Analysis
max time kernel: 118s
max time network: 122s
platform: windows7_x64
resource: win7-20230712-en
resource tags: arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
submitted: 25-08-2023 14:17
Behavioral task: behavioral1
Sample: 94a48de0ec6ad280556bd71f502449df_cobalt-strike_cobaltstrike_meterpreter_JC.dll
Resource: win7-20230712-en

Behavioral task: behavioral2
Sample: 94a48de0ec6ad280556bd71f502449df_cobalt-strike_cobaltstrike_meterpreter_JC.dll
Resource: win10v2004-20230703-en
General
Target: 94a48de0ec6ad280556bd71f502449df_cobalt-strike_cobaltstrike_meterpreter_JC.dll
Size: 208KB
MD5: 94a48de0ec6ad280556bd71f502449df
SHA1: 6eade30ea33de2de412b2b215c1da828e1d855a6
SHA256: 25e5c682dfb65da8cf7b94eec9e7ce81dccb4f9fa629c0983d2569b3456b253c
SHA512: 5c7cff2c6a915bae776948c27a602cbb5c775cd172b17c3698f46604ebc6fdcd53dd934c6988906d634645b248cecefa168b8228aa7634217e08ad466304cc83
SSDEEP: 3072:LI6CqRCxffkClZ8Ccn7LQlRw6x+Y3CxT2DtK5jdUiXY5Y:LIDff9D8C6XYRw6MT2DEjf
Malware Config
Signatures
Program crash (1 IoC)
Processes:
pid   pid_target  process       target process
2128  3008        WerFault.exe  rundll32.exe
Suspicious use of WriteProcessMemory (11 IoCs)
Processes:
description         pid   process       target pid  target process
wrote to memory of  2600  rundll32.exe  3008        rundll32.exe
wrote to memory of  2600  rundll32.exe  3008        rundll32.exe
wrote to memory of  2600  rundll32.exe  3008        rundll32.exe
wrote to memory of  2600  rundll32.exe  3008        rundll32.exe
wrote to memory of  2600  rundll32.exe  3008        rundll32.exe
wrote to memory of  2600  rundll32.exe  3008        rundll32.exe
wrote to memory of  2600  rundll32.exe  3008        rundll32.exe
wrote to memory of  3008  rundll32.exe  2128        WerFault.exe
wrote to memory of  3008  rundll32.exe  2128        WerFault.exe
wrote to memory of  3008  rundll32.exe  2128        WerFault.exe
wrote to memory of  3008  rundll32.exe  2128        WerFault.exe
Processes (process tree; each entry is a child of the one above it)
1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\94a48de0ec6ad280556bd71f502449df_cobalt-strike_cobaltstrike_meterpreter_JC.dll,#1
   Signatures: Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\94a48de0ec6ad280556bd71f502449df_cobalt-strike_cobaltstrike_meterpreter_JC.dll,#1
      Signatures: Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3008 -s 232
         Signatures: Program crash