c7c289e574c3bad3039324185ad85d06a9a

Score

10^/10

Malware Config

Family

cobaltstrike

http://dodefoh.com:443/static-directory/media.gif

Attributes

user_agent
Host: microsoft.com Connection: close Accept-Encoding: br Accept-Language: en-US User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	1400	wabmig.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	1400	powershell.exe	28

Blocklisted process makes network request 1 IoCs

flow	pid	Process
4	656	rundll32.exe

Deletes itself 1 IoCs

pid	Process
1784	powershell.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
656	rundll32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	656	rundll32.exe
Token: SeDebugPrivilege	1784	powershell.exe

Suspicious use of WriteProcessMemory 1 IoCs

description	pid	Process	procid_target
PID 656 wrote to memory of 1592	656	rundll32.exe	30

C:\Program Files\Windows Mail\wabmig.exe
"C:\Program Files\Windows Mail\wabmig.exe"
1⤵
- Process spawned unexpected child process
PID:1592

memory/656-69-0x000000007FFF0000-0x000000007FFF1000-memory.dmp

Filesize
4KB

Download
memory/1592-59-0x000007FEFBEA1000-0x000007FEFBEA3000-memory.dmp

Filesize
8KB

Download
memory/1592-63-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/1784-61-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/1784-62-0x000000001ABA0000-0x000000001ABA1000-memory.dmp

Filesize
4KB

Download
memory/1784-64-0x000000001AB20000-0x000000001AB22000-memory.dmp

Filesize
8KB

Download
memory/1784-66-0x000000001AA20000-0x000000001AA21000-memory.dmp

Filesize
4KB

Download
memory/1784-65-0x000000001AB24000-0x000000001AB26000-memory.dmp

Filesize
8KB

Download
memory/1784-67-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/1784-68-0x000000001B6D0000-0x000000001B6D1000-memory.dmp

Filesize
4KB

Download
memory/1784-70-0x000000001B7A0000-0x000000001B7A1000-memory.dmp

Filesize
4KB

Download