b97db8ebc398ea68713488fe0c3574eeddfa009750e92244c4855dfb6fdec054

Analysis

max time kernel
140s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
24/04/2024, 13:42

Target

cobaltstrike.exe
Size

18KB
MD5

abb453ca14124b179d37b9f121761612
SHA1

968e518c00a750dd826b970db66b6b78808bf43a
SHA256

b97db8ebc398ea68713488fe0c3574eeddfa009750e92244c4855dfb6fdec054
SHA512

2aa80c8b72c77e3412710e7697e66ffd16fb28765c5f2245de0a6c3be7268e1f91c586055e9a7ee66a7422f860ea536372fff7afb1b2f71ea866c8a59990b149
SSDEEP

384:cDZh+oq26YtlgezucmOk36LdMumXZl0Ys9U6hp:+h+teOwucXo6mxM

Score

1^/10

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	1172	svchost.exe

C:\Users\Admin\AppData\Local\Temp\cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\cobaltstrike.exe"
1⤵
PID:2276

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:3280

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1172

memory/1172-1-0x0000028095940000-0x0000028095950000-memory.dmp

Filesize
64KB

Download
memory/1172-17-0x0000028095A40000-0x0000028095A50000-memory.dmp

Filesize
64KB

Download
memory/1172-33-0x000002809DDB0000-0x000002809DDB1000-memory.dmp

Filesize
4KB

Download
memory/1172-35-0x000002809DDE0000-0x000002809DDE1000-memory.dmp

Filesize
4KB

Download
memory/1172-36-0x000002809DDE0000-0x000002809DDE1000-memory.dmp

Filesize
4KB

Download
memory/1172-37-0x000002809DEF0000-0x000002809DEF1000-memory.dmp

Filesize
4KB

Download
memory/2276-0-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download