Analysis
max time kernel: 121s
max time network: 124s
platform: windows7_x64
resource: win7-20231020-en
resource tags: arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
submitted: 31-10-2023 18:02
Behavioral task: behavioral1
Sample: NEAS.2023-09-08_bd2d2b10c846de69f8315fffce519d7a_cobalt-strike_cobaltstrike_meterpreter_JC.dll
Resource: win7-20231020-en
Behavioral task: behavioral2
Sample: NEAS.2023-09-08_bd2d2b10c846de69f8315fffce519d7a_cobalt-strike_cobaltstrike_meterpreter_JC.dll
Resource: win10v2004-20231023-en
General
Target: NEAS.2023-09-08_bd2d2b10c846de69f8315fffce519d7a_cobalt-strike_cobaltstrike_meterpreter_JC.dll
Size: 208KB
MD5: bd2d2b10c846de69f8315fffce519d7a
SHA1: ae0592d36bd4ac85ca43eeb532ba8351604e64d8
SHA256: d0d57a7f4b63ba6b0cffdb9681f4757f0c6a8f6296d30a45bc959f3c315ce1e9
SHA512: b8f59bed64b4e1ab7b196743434299a1ca819a496319c8c13fc79647d359a70164119a89ed74db506b3273111fba93008cc7315b4794e7edb7aceb59be898ffe
SSDEEP: 3072:LI6CqRCxffkClZ8Ccn7LQlRw6x+Y3CxT2DtK5jdUAY5M6:LIDff9D8C6XYRw6MT2DEjy
Malware Config
Signatures

Program crash (1 IoC)
pid    pid_target   process        target process
2476   2204         WerFault.exe   rundll32.exe

Suspicious use of WriteProcessMemory (11 IoCs)
description                           pid    process        target pid   target process
PID 2524 wrote to memory of 2204      2524   rundll32.exe   2204         rundll32.exe
PID 2524 wrote to memory of 2204      2524   rundll32.exe   2204         rundll32.exe
PID 2524 wrote to memory of 2204      2524   rundll32.exe   2204         rundll32.exe
PID 2524 wrote to memory of 2204      2524   rundll32.exe   2204         rundll32.exe
PID 2524 wrote to memory of 2204      2524   rundll32.exe   2204         rundll32.exe
PID 2524 wrote to memory of 2204      2524   rundll32.exe   2204         rundll32.exe
PID 2524 wrote to memory of 2204      2524   rundll32.exe   2204         rundll32.exe
PID 2204 wrote to memory of 2476      2204   rundll32.exe   2476         WerFault.exe
PID 2204 wrote to memory of 2476      2204   rundll32.exe   2476         WerFault.exe
PID 2204 wrote to memory of 2476      2204   rundll32.exe   2476         WerFault.exe
PID 2204 wrote to memory of 2476      2204   rundll32.exe   2476         WerFault.exe
Processes
(PIDs taken from the signature tables above and from WerFault's -p argument)

C:\Windows\system32\rundll32.exe (PID 2524)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-08_bd2d2b10c846de69f8315fffce519d7a_cobalt-strike_cobaltstrike_meterpreter_JC.dll,#1
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe (PID 2204, child of 2524)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-08_bd2d2b10c846de69f8315fffce519d7a_cobalt-strike_cobaltstrike_meterpreter_JC.dll,#1
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WerFault.exe (PID 2476, child of 2204)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 232
      - Program crash
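Reading the two tables together: every WriteProcessMemory edge in this report (2524 into 2204, then 2204 into 2476) runs from a parent into the child it has just spawned, and the crash is reported by the second rundll32.exe, the 32-bit SysWOW64 copy that the 64-bit system32 rundll32.exe re-launches when it is handed a 32-bit DLL. The following script is an added example, not part of the sandbox report, showing how to correlate the flattened signature rows against the process tree so that parent-to-child writes (the writer populating the new child during CreateProcess, which user-mode hooking sandboxes record as WriteProcessMemory) are separated from writes into an unrelated process, which is the shape that actually indicates injection. The eleven rows and the PID tree are constructed from this page; the explorer.exe row at the end is a hypothetical control case, not something the report shows.

```python
import re
from collections import Counter

# Constructed input: the eleven "Suspicious use of WriteProcessMemory" rows
# in the layout the report prints them (writer pid, target pid, writer pid
# again, writer image, target image).
WPM_ROWS = (
    "PID 2524 wrote to memory of 2204 2524 rundll32.exe rundll32.exe\n" * 7
    + "PID 2204 wrote to memory of 2476 2204 rundll32.exe WerFault.exe\n" * 4
)

# Process tree reconstructed from the report: (pid, parent pid, image path).
# PIDs come from the signature tables and from WerFault's "-p 2204" argument.
PROCESS_TREE = [
    (2524, None, r"C:\Windows\system32\rundll32.exe"),
    (2204, 2524, r"C:\Windows\SysWOW64\rundll32.exe"),
    (2476, 2204, r"C:\Windows\SysWOW64\WerFault.exe"),
]

ROW_RE = re.compile(
    r"PID (?P<writer>\d+) wrote to memory of (?P<target>\d+) "
    r"(?P<writer2>\d+) (?P<writer_img>\S+) (?P<target_img>\S+)"
)


def parse_wpm_rows(text):
    """Turn the flattened rows into (writer pid, writer image, target pid, target image)."""
    edges = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # skip header fragments and blank lines
        if m["writer"] != m["writer2"]:
            raise ValueError(f"inconsistent writer pid in row: {line!r}")
        edges.append((int(m["writer"]), m["writer_img"], int(m["target"]), m["target_img"]))
    return edges


def parent_map(tree):
    return {pid: ppid for pid, ppid, _ in tree}


def classify_writes(edges, tree):
    """Collapse repeated rows into one record per unique edge and label it.

    parent_to_child: the writer is the target's parent in the process tree,
    so the writes are the parent setting up its new child, which a hooking
    sandbox reports as WriteProcessMemory even though nothing was injected.
    cross_process: the target is not the writer's child; this is the pattern
    worth escalating as possible injection.
    """
    parents = parent_map(tree)
    results = []
    for (writer, wimg, target, timg), n in Counter(edges).items():
        kind = "parent_to_child" if parents.get(target) == writer else "cross_process"
        results.append({
            "writer": writer, "writer_image": wimg,
            "target": target, "target_image": timg,
            "writes": n, "kind": kind,
        })
    return results


def injection_candidates(edges, tree):
    return [r for r in classify_writes(edges, tree) if r["kind"] == "cross_process"]


# Hypothetical control row (not from the report): a write from the 32-bit
# rundll32.exe into a pid that is not its child should be flagged.
INJECTION_CONTROL = WPM_ROWS + "PID 2204 wrote to memory of 1337 2204 rundll32.exe explorer.exe\n"

if __name__ == "__main__":
    report_edges = parse_wpm_rows(WPM_ROWS)
    for record in classify_writes(report_edges, PROCESS_TREE):
        print(record)
    print("injection candidates in report:", injection_candidates(report_edges, PROCESS_TREE))
    print("with control row:", injection_candidates(parse_wpm_rows(INJECTION_CONTROL), PROCESS_TREE))
```

On the report's own rows the classifier returns no injection candidates: both edges are parent-to-child, which is why the WerFault hand-off and the WOW64 re-launch both trip the same generic signature. The control row demonstrates the case the signature is meant to catch; in a real triage the tree would come from the sandbox's process list rather than being typed in by hand.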