21e45e68fc41bada918ef5b84cec121723596ae4c703ab6c35a5cffab286a1ab

Analysis

max time kernel
117s
max time network
121s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
03-09-2023 13:07

Target

2023-08-22_d22e5b16da6ad0ff56deb2a8e4f81e9b_cobalt-strike_cobaltstrike_meterpreter_JC.dll
Size

208KB
MD5

d22e5b16da6ad0ff56deb2a8e4f81e9b
SHA1

c78750b117b8df67aeabd8bbe1be6df0cfb7a2b0
SHA256

21e45e68fc41bada918ef5b84cec121723596ae4c703ab6c35a5cffab286a1ab
SHA512

6c4d42693f9cad52c186ebef13276b3f3d3fbd5231e18ae79ef86315dfa030e4f4651440fc84382aa1382be41a0135928e13ea750ef9f64e7107fb5b9fd328b6
SSDEEP

3072:LI6CqRCxffkClZ8Ccn7LQlRw6x+Y3CxT2DtK5jdU/Y5A:LIDff9D8C6XYRw6MT2DEj

Score

3^/10

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2112 2568 WerFault.exe rundll32.exe

pid	pid_target	process	target process
2112	2568	WerFault.exe	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2212 wrote to memory of 2568	2212	rundll32.exe	rundll32.exe
PID 2212 wrote to memory of 2568	2212	rundll32.exe	rundll32.exe
PID 2212 wrote to memory of 2568	2212	rundll32.exe	rundll32.exe
PID 2212 wrote to memory of 2568	2212	rundll32.exe	rundll32.exe
PID 2212 wrote to memory of 2568	2212	rundll32.exe	rundll32.exe
PID 2212 wrote to memory of 2568	2212	rundll32.exe	rundll32.exe
PID 2212 wrote to memory of 2568	2212	rundll32.exe	rundll32.exe
PID 2568 wrote to memory of 2112	2568	rundll32.exe	WerFault.exe
PID 2568 wrote to memory of 2112	2568	rundll32.exe	WerFault.exe
PID 2568 wrote to memory of 2112	2568	rundll32.exe	WerFault.exe
PID 2568 wrote to memory of 2112	2568	rundll32.exe	WerFault.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2023-08-22_d22e5b16da6ad0ff56deb2a8e4f81e9b_cobalt-strike_cobaltstrike_meterpreter_JC.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2212

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2023-08-22_d22e5b16da6ad0ff56deb2a8e4f81e9b_cobalt-strike_cobaltstrike_meterpreter_JC.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:2568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2568 -s 232
3⤵
- Program crash
PID:2112