cobaltstrike | f3b2f1ec49bf6fbd4fe9e28fb28e526da4c7fce85ac95f835d3dc343b872075d

Analysis

max time kernel
14s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
14/10/2024, 10:32

Target

f3b2f1ec49bf6fbd4fe9e28fb28e526da4c7fce85ac95f835d3dc343b872075d.exe
Size

7.7MB
MD5

bfa844f0be57643e3ebf11690e539a75
SHA1

8495fd0110b642c66f49e3d30c543f5c730bc206
SHA256

f3b2f1ec49bf6fbd4fe9e28fb28e526da4c7fce85ac95f835d3dc343b872075d
SHA512

c527259c31068ce4bcba4f88bd8f99745d43c4809b8c75f6242eccfa712bf2fcbf3e785294c94f65ee23397d44dda74b1ec02cc9b9a76e059b608d31c11c8317
SSDEEP

49152:u/byhpYcDbYtlxFbY2zU6AoF01ms886E4xkkrtCMcrY0Eqh88RwTAJx6ZXdl71KB:eyoaZl3sqbwEJOfcOm4ZW

Score

10^/10

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 1628	2076	f3b2f1ec49bf6fbd4fe9e28fb28e526da4c7fce85ac95f835d3dc343b872075d.exe	31
PID 2076 wrote to memory of 1628	2076	f3b2f1ec49bf6fbd4fe9e28fb28e526da4c7fce85ac95f835d3dc343b872075d.exe	31
PID 2076 wrote to memory of 1628	2076	f3b2f1ec49bf6fbd4fe9e28fb28e526da4c7fce85ac95f835d3dc343b872075d.exe	31

C:\Users\Admin\AppData\Local\Temp\f3b2f1ec49bf6fbd4fe9e28fb28e526da4c7fce85ac95f835d3dc343b872075d.exe
"C:\Users\Admin\AppData\Local\Temp\f3b2f1ec49bf6fbd4fe9e28fb28e526da4c7fce85ac95f835d3dc343b872075d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2076 -s 276
  2⤵
  PID:1628

memory/2076-0-0x00000000003F0000-0x0000000000431000-memory.dmp

Filesize
260KB

Download
memory/2076-2-0x000000013F3C0000-0x000000013FB7D000-memory.dmp

Filesize
7.7MB

Download