61c1d9c410d3128276e10ffed5caf9c53c62fc91b2d4cb175a9af41c907f0764

Analysis

max time kernel
117s
max time network
121s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
04-09-2023 15:59

Target

2023-08-23_535ca62f8774e763efd9168a3877b3cc_cobalt-strike_cobaltstrike_meterpreter_JC.dll
Size

203KB
MD5

535ca62f8774e763efd9168a3877b3cc
SHA1

e147f55995e459acaba97a7db939ab57ea26eda3
SHA256

61c1d9c410d3128276e10ffed5caf9c53c62fc91b2d4cb175a9af41c907f0764
SHA512

cc8a95260e72b93cc2303eb89dc14aa0f86d71fabc7bc0597229a1b905a811884b851a94ee2be789ee718dd01072e0c167e1c1c0b119204f92ebc99e21ac93bb
SSDEEP

3072:PYaW8qUEflaASmkDs1oo8CUS5D+u73vqQ+z+F62hAxquMfgj5jdUO5YK:PFHEfoAaDQoo8CUwxTvhU+F66fgVj

Score

3^/10

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3000 2880 WerFault.exe rundll32.exe

pid	pid_target	process	target process
3000	2880	WerFault.exe	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2076 wrote to memory of 2880	2076	rundll32.exe	rundll32.exe
PID 2076 wrote to memory of 2880	2076	rundll32.exe	rundll32.exe
PID 2076 wrote to memory of 2880	2076	rundll32.exe	rundll32.exe
PID 2076 wrote to memory of 2880	2076	rundll32.exe	rundll32.exe
PID 2076 wrote to memory of 2880	2076	rundll32.exe	rundll32.exe
PID 2076 wrote to memory of 2880	2076	rundll32.exe	rundll32.exe
PID 2076 wrote to memory of 2880	2076	rundll32.exe	rundll32.exe
PID 2880 wrote to memory of 3000	2880	rundll32.exe	WerFault.exe
PID 2880 wrote to memory of 3000	2880	rundll32.exe	WerFault.exe
PID 2880 wrote to memory of 3000	2880	rundll32.exe	WerFault.exe
PID 2880 wrote to memory of 3000	2880	rundll32.exe	WerFault.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2023-08-23_535ca62f8774e763efd9168a3877b3cc_cobalt-strike_cobaltstrike_meterpreter_JC.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2076

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2023-08-23_535ca62f8774e763efd9168a3877b3cc_cobalt-strike_cobaltstrike_meterpreter_JC.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:2880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2880 -s 232
3⤵
- Program crash
PID:3000