8e1071977bdbaf69ebcf78a2320a216afed6a706a840e5eac5b0b474e339ea24

Analysis

max time kernel
143s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
30/08/2023, 19:46

Target

ee5f94e9d402ed55081859727fd68108_cobalt-strike_cobaltstrike_meterpreter_JC.dll
Size

206KB
MD5

ee5f94e9d402ed55081859727fd68108
SHA1

7fac309c8394dccde82715bc88d9f56a89c21b61
SHA256

8e1071977bdbaf69ebcf78a2320a216afed6a706a840e5eac5b0b474e339ea24
SHA512

f42f03d052887d6855f66fadb0b6c548422dd101fd67c014aa993b0fd19f49697fb851f8521e3a3a7b194fdf27ba3dfb3d4bf3ee80954a0470a89d8cb537256d
SSDEEP

3072:cOZl41JXuwmn7WyDKU8Cw7v3xKwVj4sKvWbUNRjlU/5Kj:cOeXuXnf+U8CIvxBjHbU7j

Score

3^/10

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4880	4328	WerFault.exe	81

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5012 wrote to memory of 4328	5012	rundll32.exe	81
PID 5012 wrote to memory of 4328	5012	rundll32.exe	81
PID 5012 wrote to memory of 4328	5012	rundll32.exe	81

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ee5f94e9d402ed55081859727fd68108_cobalt-strike_cobaltstrike_meterpreter_JC.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:5012
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\ee5f94e9d402ed55081859727fd68108_cobalt-strike_cobaltstrike_meterpreter_JC.dll,#1
  2⤵
  PID:4328
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4328 -s 560
    3⤵
    - Program crash
    PID:4880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4328 -ip 4328
1⤵
PID:552