b09d2d89c491e774b3955eb85e60cd886357887992e7b00e28b90b9e2ee7bcde

Analysis

max time kernel
122s
max time network
125s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
07-09-2023 18:59

Target

2023-08-23_ab83ad3e46a84101a82f627af8125099_cobalt-strike_cobaltstrike_meterpreter_JC.dll
Size

203KB
MD5

ab83ad3e46a84101a82f627af8125099
SHA1

cdc2413fe1eadd6a6dd35fd710e326b0d385204f
SHA256

b09d2d89c491e774b3955eb85e60cd886357887992e7b00e28b90b9e2ee7bcde
SHA512

d9248c44e97e20e6980bc531675f9bbf340a1aeab5aff0615784dd6c895d97a4c26dd98d9947c4b67ba6b9ca6950cf7da2191c976975d3d3e56cc808be6565bb
SSDEEP

3072:PYaW8qUEflaASmkDs1oo8CUS5D+u73vqQ+z+F62hAxquMfgj5jdUC5eg:PFHEfoAaDQoo8CUwxTvhU+F66fgVj

Score

3^/10

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2904 2032 WerFault.exe rundll32.exe

pid	pid_target	process	target process
2904	2032	WerFault.exe	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2768 wrote to memory of 2032	2768	rundll32.exe	rundll32.exe
PID 2768 wrote to memory of 2032	2768	rundll32.exe	rundll32.exe
PID 2768 wrote to memory of 2032	2768	rundll32.exe	rundll32.exe
PID 2768 wrote to memory of 2032	2768	rundll32.exe	rundll32.exe
PID 2768 wrote to memory of 2032	2768	rundll32.exe	rundll32.exe
PID 2768 wrote to memory of 2032	2768	rundll32.exe	rundll32.exe
PID 2768 wrote to memory of 2032	2768	rundll32.exe	rundll32.exe
PID 2032 wrote to memory of 2904	2032	rundll32.exe	WerFault.exe
PID 2032 wrote to memory of 2904	2032	rundll32.exe	WerFault.exe
PID 2032 wrote to memory of 2904	2032	rundll32.exe	WerFault.exe
PID 2032 wrote to memory of 2904	2032	rundll32.exe	WerFault.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2023-08-23_ab83ad3e46a84101a82f627af8125099_cobalt-strike_cobaltstrike_meterpreter_JC.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2768

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2023-08-23_ab83ad3e46a84101a82f627af8125099_cobalt-strike_cobaltstrike_meterpreter_JC.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 232
3⤵
- Program crash
PID:2904