Analysis
- max time kernel: 125s
- max time network: 136s
- platform: windows10-2004_x64
- resource: win10v2004-20230915-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11-10-2023 05:40
Behavioral task: behavioral1
- Sample: 2023-08-26_c099180b9ac8e6014750f1b99faba5ae_cobalt-strike_cobaltstrike_meterpreter_JC.dll
- Resource: win7-20230831-en
Behavioral task: behavioral2
- Sample: 2023-08-26_c099180b9ac8e6014750f1b99faba5ae_cobalt-strike_cobaltstrike_meterpreter_JC.dll
- Resource: win10v2004-20230915-en
General
- Target: 2023-08-26_c099180b9ac8e6014750f1b99faba5ae_cobalt-strike_cobaltstrike_meterpreter_JC.dll
- Size: 208KB
- MD5: c099180b9ac8e6014750f1b99faba5ae
- SHA1: c0d9acecd2f693c129ffbeb5ca0f5adcd0dd6186
- SHA256: 292ed4733505886910099b0ff50cf83999082d9cf73435a7c67fcf2e32092c68
- SHA512: 0b08d57d349b15ecfce1c482c6728364ac8b4fff34418a7f92f3df58db64aa208bd9b14b725540ea01413423e39a257d84512e74669357b301f168511e3fe345
- SSDEEP: 3072:LI6CqRCxffkClZ8Cqn7LQlRw6x+Y3CxT2DtK5jdUfY5:LIDff9D8CcXYRw6MT2DEj
Malware Config
Signatures
- Program crash (1 IoC)
  Processes (pid, pid_target, process, target process):
  - 4308, 4204, WerFault.exe, rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description, pid, process, target process):
  - PID 4520 wrote to memory of 4204, 4520, rundll32.exe, rundll32.exe
  - PID 4520 wrote to memory of 4204, 4520, rundll32.exe, rundll32.exe
  - PID 4520 wrote to memory of 4204, 4520, rundll32.exe, rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2023-08-26_c099180b9ac8e6014750f1b99faba5ae_cobalt-strike_cobaltstrike_meterpreter_JC.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2023-08-26_c099180b9ac8e6014750f1b99faba5ae_cobalt-strike_cobaltstrike_meterpreter_JC.dll,#1
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4204 -s 632
      Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4204 -ip 4204