cobaltstrike | c1c212c43955c7e2ec5467c6a1eb5e875ad660eddb728019caa261b03c3ab964

Analysis

max time kernel
131s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
02-07-2024 05:25

Target

c1c212c43955c7e2ec5467c6a1eb5e875ad660eddb728019caa261b03c3ab964.exe
Size

1.4MB
MD5

501421bcb0f4bc8d1fe5dcaeb47cbc77
SHA1

76ec9e0c013f4c37bf59b21c29eecbd4edae8e24
SHA256

c1c212c43955c7e2ec5467c6a1eb5e875ad660eddb728019caa261b03c3ab964
SHA512

e6d524137caf4b9ad384141d63e5140127c91d42c68801ebced474465505a38dbead7f6cc5edcb705b5bb2cf0473c1b828aa2596bf54daa21ec7df82902388a0
SSDEEP

24576:0Hyi0YRzZgx/jtTObFtURiRQkzRQD9ZkdxTu5iZpUHLQfRRNi:HIIhTObMbIItryi

Score

10^/10

Family

cobaltstrike

http://49.233.48.44:443/Rpc

Attributes

user_agent
Accept: */* User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

notepad.exe

description pid process target process

PID 2460 created 3460 2460 notepad.exe Explorer.EXE
Executes dropped EXE 1 IoCs

Processes:

notepad.exe

pid process

2460 notepad.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

notepad.exe

pid process

2460 notepad.exe
2460 notepad.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 1 IoCs

Processes:

notepad.exe

pid process

2460 notepad.exe

description	pid	process	target process
PID 2460 created 3460	2460	notepad.exe	Explorer.EXE

pid	process
2460	notepad.exe

pid	process
2460	notepad.exe
2460	notepad.exe

pid	process
2460	notepad.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

c1c212c43955c7e2ec5467c6a1eb5e875ad660eddb728019caa261b03c3ab964.execmd.exenotepad.exe

description	pid	process	target process
PID 464 wrote to memory of 4564	464	c1c212c43955c7e2ec5467c6a1eb5e875ad660eddb728019caa261b03c3ab964.exe	cmd.exe
PID 464 wrote to memory of 4564	464	c1c212c43955c7e2ec5467c6a1eb5e875ad660eddb728019caa261b03c3ab964.exe	cmd.exe
PID 464 wrote to memory of 1448	464	c1c212c43955c7e2ec5467c6a1eb5e875ad660eddb728019caa261b03c3ab964.exe	cmd.exe
PID 464 wrote to memory of 1448	464	c1c212c43955c7e2ec5467c6a1eb5e875ad660eddb728019caa261b03c3ab964.exe	cmd.exe
PID 464 wrote to memory of 4416	464	c1c212c43955c7e2ec5467c6a1eb5e875ad660eddb728019caa261b03c3ab964.exe	cmd.exe
PID 464 wrote to memory of 4416	464	c1c212c43955c7e2ec5467c6a1eb5e875ad660eddb728019caa261b03c3ab964.exe	cmd.exe
PID 1448 wrote to memory of 2460	1448	cmd.exe	notepad.exe
PID 1448 wrote to memory of 2460	1448	cmd.exe	notepad.exe
PID 2460 wrote to memory of 4468	2460	notepad.exe	explorer.exe
PID 2460 wrote to memory of 4468	2460	notepad.exe	explorer.exe
PID 2460 wrote to memory of 4468	2460	notepad.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\c1c212c43955c7e2ec5467c6a1eb5e875ad660eddb728019caa261b03c3ab964.exe
"C:\Users\Admin\AppData\Local\Temp\c1c212c43955c7e2ec5467c6a1eb5e875ad660eddb728019caa261b03c3ab964.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:464

C:\Windows\SYSTEM32\cmd.exe
cmd /c C:\Windows\Temp\notepad.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1448

C:\Windows\Temp\notepad.exe
Filesize
831KB

MD5
eaa16e9789f182de10c482e26b374304

SHA1
b53763f592b24ff14b15e1662917c41722299957

SHA256
281a624fcdf4a1c2593a44c436f3523550f31b66ff756f73f1d7e5ebf03d5717

SHA512
c7b1d24b537b63a4ed786f4763dbf287e6c1d5233e36048433ca7ff235f4feeefb68b4ff1d5f7c6763e5993371540f8b6bb373c681bc7b193ba466b647e508e0

Download Submit
memory/464-2-0x0000000000400000-0x0000000000583000-memory.dmp

Filesize
1.5MB

Download
memory/2460-6-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2460-12-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4468-11-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download