Analysis
- max time kernel: 119s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20230831-en
- resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
- submitted: 11-10-2023 05:40
Behavioral task
behavioral1
Sample
2023-08-26_c099180b9ac8e6014750f1b99faba5ae_cobalt-strike_cobaltstrike_meterpreter_JC.dll
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
2023-08-26_c099180b9ac8e6014750f1b99faba5ae_cobalt-strike_cobaltstrike_meterpreter_JC.dll
Resource
win10v2004-20230915-en
General
- Target: 2023-08-26_c099180b9ac8e6014750f1b99faba5ae_cobalt-strike_cobaltstrike_meterpreter_JC.dll
- Size: 208KB
- MD5: c099180b9ac8e6014750f1b99faba5ae
- SHA1: c0d9acecd2f693c129ffbeb5ca0f5adcd0dd6186
- SHA256: 292ed4733505886910099b0ff50cf83999082d9cf73435a7c67fcf2e32092c68
- SHA512: 0b08d57d349b15ecfce1c482c6728364ac8b4fff34418a7f92f3df58db64aa208bd9b14b725540ea01413423e39a257d84512e74669357b301f168511e3fe345
- SSDEEP: 3072:LI6CqRCxffkClZ8Cqn7LQlRw6x+Y3CxT2DtK5jdUfY5:LIDff9D8CcXYRw6MT2DEj
Malware Config
Signatures
- Program crash (1 IoCs)
  Processes: WerFault.exe

  pid   pid_target   process        target process
  2732  2120         WerFault.exe   rundll32.exe

- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: rundll32.exe, rundll32.exe

  description                        pid    process        target process
  PID 3020 wrote to memory of 2120   3020   rundll32.exe   rundll32.exe
  PID 3020 wrote to memory of 2120   3020   rundll32.exe   rundll32.exe
  PID 3020 wrote to memory of 2120   3020   rundll32.exe   rundll32.exe
  PID 3020 wrote to memory of 2120   3020   rundll32.exe   rundll32.exe
  PID 3020 wrote to memory of 2120   3020   rundll32.exe   rundll32.exe
  PID 3020 wrote to memory of 2120   3020   rundll32.exe   rundll32.exe
  PID 3020 wrote to memory of 2120   3020   rundll32.exe   rundll32.exe
  PID 2120 wrote to memory of 2732   2120   rundll32.exe   WerFault.exe
  PID 2120 wrote to memory of 2732   2120   rundll32.exe   WerFault.exe
  PID 2120 wrote to memory of 2732   2120   rundll32.exe   WerFault.exe
  PID 2120 wrote to memory of 2732   2120   rundll32.exe   WerFault.exe
Processes
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\2023-08-26_c099180b9ac8e6014750f1b99faba5ae_cobalt-strike_cobaltstrike_meterpreter_JC.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\2023-08-26_c099180b9ac8e6014750f1b99faba5ae_cobalt-strike_cobaltstrike_meterpreter_JC.dll,#1
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2120 -s 232
      - Program crash