cobaltstrike | 21633bb2e378d40e3e13b88bf3a7fd397ad1229eab9730cf93fc2cc260fbdd4f | Triage

Analysis

max time kernel
150s
max time network
158s
platform
windows10_x64
resource
win10-en-20211208
submitted
31-01-2022 04:10

Sharing

Report Analysis Logs

General

Target

21633bb2e378d40e3e13b88bf3a7fd397ad1229eab9730cf93fc2cc260fbdd4f.exe
Size

833KB
MD5

cb6991a10c698a7e632d3397a15a1355
SHA1

cdc62df36002885fd268f4ceabecb7ec007963b4
SHA256

21633bb2e378d40e3e13b88bf3a7fd397ad1229eab9730cf93fc2cc260fbdd4f
SHA512

07eb1a7cad56c7349bd8c895ccf720db2c27a93d0303ffaaaf56b15ac73606d3335a6169a8e4ea36c4f2ff7133664bf24027bff36a919037c56c4e511811162d

Score

10^/10

cobaltstrike backdoor trojan

Malware Config

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

21633bb2e378d40e3e13b88bf3a7fd397ad1229eab9730cf93fc2cc260fbdd4f.exe

description	pid	process	target process
PID 2060 wrote to memory of 3708	2060	21633bb2e378d40e3e13b88bf3a7fd397ad1229eab9730cf93fc2cc260fbdd4f.exe	upnpcont.exe
PID 2060 wrote to memory of 3708	2060	21633bb2e378d40e3e13b88bf3a7fd397ad1229eab9730cf93fc2cc260fbdd4f.exe	upnpcont.exe
PID 2060 wrote to memory of 3708	2060	21633bb2e378d40e3e13b88bf3a7fd397ad1229eab9730cf93fc2cc260fbdd4f.exe	upnpcont.exe

C:\Users\Admin\AppData\Local\Temp\21633bb2e378d40e3e13b88bf3a7fd397ad1229eab9730cf93fc2cc260fbdd4f.exe
"C:\Users\Admin\AppData\Local\Temp\21633bb2e378d40e3e13b88bf3a7fd397ad1229eab9730cf93fc2cc260fbdd4f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2060

C:\Windows\SYSTEM32\upnpcont.exe
upnpcont.exe
2⤵
PID:3708

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2060-115-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2060-117-0x0000000002100000-0x00000000021BF000-memory.dmp

Filesize
764KB

Download
memory/3708-119-0x000002648FFE0000-0x00000264902E0000-memory.dmp

Filesize
3.0MB

Download