cobaltstrike | fba9dd0ebb8d838fa394cda10dca50450d8c0fc6158deff38904072140d64507 | Triage

Analysis

max time kernel
124s
max time network
123s
platform
windows10_x64
resource
win10-en-20211208
submitted
14-12-2021 13:51

Sharing

Report Analysis Logs

General

Target

oben32.dll
Size

354KB
MD5

b873bfa8dec8c3a1f62c30903e59e849
SHA1

2c4aaefe0c20843db9b9f4996d42c7563b081097
SHA256

fba9dd0ebb8d838fa394cda10dca50450d8c0fc6158deff38904072140d64507
SHA512

a8c0a467788335297f34b9a60401b0ef50e023d0efc0b77eaf560decc785ed2c2b79534e14451aab747e307baa057fad0956e2941ff28b9995d4dbbd6e762457

Score

10^/10

cobaltstrike backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

C2

http://api.musicbee.getlist.destinycraftpe.com:443/azure/v2/api

Attributes

user_agent
Content-Type: application/json accept: */* cookie: HSID=cl0gxhLgPAirQvdbj sec-ch-ua: Chromium;v=91 sec-ch-ua-mobile: ?0 sec-fetch-site: same-site sec-fetch-mode: cors sec-fetch-dest: empty accept-encoding: gzip, deflate accept-language: en X-Amz-Cf-Pop: HTL55-C2 User-Agent: MusicBee/3.4

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 652 created 2756 652 WerFault.exe regsvr32.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

652 2756 WerFault.exe regsvr32.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

WerFault.exe

pid	process
652	WerFault.exe
652	WerFault.exe
652	WerFault.exe
652	WerFault.exe
652	WerFault.exe
652	WerFault.exe
652	WerFault.exe
652	WerFault.exe
652	WerFault.exe
652	WerFault.exe
652	WerFault.exe
652	WerFault.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 652 WerFault.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\oben32.dll
1⤵
PID:2756
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2756 -s 1180
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:652

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2756-114-0x0000000000BE0000-0x0000000000BE1000-memory.dmp

Filesize
4KB

Download
memory/2756-115-0x0000000002E80000-0x0000000003280000-memory.dmp

Filesize
4.0MB

Download