Analysis
- max time kernel: 143s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20230831-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230831-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-09-2023 15:26
Behavioral task: behavioral1
- Sample: 2023-08-23_10a52a9686c877dbc1f2e4e39055290a_cobalt-strike_cobaltstrike_meterpreter_JC.dll
- Resource: win7-20230831-en
Behavioral task: behavioral2
- Sample: 2023-08-23_10a52a9686c877dbc1f2e4e39055290a_cobalt-strike_cobaltstrike_meterpreter_JC.dll
- Resource: win10v2004-20230831-en
General
- Target: 2023-08-23_10a52a9686c877dbc1f2e4e39055290a_cobalt-strike_cobaltstrike_meterpreter_JC.dll
- Size: 208KB
- MD5: 10a52a9686c877dbc1f2e4e39055290a
- SHA1: 1c793f9bb60a1b2ea5307977b503cdf684294c10
- SHA256: 975e29484b7352f00730ef3375a1a2e20b266908c9d3d687144b04fa9b347733
- SHA512: 64b9a6eea43c97b4d0b40067f0a3fa56bd507fb8595cefd4ed158e0a48f7cc0179def7340a7fa29e5b8f45186ba62ef59613a6e6b633abec76c4956f4740d2d7
- SSDEEP: 3072:LI6CqRCxffkClZ8Ccn7LQlRw6x+Y3CxT2DtK5jdUw1kY5k:LIDff9D8C6XYRw6MT2DEjD
Malware Config
Signatures
- Program crash (1 IoC)
  Processes:
  pid   pid_target   process        target process
  3908  2564         WerFault.exe   rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  description                          pid   process        target process
  PID 2616 wrote to memory of 2564     2616  rundll32.exe   rundll32.exe
  PID 2616 wrote to memory of 2564     2616  rundll32.exe   rundll32.exe
  PID 2616 wrote to memory of 2564     2616  rundll32.exe   rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2023-08-23_10a52a9686c877dbc1f2e4e39055290a_cobalt-strike_cobaltstrike_meterpreter_JC.dll,#1
  PID: 2616
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2023-08-23_10a52a9686c877dbc1f2e4e39055290a_cobalt-strike_cobaltstrike_meterpreter_JC.dll,#1
    PID: 2564
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 640
      PID: 3908
      Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 2564 -ip 2564
  PID: 1704