cobaltstrike | 265ee27379be8afcebcde7fc1338fc4f15bafaad5d34f5e36a56360eb25dcf8c

Analysis

max time kernel
92s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2024 17:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

265ee27379be8afcebcde7fc1338fc4f15bafaad5d34f5e36a56360eb25dcf8c.exe
Size

845KB
MD5

ef54050aeaa0ebec2b675ba8577bae23
SHA1

477ec2310ffa605f5642ae01a67ff6835fec11bc
SHA256

265ee27379be8afcebcde7fc1338fc4f15bafaad5d34f5e36a56360eb25dcf8c
SHA512

6683b14cd170419b500b5cf67a53075ec2e19250c76bf4ba635d37d252223d53f1036472261936377221c1b9dfa37a0a519409f790e6285785786b4ece77777b
SSDEEP

24576:1xpwQg6i6hIZ110sSVkc2zUnHeii3+/ULY4:1PwQg0hIZgzkcfHexu/Yf

Score

10^/10

cobaltstrike backdoor trojan

Malware Config

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1484	265ee27379be8afcebcde7fc1338fc4f15bafaad5d34f5e36a56360eb25dcf8c.exe
1484	265ee27379be8afcebcde7fc1338fc4f15bafaad5d34f5e36a56360eb25dcf8c.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 3668 wrote to memory of 4088	3668	265ee27379be8afcebcde7fc1338fc4f15bafaad5d34f5e36a56360eb25dcf8c.exe	81
PID 3668 wrote to memory of 4088	3668	265ee27379be8afcebcde7fc1338fc4f15bafaad5d34f5e36a56360eb25dcf8c.exe	81
PID 4088 wrote to memory of 4840	4088	265ee27379be8afcebcde7fc1338fc4f15bafaad5d34f5e36a56360eb25dcf8c.exe	82
PID 4088 wrote to memory of 4840	4088	265ee27379be8afcebcde7fc1338fc4f15bafaad5d34f5e36a56360eb25dcf8c.exe	82
PID 4840 wrote to memory of 3348	4840	265ee27379be8afcebcde7fc1338fc4f15bafaad5d34f5e36a56360eb25dcf8c.exe	83
PID 4840 wrote to memory of 3348	4840	265ee27379be8afcebcde7fc1338fc4f15bafaad5d34f5e36a56360eb25dcf8c.exe	83
PID 3348 wrote to memory of 1888	3348	265ee27379be8afcebcde7fc1338fc4f15bafaad5d34f5e36a56360eb25dcf8c.exe	84
PID 3348 wrote to memory of 1888	3348	265ee27379be8afcebcde7fc1338fc4f15bafaad5d34f5e36a56360eb25dcf8c.exe	84
PID 1888 wrote to memory of 1484	1888	265ee27379be8afcebcde7fc1338fc4f15bafaad5d34f5e36a56360eb25dcf8c.exe	85
PID 1888 wrote to memory of 1484	1888	265ee27379be8afcebcde7fc1338fc4f15bafaad5d34f5e36a56360eb25dcf8c.exe	85

C:\Users\Admin\AppData\Local\Temp\265ee27379be8afcebcde7fc1338fc4f15bafaad5d34f5e36a56360eb25dcf8c.exe
"C:\Users\Admin\AppData\Local\Temp\265ee27379be8afcebcde7fc1338fc4f15bafaad5d34f5e36a56360eb25dcf8c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3668
- C:\Users\Admin\AppData\Local\Temp\265ee27379be8afcebcde7fc1338fc4f15bafaad5d34f5e36a56360eb25dcf8c.exe
  C:\Users\Admin\AppData\Local\Temp\265ee27379be8afcebcde7fc1338fc4f15bafaad5d34f5e36a56360eb25dcf8c.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4088
- - C:\Users\Admin\AppData\Local\Temp\265ee27379be8afcebcde7fc1338fc4f15bafaad5d34f5e36a56360eb25dcf8c.exe
    C:\Users\Admin\AppData\Local\Temp\265ee27379be8afcebcde7fc1338fc4f15bafaad5d34f5e36a56360eb25dcf8c.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4840
  - - C:\Users\Admin\AppData\Local\Temp\265ee27379be8afcebcde7fc1338fc4f15bafaad5d34f5e36a56360eb25dcf8c.exe
      C:\Users\Admin\AppData\Local\Temp\265ee27379be8afcebcde7fc1338fc4f15bafaad5d34f5e36a56360eb25dcf8c.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3348
    - - C:\Users\Admin\AppData\Local\Temp\265ee27379be8afcebcde7fc1338fc4f15bafaad5d34f5e36a56360eb25dcf8c.exe
        
        C:\Users\Admin\AppData\Local\Temp\265ee27379be8afcebcde7fc1338fc4f15bafaad5d34f5e36a56360eb25dcf8c.exe
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1888
      - C:\Users\Admin\AppData\Local\Temp\265ee27379be8afcebcde7fc1338fc4f15bafaad5d34f5e36a56360eb25dcf8c.exe
        
        C:\Users\Admin\AppData\Local\Temp\265ee27379be8afcebcde7fc1338fc4f15bafaad5d34f5e36a56360eb25dcf8c.exe
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1484

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1484-0-0x000001C4AEEE0000-0x000001C4AEF44000-memory.dmp

Filesize
400KB

Download