Analysis
- max time kernel: 150s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20230831-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230831-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08-09-2023 13:06
Behavioral task: behavioral1
- Sample: 2023-08-23_f72097c7cdb3a41f6fd11402afd01cf7_cobalt-strike_cobaltstrike_meterpreter_JC.dll
- Resource: win7-20230831-en
Behavioral task: behavioral2
- Sample: 2023-08-23_f72097c7cdb3a41f6fd11402afd01cf7_cobalt-strike_cobaltstrike_meterpreter_JC.dll
- Resource: win10v2004-20230831-en
General
- Target: 2023-08-23_f72097c7cdb3a41f6fd11402afd01cf7_cobalt-strike_cobaltstrike_meterpreter_JC.dll
- Size: 208KB
- MD5: f72097c7cdb3a41f6fd11402afd01cf7
- SHA1: 40ea47e50264289b909973c4de952c905571f54c
- SHA256: 66fbca7ccd6ad83211c2338e60d0c0324c0e44ce113a5ee979f61b025243fcac
- SHA512: 2a1385f1aafdd8e9e72cd3279cba651e606ec09bc05b44c58a5a35d9b04b95c23a67b0356cc12e06aead119ba79ac18f2c950cea7f534879dac7167ae89fdec1
- SSDEEP: 3072:LI6CqRCxffkClZ8Ccn7LQlRw6x+Y3CxT2DtK5jdUmY5C:LIDff9D8C6XYRw6MT2DEj
Malware Config
Signatures
- Program crash (1 IoC)
  Processes:
  pid   pid_target   process        target process
  4480  4640         WerFault.exe   rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  description                        pid    process        target process
  PID 4880 wrote to memory of 4640   4880   rundll32.exe   rundll32.exe
  PID 4880 wrote to memory of 4640   4880   rundll32.exe   rundll32.exe
  PID 4880 wrote to memory of 4640   4880   rundll32.exe   rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe (PID 4880)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2023-08-23_f72097c7cdb3a41f6fd11402afd01cf7_cobalt-strike_cobaltstrike_meterpreter_JC.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 4640)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2023-08-23_f72097c7cdb3a41f6fd11402afd01cf7_cobalt-strike_cobaltstrike_meterpreter_JC.dll,#1
    - C:\Windows\SysWOW64\WerFault.exe (PID 4480)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4640 -s 632
      Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 3700)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4640 -ip 4640
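The two signatures and the process tree above describe one chain: the 64-bit rundll32.exe (PID 4880) re-launches the SysWOW64 copy (PID 4640) to load the 32-bit DLL, writes into that child, and the child then crashes, with WerFault.exe (PIDs 4480 and 3700) reporting on it via `-p 4640`. The following script is an added example, not part of the sandbox report, that correlates those three record types the way a detection engineer would when triaging such output. The `Proc` record shape and the `analyze` function are assumptions of this example; every PID, path and command line is constructed from the report's own tables.

```python
"""Correlate process tree, WriteProcessMemory IoCs and WerFault crash IoCs.

Added example; the record shapes are assumptions modeled on the report's
tables, and all values below are constructed from the report, not captured.
"""
import re
from dataclasses import dataclass
from typing import Optional

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp\2023-08-23_f72097c7cdb3a41f6fd11402afd01cf7"
          r"_cobalt-strike_cobaltstrike_meterpreter_JC.dll")


@dataclass
class Proc:
    pid: int
    image: str
    cmdline: str
    parent: Optional[int] = None   # None = root of the observed tree


# Constructed from the report's process tree (hypothetical record format).
PROCS = [
    Proc(4880, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {SAMPLE},#1", None),
    Proc(4640, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {SAMPLE},#1", 4880),
    Proc(4480, r"C:\Windows\SysWOW64\WerFault.exe",
         r"C:\Windows\SysWOW64\WerFault.exe -u -p 4640 -s 632", 4640),
    Proc(3700, r"C:\Windows\SysWOW64\WerFault.exe",
         r"C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4640 -ip 4640", None),
]
# (writer pid, target pid) pairs from the WriteProcessMemory signature (3 IoCs).
WRITES = [(4880, 4640), (4880, 4640), (4880, 4640)]

# WerFault names the crashed process with "-p <pid>"; "-pss" and "-ip" must not match.
WERFAULT_PID = re.compile(r"(?:^|\s)-p\s+(\d+)")


def werfault_target(cmdline: str) -> Optional[int]:
    """Return the pid WerFault.exe was launched to report on, if present."""
    m = WERFAULT_PID.search(cmdline)
    return int(m.group(1)) if m else None


def is_wow64(image: str) -> bool:
    """True for images living under SysWOW64 (32-bit processes on x64)."""
    return "\\syswow64\\" in image.lower()


def analyze(procs, writes):
    """Turn raw records into findings a triager can read at a glance."""
    by_pid = {p.pid: p for p in procs}
    findings = []

    # Collapse the repeated WriteProcessMemory IoCs into one finding per pair
    # and annotate it with tree context: is the target the writer's own child,
    # and does the write cross the native -> WOW64 boundary (the signature a
    # 64-bit rundll32 handing a 32-bit DLL to SysWOW64\rundll32.exe produces)?
    for src, dst in sorted(set(writes)):
        s, d = by_pid.get(src), by_pid.get(dst)
        if s is None or d is None:
            continue
        findings.append({
            "kind": "cross_process_write",
            "writer": src,
            "target": dst,
            "parent_to_child": d.parent == src,
            "arch_handoff": (not is_wow64(s.image)) and is_wow64(d.image),
        })

    # Every WerFault instance is tied back to the process it reports on, and
    # that process is checked against the set of write targets: a crash of a
    # process that was just written into is the "loader failed" pattern here.
    write_targets = {dst for _, dst in writes}
    for p in procs:
        if not p.image.lower().endswith("\\werfault.exe"):
            continue
        crashed = werfault_target(p.cmdline)
        if crashed is None:
            continue
        findings.append({
            "kind": "crash",
            "reporter": p.pid,
            "crashed": crashed,
            "crashed_image": by_pid[crashed].image if crashed in by_pid else None,
            "was_write_target": crashed in write_targets,
        })
    return findings


if __name__ == "__main__":
    for f in analyze(PROCS, WRITES):
        print(f)
```

Read against this report, the output says the only cross-process write is parent-to-child across the x64/WOW64 boundary and that the written-into process is the one that crashed, which is consistent with the 32-bit DLL's export `#1` failing inside the WOW64 rundll32 rather than with an injection into a third process. Note also what the report does not contain: the Malware Config section is empty and no network signature fired, so the cobalt-strike/meterpreter labels come from the submitted filename, not from anything the sandbox extracted; treat the detonation as inconclusive and confirm the family statically.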