d0d57a7f4b63ba6b0cffdb9681f4757f0c6a8f6296d30a45bc959f3c315ce1e9

Analysis

max time kernel
121s
max time network
124s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
31-10-2023 18:02

Target

NEAS.2023-09-08_bd2d2b10c846de69f8315fffce519d7a_cobalt-strike_cobaltstrike_meterpreter_JC.dll
Size

208KB
MD5

bd2d2b10c846de69f8315fffce519d7a
SHA1

ae0592d36bd4ac85ca43eeb532ba8351604e64d8
SHA256

d0d57a7f4b63ba6b0cffdb9681f4757f0c6a8f6296d30a45bc959f3c315ce1e9
SHA512

b8f59bed64b4e1ab7b196743434299a1ca819a496319c8c13fc79647d359a70164119a89ed74db506b3273111fba93008cc7315b4794e7edb7aceb59be898ffe
SSDEEP

3072:LI6CqRCxffkClZ8Ccn7LQlRw6x+Y3CxT2DtK5jdUAY5M6:LIDff9D8C6XYRw6MT2DEjy

Score

3^/10

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2476 2204 WerFault.exe rundll32.exe

pid	pid_target	process	target process
2476	2204	WerFault.exe	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2524 wrote to memory of 2204	2524	rundll32.exe	rundll32.exe
PID 2524 wrote to memory of 2204	2524	rundll32.exe	rundll32.exe
PID 2524 wrote to memory of 2204	2524	rundll32.exe	rundll32.exe
PID 2524 wrote to memory of 2204	2524	rundll32.exe	rundll32.exe
PID 2524 wrote to memory of 2204	2524	rundll32.exe	rundll32.exe
PID 2524 wrote to memory of 2204	2524	rundll32.exe	rundll32.exe
PID 2524 wrote to memory of 2204	2524	rundll32.exe	rundll32.exe
PID 2204 wrote to memory of 2476	2204	rundll32.exe	WerFault.exe
PID 2204 wrote to memory of 2476	2204	rundll32.exe	WerFault.exe
PID 2204 wrote to memory of 2476	2204	rundll32.exe	WerFault.exe
PID 2204 wrote to memory of 2476	2204	rundll32.exe	WerFault.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-08_bd2d2b10c846de69f8315fffce519d7a_cobalt-strike_cobaltstrike_meterpreter_JC.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2524

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-08_bd2d2b10c846de69f8315fffce519d7a_cobalt-strike_cobaltstrike_meterpreter_JC.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:2204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 232
3⤵
- Program crash
PID:2476