4a8862d41d74bb81df8aaad2664922e2afc22b0cbfe682894441f7ddbf07f30a

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
08-09-2023 11:33

Target

2023-08-23_d12d9bcdb6f25681c8b84907e440f5ab_cobalt-strike_cobaltstrike_meterpreter_JC.dll
Size

203KB
MD5

d12d9bcdb6f25681c8b84907e440f5ab
SHA1

a83407324e2f5c70c7fb9e9c03869942bddc3b5f
SHA256

4a8862d41d74bb81df8aaad2664922e2afc22b0cbfe682894441f7ddbf07f30a
SHA512

02ae948f4744f22d0e9543b24774c5ff8bbd9f60e9d7f7f1debb1aa5ce051afbb4dc95340aa3428164a430fc448f11383f197b56a0b25edac2780de8f4603390
SSDEEP

3072:PYaW8qUEflaASmkDs1oo8CUS5D+u73vqQ+z+F62hAxquMfgj5jdUH57R:PFHEfoAaDQoo8CUwxTvhU+F66fgVj

Score

3^/10

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2308 1736 WerFault.exe rundll32.exe

pid	pid_target	process	target process
2308	1736	WerFault.exe	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2932 wrote to memory of 1736	2932	rundll32.exe	rundll32.exe
PID 2932 wrote to memory of 1736	2932	rundll32.exe	rundll32.exe
PID 2932 wrote to memory of 1736	2932	rundll32.exe	rundll32.exe
PID 2932 wrote to memory of 1736	2932	rundll32.exe	rundll32.exe
PID 2932 wrote to memory of 1736	2932	rundll32.exe	rundll32.exe
PID 2932 wrote to memory of 1736	2932	rundll32.exe	rundll32.exe
PID 2932 wrote to memory of 1736	2932	rundll32.exe	rundll32.exe
PID 1736 wrote to memory of 2308	1736	rundll32.exe	WerFault.exe
PID 1736 wrote to memory of 2308	1736	rundll32.exe	WerFault.exe
PID 1736 wrote to memory of 2308	1736	rundll32.exe	WerFault.exe
PID 1736 wrote to memory of 2308	1736	rundll32.exe	WerFault.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2023-08-23_d12d9bcdb6f25681c8b84907e440f5ab_cobalt-strike_cobaltstrike_meterpreter_JC.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2932

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2023-08-23_d12d9bcdb6f25681c8b84907e440f5ab_cobalt-strike_cobaltstrike_meterpreter_JC.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:1736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1736 -s 232
3⤵
- Program crash
PID:2308