cobaltstrike | 0f42d6ba815739d16f265c678f7798865117ae2ee048107cc3859a60956fd87e

Analysis

max time kernel
150s
max time network
139s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16-09-2024 14:54

Target

0f42d6ba815739d16f265c678f7798865117ae2ee048107cc3859a60956fd87e.exe
Size

13KB
MD5

7c0e7659be1c8c378a4da4ebb8eec6c4
SHA1

f04dc754d52b621e5a4772d4a18b6aa3c1d089ab
SHA256

0f42d6ba815739d16f265c678f7798865117ae2ee048107cc3859a60956fd87e
SHA512

c497b65a820706e4bb3f748ea761ad737fd2644852e9603e18319fcc6073514114fc1864dda779d4a63bdabb4e7536c6796a77f64893b83b156bfcd53a2f745c
SSDEEP

192:dYFdShBgR1Te4q0FXLl0h8Zswne3Q5tffoWR:OFdSYR1H3XLX6D36R

Score

10^/10

Family

cobaltstrike

http://3.122.237.166:4443/HEbn

Attributes

user_agent
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2464	0f42d6ba815739d16f265c678f7798865117ae2ee048107cc3859a60956fd87e.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1208	Explorer.EXE

Suspicious use of WriteProcessMemory 1 IoCs

description	pid	Process	procid_target
PID 2464 wrote to memory of 1208	2464	0f42d6ba815739d16f265c678f7798865117ae2ee048107cc3859a60956fd87e.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of UnmapMainImage
PID:1208
- C:\Users\Admin\AppData\Local\Temp\0f42d6ba815739d16f265c678f7798865117ae2ee048107cc3859a60956fd87e.exe
  "C:\Users\Admin\AppData\Local\Temp\0f42d6ba815739d16f265c678f7798865117ae2ee048107cc3859a60956fd87e.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2464

memory/1208-1-0x0000000002520000-0x0000000002521000-memory.dmp

Filesize
4KB

Download
memory/1208-0-0x0000000002520000-0x0000000002521000-memory.dmp

Filesize
4KB

Download