4f4fe3c9a73cee60fbf935844887a3b860556d2c2e1e7684c5c212517162e750

Analysis

max time kernel
122s
max time network
125s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
21/08/2023, 17:52

Target

643a9947b322770d7e86798edf4d16aa_cobalt-strike_cobaltstrike_meterpreter_JC.dll
Size

234KB
MD5

643a9947b322770d7e86798edf4d16aa
SHA1

7db4631160068b5d41c00f51095464702f2c88cf
SHA256

4f4fe3c9a73cee60fbf935844887a3b860556d2c2e1e7684c5c212517162e750
SHA512

06d3fd7f08cecf18d97094c8ccd88daf9d9d64faa4523a46ca1f3ae800eefa15feabf802eee50739270cd58f69e495af5bcaf76a0ab8035830e319b123ff1613
SSDEEP

3072:n3vli2EJv1RBuZH3JxgYhgipvLKoTte0SqoOCtA21/wlULGs7jnZdFjdUJ5gRt:n3vyJNRkZHBvZp0qoOCu2pkojnZHjp

Score

3^/10

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2972	1276	WerFault.exe	28

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2652 wrote to memory of 1276	2652	rundll32.exe	28
PID 2652 wrote to memory of 1276	2652	rundll32.exe	28
PID 2652 wrote to memory of 1276	2652	rundll32.exe	28
PID 2652 wrote to memory of 1276	2652	rundll32.exe	28
PID 2652 wrote to memory of 1276	2652	rundll32.exe	28
PID 2652 wrote to memory of 1276	2652	rundll32.exe	28
PID 2652 wrote to memory of 1276	2652	rundll32.exe	28
PID 1276 wrote to memory of 2972	1276	rundll32.exe	29
PID 1276 wrote to memory of 2972	1276	rundll32.exe	29
PID 1276 wrote to memory of 2972	1276	rundll32.exe	29
PID 1276 wrote to memory of 2972	1276	rundll32.exe	29

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\643a9947b322770d7e86798edf4d16aa_cobalt-strike_cobaltstrike_meterpreter_JC.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2652
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\643a9947b322770d7e86798edf4d16aa_cobalt-strike_cobaltstrike_meterpreter_JC.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1276
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1276 -s 232
    3⤵
    - Program crash
    PID:2972