25e5c682dfb65da8cf7b94eec9e7ce81dccb4f9fa629c0983d2569b3456b253c

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
25-08-2023 14:17

Target

94a48de0ec6ad280556bd71f502449df_cobalt-strike_cobaltstrike_meterpreter_JC.dll
Size

208KB
MD5

94a48de0ec6ad280556bd71f502449df
SHA1

6eade30ea33de2de412b2b215c1da828e1d855a6
SHA256

25e5c682dfb65da8cf7b94eec9e7ce81dccb4f9fa629c0983d2569b3456b253c
SHA512

5c7cff2c6a915bae776948c27a602cbb5c775cd172b17c3698f46604ebc6fdcd53dd934c6988906d634645b248cecefa168b8228aa7634217e08ad466304cc83
SSDEEP

3072:LI6CqRCxffkClZ8Ccn7LQlRw6x+Y3CxT2DtK5jdUiXY5Y:LIDff9D8C6XYRw6MT2DEjf

Score

3^/10

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2128 3008 WerFault.exe rundll32.exe

pid	pid_target	process	target process
2128	3008	WerFault.exe	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2600 wrote to memory of 3008	2600	rundll32.exe	rundll32.exe
PID 2600 wrote to memory of 3008	2600	rundll32.exe	rundll32.exe
PID 2600 wrote to memory of 3008	2600	rundll32.exe	rundll32.exe
PID 2600 wrote to memory of 3008	2600	rundll32.exe	rundll32.exe
PID 2600 wrote to memory of 3008	2600	rundll32.exe	rundll32.exe
PID 2600 wrote to memory of 3008	2600	rundll32.exe	rundll32.exe
PID 2600 wrote to memory of 3008	2600	rundll32.exe	rundll32.exe
PID 3008 wrote to memory of 2128	3008	rundll32.exe	WerFault.exe
PID 3008 wrote to memory of 2128	3008	rundll32.exe	WerFault.exe
PID 3008 wrote to memory of 2128	3008	rundll32.exe	WerFault.exe
PID 3008 wrote to memory of 2128	3008	rundll32.exe	WerFault.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\94a48de0ec6ad280556bd71f502449df_cobalt-strike_cobaltstrike_meterpreter_JC.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2600

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\94a48de0ec6ad280556bd71f502449df_cobalt-strike_cobaltstrike_meterpreter_JC.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:3008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3008 -s 232
3⤵
- Program crash
PID:2128