cobaltstrike | 265ee27379be8afcebcde7fc1338fc4f15bafaad5d34f5e36a56360eb25dcf8c

Analysis

max time kernel
119s
max time network
124s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
23-11-2024 17:29

Target

265ee27379be8afcebcde7fc1338fc4f15bafaad5d34f5e36a56360eb25dcf8c.exe
Size

845KB
MD5

ef54050aeaa0ebec2b675ba8577bae23
SHA1

477ec2310ffa605f5642ae01a67ff6835fec11bc
SHA256

265ee27379be8afcebcde7fc1338fc4f15bafaad5d34f5e36a56360eb25dcf8c
SHA512

6683b14cd170419b500b5cf67a53075ec2e19250c76bf4ba635d37d252223d53f1036472261936377221c1b9dfa37a0a519409f790e6285785786b4ece77777b
SSDEEP

24576:1xpwQg6i6hIZ110sSVkc2zUnHeii3+/ULY4:1PwQg0hIZgzkcfHexu/Yf

Score

10^/10

Family

cobaltstrike

Botnet

Attributes

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2944	265ee27379be8afcebcde7fc1338fc4f15bafaad5d34f5e36a56360eb25dcf8c.exe
2944	265ee27379be8afcebcde7fc1338fc4f15bafaad5d34f5e36a56360eb25dcf8c.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 2732	3040	265ee27379be8afcebcde7fc1338fc4f15bafaad5d34f5e36a56360eb25dcf8c.exe	30
PID 3040 wrote to memory of 2732	3040	265ee27379be8afcebcde7fc1338fc4f15bafaad5d34f5e36a56360eb25dcf8c.exe	30
PID 3040 wrote to memory of 2732	3040	265ee27379be8afcebcde7fc1338fc4f15bafaad5d34f5e36a56360eb25dcf8c.exe	30
PID 2732 wrote to memory of 2940	2732	265ee27379be8afcebcde7fc1338fc4f15bafaad5d34f5e36a56360eb25dcf8c.exe	31
PID 2732 wrote to memory of 2940	2732	265ee27379be8afcebcde7fc1338fc4f15bafaad5d34f5e36a56360eb25dcf8c.exe	31
PID 2732 wrote to memory of 2940	2732	265ee27379be8afcebcde7fc1338fc4f15bafaad5d34f5e36a56360eb25dcf8c.exe	31
PID 2940 wrote to memory of 2944	2940	265ee27379be8afcebcde7fc1338fc4f15bafaad5d34f5e36a56360eb25dcf8c.exe	32
PID 2940 wrote to memory of 2944	2940	265ee27379be8afcebcde7fc1338fc4f15bafaad5d34f5e36a56360eb25dcf8c.exe	32
PID 2940 wrote to memory of 2944	2940	265ee27379be8afcebcde7fc1338fc4f15bafaad5d34f5e36a56360eb25dcf8c.exe	32

C:\Users\Admin\AppData\Local\Temp\265ee27379be8afcebcde7fc1338fc4f15bafaad5d34f5e36a56360eb25dcf8c.exe
"C:\Users\Admin\AppData\Local\Temp\265ee27379be8afcebcde7fc1338fc4f15bafaad5d34f5e36a56360eb25dcf8c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Users\Admin\AppData\Local\Temp\265ee27379be8afcebcde7fc1338fc4f15bafaad5d34f5e36a56360eb25dcf8c.exe
  C:\Users\Admin\AppData\Local\Temp\265ee27379be8afcebcde7fc1338fc4f15bafaad5d34f5e36a56360eb25dcf8c.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Users\Admin\AppData\Local\Temp\265ee27379be8afcebcde7fc1338fc4f15bafaad5d34f5e36a56360eb25dcf8c.exe
    C:\Users\Admin\AppData\Local\Temp\265ee27379be8afcebcde7fc1338fc4f15bafaad5d34f5e36a56360eb25dcf8c.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2940
  - - C:\Users\Admin\AppData\Local\Temp\265ee27379be8afcebcde7fc1338fc4f15bafaad5d34f5e36a56360eb25dcf8c.exe
      C:\Users\Admin\AppData\Local\Temp\265ee27379be8afcebcde7fc1338fc4f15bafaad5d34f5e36a56360eb25dcf8c.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2944

memory/2944-0-0x00000000000D0000-0x0000000000134000-memory.dmp

Filesize
400KB

Download
memory/2944-2-0x00000000005C0000-0x0000000000A33000-memory.dmp

Filesize
4.4MB

Download
memory/2944-3-0x00000000000D0000-0x0000000000134000-memory.dmp

Filesize
400KB

Download
memory/2944-4-0x00000000005C0000-0x0000000000A33000-memory.dmp

Filesize
4.4MB

Download
memory/2944-5-0x00000000005C0000-0x0000000000A33000-memory.dmp

Filesize
4.4MB

Download
memory/2944-7-0x00000000773B0000-0x00000000773B1000-memory.dmp

Filesize
4KB

Download
memory/2944-6-0x00000000005C0000-0x0000000000A33000-memory.dmp

Filesize
4.4MB

Download