1d5dd67978dacdc347b4e9adabd590eafd6b32497e411fb6acfa801f768e2f31

Analysis

max time kernel
142s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
03-09-2023 19:41

Target

2023-08-23_42c87bdc90fca56cad64ec67d26bb16d_cobalt-strike_cobaltstrike_JC.dll
Size

208KB
MD5

42c87bdc90fca56cad64ec67d26bb16d
SHA1

21ad9920e0eda3423ddf112ceb6b042f2371129d
SHA256

1d5dd67978dacdc347b4e9adabd590eafd6b32497e411fb6acfa801f768e2f31
SHA512

a71755d3588fb35d6d2087c557bfbd3fce4c4bb9d10cc4e1a3a38ce22844d9bcef0e9a383ce1ff63cb51d96e8306ae8bbb7542c6dfc9701685264d1b14bd5813
SSDEEP

3072:z+FcIvEbJvYdGVWwk4Kj6olpR2B5f4dS/L4jjZUC9p5+w6E:AHEbJAZwBqplpAX/LmjbabE

Score

3^/10

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1032 3356 WerFault.exe rundll32.exe

pid	pid_target	process	target process
1032	3356	WerFault.exe	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 4592 wrote to memory of 3356	4592	rundll32.exe	rundll32.exe
PID 4592 wrote to memory of 3356	4592	rundll32.exe	rundll32.exe
PID 4592 wrote to memory of 3356	4592	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2023-08-23_42c87bdc90fca56cad64ec67d26bb16d_cobalt-strike_cobaltstrike_JC.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4592

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2023-08-23_42c87bdc90fca56cad64ec67d26bb16d_cobalt-strike_cobaltstrike_JC.dll,#1
2⤵
PID:3356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3356 -s 680
3⤵
- Program crash
PID:1032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 3356 -ip 3356
1⤵
PID:2280