d0b6158d598c5a364e241f6e38d7f2136120a5e8f2c972bd3fb43f2f44c667b0

Analysis

max time kernel
123s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
25-10-2023 15:02

Target

NEAS.2023-09-08_4f2a9a8f21396df7187d6be0e0fac136_cobalt-strike_cobaltstrike_meterpreter_JC.dll
Size

208KB
MD5

4f2a9a8f21396df7187d6be0e0fac136
SHA1

4536ce867403c88869ddd20fece011275b0d18b0
SHA256

d0b6158d598c5a364e241f6e38d7f2136120a5e8f2c972bd3fb43f2f44c667b0
SHA512

d980a0fd4f95e0439e97b401c6e64d994dada8862c108f9a66e8462bfe716d7b118cb843d41f03b9795df7d9af22f5e0a2d84ef5b156184887848540f76dcc6b
SSDEEP

3072:LI6CqRCxffkClZ8Ccn7LQlRw6x+Y3CxT2DtK5jdUTY58:LIDff9D8C6XYRw6MT2DEj

Score

3^/10

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4240 1648 WerFault.exe rundll32.exe

pid	pid_target	process	target process
4240	1648	WerFault.exe	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 2764 wrote to memory of 1648	2764	rundll32.exe	rundll32.exe
PID 2764 wrote to memory of 1648	2764	rundll32.exe	rundll32.exe
PID 2764 wrote to memory of 1648	2764	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-08_4f2a9a8f21396df7187d6be0e0fac136_cobalt-strike_cobaltstrike_meterpreter_JC.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2764
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-08_4f2a9a8f21396df7187d6be0e0fac136_cobalt-strike_cobaltstrike_meterpreter_JC.dll,#1
  2⤵
  PID:1648
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 632
    3⤵
    - Program crash
    PID:4240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1648 -ip 1648
1⤵
PID:3984