cobaltstrike | 49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04

Analysis

max time kernel
132s
max time network
140s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
24-11-2024 00:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe
Size

1.1MB
MD5

b24a83c233c1779de6c84ac023e091c3
SHA1

1a00dbe47fa6cd9aa5a0564089bef5654f1fd7bb
SHA256

49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04
SHA512

423c9dc882b0737ee7833f449ac1a6663d91858ff1b3922e511dc738a0eeb8ee034a761601e82b62e03f7b867efd2a7b8a491dac4f06dde1ea458cd88040314f
SSDEEP

12288:qBcVkHD+Mb90JxQR9sBtylhFqNBHx+kiXhEZ9BB9xDTgLeJIJ:KD+Mb90JxQR6BolhYrx+g9BjJO

Score

10^/10

cobaltstrike backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

http://:0

http://167.179.116.121:80/uBaE

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2348	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe
2348	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1148	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 1148	2348	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	20
PID 2348 wrote to memory of 1148	2348	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	20
PID 2348 wrote to memory of 1148	2348	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	20
PID 2348 wrote to memory of 1148	2348	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	20
PID 2348 wrote to memory of 1148	2348	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	20
PID 2348 wrote to memory of 1148	2348	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	20
PID 2348 wrote to memory of 1148	2348	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	20
PID 2348 wrote to memory of 1148	2348	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	20
PID 2348 wrote to memory of 1148	2348	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	20
PID 2348 wrote to memory of 1148	2348	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	20
PID 2348 wrote to memory of 1148	2348	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	20
PID 2348 wrote to memory of 1148	2348	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	20
PID 2348 wrote to memory of 1148	2348	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	20
PID 2348 wrote to memory of 1148	2348	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	20
PID 2348 wrote to memory of 1148	2348	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	20
PID 2348 wrote to memory of 1148	2348	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	20
PID 2348 wrote to memory of 1148	2348	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	20
PID 2348 wrote to memory of 1148	2348	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	20
PID 2348 wrote to memory of 1148	2348	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	20
PID 2348 wrote to memory of 1148	2348	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	20
PID 2348 wrote to memory of 1148	2348	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	20
PID 2348 wrote to memory of 1148	2348	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	20
PID 2348 wrote to memory of 1148	2348	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	20
PID 2348 wrote to memory of 1148	2348	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	20
PID 2348 wrote to memory of 1148	2348	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	20
PID 2348 wrote to memory of 1148	2348	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	20
PID 2348 wrote to memory of 1148	2348	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	20
PID 2348 wrote to memory of 1148	2348	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	20
PID 2348 wrote to memory of 1148	2348	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	20
PID 2348 wrote to memory of 1148	2348	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	20
PID 2348 wrote to memory of 1148	2348	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	20
PID 2348 wrote to memory of 1148	2348	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	20
PID 2348 wrote to memory of 1148	2348	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	20
PID 2348 wrote to memory of 1148	2348	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	20
PID 2348 wrote to memory of 1148	2348	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	20
PID 2348 wrote to memory of 1148	2348	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	20
PID 2348 wrote to memory of 1148	2348	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	20
PID 2348 wrote to memory of 1148	2348	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	20
PID 2348 wrote to memory of 1148	2348	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	20
PID 2348 wrote to memory of 1148	2348	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	20
PID 2348 wrote to memory of 1148	2348	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	20
PID 2348 wrote to memory of 1148	2348	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	20
PID 2348 wrote to memory of 1148	2348	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	20
PID 2348 wrote to memory of 1148	2348	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	20
PID 2348 wrote to memory of 1148	2348	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	20
PID 2348 wrote to memory of 1148	2348	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	20
PID 2348 wrote to memory of 1148	2348	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	20
PID 2348 wrote to memory of 1148	2348	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	20
PID 2348 wrote to memory of 1148	2348	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	20
PID 2348 wrote to memory of 1148	2348	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	20
PID 2348 wrote to memory of 1148	2348	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	20
PID 2348 wrote to memory of 1148	2348	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	20
PID 2348 wrote to memory of 1148	2348	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	20
PID 2348 wrote to memory of 1148	2348	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	20
PID 2348 wrote to memory of 1148	2348	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	20
PID 2348 wrote to memory of 1148	2348	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	20
PID 2348 wrote to memory of 1148	2348	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	20
PID 2348 wrote to memory of 1148	2348	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	20
PID 2348 wrote to memory of 1148	2348	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	20
PID 2348 wrote to memory of 1148	2348	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	20
PID 2348 wrote to memory of 1148	2348	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	20
PID 2348 wrote to memory of 1148	2348	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	20
PID 2348 wrote to memory of 1148	2348	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	20
PID 2348 wrote to memory of 1148	2348	49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe	20

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of UnmapMainImage
PID:1148
- C:\Users\Admin\AppData\Local\Temp\49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe
  "C:\Users\Admin\AppData\Local\Temp\49f0cdb4cb8c7c0f2ea2a0f88f1802d8788d949ae7e3be5bda31b03a2be9cb04.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2348

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1148-1-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/1148-20-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/1148-64-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/1148-63-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/1148-898-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/1148-62-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/1148-61-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/1148-60-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/1148-59-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/1148-58-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/1148-57-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/1148-56-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/1148-55-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/1148-54-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/1148-53-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/1148-52-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/1148-51-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/1148-50-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/1148-49-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/1148-48-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/1148-47-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/1148-46-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/1148-45-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/1148-44-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/1148-43-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/1148-42-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/1148-41-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/1148-40-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/1148-39-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/1148-38-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/1148-37-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/1148-36-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/1148-35-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/1148-34-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/1148-33-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/1148-32-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/1148-31-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/1148-30-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/1148-29-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/1148-28-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/1148-27-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/1148-26-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/1148-25-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/1148-24-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/1148-23-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/1148-22-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/1148-21-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/1148-19-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/1148-18-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/1148-17-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/1148-16-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/1148-15-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/1148-14-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/1148-13-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/1148-12-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/1148-8-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/1148-7-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/1148-6-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/1148-5-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/1148-4-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/1148-3-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/1148-2-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/2348-0-0x000000013FA40000-0x000000013FBC8000-memory.dmp

Filesize
1.5MB

Download
memory/2348-899-0x000000013FA40000-0x000000013FBC8000-memory.dmp

Filesize
1.5MB

Download