b0b21ad60adea461c529acfcea841fea9d1fb882cee8441d9223703aea503744

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
13/05/2024, 11:42

Target

cobaltstrike.exe
Size

882KB
MD5

d0bf7f5cae8c06378d5f3e748490d88a
SHA1

0e469e8bfd99eaf5ea78d9dca7594d5c85ef6173
SHA256

b0b21ad60adea461c529acfcea841fea9d1fb882cee8441d9223703aea503744
SHA512

f97288c12fd18e5529e641efb263e195d4372db69d5d81ad9d70b29829381ed81067e0204b66970cd415288c113a35d2020dc088ec2a63db62f8ecfdcef547da
SSDEEP

12288:wspvpZHZ08Y1eu88MaLiGWBKlYR8P7zaBiKuroDl:Lpz8CaLYB6P7giel

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 2016	1048	cobaltstrike.exe	29
PID 1048 wrote to memory of 2016	1048	cobaltstrike.exe	29
PID 1048 wrote to memory of 2016	1048	cobaltstrike.exe	29

C:\Users\Admin\AppData\Local\Temp\cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\cobaltstrike.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Windows\System32\java.exe
  "C:\Windows\System32\java.exe" -Dfile.encoding=UTF-8 -XX:ParallelGCThreads=4 -XX:+AggressiveHeap -XX:+UseParallelGC -javaagent:CSAgent.jar=CSAgent.properties -Duser.language=en -jar cobaltstrike.jar %*
  2⤵
  PID:2016

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/1048-0-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download