cobaltstrike | 568850394a9fb2a13bbc21804a451613d70b63f61dbc33d4a827789e218b5e71

General

Target

568850394a9fb2a13bbc21804a451613d70b63f61dbc33d4a827789e218b5e71.exe
Size

2.5MB
MD5

304fd4c13d6834f849e7143b48531550
SHA1

f9a3ab38ca4e3b94766d70aafb8516b19cf0d850
SHA256

568850394a9fb2a13bbc21804a451613d70b63f61dbc33d4a827789e218b5e71
SHA512

4c8bc2a286e0cd9c7ae519c0ff196ae3209f6f81aa928f06cd033f71ba34b276a298611592dd5ef87a34c7d700b66a58fa1df43f6008c5cd95d6fb73faf74129
SSDEEP

49152:5gOLhfcWbCsrb/T7vO90d7HjmAFd4A64nsfJrc+lfetfcwdxCyMp117igl0bEVEE:FC5cBFwP

Score

10^/10

cobaltstrike backdoor trojan

Malware Config

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

568850394a9fb2a13bbc21804a451613d70b63f61dbc33d4a827789e218b5e71.exe

pid	process
4356	568850394a9fb2a13bbc21804a451613d70b63f61dbc33d4a827789e218b5e71.exe
4356	568850394a9fb2a13bbc21804a451613d70b63f61dbc33d4a827789e218b5e71.exe
4356	568850394a9fb2a13bbc21804a451613d70b63f61dbc33d4a827789e218b5e71.exe
4356	568850394a9fb2a13bbc21804a451613d70b63f61dbc33d4a827789e218b5e71.exe
4356	568850394a9fb2a13bbc21804a451613d70b63f61dbc33d4a827789e218b5e71.exe
4356	568850394a9fb2a13bbc21804a451613d70b63f61dbc33d4a827789e218b5e71.exe
4356	568850394a9fb2a13bbc21804a451613d70b63f61dbc33d4a827789e218b5e71.exe
4356	568850394a9fb2a13bbc21804a451613d70b63f61dbc33d4a827789e218b5e71.exe
4356	568850394a9fb2a13bbc21804a451613d70b63f61dbc33d4a827789e218b5e71.exe
4356	568850394a9fb2a13bbc21804a451613d70b63f61dbc33d4a827789e218b5e71.exe
4356	568850394a9fb2a13bbc21804a451613d70b63f61dbc33d4a827789e218b5e71.exe
4356	568850394a9fb2a13bbc21804a451613d70b63f61dbc33d4a827789e218b5e71.exe
4356	568850394a9fb2a13bbc21804a451613d70b63f61dbc33d4a827789e218b5e71.exe
4356	568850394a9fb2a13bbc21804a451613d70b63f61dbc33d4a827789e218b5e71.exe
4356	568850394a9fb2a13bbc21804a451613d70b63f61dbc33d4a827789e218b5e71.exe
4356	568850394a9fb2a13bbc21804a451613d70b63f61dbc33d4a827789e218b5e71.exe
4356	568850394a9fb2a13bbc21804a451613d70b63f61dbc33d4a827789e218b5e71.exe
4356	568850394a9fb2a13bbc21804a451613d70b63f61dbc33d4a827789e218b5e71.exe
4356	568850394a9fb2a13bbc21804a451613d70b63f61dbc33d4a827789e218b5e71.exe
4356	568850394a9fb2a13bbc21804a451613d70b63f61dbc33d4a827789e218b5e71.exe
4356	568850394a9fb2a13bbc21804a451613d70b63f61dbc33d4a827789e218b5e71.exe
4356	568850394a9fb2a13bbc21804a451613d70b63f61dbc33d4a827789e218b5e71.exe
4356	568850394a9fb2a13bbc21804a451613d70b63f61dbc33d4a827789e218b5e71.exe
4356	568850394a9fb2a13bbc21804a451613d70b63f61dbc33d4a827789e218b5e71.exe
4356	568850394a9fb2a13bbc21804a451613d70b63f61dbc33d4a827789e218b5e71.exe
4356	568850394a9fb2a13bbc21804a451613d70b63f61dbc33d4a827789e218b5e71.exe
4356	568850394a9fb2a13bbc21804a451613d70b63f61dbc33d4a827789e218b5e71.exe
4356	568850394a9fb2a13bbc21804a451613d70b63f61dbc33d4a827789e218b5e71.exe
4356	568850394a9fb2a13bbc21804a451613d70b63f61dbc33d4a827789e218b5e71.exe
4356	568850394a9fb2a13bbc21804a451613d70b63f61dbc33d4a827789e218b5e71.exe
4356	568850394a9fb2a13bbc21804a451613d70b63f61dbc33d4a827789e218b5e71.exe
4356	568850394a9fb2a13bbc21804a451613d70b63f61dbc33d4a827789e218b5e71.exe
4356	568850394a9fb2a13bbc21804a451613d70b63f61dbc33d4a827789e218b5e71.exe
4356	568850394a9fb2a13bbc21804a451613d70b63f61dbc33d4a827789e218b5e71.exe
4356	568850394a9fb2a13bbc21804a451613d70b63f61dbc33d4a827789e218b5e71.exe
4356	568850394a9fb2a13bbc21804a451613d70b63f61dbc33d4a827789e218b5e71.exe
4356	568850394a9fb2a13bbc21804a451613d70b63f61dbc33d4a827789e218b5e71.exe
4356	568850394a9fb2a13bbc21804a451613d70b63f61dbc33d4a827789e218b5e71.exe
4356	568850394a9fb2a13bbc21804a451613d70b63f61dbc33d4a827789e218b5e71.exe
4356	568850394a9fb2a13bbc21804a451613d70b63f61dbc33d4a827789e218b5e71.exe
4356	568850394a9fb2a13bbc21804a451613d70b63f61dbc33d4a827789e218b5e71.exe
4356	568850394a9fb2a13bbc21804a451613d70b63f61dbc33d4a827789e218b5e71.exe
4356	568850394a9fb2a13bbc21804a451613d70b63f61dbc33d4a827789e218b5e71.exe
4356	568850394a9fb2a13bbc21804a451613d70b63f61dbc33d4a827789e218b5e71.exe
4356	568850394a9fb2a13bbc21804a451613d70b63f61dbc33d4a827789e218b5e71.exe
4356	568850394a9fb2a13bbc21804a451613d70b63f61dbc33d4a827789e218b5e71.exe
4356	568850394a9fb2a13bbc21804a451613d70b63f61dbc33d4a827789e218b5e71.exe
4356	568850394a9fb2a13bbc21804a451613d70b63f61dbc33d4a827789e218b5e71.exe
4356	568850394a9fb2a13bbc21804a451613d70b63f61dbc33d4a827789e218b5e71.exe
4356	568850394a9fb2a13bbc21804a451613d70b63f61dbc33d4a827789e218b5e71.exe
4356	568850394a9fb2a13bbc21804a451613d70b63f61dbc33d4a827789e218b5e71.exe
4356	568850394a9fb2a13bbc21804a451613d70b63f61dbc33d4a827789e218b5e71.exe
4356	568850394a9fb2a13bbc21804a451613d70b63f61dbc33d4a827789e218b5e71.exe
4356	568850394a9fb2a13bbc21804a451613d70b63f61dbc33d4a827789e218b5e71.exe
4356	568850394a9fb2a13bbc21804a451613d70b63f61dbc33d4a827789e218b5e71.exe
4356	568850394a9fb2a13bbc21804a451613d70b63f61dbc33d4a827789e218b5e71.exe
4356	568850394a9fb2a13bbc21804a451613d70b63f61dbc33d4a827789e218b5e71.exe
4356	568850394a9fb2a13bbc21804a451613d70b63f61dbc33d4a827789e218b5e71.exe
4356	568850394a9fb2a13bbc21804a451613d70b63f61dbc33d4a827789e218b5e71.exe
4356	568850394a9fb2a13bbc21804a451613d70b63f61dbc33d4a827789e218b5e71.exe
4356	568850394a9fb2a13bbc21804a451613d70b63f61dbc33d4a827789e218b5e71.exe
4356	568850394a9fb2a13bbc21804a451613d70b63f61dbc33d4a827789e218b5e71.exe
4356	568850394a9fb2a13bbc21804a451613d70b63f61dbc33d4a827789e218b5e71.exe
4356	568850394a9fb2a13bbc21804a451613d70b63f61dbc33d4a827789e218b5e71.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

568850394a9fb2a13bbc21804a451613d70b63f61dbc33d4a827789e218b5e71.exe

description pid process

Token: SeDebugPrivilege 4356 568850394a9fb2a13bbc21804a451613d70b63f61dbc33d4a827789e218b5e71.exe

description	pid	process
Token: SeDebugPrivilege	4356	568850394a9fb2a13bbc21804a451613d70b63f61dbc33d4a827789e218b5e71.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

568850394a9fb2a13bbc21804a451613d70b63f61dbc33d4a827789e218b5e71.exe

description	pid	process	target process
PID 4356 wrote to memory of 4924	4356	568850394a9fb2a13bbc21804a451613d70b63f61dbc33d4a827789e218b5e71.exe	notepad.exe
PID 4356 wrote to memory of 4924	4356	568850394a9fb2a13bbc21804a451613d70b63f61dbc33d4a827789e218b5e71.exe	notepad.exe
PID 4356 wrote to memory of 4924	4356	568850394a9fb2a13bbc21804a451613d70b63f61dbc33d4a827789e218b5e71.exe	notepad.exe
PID 4356 wrote to memory of 4924	4356	568850394a9fb2a13bbc21804a451613d70b63f61dbc33d4a827789e218b5e71.exe	notepad.exe

C:\Users\Admin\AppData\Local\Temp\568850394a9fb2a13bbc21804a451613d70b63f61dbc33d4a827789e218b5e71.exe
"C:\Users\Admin\AppData\Local\Temp\568850394a9fb2a13bbc21804a451613d70b63f61dbc33d4a827789e218b5e71.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4356

C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe"
2⤵
PID:4924

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4924-132-0x000001C1937D0000-0x000001C193811000-memory.dmp

Filesize
260KB

Download
memory/4924-133-0x0000000000000000-mapping.dmp

Download
memory/4924-134-0x000001C1952D0000-0x000001C195742000-memory.dmp

Filesize
4.4MB

Download

Analysis

Sharing