cobaltstrike | 7412c47f2db8f52182d8311dbc3539d2af5305c87f052a8d70eb6fd351723476 | Triage

Analysis

max time kernel
152s
max time network
158s
platform
windows10_x64
resource
win10-en-20211208
submitted
31-01-2022 04:09

Sharing

Report Analysis Logs

General

Target

7412c47f2db8f52182d8311dbc3539d2af5305c87f052a8d70eb6fd351723476.exe
Size

833KB
MD5

6cbb5480c075679075a54e84d626227e
SHA1

45c3f47d6ab9eabdf17e5748aeb0ec2a7b53a7b0
SHA256

7412c47f2db8f52182d8311dbc3539d2af5305c87f052a8d70eb6fd351723476
SHA512

15ed1bfda03fe02025ddf8a46079a423977de8b9c85d5bd3e6417107ac28fe0d67e001737e18cde2b3286192c6beceb4776f821152de0016288e8c64a16bb3e8

Score

10^/10

cobaltstrike backdoor trojan

Malware Config

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

7412c47f2db8f52182d8311dbc3539d2af5305c87f052a8d70eb6fd351723476.exe

description	pid	process	target process
PID 3288 wrote to memory of 584	3288	7412c47f2db8f52182d8311dbc3539d2af5305c87f052a8d70eb6fd351723476.exe	upnpcont.exe
PID 3288 wrote to memory of 584	3288	7412c47f2db8f52182d8311dbc3539d2af5305c87f052a8d70eb6fd351723476.exe	upnpcont.exe
PID 3288 wrote to memory of 584	3288	7412c47f2db8f52182d8311dbc3539d2af5305c87f052a8d70eb6fd351723476.exe	upnpcont.exe

C:\Users\Admin\AppData\Local\Temp\7412c47f2db8f52182d8311dbc3539d2af5305c87f052a8d70eb6fd351723476.exe
"C:\Users\Admin\AppData\Local\Temp\7412c47f2db8f52182d8311dbc3539d2af5305c87f052a8d70eb6fd351723476.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3288

C:\Windows\SYSTEM32\upnpcont.exe
upnpcont.exe
2⤵
PID:584

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/584-122-0x000001CC51F10000-0x000001CC52120000-memory.dmp

Filesize
2.1MB

Download
memory/3288-118-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/3288-120-0x0000000002070000-0x000000000212F000-memory.dmp

Filesize
764KB

Download