Analysis

max time kernel: 122s
max time network: 127s
platform: windows7_x64
resource: win7-20230831-en
resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
submitted: 03-09-2023 15:26
Behavioral task: behavioral1
  Sample: 2023-08-23_10a52a9686c877dbc1f2e4e39055290a_cobalt-strike_cobaltstrike_meterpreter_JC.dll
  Resource: win7-20230831-en

Behavioral task: behavioral2
  Sample: 2023-08-23_10a52a9686c877dbc1f2e4e39055290a_cobalt-strike_cobaltstrike_meterpreter_JC.dll
  Resource: win10v2004-20230831-en
General

Target: 2023-08-23_10a52a9686c877dbc1f2e4e39055290a_cobalt-strike_cobaltstrike_meterpreter_JC.dll
Size: 208KB
MD5: 10a52a9686c877dbc1f2e4e39055290a
SHA1: 1c793f9bb60a1b2ea5307977b503cdf684294c10
SHA256: 975e29484b7352f00730ef3375a1a2e20b266908c9d3d687144b04fa9b347733
SHA512: 64b9a6eea43c97b4d0b40067f0a3fa56bd507fb8595cefd4ed158e0a48f7cc0179def7340a7fa29e5b8f45186ba62ef59613a6e6b633abec76c4956f4740d2d7
SSDEEP: 3072:LI6CqRCxffkClZ8Ccn7LQlRw6x+Y3CxT2DtK5jdUw1kY5k:LIDff9D8C6XYRw6MT2DEjD
Malware Config

Signatures

Program crash (1 IoC)
  pid   pid_target  process       target process
  3052  1892        WerFault.exe  rundll32.exe

Suspicious use of WriteProcessMemory (11 IoCs)
  pid   process       target process  description
  2552  rundll32.exe  rundll32.exe    PID 2552 wrote to memory of 1892 (7 events)
  1892  rundll32.exe  WerFault.exe    PID 1892 wrote to memory of 3052 (4 events)
Processes

1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2023-08-23_10a52a9686c877dbc1f2e4e39055290a_cobalt-strike_cobaltstrike_meterpreter_JC.dll,#1
   PID: 2552
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2023-08-23_10a52a9686c877dbc1f2e4e39055290a_cobalt-strike_cobaltstrike_meterpreter_JC.dll,#1
      PID: 1892
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1892 -s 232
         PID: 3052
         - Program crash
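The process tree above tells a short story: the 64-bit rundll32 (PID 2552) relaunches the same DLL and the same entry point (export ordinal #1) through the SysWOW64 copy of rundll32 (PID 1892), which it does only when the DLL is a 32-bit image; the 32-bit host then crashes and WerFault is started for PID 1892 (the `-p` switch names the faulting process, and the report's WriteProcessMemory events from 1892 into 3052 are the crashing process handing its report data to WerFault). The following is an added example, not part of the sandbox report, that reconstructs exactly those three observations from event records. The records are constructed by hand from the PIDs and command lines shown in this report; the field names and helper functions are this example's own and not an API of the sandbox.

```python
"""Reconstruct rundll32 WoW64 hand-off, WerFault crash attribution and
WriteProcessMemory counts from sandbox-style process events (added example)."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

DLL = (r"C:\Users\Admin\AppData\Local\Temp"
       r"\2023-08-23_10a52a9686c877dbc1f2e4e39055290a_cobalt-strike_cobaltstrike_meterpreter_JC.dll")


@dataclass
class Proc:
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str


# Constructed process-creation records mirroring the report's process tree.
PROCESSES = [
    Proc(2552, None, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {DLL},#1"),
    Proc(1892, 2552, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {DLL},#1"),
    Proc(3052, 1892, r"C:\Windows\SysWOW64\WerFault.exe",
         r"C:\Windows\SysWOW64\WerFault.exe -u -p 1892 -s 232"),
]

# Constructed WriteProcessMemory events, (writer pid, target pid), one per IoC.
WPM_EVENTS = [(2552, 1892)] * 7 + [(1892, 3052)] * 4


def argv(cmdline: str) -> List[str]:
    # Paths in this report contain no spaces, so whitespace splitting suffices;
    # real telemetry with quoted paths needs a Windows-aware argv parser.
    return cmdline.split()


def rundll32_entry(cmdline: str) -> Optional[Tuple[str, str]]:
    """Return (dll_path, entry) for 'rundll32.exe <dll>,<entry>'.
    rundll32 treats an entry written as #N as export ordinal N."""
    args = argv(cmdline)
    if len(args) < 2 or not args[0].lower().endswith("rundll32.exe"):
        return None
    dll, _, entry = args[1].rpartition(",")
    return (dll, entry) if dll else (args[1], "")


def wow64_handoffs(procs: List[Proc]) -> List[Tuple[int, int]]:
    """(parent, child) pairs where a system32 rundll32 relaunched the same
    DLL/entry through the SysWOW64 rundll32, i.e. the DLL is 32-bit."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for child in procs:
        parent = by_pid.get(child.ppid)
        if parent is None:
            continue
        if (child.image.lower().endswith(r"\syswow64\rundll32.exe")
                and parent.image.lower().endswith(r"\system32\rundll32.exe")
                and rundll32_entry(child.cmdline) == rundll32_entry(parent.cmdline)):
            hits.append((parent.pid, child.pid))
    return hits


def werfault_crashes(procs: List[Proc]) -> Dict[int, Dict[str, object]]:
    """Map each WerFault.exe PID to the PID named by its -p switch and record
    whether that PID is also its parent (the faulting process spawns WerFault)."""
    out: Dict[int, Dict[str, object]] = {}
    for p in procs:
        if not p.image.lower().endswith(r"\werfault.exe"):
            continue
        args = argv(p.cmdline)
        if "-p" in args and args.index("-p") + 1 < len(args):
            crashed = int(args[args.index("-p") + 1])
            out[p.pid] = {"crashed_pid": crashed, "parent_is_crashed": crashed == p.ppid}
    return out


def summarize(procs: List[Proc] = PROCESSES, events=WPM_EVENTS) -> Dict[str, object]:
    handoffs = wow64_handoffs(procs)
    crashes = werfault_crashes(procs)
    counts = dict(Counter(events))
    dll_hosts = {child for _, child in handoffs}
    return {
        "entry": rundll32_entry(procs[0].cmdline),
        "wow64_handoffs": handoffs,
        "crashes": crashes,
        "wpm_counts": counts,
        "total_wpm": sum(counts.values()),
        # True when the rundll32 that actually loaded the DLL is the process
        # WerFault was started for: the run ended in a crash of the DLL host,
        # so it records nothing about the DLL's behaviour after loading.
        "dll_host_crashed": any(c["crashed_pid"] in dll_hosts for c in crashes.values()),
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

Run against the constructed records it reports one hand-off (2552 to 1892), one WerFault instance attributed to 1892 whose parent is 1892, the 7 + 4 = 11 WriteProcessMemory events, and that the DLL host itself crashed. On live EDR telemetry the same three checks separate "32-bit DLL crashed at load" from a run in which the SysWOW64 rundll32 survived and its later children or network activity deserve attention.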