cobaltstrike | 6629fd327706ece79f824a2963e1c86b83ba9c51e5e2ed6aed63a203ebba2d32

Analysis

max time kernel
298s
max time network
301s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
10/05/2023, 09:05

Target

0x0003000000000733-166/temp.exe
Size

15KB
MD5

41ccf51b3a24d3e1c6c9af8b0757022f
SHA1

acfc57baadd14e910d0b8da2064ed3252c7a5ae4
SHA256

c91ff88ac8b096bd1a10929dd500eb7bc53622a070cd7fc1b1d541eab2d16630
SHA512

3c873540ff416d7ea4b7c6b7adf225d990c3a0eb968da42f9bca385cce60986561163967ae1587f129ca60762f76b6038dc13846eb9ec28d4ad516302fe2d0e3
SSDEEP

384:6FLOnmzHEiSRVtE464nnnnn1zmijBnnndITSPtp57:6ximzHDku46Omz2

Score

10^/10

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4352 wrote to memory of 3176	4352	temp.exe	88
PID 4352 wrote to memory of 3176	4352	temp.exe	88
PID 4352 wrote to memory of 3176	4352	temp.exe	88

C:\Users\Admin\AppData\Local\Temp\0x0003000000000733-166\temp.exe
"C:\Users\Admin\AppData\Local\Temp\0x0003000000000733-166\temp.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4352
- \??\c:\windows\System32\wermgr.exe
  c:\windows\System32\wermgr.exe
  2⤵
  PID:3176

memory/3176-135-0x0000029D09A60000-0x0000029D09B98000-memory.dmp

Filesize
1.2MB

Download
memory/3176-136-0x0000029D09660000-0x0000029D09768000-memory.dmp

Filesize
1.0MB

Download
memory/3176-137-0x0000029D07AD0000-0x0000029D07AD2000-memory.dmp

Filesize
8KB

Download
memory/3176-138-0x0000029D09660000-0x0000029D09768000-memory.dmp

Filesize
1.0MB

Download
memory/4352-133-0x000002A1C77C0000-0x000002A1C77C8000-memory.dmp

Filesize
32KB

Download