cobaltstrike | 265ee27379be8afcebcde7fc1338fc4f15bafaad5d34f5e36a56360eb25dcf8c

Analysis

max time kernel
43s
max time network
35s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
23-11-2024 17:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

265ee27379be8afcebcde7fc1338fc4f15bafaad5d34f5e36a56360eb25dcf8c.exe
Size

845KB
MD5

ef54050aeaa0ebec2b675ba8577bae23
SHA1

477ec2310ffa605f5642ae01a67ff6835fec11bc
SHA256

265ee27379be8afcebcde7fc1338fc4f15bafaad5d34f5e36a56360eb25dcf8c
SHA512

6683b14cd170419b500b5cf67a53075ec2e19250c76bf4ba635d37d252223d53f1036472261936377221c1b9dfa37a0a519409f790e6285785786b4ece77777b
SSDEEP

24576:1xpwQg6i6hIZ110sSVkc2zUnHeii3+/ULY4:1PwQg0hIZgzkcfHexu/Yf

Score

10^/10

cobaltstrike 0 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

Attributes

watermark
0

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1184	265ee27379be8afcebcde7fc1338fc4f15bafaad5d34f5e36a56360eb25dcf8c.exe
1184	265ee27379be8afcebcde7fc1338fc4f15bafaad5d34f5e36a56360eb25dcf8c.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2792 wrote to memory of 2380	2792	265ee27379be8afcebcde7fc1338fc4f15bafaad5d34f5e36a56360eb25dcf8c.exe	29
PID 2792 wrote to memory of 2380	2792	265ee27379be8afcebcde7fc1338fc4f15bafaad5d34f5e36a56360eb25dcf8c.exe	29
PID 2792 wrote to memory of 2380	2792	265ee27379be8afcebcde7fc1338fc4f15bafaad5d34f5e36a56360eb25dcf8c.exe	29
PID 2380 wrote to memory of 1356	2380	265ee27379be8afcebcde7fc1338fc4f15bafaad5d34f5e36a56360eb25dcf8c.exe	30
PID 2380 wrote to memory of 1356	2380	265ee27379be8afcebcde7fc1338fc4f15bafaad5d34f5e36a56360eb25dcf8c.exe	30
PID 2380 wrote to memory of 1356	2380	265ee27379be8afcebcde7fc1338fc4f15bafaad5d34f5e36a56360eb25dcf8c.exe	30
PID 1356 wrote to memory of 1516	1356	265ee27379be8afcebcde7fc1338fc4f15bafaad5d34f5e36a56360eb25dcf8c.exe	31
PID 1356 wrote to memory of 1516	1356	265ee27379be8afcebcde7fc1338fc4f15bafaad5d34f5e36a56360eb25dcf8c.exe	31
PID 1356 wrote to memory of 1516	1356	265ee27379be8afcebcde7fc1338fc4f15bafaad5d34f5e36a56360eb25dcf8c.exe	31
PID 1516 wrote to memory of 3012	1516	265ee27379be8afcebcde7fc1338fc4f15bafaad5d34f5e36a56360eb25dcf8c.exe	32
PID 1516 wrote to memory of 3012	1516	265ee27379be8afcebcde7fc1338fc4f15bafaad5d34f5e36a56360eb25dcf8c.exe	32
PID 1516 wrote to memory of 3012	1516	265ee27379be8afcebcde7fc1338fc4f15bafaad5d34f5e36a56360eb25dcf8c.exe	32
PID 3012 wrote to memory of 1184	3012	265ee27379be8afcebcde7fc1338fc4f15bafaad5d34f5e36a56360eb25dcf8c.exe	33
PID 3012 wrote to memory of 1184	3012	265ee27379be8afcebcde7fc1338fc4f15bafaad5d34f5e36a56360eb25dcf8c.exe	33
PID 3012 wrote to memory of 1184	3012	265ee27379be8afcebcde7fc1338fc4f15bafaad5d34f5e36a56360eb25dcf8c.exe	33

C:\Users\Admin\AppData\Local\Temp\265ee27379be8afcebcde7fc1338fc4f15bafaad5d34f5e36a56360eb25dcf8c.exe
"C:\Users\Admin\AppData\Local\Temp\265ee27379be8afcebcde7fc1338fc4f15bafaad5d34f5e36a56360eb25dcf8c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Users\Admin\AppData\Local\Temp\265ee27379be8afcebcde7fc1338fc4f15bafaad5d34f5e36a56360eb25dcf8c.exe
  C:\Users\Admin\AppData\Local\Temp\265ee27379be8afcebcde7fc1338fc4f15bafaad5d34f5e36a56360eb25dcf8c.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2380
- - C:\Users\Admin\AppData\Local\Temp\265ee27379be8afcebcde7fc1338fc4f15bafaad5d34f5e36a56360eb25dcf8c.exe
    C:\Users\Admin\AppData\Local\Temp\265ee27379be8afcebcde7fc1338fc4f15bafaad5d34f5e36a56360eb25dcf8c.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1356
  - - C:\Users\Admin\AppData\Local\Temp\265ee27379be8afcebcde7fc1338fc4f15bafaad5d34f5e36a56360eb25dcf8c.exe
      C:\Users\Admin\AppData\Local\Temp\265ee27379be8afcebcde7fc1338fc4f15bafaad5d34f5e36a56360eb25dcf8c.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1516
    - - C:\Users\Admin\AppData\Local\Temp\265ee27379be8afcebcde7fc1338fc4f15bafaad5d34f5e36a56360eb25dcf8c.exe
        
        C:\Users\Admin\AppData\Local\Temp\265ee27379be8afcebcde7fc1338fc4f15bafaad5d34f5e36a56360eb25dcf8c.exe
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3012
      - C:\Users\Admin\AppData\Local\Temp\265ee27379be8afcebcde7fc1338fc4f15bafaad5d34f5e36a56360eb25dcf8c.exe
        
        C:\Users\Admin\AppData\Local\Temp\265ee27379be8afcebcde7fc1338fc4f15bafaad5d34f5e36a56360eb25dcf8c.exe
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1184

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1184-0-0x00000000000D0000-0x0000000000134000-memory.dmp

Filesize
400KB

Download
memory/1184-2-0x0000000000720000-0x0000000000B93000-memory.dmp

Filesize
4.4MB

Download
memory/1184-3-0x0000000000720000-0x0000000000B93000-memory.dmp

Filesize
4.4MB

Download
memory/1184-4-0x0000000000720000-0x0000000000B93000-memory.dmp

Filesize
4.4MB

Download
memory/1184-6-0x0000000077390000-0x0000000077391000-memory.dmp

Filesize
4KB

Download
memory/1184-5-0x0000000000720000-0x0000000000B93000-memory.dmp

Filesize
4.4MB

Download