cobaltstrike | c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b

Analysis

max time kernel
150s
max time network
153s
platform
windows10_x64
resource
win10v20201028
submitted
10/11/2020, 07:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe
Size

5.2MB
MD5

00a7a0b8639276c3235e6cff2d89f0c9
SHA1

7a90d70928681a626f89d27b08691e949f2d4631
SHA256

c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b
SHA512

7190f244570295031f1640551a1ed6f2b43420a23a67a3e3c1776fc5b2adb683da85848191554389d1afd731ab2dd973ea44fce6600a58f599189cd8e2a04765

Score

10^/10

cobaltstrike xmrig backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
day
0
dns_idle
0
dns_sleep
0
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
injection_process
jitter
0
maxdns
255
month
0
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
proxy_password
proxy_server
proxy_username
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown3
0
unknown4
256
unknown5
0
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
year
0

Signatures

Cobalt Strike reflective loader 42 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000000687-1.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000000687-3.dat	cobalt_reflective_dll
behavioral2/files/0x000200000001ab9a-5.dat	cobalt_reflective_dll
behavioral2/files/0x000200000001ab9a-4.dat	cobalt_reflective_dll
behavioral2/files/0x000200000001ab9b-7.dat	cobalt_reflective_dll
behavioral2/files/0x000200000001ab9b-8.dat	cobalt_reflective_dll
behavioral2/files/0x000100000001ab9f-10.dat	cobalt_reflective_dll
behavioral2/files/0x000100000001ab9f-11.dat	cobalt_reflective_dll
behavioral2/files/0x000100000001aba0-13.dat	cobalt_reflective_dll
behavioral2/files/0x000100000001aba0-14.dat	cobalt_reflective_dll
behavioral2/files/0x000100000001aba1-16.dat	cobalt_reflective_dll
behavioral2/files/0x000100000001aba1-17.dat	cobalt_reflective_dll
behavioral2/files/0x000100000001aba2-19.dat	cobalt_reflective_dll
behavioral2/files/0x000100000001aba2-20.dat	cobalt_reflective_dll
behavioral2/files/0x000100000001aba3-22.dat	cobalt_reflective_dll
behavioral2/files/0x000100000001aba3-23.dat	cobalt_reflective_dll
behavioral2/files/0x000100000001aba4-25.dat	cobalt_reflective_dll
behavioral2/files/0x000100000001aba4-26.dat	cobalt_reflective_dll
behavioral2/files/0x000100000001aba5-29.dat	cobalt_reflective_dll
behavioral2/files/0x000100000001aba5-28.dat	cobalt_reflective_dll
behavioral2/files/0x000100000001aba6-31.dat	cobalt_reflective_dll
behavioral2/files/0x000100000001aba6-32.dat	cobalt_reflective_dll
behavioral2/files/0x000100000001aba7-34.dat	cobalt_reflective_dll
behavioral2/files/0x000100000001aba7-36.dat	cobalt_reflective_dll
behavioral2/files/0x000100000001aba8-37.dat	cobalt_reflective_dll
behavioral2/files/0x000100000001aba8-38.dat	cobalt_reflective_dll
behavioral2/files/0x000100000001aba9-40.dat	cobalt_reflective_dll
behavioral2/files/0x000100000001aba9-41.dat	cobalt_reflective_dll
behavioral2/files/0x000100000001abaa-44.dat	cobalt_reflective_dll
behavioral2/files/0x000100000001abaa-43.dat	cobalt_reflective_dll
behavioral2/files/0x000100000001abab-46.dat	cobalt_reflective_dll
behavioral2/files/0x000100000001abac-48.dat	cobalt_reflective_dll
behavioral2/files/0x000100000001abae-53.dat	cobalt_reflective_dll
behavioral2/files/0x000100000001abaf-54.dat	cobalt_reflective_dll
behavioral2/files/0x000100000001abaf-57.dat	cobalt_reflective_dll
behavioral2/files/0x000100000001abb0-58.dat	cobalt_reflective_dll
behavioral2/files/0x000100000001abb0-60.dat	cobalt_reflective_dll
behavioral2/files/0x000100000001abb1-61.dat	cobalt_reflective_dll
behavioral2/files/0x000100000001abae-55.dat	cobalt_reflective_dll
behavioral2/files/0x000100000001abac-51.dat	cobalt_reflective_dll
behavioral2/files/0x000100000001abab-50.dat	cobalt_reflective_dll
behavioral2/files/0x000100000001abb1-62.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Executes dropped EXE 21 IoCs

pid	Process
2036	WkKdvsc.exe
2156	FHDCXPe.exe
2860	JPSKfTO.exe
3792	fyyUQIs.exe
3964	lDcuepA.exe
2224	OpYwlsR.exe
1704	oXgzGmu.exe
3760	yWBqRlD.exe
2572	XWPMQia.exe
3304	QxECfYt.exe
200	daRzkIT.exe
3468	LHuVxxU.exe
748	iZLiWub.exe
2956	rhTuxHD.exe
1376	SLKpYsm.exe
2720	LnqFfiJ.exe
3472	aPFnaIg.exe
1380	aWuyBSq.exe
388	DJunsad.exe
2208	ekrOVPA.exe
3552	OthBdPk.exe

UPX packed file 42 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0008000000000687-1.dat	upx
behavioral2/files/0x0008000000000687-3.dat	upx
behavioral2/files/0x000200000001ab9a-5.dat	upx
behavioral2/files/0x000200000001ab9a-4.dat	upx
behavioral2/files/0x000200000001ab9b-7.dat	upx
behavioral2/files/0x000200000001ab9b-8.dat	upx
behavioral2/files/0x000100000001ab9f-10.dat	upx
behavioral2/files/0x000100000001ab9f-11.dat	upx
behavioral2/files/0x000100000001aba0-13.dat	upx
behavioral2/files/0x000100000001aba0-14.dat	upx
behavioral2/files/0x000100000001aba1-16.dat	upx
behavioral2/files/0x000100000001aba1-17.dat	upx
behavioral2/files/0x000100000001aba2-19.dat	upx
behavioral2/files/0x000100000001aba2-20.dat	upx
behavioral2/files/0x000100000001aba3-22.dat	upx
behavioral2/files/0x000100000001aba3-23.dat	upx
behavioral2/files/0x000100000001aba4-25.dat	upx
behavioral2/files/0x000100000001aba4-26.dat	upx
behavioral2/files/0x000100000001aba5-29.dat	upx
behavioral2/files/0x000100000001aba5-28.dat	upx
behavioral2/files/0x000100000001aba6-31.dat	upx
behavioral2/files/0x000100000001aba6-32.dat	upx
behavioral2/files/0x000100000001aba7-34.dat	upx
behavioral2/files/0x000100000001aba7-36.dat	upx
behavioral2/files/0x000100000001aba8-37.dat	upx
behavioral2/files/0x000100000001aba8-38.dat	upx
behavioral2/files/0x000100000001aba9-40.dat	upx
behavioral2/files/0x000100000001aba9-41.dat	upx
behavioral2/files/0x000100000001abaa-44.dat	upx
behavioral2/files/0x000100000001abaa-43.dat	upx
behavioral2/files/0x000100000001abab-46.dat	upx
behavioral2/files/0x000100000001abac-48.dat	upx
behavioral2/files/0x000100000001abae-53.dat	upx
behavioral2/files/0x000100000001abaf-54.dat	upx
behavioral2/files/0x000100000001abaf-57.dat	upx
behavioral2/files/0x000100000001abb0-58.dat	upx
behavioral2/files/0x000100000001abb0-60.dat	upx
behavioral2/files/0x000100000001abb1-61.dat	upx
behavioral2/files/0x000100000001abae-55.dat	upx
behavioral2/files/0x000100000001abac-51.dat	upx
behavioral2/files/0x000100000001abab-50.dat	upx
behavioral2/files/0x000100000001abb1-62.dat	upx

JavaScript code in executable 42 IoCs

resource	yara_rule
behavioral2/files/0x0008000000000687-1.dat	js
behavioral2/files/0x0008000000000687-3.dat	js
behavioral2/files/0x000200000001ab9a-5.dat	js
behavioral2/files/0x000200000001ab9a-4.dat	js
behavioral2/files/0x000200000001ab9b-7.dat	js
behavioral2/files/0x000200000001ab9b-8.dat	js
behavioral2/files/0x000100000001ab9f-10.dat	js
behavioral2/files/0x000100000001ab9f-11.dat	js
behavioral2/files/0x000100000001aba0-13.dat	js
behavioral2/files/0x000100000001aba0-14.dat	js
behavioral2/files/0x000100000001aba1-16.dat	js
behavioral2/files/0x000100000001aba1-17.dat	js
behavioral2/files/0x000100000001aba2-19.dat	js
behavioral2/files/0x000100000001aba2-20.dat	js
behavioral2/files/0x000100000001aba3-22.dat	js
behavioral2/files/0x000100000001aba3-23.dat	js
behavioral2/files/0x000100000001aba4-25.dat	js
behavioral2/files/0x000100000001aba4-26.dat	js
behavioral2/files/0x000100000001aba5-29.dat	js
behavioral2/files/0x000100000001aba5-28.dat	js
behavioral2/files/0x000100000001aba6-31.dat	js
behavioral2/files/0x000100000001aba6-32.dat	js
behavioral2/files/0x000100000001aba7-34.dat	js
behavioral2/files/0x000100000001aba7-36.dat	js
behavioral2/files/0x000100000001aba8-37.dat	js
behavioral2/files/0x000100000001aba8-38.dat	js
behavioral2/files/0x000100000001aba9-40.dat	js
behavioral2/files/0x000100000001aba9-41.dat	js
behavioral2/files/0x000100000001abaa-44.dat	js
behavioral2/files/0x000100000001abaa-43.dat	js
behavioral2/files/0x000100000001abab-46.dat	js
behavioral2/files/0x000100000001abac-48.dat	js
behavioral2/files/0x000100000001abae-53.dat	js
behavioral2/files/0x000100000001abaf-54.dat	js
behavioral2/files/0x000100000001abaf-57.dat	js
behavioral2/files/0x000100000001abb0-58.dat	js
behavioral2/files/0x000100000001abb0-60.dat	js
behavioral2/files/0x000100000001abb1-61.dat	js
behavioral2/files/0x000100000001abae-55.dat	js
behavioral2/files/0x000100000001abac-51.dat	js
behavioral2/files/0x000100000001abab-50.dat	js
behavioral2/files/0x000100000001abb1-62.dat	js

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\lDcuepA.exe	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe
File created	C:\Windows\System\XWPMQia.exe	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe
File created	C:\Windows\System\iZLiWub.exe	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe
File created	C:\Windows\System\rhTuxHD.exe	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe
File created	C:\Windows\System\DJunsad.exe	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe
File created	C:\Windows\System\OpYwlsR.exe	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe
File created	C:\Windows\System\daRzkIT.exe	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe
File created	C:\Windows\System\LHuVxxU.exe	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe
File created	C:\Windows\System\LnqFfiJ.exe	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe
File created	C:\Windows\System\aPFnaIg.exe	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe
File created	C:\Windows\System\WkKdvsc.exe	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe
File created	C:\Windows\System\FHDCXPe.exe	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe
File created	C:\Windows\System\SLKpYsm.exe	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe
File created	C:\Windows\System\OthBdPk.exe	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe
File created	C:\Windows\System\ekrOVPA.exe	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe
File created	C:\Windows\System\JPSKfTO.exe	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe
File created	C:\Windows\System\fyyUQIs.exe	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe
File created	C:\Windows\System\oXgzGmu.exe	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe
File created	C:\Windows\System\yWBqRlD.exe	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe
File created	C:\Windows\System\QxECfYt.exe	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe
File created	C:\Windows\System\aWuyBSq.exe	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	592	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe
Token: SeLockMemoryPrivilege	592	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 592 wrote to memory of 2036	592	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe	72
PID 592 wrote to memory of 2036	592	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe	72
PID 592 wrote to memory of 2156	592	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe	73
PID 592 wrote to memory of 2156	592	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe	73
PID 592 wrote to memory of 2860	592	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe	75
PID 592 wrote to memory of 2860	592	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe	75
PID 592 wrote to memory of 3792	592	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe	76
PID 592 wrote to memory of 3792	592	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe	76
PID 592 wrote to memory of 3964	592	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe	77
PID 592 wrote to memory of 3964	592	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe	77
PID 592 wrote to memory of 2224	592	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe	79
PID 592 wrote to memory of 2224	592	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe	79
PID 592 wrote to memory of 1704	592	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe	80
PID 592 wrote to memory of 1704	592	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe	80
PID 592 wrote to memory of 3760	592	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe	81
PID 592 wrote to memory of 3760	592	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe	81
PID 592 wrote to memory of 2572	592	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe	82
PID 592 wrote to memory of 2572	592	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe	82
PID 592 wrote to memory of 3304	592	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe	84
PID 592 wrote to memory of 3304	592	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe	84
PID 592 wrote to memory of 200	592	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe	85
PID 592 wrote to memory of 200	592	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe	85
PID 592 wrote to memory of 3468	592	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe	86
PID 592 wrote to memory of 3468	592	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe	86
PID 592 wrote to memory of 748	592	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe	87
PID 592 wrote to memory of 748	592	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe	87
PID 592 wrote to memory of 2956	592	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe	88
PID 592 wrote to memory of 2956	592	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe	88
PID 592 wrote to memory of 1376	592	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe	89
PID 592 wrote to memory of 1376	592	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe	89
PID 592 wrote to memory of 2720	592	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe	90
PID 592 wrote to memory of 2720	592	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe	90
PID 592 wrote to memory of 3472	592	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe	91
PID 592 wrote to memory of 3472	592	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe	91
PID 592 wrote to memory of 1380	592	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe	92
PID 592 wrote to memory of 1380	592	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe	92
PID 592 wrote to memory of 388	592	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe	93
PID 592 wrote to memory of 388	592	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe	93
PID 592 wrote to memory of 2208	592	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe	95
PID 592 wrote to memory of 2208	592	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe	95
PID 592 wrote to memory of 3552	592	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe	96
PID 592 wrote to memory of 3552	592	c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe	96

C:\Users\Admin\AppData\Local\Temp\c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe
"C:\Users\Admin\AppData\Local\Temp\c4b4b072f43bd4eece79bf1db74b26a859dc1f873389a3828e39b1bc207f7f8b.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:592
- C:\Windows\System\WkKdvsc.exe
  C:\Windows\System\WkKdvsc.exe
  2⤵
  - Executes dropped EXE
  PID:2036
- C:\Windows\System\FHDCXPe.exe
  C:\Windows\System\FHDCXPe.exe
  2⤵
  - Executes dropped EXE
  PID:2156
- C:\Windows\System\JPSKfTO.exe
  C:\Windows\System\JPSKfTO.exe
  2⤵
  - Executes dropped EXE
  PID:2860
- C:\Windows\System\fyyUQIs.exe
  C:\Windows\System\fyyUQIs.exe
  2⤵
  - Executes dropped EXE
  PID:3792
- C:\Windows\System\lDcuepA.exe
  C:\Windows\System\lDcuepA.exe
  2⤵
  - Executes dropped EXE
  PID:3964
- C:\Windows\System\OpYwlsR.exe
  C:\Windows\System\OpYwlsR.exe
  2⤵
  - Executes dropped EXE
  PID:2224
- C:\Windows\System\oXgzGmu.exe
  C:\Windows\System\oXgzGmu.exe
  2⤵
  - Executes dropped EXE
  PID:1704
- C:\Windows\System\yWBqRlD.exe
  C:\Windows\System\yWBqRlD.exe
  2⤵
  - Executes dropped EXE
  PID:3760
- C:\Windows\System\XWPMQia.exe
  C:\Windows\System\XWPMQia.exe
  2⤵
  - Executes dropped EXE
  PID:2572
- C:\Windows\System\QxECfYt.exe
  C:\Windows\System\QxECfYt.exe
  2⤵
  - Executes dropped EXE
  PID:3304
- C:\Windows\System\daRzkIT.exe
  C:\Windows\System\daRzkIT.exe
  2⤵
  - Executes dropped EXE
  PID:200
- C:\Windows\System\LHuVxxU.exe
  C:\Windows\System\LHuVxxU.exe
  2⤵
  - Executes dropped EXE
  PID:3468
- C:\Windows\System\iZLiWub.exe
  C:\Windows\System\iZLiWub.exe
  2⤵
  - Executes dropped EXE
  PID:748
- C:\Windows\System\rhTuxHD.exe
  C:\Windows\System\rhTuxHD.exe
  2⤵
  - Executes dropped EXE
  PID:2956
- C:\Windows\System\SLKpYsm.exe
  C:\Windows\System\SLKpYsm.exe
  2⤵
  - Executes dropped EXE
  PID:1376
- C:\Windows\System\LnqFfiJ.exe
  C:\Windows\System\LnqFfiJ.exe
  2⤵
  - Executes dropped EXE
  PID:2720
- C:\Windows\System\aPFnaIg.exe
  C:\Windows\System\aPFnaIg.exe
  2⤵
  - Executes dropped EXE
  PID:3472
- C:\Windows\System\aWuyBSq.exe
  C:\Windows\System\aWuyBSq.exe
  2⤵
  - Executes dropped EXE
  PID:1380
- C:\Windows\System\DJunsad.exe
  C:\Windows\System\DJunsad.exe
  2⤵
  - Executes dropped EXE
  PID:388
- C:\Windows\System\ekrOVPA.exe
  C:\Windows\System\ekrOVPA.exe
  2⤵
  - Executes dropped EXE
  PID:2208
- C:\Windows\System\OthBdPk.exe
  C:\Windows\System\OthBdPk.exe
  2⤵
  - Executes dropped EXE
  PID:3552

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads