Analysis
  max time kernel:  142s
  max time network: 148s
  platform:         windows10-2004_x64
  resource:         win10v2004-20230831-en
  resource tags:    arch:x64, arch:x86, image:win10v2004-20230831-en, locale:en-us, os:windows10-2004-x64, system
  submitted:        03-09-2023 19:41
Behavioral task: behavioral1
  Sample:   2023-08-23_42c87bdc90fca56cad64ec67d26bb16d_cobalt-strike_cobaltstrike_JC.dll
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample:   2023-08-23_42c87bdc90fca56cad64ec67d26bb16d_cobalt-strike_cobaltstrike_JC.dll
  Resource: win10v2004-20230831-en
General
  Target: 2023-08-23_42c87bdc90fca56cad64ec67d26bb16d_cobalt-strike_cobaltstrike_JC.dll
  Size:   208KB
  MD5:    42c87bdc90fca56cad64ec67d26bb16d
  SHA1:   21ad9920e0eda3423ddf112ceb6b042f2371129d
  SHA256: 1d5dd67978dacdc347b4e9adabd590eafd6b32497e411fb6acfa801f768e2f31
  SHA512: a71755d3588fb35d6d2087c557bfbd3fce4c4bb9d10cc4e1a3a38ce22844d9bcef0e9a383ce1ff63cb51d96e8306ae8bbb7542c6dfc9701685264d1b14bd5813
  SSDEEP: 3072:z+FcIvEbJvYdGVWwk4Kj6olpR2B5f4dS/L4jjZUC9p5+w6E:AHEbJAZwBqplpAX/LmjbabE
Malware Config

Signatures
  Program crash (1 IoC)
    Processes:
      pid   pid_target  process       target process
      1032  3356        WerFault.exe  rundll32.exe
  Suspicious use of WriteProcessMemory (3 IoCs)
    Processes:
      description                        pid   process       target process
      PID 4592 wrote to memory of 3356   4592  rundll32.exe  rundll32.exe
      PID 4592 wrote to memory of 3356   4592  rundll32.exe  rundll32.exe
      PID 4592 wrote to memory of 3356   4592  rundll32.exe  rundll32.exe
Processes
  C:\Windows\system32\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2023-08-23_42c87bdc90fca56cad64ec67d26bb16d_cobalt-strike_cobaltstrike_JC.dll,#1
    signatures:   Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2023-08-23_42c87bdc90fca56cad64ec67d26bb16d_cobalt-strike_cobaltstrike_JC.dll,#1
      C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3356 -s 680
        signatures:   Program crash
  C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 3356 -ip 3356