cobaltstrike | 9278aea6561d5cb76147702e104ab805b54303f6fe1ce598484efc3e443e988d

Analysis

max time kernel
140s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-09-2024 19:25

Target

9278aea6561d5cb76147702e104ab805b54303f6fe1ce598484efc3e443e988d.dll
Size

17KB
MD5

d4a2ed4f54b532c45a751f4c6cc7c238
SHA1

87e60643b97cc6af95429ce9fb09a66260478da4
SHA256

9278aea6561d5cb76147702e104ab805b54303f6fe1ce598484efc3e443e988d
SHA512

7c02659c2ac8d959be59271fda7b328d3e2877c1beb27ac6cbff458aef773a4cee3c071bdc6a6fc2ee5742ec22195c6cafc04b2056d061a0ebcc9301647b021d
SSDEEP

192:hAJlQmO0zw24dB36AkSvvwzWlKo8KhIPuK3BX7SO6TVKSMUZiTTTTTTTTTTTTTTV:hAJlu1F/vvwa4qkuKZHUZskJEZT

Score

10^/10

Family

cobaltstrike

http://192.168.200.32:443/v2.0/identity/authorize

Attributes

user_agent
Accept: text/html,application/xhtml+xml,application/json;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Edg/128.0.0.0

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3036 wrote to memory of 860	3036	rundll32.exe	30
PID 3036 wrote to memory of 860	3036	rundll32.exe	30
PID 3036 wrote to memory of 860	3036	rundll32.exe	30

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\9278aea6561d5cb76147702e104ab805b54303f6fe1ce598484efc3e443e988d.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3036
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3036 -s 88
  2⤵
  PID:860

memory/3036-0-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/3036-1-0x000007FEFB9E0000-0x000007FEFB9ED000-memory.dmp

Filesize
52KB

Download