Analysis
max time kernel: 140s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20230831-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230831-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-09-2023 13:05
Behavioral task: behavioral1
Sample: 2023-08-22_d0d1ede925af99a08fd475a4ba7e076f_cobalt-strike_cobaltstrike_havex_JC.dll
Resource: win7-20230831-en
Behavioral task: behavioral2
Sample: 2023-08-22_d0d1ede925af99a08fd475a4ba7e076f_cobalt-strike_cobaltstrike_havex_JC.dll
Resource: win10v2004-20230831-en
General
Target: 2023-08-22_d0d1ede925af99a08fd475a4ba7e076f_cobalt-strike_cobaltstrike_havex_JC.dll
Size: 208KB
MD5: d0d1ede925af99a08fd475a4ba7e076f
SHA1: 7c318dbe3e492e376f6fe1a4d2b3da89dd673a6d
SHA256: 8af4c35ce2fbaa68c1736fc69073acb459e7c2094dd9f6dd9ce611eb3168c195
SHA512: 30f4face351b2a5809351a53c27e6db180f92943bd9928c9b8c226ade586b336bd0da8b48420d8bc6df32c15ce091c97b757cc135a2f09b1cfceecee81db9df0
SSDEEP: 3072:1I6CqRCxffkClZ8Ccn7LQlRw6x+Y3CxT2DtK5jdUmY53:1IDff9D8C6XYRw6MT2DEj
Malware Config
Signatures
-
Program crash (1 IoC)
Processes:
  pid   pid_target  process       target process
  1856  3172        WerFault.exe  rundll32.exe
Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description                        pid   process       target process
  PID 3764 wrote to memory of 3172   3764  rundll32.exe  rundll32.exe
  PID 3764 wrote to memory of 3172   3764  rundll32.exe  rundll32.exe
  PID 3764 wrote to memory of 3172   3764  rundll32.exe  rundll32.exe
Processes
C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2023-08-22_d0d1ede925af99a08fd475a4ba7e076f_cobalt-strike_cobaltstrike_havex_JC.dll,#1
  PID: 3764
  signatures: Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2023-08-22_d0d1ede925af99a08fd475a4ba7e076f_cobalt-strike_cobaltstrike_havex_JC.dll,#1
    PID: 3172
    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3172 -s 592
      PID: 1856
      signatures: Program crash
C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3172 -ip 3172
  PID: 764
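The process tree above is the whole of the dynamic behaviour the sandbox captured: an x64 rundll32.exe asked to load a DLL from the user's Temp directory by ordinal (`,#1`), which relaunches the SysWOW64 rundll32.exe (the x64 rundll32 does this when the DLL turns out to be 32-bit), and that child then crashes and is picked up by WerFault.exe. The following is an added example, not part of the sandbox report, showing how the same pattern can be flagged from process-creation events. The events are constructed from the report's own process tree (Sysmon Event ID 1-style field names, the parent of each root process, and the benign `shell32.dll` line are assumptions, since the report does not give them).

```python
"""Flag the rundll32 process-tree pattern from process-creation events.

Added example; the EVENTS list is constructed from the report's process
tree, with field names, root parents and the benign control-panel line
assumed for illustration.
"""
import re

# Matches "rundll32.exe <dll>,<entry>" with an optional image path and
# optional quotes; entry may be an export name or an "#<ordinal>".
RUNDLL_RE = re.compile(
    r'^"?(?:\S*\\)?rundll32(?:\.exe)?"?\s+(?P<dll>.+?\.dll)\s*,\s*#?(?P<entry>\S+)',
    re.IGNORECASE,
)
# WerFault's "-p <pid>" names the faulting process.
WERFAULT_PID_RE = re.compile(r"\s-p\s+(?P<pid>\d+)", re.IGNORECASE)
# Directory markers a standard user can write to (lower-case, backslash-bounded).
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\users\\public\\",
                 "\\downloads\\", "\\programdata\\")

# Constructed events modelled on the report's tree (ppid None = not given).
EVENTS = [
    {"pid": 3764, "ppid": None, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\2023-08-22_d0d1ede925af99a08fd475a4ba7e076f_cobalt-strike_cobaltstrike_havex_JC.dll,#1"},
    {"pid": 3172, "ppid": 3764, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\2023-08-22_d0d1ede925af99a08fd475a4ba7e076f_cobalt-strike_cobaltstrike_havex_JC.dll,#1"},
    {"pid": 1856, "ppid": 3172, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 3172 -s 592"},
    {"pid": 764, "ppid": None, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3172 -ip 3172"},
    # Constructed benign baseline (assumed): a named export from a System32 DLL.
    {"pid": 5000, "ppid": 4000, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
]


def parse_rundll32(cmdline):
    """Return (dll_path, entry) from a rundll32 command line, or None."""
    m = RUNDLL_RE.match(cmdline.strip())
    if not m:
        return None
    return m.group("dll"), m.group("entry")


def is_user_writable(path):
    """True if the DLL lives under a directory a normal user can write to."""
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def analyze(events):
    """Return a de-duplicated list of (rule, pid, detail) findings."""
    by_pid = {e["pid"]: e for e in events}
    findings = {}  # (rule, pid) -> detail, so WerFault -u and -pss count once

    def add(rule, pid, detail):
        findings.setdefault((rule, pid), detail)

    for e in events:
        image = e["image"].lower()
        if image.endswith("\\rundll32.exe"):
            parsed = parse_rundll32(e["cmdline"])
            if not parsed:
                continue
            dll, entry = parsed
            if is_user_writable(dll):
                add("rundll32_dll_in_user_writable_dir", e["pid"], dll)
            if entry.isdigit():
                add("rundll32_ordinal_export", e["pid"], "#" + entry)
            parent = by_pid.get(e["ppid"])
            # x64 rundll32 relaunching the SysWOW64 copy on the same DLL: the DLL is 32-bit.
            if (parent and parent["image"].lower() == r"c:\windows\system32\rundll32.exe"
                    and image == r"c:\windows\syswow64\rundll32.exe"):
                pparsed = parse_rundll32(parent["cmdline"])
                if pparsed and pparsed[0].lower() == dll.lower():
                    add("wow64_rundll32_reexec", e["pid"], "parent %d loads same DLL" % parent["pid"])
        elif image.endswith("\\werfault.exe"):
            m = WERFAULT_PID_RE.search(e["cmdline"])
            if m:
                crashed = by_pid.get(int(m.group("pid")))
                if crashed and crashed["image"].lower().endswith("\\rundll32.exe"):
                    add("rundll32_crashed", crashed["pid"], "reported by WerFault pid %d" % e["pid"])

    return [(rule, pid, detail) for (rule, pid), detail in findings.items()]


if __name__ == "__main__":
    for rule, pid, detail in analyze(EVENTS):
        print("%-36s pid=%-5d %s" % (rule, pid, detail))
```

Read against the signature block: the three WriteProcessMemory hits are the parent rundll32 (3764) writing into the child it has just created (3172), which is consistent with process start-up of the relaunched SysWOW64 copy rather than injection into an unrelated process, so on their own they say little. The crash is the more useful fact: ordinal `#1` of the DLL did not run to completion under rundll32, which is why this report carries no network activity or extracted configuration, and the hashes, SSDEEP and static tags above are what is left to pivot on.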