0656e195b038acae78a5f0bd2c7f54bc7453ce2b248599e01082df0cbef2f544

Analysis

max time kernel
118s
max time network
132s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
13-10-2023 20:43

Target

2023-08-25_e8291d75e5dcfb3096f4bdaa13ccabf0_cobalt-strike_cobaltstrike_meterpreter_JC.dll
Size

218KB
MD5

e8291d75e5dcfb3096f4bdaa13ccabf0
SHA1

3ab63d4c4f8d3cf262841db601869ce3c2a47e80
SHA256

0656e195b038acae78a5f0bd2c7f54bc7453ce2b248599e01082df0cbef2f544
SHA512

e3d0236e1cd4b973de9f02b20610a3fa01755cc73c85b1bbf4430cfdf4dcbc78e9383d278c542b96af3656a3459ac60e531f9b3808849879befcf434552d71f5
SSDEEP

3072:sjOnlxzSQPohlI4qd8Iw04H5iS++Jf+l3wvy/MfLi/hJjNU25D:sj4PPoXI4w8I1+in+RoAPfLi/nj

Score

3^/10

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2696	1680	WerFault.exe	28

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 1680	2116	rundll32.exe	28
PID 2116 wrote to memory of 1680	2116	rundll32.exe	28
PID 2116 wrote to memory of 1680	2116	rundll32.exe	28
PID 2116 wrote to memory of 1680	2116	rundll32.exe	28
PID 2116 wrote to memory of 1680	2116	rundll32.exe	28
PID 2116 wrote to memory of 1680	2116	rundll32.exe	28
PID 2116 wrote to memory of 1680	2116	rundll32.exe	28
PID 1680 wrote to memory of 2696	1680	rundll32.exe	29
PID 1680 wrote to memory of 2696	1680	rundll32.exe	29
PID 1680 wrote to memory of 2696	1680	rundll32.exe	29
PID 1680 wrote to memory of 2696	1680	rundll32.exe	29

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2023-08-25_e8291d75e5dcfb3096f4bdaa13ccabf0_cobalt-strike_cobaltstrike_meterpreter_JC.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\2023-08-25_e8291d75e5dcfb3096f4bdaa13ccabf0_cobalt-strike_cobaltstrike_meterpreter_JC.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1680
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1680 -s 196
    3⤵
    - Program crash
    PID:2696