cobaltstrike | ae1cbeb25f83ecb39372f83e9c0ca36364e1cd0207f07afb4cd240b4b1b96842 | Triage

Analysis

max time kernel
165s
max time network
165s
platform
windows10_x64
resource
win10-en-20211208
submitted
31-01-2022 04:08

Sharing

Report Analysis Logs

General

Target

ae1cbeb25f83ecb39372f83e9c0ca36364e1cd0207f07afb4cd240b4b1b96842.exe
Size

833KB
MD5

5773e9876cdf907b9b06d85a216dccb7
SHA1

a6f41d1ae97e18fe627fb13fbffdac6d55407a42
SHA256

ae1cbeb25f83ecb39372f83e9c0ca36364e1cd0207f07afb4cd240b4b1b96842
SHA512

9613a067673404784f1c0b58aefea80a0b35b991ad0ee34459f608729d5204697b43b26489abbd8396429136702b0020b62d309102c4cbacf7a1a8e413723fb1

Score

10^/10

cobaltstrike backdoor trojan

Malware Config

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

ae1cbeb25f83ecb39372f83e9c0ca36364e1cd0207f07afb4cd240b4b1b96842.exe

description	pid	process	target process
PID 3716 wrote to memory of 2596	3716	ae1cbeb25f83ecb39372f83e9c0ca36364e1cd0207f07afb4cd240b4b1b96842.exe	upnpcont.exe
PID 3716 wrote to memory of 2596	3716	ae1cbeb25f83ecb39372f83e9c0ca36364e1cd0207f07afb4cd240b4b1b96842.exe	upnpcont.exe
PID 3716 wrote to memory of 2596	3716	ae1cbeb25f83ecb39372f83e9c0ca36364e1cd0207f07afb4cd240b4b1b96842.exe	upnpcont.exe

C:\Users\Admin\AppData\Local\Temp\ae1cbeb25f83ecb39372f83e9c0ca36364e1cd0207f07afb4cd240b4b1b96842.exe
"C:\Users\Admin\AppData\Local\Temp\ae1cbeb25f83ecb39372f83e9c0ca36364e1cd0207f07afb4cd240b4b1b96842.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3716

C:\Windows\SYSTEM32\upnpcont.exe
upnpcont.exe
2⤵
PID:2596

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2596-119-0x000001A5E72A0000-0x000001A5E75C0000-memory.dmp

Filesize
3.1MB

Download
memory/3716-115-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/3716-117-0x00000000020B0000-0x000000000216F000-memory.dmp

Filesize
764KB

Download