cobaltstrike | 2ed14b6684588231835482081d2b209485d872cac76b25b4e6fb59ddd65a5216

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13-09-2024 10:14

Target

2ed14b6684588231835482081d2b209485d872cac76b25b4e6fb59ddd65a5216.exe
Size

3.8MB
MD5

e45327c4b8b1981130f11447f3d570d9
SHA1

2f6e4e4e65723051c909b932cceed1e521cbbb0a
SHA256

2ed14b6684588231835482081d2b209485d872cac76b25b4e6fb59ddd65a5216
SHA512

afe75a686766133df7e8bdf6dbcd684a72f3b68f218165ba01baab1492d2e613e34af94cd9ec008af7bd07741ee2ab981539efc6c683d1fd43ec1d25596d94e3
SSDEEP

49152:RJKXvSV63FWrb/TNvO90d7HjmAFd4A64nsfJb4tP1pG08igYVYaCq5EhpoYghw4T:H63FNgKigSEkWlEsRjv3zM0

Score

10^/10

Family

cobaltstrike

http://1.13.160.188:8501/jquery-3.3.2.slim.min.js

Attributes

user_agent
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Referer: http://code.jquery.com/ Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 368 wrote to memory of 3020	368	2ed14b6684588231835482081d2b209485d872cac76b25b4e6fb59ddd65a5216.exe	84
PID 368 wrote to memory of 3020	368	2ed14b6684588231835482081d2b209485d872cac76b25b4e6fb59ddd65a5216.exe	84
PID 368 wrote to memory of 3020	368	2ed14b6684588231835482081d2b209485d872cac76b25b4e6fb59ddd65a5216.exe	84
PID 368 wrote to memory of 3020	368	2ed14b6684588231835482081d2b209485d872cac76b25b4e6fb59ddd65a5216.exe	84

C:\Users\Admin\AppData\Local\Temp\2ed14b6684588231835482081d2b209485d872cac76b25b4e6fb59ddd65a5216.exe
"C:\Users\Admin\AppData\Local\Temp\2ed14b6684588231835482081d2b209485d872cac76b25b4e6fb59ddd65a5216.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:368
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:3020

memory/3020-0-0x000001FA81C40000-0x000001FA81C41000-memory.dmp

Filesize
4KB

Download