cobaltstrike | 10d7c0e08d2f5ccaee9e722c965f65c8d4a9ac54b32c542bde29c017d76bc7ae

Analysis

max time kernel
143s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
02-07-2024 05:22

Target

10d7c0e08d2f5ccaee9e722c965f65c8d4a9ac54b32c542bde29c017d76bc7ae.exe
Size

1.4MB
MD5

7852d19ca1efd7a26644980df3ba01d3
SHA1

18cfdd421415f819d833a10c994d8d3fc31ec484
SHA256

10d7c0e08d2f5ccaee9e722c965f65c8d4a9ac54b32c542bde29c017d76bc7ae
SHA512

f69f1ec58acab14a6bf4d122649422f694c1ed4c6a992f30da5b93a717efc50360d0cba737efa1f0529ea8e21a012c6e786156d1fedad57a7940aa886e71e14c
SSDEEP

24576:0Hyi0YRzZgx/jtTObFtURiRQkzRQD9ZkdxTu5iZpUHLQfRRNa:HIIhTObMbIItrya

Score

10^/10

Family

cobaltstrike

http://49.233.48.44:443/Rpc

Attributes

user_agent
Accept: */* User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

notepad.exe

description pid process target process

PID 3736 created 3332 3736 notepad.exe Explorer.EXE
Executes dropped EXE 1 IoCs

Processes:

notepad.exe

pid process

3736 notepad.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

notepad.exe

pid process

3736 notepad.exe
3736 notepad.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 1 IoCs

Processes:

notepad.exe

pid process

3736 notepad.exe

description	pid	process	target process
PID 3736 created 3332	3736	notepad.exe	Explorer.EXE

pid	process
3736	notepad.exe

pid	process
3736	notepad.exe
3736	notepad.exe

pid	process
3736	notepad.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

10d7c0e08d2f5ccaee9e722c965f65c8d4a9ac54b32c542bde29c017d76bc7ae.execmd.exenotepad.exe

description	pid	process	target process
PID 4076 wrote to memory of 4440	4076	10d7c0e08d2f5ccaee9e722c965f65c8d4a9ac54b32c542bde29c017d76bc7ae.exe	cmd.exe
PID 4076 wrote to memory of 4440	4076	10d7c0e08d2f5ccaee9e722c965f65c8d4a9ac54b32c542bde29c017d76bc7ae.exe	cmd.exe
PID 4076 wrote to memory of 4184	4076	10d7c0e08d2f5ccaee9e722c965f65c8d4a9ac54b32c542bde29c017d76bc7ae.exe	cmd.exe
PID 4076 wrote to memory of 4184	4076	10d7c0e08d2f5ccaee9e722c965f65c8d4a9ac54b32c542bde29c017d76bc7ae.exe	cmd.exe
PID 4076 wrote to memory of 4316	4076	10d7c0e08d2f5ccaee9e722c965f65c8d4a9ac54b32c542bde29c017d76bc7ae.exe	cmd.exe
PID 4076 wrote to memory of 4316	4076	10d7c0e08d2f5ccaee9e722c965f65c8d4a9ac54b32c542bde29c017d76bc7ae.exe	cmd.exe
PID 4184 wrote to memory of 3736	4184	cmd.exe	notepad.exe
PID 4184 wrote to memory of 3736	4184	cmd.exe	notepad.exe
PID 3736 wrote to memory of 5004	3736	notepad.exe	explorer.exe
PID 3736 wrote to memory of 5004	3736	notepad.exe	explorer.exe
PID 3736 wrote to memory of 5004	3736	notepad.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\10d7c0e08d2f5ccaee9e722c965f65c8d4a9ac54b32c542bde29c017d76bc7ae.exe
"C:\Users\Admin\AppData\Local\Temp\10d7c0e08d2f5ccaee9e722c965f65c8d4a9ac54b32c542bde29c017d76bc7ae.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4076

C:\Windows\SYSTEM32\cmd.exe
cmd /c C:\Windows\Temp\notepad.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:4184

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4292 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
1⤵
PID:4488

C:\Windows\Temp\notepad.exe
Filesize
831KB

MD5
eaa16e9789f182de10c482e26b374304

SHA1
b53763f592b24ff14b15e1662917c41722299957

SHA256
281a624fcdf4a1c2593a44c436f3523550f31b66ff756f73f1d7e5ebf03d5717

SHA512
c7b1d24b537b63a4ed786f4763dbf287e6c1d5233e36048433ca7ff235f4feeefb68b4ff1d5f7c6763e5993371540f8b6bb373c681bc7b193ba466b647e508e0

Download Submit
memory/3736-6-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/3736-13-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4076-2-0x0000000000400000-0x0000000000583000-memory.dmp

Filesize
1.5MB

Download
memory/5004-12-0x0000000000B40000-0x0000000000B41000-memory.dmp

Filesize
4KB

Download