Analysis
max time kernel: 117s
max time network: 121s
platform: windows7_x64
resource: win7-20230831-en
resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
submitted: 03-09-2023 13:07
Behavioral task: behavioral1
Sample: 2023-08-22_d22e5b16da6ad0ff56deb2a8e4f81e9b_cobalt-strike_cobaltstrike_meterpreter_JC.dll
Resource: win7-20230831-en
Behavioral task: behavioral2
Sample: 2023-08-22_d22e5b16da6ad0ff56deb2a8e4f81e9b_cobalt-strike_cobaltstrike_meterpreter_JC.dll
Resource: win10v2004-20230831-en
General
Target: 2023-08-22_d22e5b16da6ad0ff56deb2a8e4f81e9b_cobalt-strike_cobaltstrike_meterpreter_JC.dll
Size: 208KB
MD5: d22e5b16da6ad0ff56deb2a8e4f81e9b
SHA1: c78750b117b8df67aeabd8bbe1be6df0cfb7a2b0
SHA256: 21e45e68fc41bada918ef5b84cec121723596ae4c703ab6c35a5cffab286a1ab
SHA512: 6c4d42693f9cad52c186ebef13276b3f3d3fbd5231e18ae79ef86315dfa030e4f4651440fc84382aa1382be41a0135928e13ea750ef9f64e7107fb5b9fd328b6
SSDEEP: 3072:LI6CqRCxffkClZ8Ccn7LQlRw6x+Y3CxT2DtK5jdU/Y5A:LIDff9D8C6XYRw6MT2DEj
Malware Config
Signatures

Program crash (1 IoC)
Processes:
pid   pid_target  process       target process
2112  2568        WerFault.exe  rundll32.exe

Suspicious use of WriteProcessMemory (11 IoCs)
Processes:
description                         pid   process       target process
PID 2212 wrote to memory of 2568    2212  rundll32.exe  rundll32.exe
PID 2212 wrote to memory of 2568    2212  rundll32.exe  rundll32.exe
PID 2212 wrote to memory of 2568    2212  rundll32.exe  rundll32.exe
PID 2212 wrote to memory of 2568    2212  rundll32.exe  rundll32.exe
PID 2212 wrote to memory of 2568    2212  rundll32.exe  rundll32.exe
PID 2212 wrote to memory of 2568    2212  rundll32.exe  rundll32.exe
PID 2212 wrote to memory of 2568    2212  rundll32.exe  rundll32.exe
PID 2568 wrote to memory of 2112    2568  rundll32.exe  WerFault.exe
PID 2568 wrote to memory of 2112    2568  rundll32.exe  WerFault.exe
PID 2568 wrote to memory of 2112    2568  rundll32.exe  WerFault.exe
PID 2568 wrote to memory of 2112    2568  rundll32.exe  WerFault.exe
Processes (process tree; indentation shows parent/child)

1. C:\Windows\system32\rundll32.exe
   command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2023-08-22_d22e5b16da6ad0ff56deb2a8e4f81e9b_cobalt-strike_cobaltstrike_meterpreter_JC.dll,#1
   - Suspicious use of WriteProcessMemory
   PID: 2212

   2. C:\Windows\SysWOW64\rundll32.exe
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2023-08-22_d22e5b16da6ad0ff56deb2a8e4f81e9b_cobalt-strike_cobaltstrike_meterpreter_JC.dll,#1
      - Suspicious use of WriteProcessMemory
      PID: 2568

      3. C:\Windows\SysWOW64\WerFault.exe
         command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2568 -s 232
         - Program crash
         PID: 2112
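The chain recorded above is short enough to re-derive by hand, which is worth doing before reading the signatures at face value. The following is an added example, not part of the sandbox report and not the sandbox's own signature logic: it takes the three processes and eleven WriteProcessMemory rows transcribed from this page (constructed input; the sandbox's real export format is not assumed) and applies the checks a responder would want: the DLL is run from the user's Temp directory by ordinal (#1), the 64-bit rundll32 in system32 hands the same command line to the SysWOW64 copy (the standard hand-off for a 32-bit DLL, which is an inference from the tree, not a statement on the page), the SysWOW64 rundll32 crashes and WerFault is launched with `-p 2568`, and every memory write targets the writer's direct child, which is what a process launch looks like to an API monitor rather than injection into an unrelated process. Function names and the keys of the returned dictionary are this example's own.

```python
"""Added example: re-derive the signatures on this page from the recorded process chain."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# DLL path as shown in the report's process tree.
DLL = (r"C:\Users\Admin\AppData\Local\Temp\2023-08-22_d22e5b16da6ad0ff56deb2a8e4f81e9b"
       r"_cobalt-strike_cobaltstrike_meterpreter_JC.dll")


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str
    cmdline: str
    parent: int | None  # None for the root of the recorded tree


# Process tree transcribed from the report (constructed input for this example).
PROCESSES = [
    Proc(2212, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {DLL},#1", None),
    Proc(2568, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {DLL},#1", 2212),
    Proc(2112, r"C:\Windows\SysWOW64\WerFault.exe",
         r"C:\Windows\SysWOW64\WerFault.exe -u -p 2568 -s 232", 2568),
]

# (writer pid, target pid) for each "wrote to memory of" row in the Signatures section.
WPM_EVENTS = [(2212, 2568)] * 7 + [(2568, 2112)] * 4

RUNDLL32_RE = re.compile(r'rundll32\.exe\s+(?P<dll>"[^"]+"|[^,\s]+),(?P<entry>#\d+|\w+)', re.I)
WERFAULT_RE = re.compile(r"WerFault\.exe\b.*?\s-p\s+(?P<pid>\d+)", re.I)


def parse_rundll32(cmdline: str) -> tuple[str, str] | None:
    """Return (dll path, entry point) from a rundll32 command line, or None if it is not one."""
    m = RUNDLL32_RE.search(cmdline)
    return (m.group("dll").strip('"'), m.group("entry")) if m else None


def triage(procs: list[Proc], wpm_events: list[tuple[int, int]]) -> dict:
    by_pid = {p.pid: p for p in procs}
    out = {
        "temp_dll_pids": [],       # rundll32 loading a DLL from the user's Temp directory
        "ordinal_entry_pids": [],  # entry point given by ordinal (#N) rather than by name
        "wow64_relaunch": [],      # (64-bit parent, 32-bit child) pairs with identical arguments
        "crashes": [],             # (WerFault pid, crashed pid, crashed image)
        "wpm_counts": dict(Counter(wpm_events)),
        "wpm_to_children_only": True,
    }
    for p in procs:
        parsed = parse_rundll32(p.cmdline)
        if parsed:
            dll, entry = parsed
            if "\\appdata\\local\\temp\\" in dll.lower():
                out["temp_dll_pids"].append(p.pid)
            if entry.startswith("#"):
                out["ordinal_entry_pids"].append(p.pid)
            parent = by_pid.get(p.parent) if p.parent is not None else None
            # system32\rundll32.exe re-launching SysWOW64\rundll32.exe with the same DLL and
            # entry is the 64-bit host handing a 32-bit DLL to the WOW64 copy (inference).
            if (parent is not None
                    and parent.image.lower().endswith(r"\system32\rundll32.exe")
                    and p.image.lower().endswith(r"\syswow64\rundll32.exe")
                    and parse_rundll32(parent.cmdline) == parsed):
                out["wow64_relaunch"].append((parent.pid, p.pid))
        m = WERFAULT_RE.search(p.cmdline)
        if m:
            crashed = int(m.group("pid"))
            c = by_pid.get(crashed)
            out["crashes"].append((p.pid, crashed, c.image if c else None))
    # A write whose target is the writer's own direct child is what a CreateProcess launch
    # looks like to an API monitor; writes into a non-child process are the pattern that
    # would actually support an injection verdict.
    for writer, target in wpm_events:
        t = by_pid.get(target)
        if t is None or t.parent != writer:
            out["wpm_to_children_only"] = False
    return out


def report_findings() -> dict:
    """Triage the chain recorded on this page."""
    return triage(PROCESSES, WPM_EVENTS)


if __name__ == "__main__":
    for key, value in report_findings().items():
        print(f"{key}: {value}")
```

Run on the page's own records, `wpm_to_children_only` comes back true and `wow64_relaunch` pairs 2212 with 2568, so the eleven WriteProcessMemory rows are accounted for by two process launches; the crash of PID 2568 (the SysWOW64 rundll32 hosting the DLL) is the one event in the chain that tells you the export did not run to completion in this environment, which is consistent with the empty Malware Config section above but is not proof of why it crashed.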