cobaltstrike | 712fb79d19d8e77a9f0b3f7d469a7277315838e242c821ee361ca70e1099d932 | Triage

Analysis

max time kernel
151s
max time network
174s
platform
windows10_x64
resource
win10-en-20211208
submitted
31-01-2022 04:09

Sharing

Report Analysis Logs

General

Target

712fb79d19d8e77a9f0b3f7d469a7277315838e242c821ee361ca70e1099d932.exe
Size

833KB
MD5

70ef6b2d2f01d1ff0732f7d9617b610e
SHA1

40bc8629f145c9092408482ca126e322a26eab47
SHA256

712fb79d19d8e77a9f0b3f7d469a7277315838e242c821ee361ca70e1099d932
SHA512

8ceded8c21513d3e77ca66ea6c694e763f4c597d109b58dbecb4873ca97b1cea779eda14b03640db0adf5aa00a8ef6eeac67948057e0594d3fb395769547f981

Score

10^/10

cobaltstrike backdoor trojan

Malware Config

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

712fb79d19d8e77a9f0b3f7d469a7277315838e242c821ee361ca70e1099d932.exe

description	pid	process	target process
PID 2828 wrote to memory of 1172	2828	712fb79d19d8e77a9f0b3f7d469a7277315838e242c821ee361ca70e1099d932.exe	upnpcont.exe
PID 2828 wrote to memory of 1172	2828	712fb79d19d8e77a9f0b3f7d469a7277315838e242c821ee361ca70e1099d932.exe	upnpcont.exe
PID 2828 wrote to memory of 1172	2828	712fb79d19d8e77a9f0b3f7d469a7277315838e242c821ee361ca70e1099d932.exe	upnpcont.exe

C:\Users\Admin\AppData\Local\Temp\712fb79d19d8e77a9f0b3f7d469a7277315838e242c821ee361ca70e1099d932.exe
"C:\Users\Admin\AppData\Local\Temp\712fb79d19d8e77a9f0b3f7d469a7277315838e242c821ee361ca70e1099d932.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2828

C:\Windows\SYSTEM32\upnpcont.exe
upnpcont.exe
2⤵
PID:1172

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1172-122-0x000002103E000000-0x000002103E2B0000-memory.dmp

Filesize
2.7MB

Download
memory/2828-118-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2828-120-0x0000000002090000-0x000000000214F000-memory.dmp

Filesize
764KB

Download