cobaltstrike | c8c6067cf64a8be76fb389fca74bafcb545076ceb7d1183ffd7ad814a04fa05d

Analysis

max time kernel
152s
max time network
128s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
13-10-2023 22:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

beacon.exe
Size

281KB
MD5

94ca9b4aa1cf9d29c9375d1306959f38
SHA1

9fb7d599f78adb8bd7ca03ba8fee41ea38db2cdc
SHA256

c8c6067cf64a8be76fb389fca74bafcb545076ceb7d1183ffd7ad814a04fa05d
SHA512

e7d56b31e632629a7e333f67c6fffbd41f34cafc8f208e150efe9f3eb1f4a82a9dcd45b9cbd6863e01d1c8cea78497beb171df8454806115362498405302743a
SSDEEP

6144:OCu2IC+Mu3OP6KMz+7ImkQ0H01PX2C3shk/FYgpv5gxDs1Xo0odWyGFF:Yrd3FKUmkRE3syNVpFyw

Score

10^/10

cobaltstrike 100000 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

100000

Attributes

beacon_type
1024
host
192.168.150.9
http_header1
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
polling_time
10000
port_number
4444
sc_process32
%windir%\syswow64\gpupdate.exe
sc_process64
%windir%\sysnative\gpupdate.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDCHFQjnAnUbEXD+c5GiuPpC/L5pH2AnHxcutfvep6LOO4ik5oTdUI5q7KAsEzt7oUQI06rl0seBjlfZlXoAbwfbSbtvYJDKZMeDPvaY6QJRM9SYTgD+nlUiAR0qeMpbvhj68n3khnS1Cu2IS9GJpCMa7kRYn7ylraIWKBIArzaEQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
watermark
100000

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

beacon.exe

description	pid	process	target process
PID 2020 wrote to memory of 2616	2020	beacon.exe	WerFault.exe
PID 2020 wrote to memory of 2616	2020	beacon.exe	WerFault.exe
PID 2020 wrote to memory of 2616	2020	beacon.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\beacon.exe
"C:\Users\Admin\AppData\Local\Temp\beacon.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2020 -s 320
2⤵
PID:2616

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2020-0-0x0000000000450000-0x0000000000490000-memory.dmp

Filesize
256KB

Download
memory/2020-1-0x0000000000860000-0x0000000000CD2000-memory.dmp

Filesize
4.4MB

Download
memory/2020-2-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download