cobaltstrike | 580809c7c05f1630c637690c41db2ddea7feb0e230bf92f51deebaa495b46736 | Triage

Analysis

max time kernel
131s
max time network
139s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15-09-2024 18:42

Sharing

Report Analysis Logs

General

Target

nimwhispers.exe
Size

262KB
MD5

22db6458c458b402831e8b74621e8a1d
SHA1

d4f1438bc1d39eef7fe39bd9ee5e21e988930b1f
SHA256

580809c7c05f1630c637690c41db2ddea7feb0e230bf92f51deebaa495b46736
SHA512

7291d1c9d25ae6ef0372dbec1e07fb742acc8e3ce0798161915c5bbe21c163684f02a7f070cde74b0e6d8fa63f99a6e1ab212e9dd8383f9f8080d2d487340c03
SSDEEP

6144:IIn0gFc1UIE1gt395GTe83dMNJJJ655ZZo9W+Kki:IIn0Ac1UIE1gt3Kv3p+K1

Score

10^/10

cobaltstrike backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

C2

http://state-mgmt.us:443/amJE

Attributes

user_agent
User-Agent: Microsoft-CryptoAPI/6.1

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 1904	2384	nimwhispers.exe	31
PID 2384 wrote to memory of 1904	2384	nimwhispers.exe	31
PID 2384 wrote to memory of 1904	2384	nimwhispers.exe	31
PID 2384 wrote to memory of 1904	2384	nimwhispers.exe	31

C:\Users\Admin\AppData\Local\Temp\nimwhispers.exe
"C:\Users\Admin\AppData\Local\Temp\nimwhispers.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Windows\system32\svchost.exe
  svchost.exe
  2⤵
  PID:1904

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1904-0-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/2384-1-0x000000013FEE0000-0x000000013FF2E000-memory.dmp

Filesize
312KB

Download