cobaltstrike | d1ca88bb6b1d8d01c8b090ef65e654b66779606e322ef60527899080aa242720

Analysis

max time kernel
145s
max time network
153s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
20-05-2024 18:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe
Size

5.2MB
MD5

efe30ff2f84fbab3245b804f15f756d9
SHA1

43a65294eb5ce760d92ea74519c6c8f23ade96f3
SHA256

d1ca88bb6b1d8d01c8b090ef65e654b66779606e322ef60527899080aa242720
SHA512

9e5d909525fbfe7cc56830ecfd940e628d664fb00c81a9bb7095617331eb155daa3ea377881a580b6d6366b6ef08c985e1232124fc9066a7c35fd43e08fdd78a
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lV:RWWBibf56utgpPFotBER/mQ32lUZ

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
\Windows\system\YJSwloR.exe	cobalt_reflective_dll
C:\Windows\system\BIUZePV.exe	cobalt_reflective_dll
\Windows\system\KjlnZNB.exe	cobalt_reflective_dll
C:\Windows\system\ZxpLSNm.exe	cobalt_reflective_dll
\Windows\system\kddHvii.exe	cobalt_reflective_dll
C:\Windows\system\JMHyxdt.exe	cobalt_reflective_dll
\Windows\system\KSJqNdr.exe	cobalt_reflective_dll
\Windows\system\gjpOKmY.exe	cobalt_reflective_dll
C:\Windows\system\corUHlX.exe	cobalt_reflective_dll
C:\Windows\system\hPLIgXp.exe	cobalt_reflective_dll
C:\Windows\system\CofbsWI.exe	cobalt_reflective_dll
\Windows\system\zBrLEFf.exe	cobalt_reflective_dll
C:\Windows\system\fieJDfY.exe	cobalt_reflective_dll
C:\Windows\system\AmPCShY.exe	cobalt_reflective_dll
C:\Windows\system\LoBERYi.exe	cobalt_reflective_dll
C:\Windows\system\gxLimUl.exe	cobalt_reflective_dll
C:\Windows\system\puAuEtX.exe	cobalt_reflective_dll
C:\Windows\system\PcUQECU.exe	cobalt_reflective_dll
C:\Windows\system\kdmITJJ.exe	cobalt_reflective_dll
C:\Windows\system\zdIsRGf.exe	cobalt_reflective_dll
C:\Windows\system\CIIfWgb.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
\Windows\system\YJSwloR.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\BIUZePV.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\KjlnZNB.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\ZxpLSNm.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\kddHvii.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\JMHyxdt.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\KSJqNdr.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\gjpOKmY.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\corUHlX.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\hPLIgXp.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\CofbsWI.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\zBrLEFf.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\fieJDfY.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\AmPCShY.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\LoBERYi.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\gxLimUl.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\puAuEtX.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\PcUQECU.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\kdmITJJ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\zdIsRGf.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\CIIfWgb.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2228-0-0x000000013FB10000-0x000000013FE61000-memory.dmp	UPX
\Windows\system\YJSwloR.exe	UPX
C:\Windows\system\BIUZePV.exe	UPX
behavioral1/memory/1976-15-0x000000013F050000-0x000000013F3A1000-memory.dmp	UPX
behavioral1/memory/2200-8-0x000000013F160000-0x000000013F4B1000-memory.dmp	UPX
\Windows\system\KjlnZNB.exe	UPX
C:\Windows\system\ZxpLSNm.exe	UPX
\Windows\system\kddHvii.exe	UPX
C:\Windows\system\JMHyxdt.exe	UPX
behavioral1/memory/2628-26-0x000000013F8A0000-0x000000013FBF1000-memory.dmp	UPX
behavioral1/memory/2776-37-0x000000013FF90000-0x00000001402E1000-memory.dmp	UPX
\Windows\system\KSJqNdr.exe	UPX
behavioral1/memory/2228-46-0x000000013FB10000-0x000000013FE61000-memory.dmp	UPX
\Windows\system\gjpOKmY.exe	UPX
C:\Windows\system\corUHlX.exe	UPX
behavioral1/memory/2540-60-0x000000013F590000-0x000000013F8E1000-memory.dmp	UPX
behavioral1/memory/2372-66-0x000000013F9F0000-0x000000013FD41000-memory.dmp	UPX
C:\Windows\system\hPLIgXp.exe	UPX
behavioral1/memory/2864-84-0x000000013F890000-0x000000013FBE1000-memory.dmp	UPX
C:\Windows\system\CofbsWI.exe	UPX
behavioral1/memory/1756-99-0x000000013FFC0000-0x0000000140311000-memory.dmp	UPX
\Windows\system\zBrLEFf.exe	UPX
C:\Windows\system\fieJDfY.exe	UPX
C:\Windows\system\AmPCShY.exe	UPX
C:\Windows\system\LoBERYi.exe	UPX
C:\Windows\system\gxLimUl.exe	UPX
C:\Windows\system\puAuEtX.exe	UPX
behavioral1/memory/2656-137-0x000000013FCD0000-0x0000000140021000-memory.dmp	UPX
C:\Windows\system\PcUQECU.exe	UPX
behavioral1/memory/2776-97-0x000000013FF90000-0x00000001402E1000-memory.dmp	UPX
C:\Windows\system\kdmITJJ.exe	UPX
behavioral1/memory/3004-92-0x000000013F9D0000-0x000000013FD21000-memory.dmp	UPX
behavioral1/memory/2748-90-0x000000013FB10000-0x000000013FE61000-memory.dmp	UPX
behavioral1/memory/2724-82-0x000000013F050000-0x000000013F3A1000-memory.dmp	UPX
behavioral1/memory/1792-76-0x000000013FE60000-0x00000001401B1000-memory.dmp	UPX
behavioral1/memory/2628-74-0x000000013F8A0000-0x000000013FBF1000-memory.dmp	UPX
behavioral1/memory/1976-73-0x000000013F050000-0x000000013F3A1000-memory.dmp	UPX
C:\Windows\system\zdIsRGf.exe	UPX
behavioral1/memory/2576-138-0x000000013FFF0000-0x0000000140341000-memory.dmp	UPX
C:\Windows\system\CIIfWgb.exe	UPX
behavioral1/memory/2200-58-0x000000013F160000-0x000000013F4B1000-memory.dmp	UPX
behavioral1/memory/2576-56-0x000000013FFF0000-0x0000000140341000-memory.dmp	UPX
behavioral1/memory/2656-51-0x000000013FCD0000-0x0000000140021000-memory.dmp	UPX
behavioral1/memory/2228-139-0x000000013FB10000-0x000000013FE61000-memory.dmp	UPX
behavioral1/memory/2540-152-0x000000013F590000-0x000000013F8E1000-memory.dmp	UPX
behavioral1/memory/2864-151-0x000000013F890000-0x000000013FBE1000-memory.dmp	UPX
behavioral1/memory/3004-153-0x000000013F9D0000-0x000000013FD21000-memory.dmp	UPX
behavioral1/memory/1792-150-0x000000013FE60000-0x00000001401B1000-memory.dmp	UPX
behavioral1/memory/2372-149-0x000000013F9F0000-0x000000013FD41000-memory.dmp	UPX
behavioral1/memory/1756-154-0x000000013FFC0000-0x0000000140311000-memory.dmp	UPX
behavioral1/memory/2268-156-0x000000013FBB0000-0x000000013FF01000-memory.dmp	UPX
behavioral1/memory/2508-159-0x000000013FE30000-0x0000000140181000-memory.dmp	UPX
behavioral1/memory/1636-161-0x000000013F670000-0x000000013F9C1000-memory.dmp	UPX
behavioral1/memory/2860-160-0x000000013FE00000-0x0000000140151000-memory.dmp	UPX
behavioral1/memory/2708-158-0x000000013F3B0000-0x000000013F701000-memory.dmp	UPX
behavioral1/memory/768-157-0x000000013F8D0000-0x000000013FC21000-memory.dmp	UPX
behavioral1/memory/844-155-0x000000013FE30000-0x0000000140181000-memory.dmp	UPX
behavioral1/memory/2228-163-0x000000013FB10000-0x000000013FE61000-memory.dmp	UPX
behavioral1/memory/1976-216-0x000000013F050000-0x000000013F3A1000-memory.dmp	UPX
behavioral1/memory/2200-218-0x000000013F160000-0x000000013F4B1000-memory.dmp	UPX
behavioral1/memory/2724-220-0x000000013F050000-0x000000013F3A1000-memory.dmp	UPX
behavioral1/memory/2628-222-0x000000013F8A0000-0x000000013FBF1000-memory.dmp	UPX
behavioral1/memory/2776-224-0x000000013FF90000-0x00000001402E1000-memory.dmp	UPX
behavioral1/memory/2748-226-0x000000013FB10000-0x000000013FE61000-memory.dmp	UPX

XMRig Miner payload 41 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2228-46-0x000000013FB10000-0x000000013FE61000-memory.dmp	xmrig
behavioral1/memory/2228-98-0x000000013FFC0000-0x0000000140311000-memory.dmp	xmrig
behavioral1/memory/2656-137-0x000000013FCD0000-0x0000000140021000-memory.dmp	xmrig
behavioral1/memory/2776-97-0x000000013FF90000-0x00000001402E1000-memory.dmp	xmrig
behavioral1/memory/2748-90-0x000000013FB10000-0x000000013FE61000-memory.dmp	xmrig
behavioral1/memory/2724-82-0x000000013F050000-0x000000013F3A1000-memory.dmp	xmrig
behavioral1/memory/2228-75-0x0000000002230000-0x0000000002581000-memory.dmp	xmrig
behavioral1/memory/2628-74-0x000000013F8A0000-0x000000013FBF1000-memory.dmp	xmrig
behavioral1/memory/1976-73-0x000000013F050000-0x000000013F3A1000-memory.dmp	xmrig
behavioral1/memory/2576-138-0x000000013FFF0000-0x0000000140341000-memory.dmp	xmrig
behavioral1/memory/2200-58-0x000000013F160000-0x000000013F4B1000-memory.dmp	xmrig
behavioral1/memory/2228-139-0x000000013FB10000-0x000000013FE61000-memory.dmp	xmrig
behavioral1/memory/2540-152-0x000000013F590000-0x000000013F8E1000-memory.dmp	xmrig
behavioral1/memory/2864-151-0x000000013F890000-0x000000013FBE1000-memory.dmp	xmrig
behavioral1/memory/3004-153-0x000000013F9D0000-0x000000013FD21000-memory.dmp	xmrig
behavioral1/memory/1792-150-0x000000013FE60000-0x00000001401B1000-memory.dmp	xmrig
behavioral1/memory/2372-149-0x000000013F9F0000-0x000000013FD41000-memory.dmp	xmrig
behavioral1/memory/1756-154-0x000000013FFC0000-0x0000000140311000-memory.dmp	xmrig
behavioral1/memory/2268-156-0x000000013FBB0000-0x000000013FF01000-memory.dmp	xmrig
behavioral1/memory/2508-159-0x000000013FE30000-0x0000000140181000-memory.dmp	xmrig
behavioral1/memory/1636-161-0x000000013F670000-0x000000013F9C1000-memory.dmp	xmrig
behavioral1/memory/2860-160-0x000000013FE00000-0x0000000140151000-memory.dmp	xmrig
behavioral1/memory/2708-158-0x000000013F3B0000-0x000000013F701000-memory.dmp	xmrig
behavioral1/memory/768-157-0x000000013F8D0000-0x000000013FC21000-memory.dmp	xmrig
behavioral1/memory/844-155-0x000000013FE30000-0x0000000140181000-memory.dmp	xmrig
behavioral1/memory/2228-163-0x000000013FB10000-0x000000013FE61000-memory.dmp	xmrig
behavioral1/memory/2228-185-0x000000013FFC0000-0x0000000140311000-memory.dmp	xmrig
behavioral1/memory/1976-216-0x000000013F050000-0x000000013F3A1000-memory.dmp	xmrig
behavioral1/memory/2200-218-0x000000013F160000-0x000000013F4B1000-memory.dmp	xmrig
behavioral1/memory/2724-220-0x000000013F050000-0x000000013F3A1000-memory.dmp	xmrig
behavioral1/memory/2628-222-0x000000013F8A0000-0x000000013FBF1000-memory.dmp	xmrig
behavioral1/memory/2776-224-0x000000013FF90000-0x00000001402E1000-memory.dmp	xmrig
behavioral1/memory/2748-226-0x000000013FB10000-0x000000013FE61000-memory.dmp	xmrig
behavioral1/memory/2576-228-0x000000013FFF0000-0x0000000140341000-memory.dmp	xmrig
behavioral1/memory/2656-230-0x000000013FCD0000-0x0000000140021000-memory.dmp	xmrig
behavioral1/memory/2372-232-0x000000013F9F0000-0x000000013FD41000-memory.dmp	xmrig
behavioral1/memory/2540-234-0x000000013F590000-0x000000013F8E1000-memory.dmp	xmrig
behavioral1/memory/1792-236-0x000000013FE60000-0x00000001401B1000-memory.dmp	xmrig
behavioral1/memory/2864-238-0x000000013F890000-0x000000013FBE1000-memory.dmp	xmrig
behavioral1/memory/3004-240-0x000000013F9D0000-0x000000013FD21000-memory.dmp	xmrig
behavioral1/memory/1756-250-0x000000013FFC0000-0x0000000140311000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

YJSwloR.exeBIUZePV.exeZxpLSNm.exeKjlnZNB.exekddHvii.exeJMHyxdt.exeKSJqNdr.exegjpOKmY.exeCIIfWgb.execorUHlX.exezdIsRGf.exehPLIgXp.exeCofbsWI.exekdmITJJ.exePcUQECU.exepuAuEtX.exegxLimUl.exezBrLEFf.exeAmPCShY.exeLoBERYi.exefieJDfY.exe

pid	process
2200	YJSwloR.exe
1976	BIUZePV.exe
2628	ZxpLSNm.exe
2724	KjlnZNB.exe
2748	kddHvii.exe
2776	JMHyxdt.exe
2656	KSJqNdr.exe
2576	gjpOKmY.exe
2540	CIIfWgb.exe
2372	corUHlX.exe
1792	zdIsRGf.exe
2864	hPLIgXp.exe
3004	CofbsWI.exe
1756	kdmITJJ.exe
844	PcUQECU.exe
2268	puAuEtX.exe
768	gxLimUl.exe
2708	zBrLEFf.exe
2508	AmPCShY.exe
2860	LoBERYi.exe
1636	fieJDfY.exe

Loads dropped DLL 21 IoCs

Processes:

2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe

pid	process
2228	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe
2228	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe
2228	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe
2228	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe
2228	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe
2228	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe
2228	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe
2228	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe
2228	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe
2228	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe
2228	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe
2228	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe
2228	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe
2228	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe
2228	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe
2228	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe
2228	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe
2228	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe
2228	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe
2228	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe
2228	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2228-0-0x000000013FB10000-0x000000013FE61000-memory.dmp	upx
\Windows\system\YJSwloR.exe	upx
C:\Windows\system\BIUZePV.exe	upx
behavioral1/memory/1976-15-0x000000013F050000-0x000000013F3A1000-memory.dmp	upx
behavioral1/memory/2200-8-0x000000013F160000-0x000000013F4B1000-memory.dmp	upx
\Windows\system\KjlnZNB.exe	upx
C:\Windows\system\ZxpLSNm.exe	upx
\Windows\system\kddHvii.exe	upx
C:\Windows\system\JMHyxdt.exe	upx
behavioral1/memory/2628-26-0x000000013F8A0000-0x000000013FBF1000-memory.dmp	upx
behavioral1/memory/2776-37-0x000000013FF90000-0x00000001402E1000-memory.dmp	upx
\Windows\system\KSJqNdr.exe	upx
behavioral1/memory/2228-46-0x000000013FB10000-0x000000013FE61000-memory.dmp	upx
\Windows\system\gjpOKmY.exe	upx
C:\Windows\system\corUHlX.exe	upx
behavioral1/memory/2540-60-0x000000013F590000-0x000000013F8E1000-memory.dmp	upx
behavioral1/memory/2372-66-0x000000013F9F0000-0x000000013FD41000-memory.dmp	upx
C:\Windows\system\hPLIgXp.exe	upx
behavioral1/memory/2864-84-0x000000013F890000-0x000000013FBE1000-memory.dmp	upx
C:\Windows\system\CofbsWI.exe	upx
behavioral1/memory/1756-99-0x000000013FFC0000-0x0000000140311000-memory.dmp	upx
\Windows\system\zBrLEFf.exe	upx
C:\Windows\system\fieJDfY.exe	upx
C:\Windows\system\AmPCShY.exe	upx
C:\Windows\system\LoBERYi.exe	upx
C:\Windows\system\gxLimUl.exe	upx
C:\Windows\system\puAuEtX.exe	upx
behavioral1/memory/2656-137-0x000000013FCD0000-0x0000000140021000-memory.dmp	upx
C:\Windows\system\PcUQECU.exe	upx
behavioral1/memory/2776-97-0x000000013FF90000-0x00000001402E1000-memory.dmp	upx
C:\Windows\system\kdmITJJ.exe	upx
behavioral1/memory/3004-92-0x000000013F9D0000-0x000000013FD21000-memory.dmp	upx
behavioral1/memory/2748-90-0x000000013FB10000-0x000000013FE61000-memory.dmp	upx
behavioral1/memory/2724-82-0x000000013F050000-0x000000013F3A1000-memory.dmp	upx
behavioral1/memory/1792-76-0x000000013FE60000-0x00000001401B1000-memory.dmp	upx
behavioral1/memory/2628-74-0x000000013F8A0000-0x000000013FBF1000-memory.dmp	upx
behavioral1/memory/1976-73-0x000000013F050000-0x000000013F3A1000-memory.dmp	upx
C:\Windows\system\zdIsRGf.exe	upx
behavioral1/memory/2576-138-0x000000013FFF0000-0x0000000140341000-memory.dmp	upx
C:\Windows\system\CIIfWgb.exe	upx
behavioral1/memory/2200-58-0x000000013F160000-0x000000013F4B1000-memory.dmp	upx
behavioral1/memory/2576-56-0x000000013FFF0000-0x0000000140341000-memory.dmp	upx
behavioral1/memory/2656-51-0x000000013FCD0000-0x0000000140021000-memory.dmp	upx
behavioral1/memory/2228-139-0x000000013FB10000-0x000000013FE61000-memory.dmp	upx
behavioral1/memory/2540-152-0x000000013F590000-0x000000013F8E1000-memory.dmp	upx
behavioral1/memory/2864-151-0x000000013F890000-0x000000013FBE1000-memory.dmp	upx
behavioral1/memory/3004-153-0x000000013F9D0000-0x000000013FD21000-memory.dmp	upx
behavioral1/memory/1792-150-0x000000013FE60000-0x00000001401B1000-memory.dmp	upx
behavioral1/memory/2372-149-0x000000013F9F0000-0x000000013FD41000-memory.dmp	upx
behavioral1/memory/1756-154-0x000000013FFC0000-0x0000000140311000-memory.dmp	upx
behavioral1/memory/2268-156-0x000000013FBB0000-0x000000013FF01000-memory.dmp	upx
behavioral1/memory/2508-159-0x000000013FE30000-0x0000000140181000-memory.dmp	upx
behavioral1/memory/1636-161-0x000000013F670000-0x000000013F9C1000-memory.dmp	upx
behavioral1/memory/2860-160-0x000000013FE00000-0x0000000140151000-memory.dmp	upx
behavioral1/memory/2708-158-0x000000013F3B0000-0x000000013F701000-memory.dmp	upx
behavioral1/memory/768-157-0x000000013F8D0000-0x000000013FC21000-memory.dmp	upx
behavioral1/memory/844-155-0x000000013FE30000-0x0000000140181000-memory.dmp	upx
behavioral1/memory/2228-163-0x000000013FB10000-0x000000013FE61000-memory.dmp	upx
behavioral1/memory/1976-216-0x000000013F050000-0x000000013F3A1000-memory.dmp	upx
behavioral1/memory/2200-218-0x000000013F160000-0x000000013F4B1000-memory.dmp	upx
behavioral1/memory/2724-220-0x000000013F050000-0x000000013F3A1000-memory.dmp	upx
behavioral1/memory/2628-222-0x000000013F8A0000-0x000000013FBF1000-memory.dmp	upx
behavioral1/memory/2776-224-0x000000013FF90000-0x00000001402E1000-memory.dmp	upx
behavioral1/memory/2748-226-0x000000013FB10000-0x000000013FE61000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\YJSwloR.exe	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\gjpOKmY.exe	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\zdIsRGf.exe	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\fieJDfY.exe	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\hPLIgXp.exe	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\PcUQECU.exe	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\gxLimUl.exe	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\KjlnZNB.exe	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\CofbsWI.exe	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\kdmITJJ.exe	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\BIUZePV.exe	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ZxpLSNm.exe	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\kddHvii.exe	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\JMHyxdt.exe	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\KSJqNdr.exe	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\CIIfWgb.exe	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\corUHlX.exe	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\puAuEtX.exe	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\zBrLEFf.exe	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\AmPCShY.exe	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\LoBERYi.exe	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	2228	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	2228	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 2228 wrote to memory of 2200	2228	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	YJSwloR.exe
PID 2228 wrote to memory of 2200	2228	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	YJSwloR.exe
PID 2228 wrote to memory of 2200	2228	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	YJSwloR.exe
PID 2228 wrote to memory of 1976	2228	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	BIUZePV.exe
PID 2228 wrote to memory of 1976	2228	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	BIUZePV.exe
PID 2228 wrote to memory of 1976	2228	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	BIUZePV.exe
PID 2228 wrote to memory of 2628	2228	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	ZxpLSNm.exe
PID 2228 wrote to memory of 2628	2228	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	ZxpLSNm.exe
PID 2228 wrote to memory of 2628	2228	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	ZxpLSNm.exe
PID 2228 wrote to memory of 2724	2228	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	KjlnZNB.exe
PID 2228 wrote to memory of 2724	2228	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	KjlnZNB.exe
PID 2228 wrote to memory of 2724	2228	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	KjlnZNB.exe
PID 2228 wrote to memory of 2748	2228	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	kddHvii.exe
PID 2228 wrote to memory of 2748	2228	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	kddHvii.exe
PID 2228 wrote to memory of 2748	2228	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	kddHvii.exe
PID 2228 wrote to memory of 2776	2228	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	JMHyxdt.exe
PID 2228 wrote to memory of 2776	2228	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	JMHyxdt.exe
PID 2228 wrote to memory of 2776	2228	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	JMHyxdt.exe
PID 2228 wrote to memory of 2656	2228	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	KSJqNdr.exe
PID 2228 wrote to memory of 2656	2228	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	KSJqNdr.exe
PID 2228 wrote to memory of 2656	2228	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	KSJqNdr.exe
PID 2228 wrote to memory of 2576	2228	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	gjpOKmY.exe
PID 2228 wrote to memory of 2576	2228	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	gjpOKmY.exe
PID 2228 wrote to memory of 2576	2228	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	gjpOKmY.exe
PID 2228 wrote to memory of 2540	2228	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	CIIfWgb.exe
PID 2228 wrote to memory of 2540	2228	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	CIIfWgb.exe
PID 2228 wrote to memory of 2540	2228	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	CIIfWgb.exe
PID 2228 wrote to memory of 2372	2228	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	corUHlX.exe
PID 2228 wrote to memory of 2372	2228	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	corUHlX.exe
PID 2228 wrote to memory of 2372	2228	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	corUHlX.exe
PID 2228 wrote to memory of 1792	2228	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	zdIsRGf.exe
PID 2228 wrote to memory of 1792	2228	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	zdIsRGf.exe
PID 2228 wrote to memory of 1792	2228	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	zdIsRGf.exe
PID 2228 wrote to memory of 2864	2228	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	hPLIgXp.exe
PID 2228 wrote to memory of 2864	2228	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	hPLIgXp.exe
PID 2228 wrote to memory of 2864	2228	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	hPLIgXp.exe
PID 2228 wrote to memory of 3004	2228	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	CofbsWI.exe
PID 2228 wrote to memory of 3004	2228	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	CofbsWI.exe
PID 2228 wrote to memory of 3004	2228	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	CofbsWI.exe
PID 2228 wrote to memory of 1756	2228	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	kdmITJJ.exe
PID 2228 wrote to memory of 1756	2228	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	kdmITJJ.exe
PID 2228 wrote to memory of 1756	2228	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	kdmITJJ.exe
PID 2228 wrote to memory of 844	2228	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	PcUQECU.exe
PID 2228 wrote to memory of 844	2228	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	PcUQECU.exe
PID 2228 wrote to memory of 844	2228	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	PcUQECU.exe
PID 2228 wrote to memory of 2268	2228	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	puAuEtX.exe
PID 2228 wrote to memory of 2268	2228	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	puAuEtX.exe
PID 2228 wrote to memory of 2268	2228	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	puAuEtX.exe
PID 2228 wrote to memory of 768	2228	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	gxLimUl.exe
PID 2228 wrote to memory of 768	2228	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	gxLimUl.exe
PID 2228 wrote to memory of 768	2228	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	gxLimUl.exe
PID 2228 wrote to memory of 2708	2228	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	zBrLEFf.exe
PID 2228 wrote to memory of 2708	2228	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	zBrLEFf.exe
PID 2228 wrote to memory of 2708	2228	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	zBrLEFf.exe
PID 2228 wrote to memory of 2508	2228	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	AmPCShY.exe
PID 2228 wrote to memory of 2508	2228	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	AmPCShY.exe
PID 2228 wrote to memory of 2508	2228	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	AmPCShY.exe
PID 2228 wrote to memory of 2860	2228	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	LoBERYi.exe
PID 2228 wrote to memory of 2860	2228	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	LoBERYi.exe
PID 2228 wrote to memory of 2860	2228	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	LoBERYi.exe
PID 2228 wrote to memory of 1636	2228	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	fieJDfY.exe
PID 2228 wrote to memory of 1636	2228	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	fieJDfY.exe
PID 2228 wrote to memory of 1636	2228	2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe	fieJDfY.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-20_efe30ff2f84fbab3245b804f15f756d9_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2228

C:\Windows\System\YJSwloR.exe
C:\Windows\System\YJSwloR.exe
2⤵
- Executes dropped EXE
PID:2200

C:\Windows\System\BIUZePV.exe
C:\Windows\System\BIUZePV.exe
2⤵
- Executes dropped EXE
PID:1976

C:\Windows\System\ZxpLSNm.exe
C:\Windows\System\ZxpLSNm.exe
2⤵
- Executes dropped EXE
PID:2628

C:\Windows\System\KjlnZNB.exe
C:\Windows\System\KjlnZNB.exe
2⤵
- Executes dropped EXE
PID:2724

C:\Windows\System\kddHvii.exe
C:\Windows\System\kddHvii.exe
2⤵
- Executes dropped EXE
PID:2748

C:\Windows\System\JMHyxdt.exe
C:\Windows\System\JMHyxdt.exe
2⤵
- Executes dropped EXE
PID:2776

C:\Windows\System\KSJqNdr.exe
C:\Windows\System\KSJqNdr.exe
2⤵
- Executes dropped EXE
PID:2656

C:\Windows\System\gjpOKmY.exe
C:\Windows\System\gjpOKmY.exe
2⤵
- Executes dropped EXE
PID:2576

C:\Windows\System\CIIfWgb.exe
C:\Windows\System\CIIfWgb.exe
2⤵
- Executes dropped EXE
PID:2540

C:\Windows\System\corUHlX.exe
C:\Windows\System\corUHlX.exe
2⤵
- Executes dropped EXE
PID:2372

C:\Windows\System\zdIsRGf.exe
C:\Windows\System\zdIsRGf.exe
2⤵
- Executes dropped EXE
PID:1792

C:\Windows\System\hPLIgXp.exe
C:\Windows\System\hPLIgXp.exe
2⤵
- Executes dropped EXE
PID:2864

C:\Windows\System\CofbsWI.exe
C:\Windows\System\CofbsWI.exe
2⤵
- Executes dropped EXE
PID:3004

C:\Windows\System\kdmITJJ.exe
C:\Windows\System\kdmITJJ.exe
2⤵
- Executes dropped EXE
PID:1756

C:\Windows\System\PcUQECU.exe
C:\Windows\System\PcUQECU.exe
2⤵
- Executes dropped EXE
PID:844

C:\Windows\System\puAuEtX.exe
C:\Windows\System\puAuEtX.exe
2⤵
- Executes dropped EXE
PID:2268

C:\Windows\System\gxLimUl.exe
C:\Windows\System\gxLimUl.exe
2⤵
- Executes dropped EXE
PID:768

C:\Windows\System\zBrLEFf.exe
C:\Windows\System\zBrLEFf.exe
2⤵
- Executes dropped EXE
PID:2708

C:\Windows\System\AmPCShY.exe
C:\Windows\System\AmPCShY.exe
2⤵
- Executes dropped EXE
PID:2508

C:\Windows\System\LoBERYi.exe
C:\Windows\System\LoBERYi.exe
2⤵
- Executes dropped EXE
PID:2860

C:\Windows\System\fieJDfY.exe
C:\Windows\System\fieJDfY.exe
2⤵
- Executes dropped EXE
PID:1636

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\AmPCShY.exe

Filesize
5.2MB

MD5
277823605880a5f3fbacbc8ada02af51

SHA1
ef42827acf76905dadd76fd4f39242854219f08b

SHA256
11a269d65e110782c7b7c950515f2c7bead6e6a42158847342f05670609be248

SHA512
50ca395b9fd622ba1410bc3d4fda2e2dfa179626849624d10e321783e31b63e10db713e52c5102b13fa0d801e11f2af52625046436717fa7a748e2ac533b6939

Download Submit
C:\Windows\system\BIUZePV.exe

Filesize
5.2MB

MD5
7a5d9fb062fb07b3fad5b86fe8bc838d

SHA1
b1da21ab57af8bc3d928ae29a3d4d999cb41b285

SHA256
f3e7b4211f06981d61ba58eba45da019f11bf8cf40e869611a96af57b398a869

SHA512
f7763803afeae0a242916d5545341bf7b091f12d3b1fe2fb5d0891f6bfb3470c219064dc5c32bfc9eb93aaaee4329f200579d5c5b2c92f875d429f692c432103

Download Submit
C:\Windows\system\CIIfWgb.exe

Filesize
5.2MB

MD5
570c706cb271f0f07d9d36df156c6896

SHA1
92eadc1fc048affb6ff4ae00d4eb767513c95b24

SHA256
0eed32195f97803a5e3f5e33210bbc16e237ce97393d971ad56fd6c0e7fb9b07

SHA512
82f7dc92e61324b75e946d6058205e6059b8f451ecaae3087ac4188c458c3543c24eb0203760be37de85d60c81f8259a2f0dc92af92dbed69078f6acadd9a106

Download Submit
C:\Windows\system\CofbsWI.exe

Filesize
5.2MB

MD5
8bdf481eb4a8e426c472184dc06c525c

SHA1
47a89c196b48d6d64cbee28cc3c69c6dc0406fb1

SHA256
225ce2a53f34c206dcac42cfbfa407c8a4f6f0eff449f38fd8118f95aa5d15ba

SHA512
d21cf0a65551642c148f986d22fbed99fe0027cc805524b20c6efd1156b6300f7de9f76ec041023f7851e638ffd73f12fd372a6e82ae07fde9c826700d934683

Download Submit
C:\Windows\system\JMHyxdt.exe

Filesize
5.2MB

MD5
2623721bdcb9b227c22c6cad00a0e06c

SHA1
4b79261c8f7b5cd2599528dd58388528f220f4f0

SHA256
9c219bef3ecf0c291fb657255e7c734582415baa631d3b606d222b7d37875612

SHA512
ee9fed66671d34a00d0cc6a2f09cdded22202d6f9f3674b0e4da2c92051e755b92ede67e1df873e3d1406824cd4fdd89cd8fb301c0fc35438b16a5ef597594f1

Download Submit
C:\Windows\system\LoBERYi.exe

Filesize
5.2MB

MD5
e4f5bd0c71d0d1ddf550de66dcc846ba

SHA1
70afd915b75092675a94e6b0b7afaf08d2d90943

SHA256
d96d9504d71b277b890d70270261c17222d4f74393f0aaa96f98643438ba92a0

SHA512
7d6c90e243b11dcf383c3f7634921904fbf9a639a694390386268d74b42112844863361ecfba26fe91268cc10b9b4e54dc2dea9009c81afac8b52342b93c1a2e

Download Submit
C:\Windows\system\PcUQECU.exe

Filesize
5.2MB

MD5
19a2e6e1425f46965f19adb0e9c92676

SHA1
bc05d53d9c4b4b2f82d89de6455b1ea1f9d81bfd

SHA256
60ed0d8f51752d151c46ff6af02750a66e8bfa72ed33e3af6ed4929f6acc6924

SHA512
a1edd8d8765a19296a8f3e324b83478a70b6e61fe93f7118676574759a4868ba919d818964d8b2480e583e7f5aec4315b042563a1734b9dfa318ad77a7f3aeaf

Download Submit
C:\Windows\system\ZxpLSNm.exe

Filesize
5.2MB

MD5
edc1a03baa0197e40b9e112cb7c0f3cf

SHA1
f5889ac60be33bc0601539f54347307be5e2db0c

SHA256
e645d87792033f509ef5333813320eb3f0d2911e37c696b9b015a633eec609f8

SHA512
ee857f4727394232f8c9bf5c0f71dd552e622ada578bdfccc4a3f4895b1c41a1ead6b4f3978fbfdff4ae0036fd7b33b59effff2d7454b0de6e268698bc59a9ca

Download Submit
C:\Windows\system\corUHlX.exe

Filesize
5.2MB

MD5
f647977990bbac75c78f92c8752a9b24

SHA1
00ec3ab56614dae7fb6904f832fb05bd32dac9bc

SHA256
be233617403f30dd93ecc192700105d61e5eee7bb85b7bcf28c60b5cd8552de2

SHA512
0db0ee7804ddfde04c50273c35919f020fe345f8b6367b6601a721810b4493701c9fb0b5c631235db5c0f0b2872ae23f19ed7f8ff9f02394db623eeb9dce1a53

Download Submit
C:\Windows\system\fieJDfY.exe

Filesize
5.2MB

MD5
f1b0b8c091dbbd8b9f3f802c6315386a

SHA1
5d5e2f204d0c63787dd1165ba87584db4521514d

SHA256
3579adee02b8eeeb125be414fe02406bbd3abe7c6ce90f6f4003f6fbb04fea13

SHA512
16fa5d8f671ef07edf0c1158cfb83f36140ea96590cbe0ae16948e7c9dfade679d4ff07b1df6c926f735bd0fc273a43cc9ed4e3c542b85ed737ad4d6e35a7120

Download Submit
C:\Windows\system\gxLimUl.exe

Filesize
5.2MB

MD5
546b7749fcea97365887bb3a541c5c87

SHA1
020ab5ba0e6305f032907fc1b2414a0c3d3066b8

SHA256
3b825cf3528a00e6e8cd27ee4eb0cb90fa02afd84bae94cfb4ebe3b1617cf4ae

SHA512
b46c5757e1be49678a629646f307774306eb455a218a3d4adbf5c9a68111afd7bbcc9371506ce4e317b172868d25d6c1692c7c5997eda8202684a389809ec5d9

Download Submit
C:\Windows\system\hPLIgXp.exe

Filesize
5.2MB

MD5
b10026f7dbb67edfc31b891a82180728

SHA1
68d998b33abe17cf084ec7f118e4bda0806b8d76

SHA256
09cbbe9fa74f83b6ee209a7970d8154de762a58a2ae008c295bd48d68100725b

SHA512
3c4c848f79e20045dc9580cc0d8b9067c190cae00fae7d312688b82ae662039f2f2f593a9fee17b9f820531e2a0c297cfadaa0c86ecbc8f10b29d5145407f033

Download Submit
C:\Windows\system\kdmITJJ.exe

Filesize
5.2MB

MD5
4f871152976225292e71061ae61ac776

SHA1
d2c9ef0a366797c2998bbc818b8e5808e5a3c227

SHA256
cc0fc7ff6b780104a2930a1d9c1fe79f4fc02ebab851c61e3d1f614ba0566739

SHA512
a279290ecd3fe1180f30fc783993451ffb8e93f614f7080028ad74dba1248d3c27ccb2b259ca6077b8726dc754f9f37a7745e5408d9d84eb849e6cb6e840ea40

Download Submit
C:\Windows\system\puAuEtX.exe

Filesize
5.2MB

MD5
c42c0e4d7d0bf24657f7f2ba577addea

SHA1
257092530484b94d81e0d807eddd55ab9ad01b97

SHA256
c6cf2c3c19f097001dfcc12357e6f88eb43cc8f370291a91a8aa7d4e0b22494a

SHA512
067aeabd194757fadda9b8ef7a69fff213b15acfd01142719699f345fef311b38aed2be752dde8f027c4820f0154bd3a42a832c8436ad1ef6b039c42a9799632

Download Submit
C:\Windows\system\zdIsRGf.exe

Filesize
5.2MB

MD5
f73c70dac7282f987c152b741a1c193d

SHA1
2ccc3c1e6a11664c7427e5b1174d8e987fca2ff6

SHA256
24f44e97415d7b316face3b569373c9fae59a78d6b99bb38f826fb9b86d300c7

SHA512
8b46aa1b0a18fa4020a3ff91b7b4860ff6671643c2bc1a0f460f7bc9bd2abf16fc6e70f1942d8d2dd0d34586ec4de6e5ea7e0c6f4ce715144cf451487ba42229

Download Submit
\Windows\system\KSJqNdr.exe

Filesize
5.2MB

MD5
c652efc792523ec87dea99546af371bb

SHA1
5fb2cc302649aa53b1de3c909213df28f315051a

SHA256
feaa313ce4e9d6c6aab855f17af9b665884495339ad1b0c26e6c089989edb6e4

SHA512
2dba7e840770ac7d9554402602c83d835126b666b6979eda16f70df54aa38f6731468a1e1ff4d4aa9e45f3025057993f90cc62bb7579a0d54874971de1692b83

Download Submit
\Windows\system\KjlnZNB.exe

Filesize
5.2MB

MD5
82f79f2804a6716e79afbc26d91c4c46

SHA1
9a3085605da9223f48a36d590897fe04ad0302db

SHA256
c75dc8e5d9e6db4dc853a7c5dbdb2f1273e2387eb5233fd2eb14655586995273

SHA512
c2294a8d6b6088ea93626eea8562ff1ff31255488903f644fc13c9f27fe0b8a11aa9ce2e8602523911d2a17c5644a429aaf99c9e952eb6ac4095a2b026fa9e72

Download Submit
\Windows\system\YJSwloR.exe

Filesize
5.2MB

MD5
a94fa0dc7900f4e89ddc62fa0cb72715

SHA1
5c03beceb504d1dbeec9cdfbffd735e0592f76da

SHA256
b95de91bd23b323adb4e8cb0106bae9068599d5a7636d9f6bce202a2f22675ca

SHA512
0f94315614950b35b42fc2c054f1e51f9debdd046cb6a4d4f38c0b6b937a672f931cc66e0ee8bdd7813925791e17051d27473747d5a79bce27e01617f88633dc

Download Submit
\Windows\system\gjpOKmY.exe

Filesize
5.2MB

MD5
26482954794f885465f48f3d56aacfa2

SHA1
acaded68ede7ca4439037ce6607e759dfbad2e58

SHA256
7726c3c7c88cbfbb8b90d0c1d65acbfd3e38358b8e166926427b5d1daf2ac7b5

SHA512
846600960a5021bacc92a5309d7fd86213cc450cb22ca4cb6b361a8bb40cbee3d6fc5a8a86b3d71c68058b98534ecf863f41005e0eb78596353c051e60901c8a

Download Submit
\Windows\system\kddHvii.exe

Filesize
5.2MB

MD5
0504a1c878b1a0dc0022e3e1213ba6e9

SHA1
caab54682b0a7bebeba87fb96f92a6722ae3eda5

SHA256
a74769aca0aa2d75143c038d50490f80f661e1bb08e52f87513f29e60f6b56d3

SHA512
15114b6f8ec204ea5b679205e12687374d55c206387c4c229a598b9620c989238ffbd9259bd2c427f103075d534e8cd9bde515fd64d890dd3d61271aa09e5147

Download Submit
\Windows\system\zBrLEFf.exe

Filesize
5.2MB

MD5
ba626e94c5eb632f4ed51275d614c91e

SHA1
f67ec81da01a6e53c2161984dbfec8fe1744d54b

SHA256
50b8d235aea53b6774ee67d256cc0b9d98b284548237adbf5a6cd1ffe2d8576a

SHA512
bf288e2e2b750442e179fe50789045c2add80c054e10e2e10f87ee399a361a37ade2153a795a05dbfa71451f73f0688f55bacc6bf395855739d2a0f84a4cd4fc

Download Submit
memory/768-157-0x000000013F8D0000-0x000000013FC21000-memory.dmp

Filesize
3.3MB

Download
memory/844-155-0x000000013FE30000-0x0000000140181000-memory.dmp

Filesize
3.3MB

Download
memory/1636-161-0x000000013F670000-0x000000013F9C1000-memory.dmp

Filesize
3.3MB

Download
memory/1756-99-0x000000013FFC0000-0x0000000140311000-memory.dmp

Filesize
3.3MB

Download
memory/1756-154-0x000000013FFC0000-0x0000000140311000-memory.dmp

Filesize
3.3MB

Download
memory/1756-250-0x000000013FFC0000-0x0000000140311000-memory.dmp

Filesize
3.3MB

Download
memory/1792-236-0x000000013FE60000-0x00000001401B1000-memory.dmp

Filesize
3.3MB

Download
memory/1792-150-0x000000013FE60000-0x00000001401B1000-memory.dmp

Filesize
3.3MB

Download
memory/1792-76-0x000000013FE60000-0x00000001401B1000-memory.dmp

Filesize
3.3MB

Download
memory/1976-15-0x000000013F050000-0x000000013F3A1000-memory.dmp

Filesize
3.3MB

Download
memory/1976-73-0x000000013F050000-0x000000013F3A1000-memory.dmp

Filesize
3.3MB

Download
memory/1976-216-0x000000013F050000-0x000000013F3A1000-memory.dmp

Filesize
3.3MB

Download
memory/2200-8-0x000000013F160000-0x000000013F4B1000-memory.dmp

Filesize
3.3MB

Download
memory/2200-58-0x000000013F160000-0x000000013F4B1000-memory.dmp

Filesize
3.3MB

Download
memory/2200-218-0x000000013F160000-0x000000013F4B1000-memory.dmp

Filesize
3.3MB

Download
memory/2228-162-0x0000000002230000-0x0000000002581000-memory.dmp

Filesize
3.3MB

Download
memory/2228-75-0x0000000002230000-0x0000000002581000-memory.dmp

Filesize
3.3MB

Download
memory/2228-31-0x0000000002230000-0x0000000002581000-memory.dmp

Filesize
3.3MB

Download
memory/2228-21-0x0000000002230000-0x0000000002581000-memory.dmp

Filesize
3.3MB

Download
memory/2228-91-0x0000000002230000-0x0000000002581000-memory.dmp

Filesize
3.3MB

Download
memory/2228-30-0x000000013F050000-0x000000013F3A1000-memory.dmp

Filesize
3.3MB

Download
memory/2228-83-0x0000000002230000-0x0000000002581000-memory.dmp

Filesize
3.3MB

Download
memory/2228-46-0x000000013FB10000-0x000000013FE61000-memory.dmp

Filesize
3.3MB

Download
memory/2228-0-0x000000013FB10000-0x000000013FE61000-memory.dmp

Filesize
3.3MB

Download
memory/2228-163-0x000000013FB10000-0x000000013FE61000-memory.dmp

Filesize
3.3MB

Download
memory/2228-185-0x000000013FFC0000-0x0000000140311000-memory.dmp

Filesize
3.3MB

Download
memory/2228-105-0x0000000002230000-0x0000000002581000-memory.dmp

Filesize
3.3MB

Download
memory/2228-12-0x000000013F050000-0x000000013F3A1000-memory.dmp

Filesize
3.3MB

Download
memory/2228-139-0x000000013FB10000-0x000000013FE61000-memory.dmp

Filesize
3.3MB

Download
memory/2228-1-0x0000000000080000-0x0000000000090000-memory.dmp

Filesize
64KB

Download
memory/2228-65-0x0000000002230000-0x0000000002581000-memory.dmp

Filesize
3.3MB

Download
memory/2228-57-0x000000013FFF0000-0x0000000140341000-memory.dmp

Filesize
3.3MB

Download
memory/2228-98-0x000000013FFC0000-0x0000000140311000-memory.dmp

Filesize
3.3MB

Download
memory/2268-156-0x000000013FBB0000-0x000000013FF01000-memory.dmp

Filesize
3.3MB

Download
memory/2372-66-0x000000013F9F0000-0x000000013FD41000-memory.dmp

Filesize
3.3MB

Download
memory/2372-232-0x000000013F9F0000-0x000000013FD41000-memory.dmp

Filesize
3.3MB

Download
memory/2372-149-0x000000013F9F0000-0x000000013FD41000-memory.dmp

Filesize
3.3MB

Download
memory/2508-159-0x000000013FE30000-0x0000000140181000-memory.dmp

Filesize
3.3MB

Download
memory/2540-60-0x000000013F590000-0x000000013F8E1000-memory.dmp

Filesize
3.3MB

Download
memory/2540-234-0x000000013F590000-0x000000013F8E1000-memory.dmp

Filesize
3.3MB

Download
memory/2540-152-0x000000013F590000-0x000000013F8E1000-memory.dmp

Filesize
3.3MB

Download
memory/2576-56-0x000000013FFF0000-0x0000000140341000-memory.dmp

Filesize
3.3MB

Download
memory/2576-138-0x000000013FFF0000-0x0000000140341000-memory.dmp

Filesize
3.3MB

Download
memory/2576-228-0x000000013FFF0000-0x0000000140341000-memory.dmp

Filesize
3.3MB

Download
memory/2628-74-0x000000013F8A0000-0x000000013FBF1000-memory.dmp

Filesize
3.3MB

Download
memory/2628-222-0x000000013F8A0000-0x000000013FBF1000-memory.dmp

Filesize
3.3MB

Download
memory/2628-26-0x000000013F8A0000-0x000000013FBF1000-memory.dmp

Filesize
3.3MB

Download
memory/2656-230-0x000000013FCD0000-0x0000000140021000-memory.dmp

Filesize
3.3MB

Download
memory/2656-51-0x000000013FCD0000-0x0000000140021000-memory.dmp

Filesize
3.3MB

Download
memory/2656-137-0x000000013FCD0000-0x0000000140021000-memory.dmp

Filesize
3.3MB

Download
memory/2708-158-0x000000013F3B0000-0x000000013F701000-memory.dmp

Filesize
3.3MB

Download
memory/2724-82-0x000000013F050000-0x000000013F3A1000-memory.dmp

Filesize
3.3MB

Download
memory/2724-220-0x000000013F050000-0x000000013F3A1000-memory.dmp

Filesize
3.3MB

Download
memory/2748-226-0x000000013FB10000-0x000000013FE61000-memory.dmp

Filesize
3.3MB

Download
memory/2748-90-0x000000013FB10000-0x000000013FE61000-memory.dmp

Filesize
3.3MB

Download
memory/2776-224-0x000000013FF90000-0x00000001402E1000-memory.dmp

Filesize
3.3MB

Download
memory/2776-97-0x000000013FF90000-0x00000001402E1000-memory.dmp

Filesize
3.3MB

Download
memory/2776-37-0x000000013FF90000-0x00000001402E1000-memory.dmp

Filesize
3.3MB

Download
memory/2860-160-0x000000013FE00000-0x0000000140151000-memory.dmp

Filesize
3.3MB

Download
memory/2864-84-0x000000013F890000-0x000000013FBE1000-memory.dmp

Filesize
3.3MB

Download
memory/2864-238-0x000000013F890000-0x000000013FBE1000-memory.dmp

Filesize
3.3MB

Download
memory/2864-151-0x000000013F890000-0x000000013FBE1000-memory.dmp

Filesize
3.3MB

Download
memory/3004-92-0x000000013F9D0000-0x000000013FD21000-memory.dmp

Filesize
3.3MB

Download
memory/3004-153-0x000000013F9D0000-0x000000013FD21000-memory.dmp

Filesize
3.3MB

Download
memory/3004-240-0x000000013F9D0000-0x000000013FD21000-memory.dmp

Filesize
3.3MB

Download