cobaltstrike | 580809c7c05f1630c637690c41db2ddea7feb0e230bf92f51deebaa495b46736

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
16-09-2024 01:16

Target

580809c7c05f1630c637690c41db2ddea7feb0e230bf92f51deebaa495b46736.exe
Size

262KB
MD5

22db6458c458b402831e8b74621e8a1d
SHA1

d4f1438bc1d39eef7fe39bd9ee5e21e988930b1f
SHA256

580809c7c05f1630c637690c41db2ddea7feb0e230bf92f51deebaa495b46736
SHA512

7291d1c9d25ae6ef0372dbec1e07fb742acc8e3ce0798161915c5bbe21c163684f02a7f070cde74b0e6d8fa63f99a6e1ab212e9dd8383f9f8080d2d487340c03
SSDEEP

6144:IIn0gFc1UIE1gt395GTe83dMNJJJ655ZZo9W+Kki:IIn0Ac1UIE1gt3Kv3p+K1

Score

10^/10

Family

cobaltstrike

http://state-mgmt.us:443/amJE

Attributes

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2880 wrote to memory of 2936	2880	580809c7c05f1630c637690c41db2ddea7feb0e230bf92f51deebaa495b46736.exe	83
PID 2880 wrote to memory of 2936	2880	580809c7c05f1630c637690c41db2ddea7feb0e230bf92f51deebaa495b46736.exe	83
PID 2880 wrote to memory of 2936	2880	580809c7c05f1630c637690c41db2ddea7feb0e230bf92f51deebaa495b46736.exe	83

C:\Users\Admin\AppData\Local\Temp\580809c7c05f1630c637690c41db2ddea7feb0e230bf92f51deebaa495b46736.exe
"C:\Users\Admin\AppData\Local\Temp\580809c7c05f1630c637690c41db2ddea7feb0e230bf92f51deebaa495b46736.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2880
- C:\Windows\SYSTEM32\svchost.exe
  svchost.exe
  2⤵
  PID:2936

memory/2880-1-0x00007FF651960000-0x00007FF6519AE000-memory.dmp

Filesize
312KB

Download
memory/2936-0-0x00000168D12C0000-0x00000168D12C1000-memory.dmp

Filesize
4KB

Download