cobaltstrike | 7c72e4793b2aa5407153b54b427040a466595a52d96f7a632523de23003c63d0

Analysis

max time kernel
136s
max time network
138s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-09-2024 15:10

Target

7c72e4793b2aa5407153b54b427040a466595a52d96f7a632523de23003c63d0.exe
Size

1.3MB
MD5

68d421e637be00f118edc6205518fc2c
SHA1

6eb14b1b6f85542b38e02fc15dd5020c48ffdd24
SHA256

7c72e4793b2aa5407153b54b427040a466595a52d96f7a632523de23003c63d0
SHA512

a6087976c2be1fe909646ed346a1f96a7f2463ee95ce7ccfb923c791804f3d6a430b74028e0db672e1dbd0bae390ff1e5bb7be09c19942146350ecf279ea3054
SSDEEP

12288:D3sXm99oq60jkgtuHeUIVJKoIIKfWbgbvRKW9zDeWTN7lDh1P:oyqq60jvKeF0fWbgbv4WYW57z1P

Score

10^/10

Family

cobaltstrike

http://167.71.215.63:443/1hJz

Attributes

user_agent
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Blocklisted process makes network request 7 IoCs

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 2576	3012	7c72e4793b2aa5407153b54b427040a466595a52d96f7a632523de23003c63d0.exe	30
PID 3012 wrote to memory of 2576	3012	7c72e4793b2aa5407153b54b427040a466595a52d96f7a632523de23003c63d0.exe	30
PID 3012 wrote to memory of 2576	3012	7c72e4793b2aa5407153b54b427040a466595a52d96f7a632523de23003c63d0.exe	30
PID 3012 wrote to memory of 2576	3012	7c72e4793b2aa5407153b54b427040a466595a52d96f7a632523de23003c63d0.exe	30

C:\Users\Admin\AppData\Local\Temp\7c72e4793b2aa5407153b54b427040a466595a52d96f7a632523de23003c63d0.exe
"C:\Users\Admin\AppData\Local\Temp\7c72e4793b2aa5407153b54b427040a466595a52d96f7a632523de23003c63d0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  - Blocklisted process makes network request
  PID:2576

C:\Users\Admin\AppData\Local\Temp\CabAE4B.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarBCB0.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/2576-1-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/2576-0-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/2576-160-0x00000000039B0000-0x0000000003DB0000-memory.dmp

Filesize
4.0MB

Download
memory/2576-161-0x0000000000530000-0x0000000000586000-memory.dmp

Filesize
344KB

Download
memory/2576-208-0x0000000000530000-0x0000000000586000-memory.dmp

Filesize
344KB

Download