cobaltstrike | 87b06fcb599928c18ec9a51391ff20744d2a9cdeb1aa51f3dca1c67d0ac32e03

Analysis

max time kernel
148s
max time network
153s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 17:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe
Size

5.2MB
MD5

28e643087db47cd16c8de76bd02957f5
SHA1

94b94936c7e6b867f69179e1424099b3dc61660d
SHA256

87b06fcb599928c18ec9a51391ff20744d2a9cdeb1aa51f3dca1c67d0ac32e03
SHA512

032bc84a7be46243b014740b9e0a5d15a202ac9f54daeb62426e4dae2160a431df17ed4d2f7cd943894a17dcea202029b255c76bc8cfb058a35c60c07a72e295
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6li:RWWBibf56utgpPFotBER/mQ32lUe

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
\Windows\system\jpLjcLp.exe	cobalt_reflective_dll
\Windows\system\ONndBvN.exe	cobalt_reflective_dll
\Windows\system\OzEIozu.exe	cobalt_reflective_dll
C:\Windows\system\oMNWeIT.exe	cobalt_reflective_dll
C:\Windows\system\porKgZa.exe	cobalt_reflective_dll
C:\Windows\system\tSbJpyk.exe	cobalt_reflective_dll
\Windows\system\SSeFsvH.exe	cobalt_reflective_dll
C:\Windows\system\ALEZJnw.exe	cobalt_reflective_dll
C:\Windows\system\vYJBaVn.exe	cobalt_reflective_dll
C:\Windows\system\YlryRku.exe	cobalt_reflective_dll
\Windows\system\OcIaILk.exe	cobalt_reflective_dll
\Windows\system\VqLwacH.exe	cobalt_reflective_dll
\Windows\system\YtUkRtP.exe	cobalt_reflective_dll
C:\Windows\system\bljDeQo.exe	cobalt_reflective_dll
C:\Windows\system\RtKodEw.exe	cobalt_reflective_dll
\Windows\system\xlffwcK.exe	cobalt_reflective_dll
\Windows\system\xJQaspf.exe	cobalt_reflective_dll
C:\Windows\system\bOxTNEk.exe	cobalt_reflective_dll
C:\Windows\system\JiAIeJp.exe	cobalt_reflective_dll
C:\Windows\system\PkAXEdM.exe	cobalt_reflective_dll
C:\Windows\system\TMTfqhV.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
\Windows\system\jpLjcLp.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\ONndBvN.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\OzEIozu.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\oMNWeIT.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\porKgZa.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\tSbJpyk.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\SSeFsvH.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\ALEZJnw.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\vYJBaVn.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\YlryRku.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\OcIaILk.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\VqLwacH.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\YtUkRtP.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\bljDeQo.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\RtKodEw.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\xlffwcK.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\xJQaspf.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\bOxTNEk.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\JiAIeJp.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\PkAXEdM.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\TMTfqhV.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2764-0-0x000000013FB80000-0x000000013FED1000-memory.dmp	UPX
\Windows\system\jpLjcLp.exe	UPX
behavioral1/memory/2240-7-0x000000013FD50000-0x00000001400A1000-memory.dmp	UPX
\Windows\system\ONndBvN.exe	UPX
\Windows\system\OzEIozu.exe	UPX
C:\Windows\system\oMNWeIT.exe	UPX
behavioral1/memory/2560-34-0x000000013FB30000-0x000000013FE81000-memory.dmp	UPX
C:\Windows\system\porKgZa.exe	UPX
behavioral1/memory/3068-38-0x000000013FD40000-0x0000000140091000-memory.dmp	UPX
C:\Windows\system\tSbJpyk.exe	UPX
behavioral1/memory/2892-16-0x000000013F760000-0x000000013FAB1000-memory.dmp	UPX
behavioral1/memory/2980-27-0x000000013F340000-0x000000013F691000-memory.dmp	UPX
behavioral1/memory/3012-42-0x000000013F4C0000-0x000000013F811000-memory.dmp	UPX
behavioral1/memory/2764-41-0x000000013FB80000-0x000000013FED1000-memory.dmp	UPX
\Windows\system\SSeFsvH.exe	UPX
behavioral1/memory/2396-50-0x000000013F650000-0x000000013F9A1000-memory.dmp	UPX
behavioral1/memory/2892-51-0x000000013F760000-0x000000013FAB1000-memory.dmp	UPX
behavioral1/memory/2240-47-0x000000013FD50000-0x00000001400A1000-memory.dmp	UPX
C:\Windows\system\ALEZJnw.exe	UPX
behavioral1/memory/2980-57-0x000000013F340000-0x000000013F691000-memory.dmp	UPX
behavioral1/memory/2496-59-0x000000013F800000-0x000000013FB51000-memory.dmp	UPX
C:\Windows\system\vYJBaVn.exe	UPX
C:\Windows\system\YlryRku.exe	UPX
behavioral1/memory/2404-71-0x000000013FB70000-0x000000013FEC1000-memory.dmp	UPX
behavioral1/memory/2360-70-0x000000013FD30000-0x0000000140081000-memory.dmp	UPX
\Windows\system\OcIaILk.exe	UPX
behavioral1/memory/3068-77-0x000000013FD40000-0x0000000140091000-memory.dmp	UPX
behavioral1/memory/2560-74-0x000000013FB30000-0x000000013FE81000-memory.dmp	UPX
behavioral1/memory/2192-78-0x000000013F730000-0x000000013FA81000-memory.dmp	UPX
\Windows\system\VqLwacH.exe	UPX
behavioral1/memory/3012-88-0x000000013F4C0000-0x000000013F811000-memory.dmp	UPX
behavioral1/memory/1696-89-0x000000013FF30000-0x0000000140281000-memory.dmp	UPX
\Windows\system\YtUkRtP.exe	UPX
behavioral1/memory/2428-109-0x000000013F160000-0x000000013F4B1000-memory.dmp	UPX
behavioral1/memory/608-108-0x000000013FBE0000-0x000000013FF31000-memory.dmp	UPX
C:\Windows\system\bljDeQo.exe	UPX
C:\Windows\system\RtKodEw.exe	UPX
\Windows\system\xlffwcK.exe	UPX
\Windows\system\xJQaspf.exe	UPX
C:\Windows\system\bOxTNEk.exe	UPX
C:\Windows\system\JiAIeJp.exe	UPX
C:\Windows\system\PkAXEdM.exe	UPX
C:\Windows\system\TMTfqhV.exe	UPX
behavioral1/memory/2360-149-0x000000013FD30000-0x0000000140081000-memory.dmp	UPX
behavioral1/memory/2764-150-0x000000013FB80000-0x000000013FED1000-memory.dmp	UPX
behavioral1/memory/2192-153-0x000000013F730000-0x000000013FA81000-memory.dmp	UPX
behavioral1/memory/2100-165-0x000000013F660000-0x000000013F9B1000-memory.dmp	UPX
behavioral1/memory/2004-169-0x000000013F5C0000-0x000000013F911000-memory.dmp	UPX
behavioral1/memory/1828-167-0x000000013FF90000-0x00000001402E1000-memory.dmp	UPX
behavioral1/memory/2084-166-0x000000013FDA0000-0x00000001400F1000-memory.dmp	UPX
behavioral1/memory/3008-164-0x000000013F610000-0x000000013F961000-memory.dmp	UPX
behavioral1/memory/1040-163-0x000000013F700000-0x000000013FA51000-memory.dmp	UPX
behavioral1/memory/1732-170-0x000000013F8B0000-0x000000013FC01000-memory.dmp	UPX
behavioral1/memory/2764-176-0x000000013FB80000-0x000000013FED1000-memory.dmp	UPX
behavioral1/memory/2892-201-0x000000013F760000-0x000000013FAB1000-memory.dmp	UPX
behavioral1/memory/2980-203-0x000000013F340000-0x000000013F691000-memory.dmp	UPX
behavioral1/memory/2560-206-0x000000013FB30000-0x000000013FE81000-memory.dmp	UPX
behavioral1/memory/2240-207-0x000000013FD50000-0x00000001400A1000-memory.dmp	UPX
behavioral1/memory/3068-214-0x000000013FD40000-0x0000000140091000-memory.dmp	UPX
behavioral1/memory/3012-218-0x000000013F4C0000-0x000000013F811000-memory.dmp	UPX
behavioral1/memory/2396-228-0x000000013F650000-0x000000013F9A1000-memory.dmp	UPX
behavioral1/memory/2496-230-0x000000013F800000-0x000000013FB51000-memory.dmp	UPX
behavioral1/memory/2404-232-0x000000013FB70000-0x000000013FEC1000-memory.dmp	UPX
behavioral1/memory/2360-238-0x000000013FD30000-0x0000000140081000-memory.dmp	UPX

XMRig Miner payload 42 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2764-41-0x000000013FB80000-0x000000013FED1000-memory.dmp	xmrig
behavioral1/memory/2396-50-0x000000013F650000-0x000000013F9A1000-memory.dmp	xmrig
behavioral1/memory/2892-51-0x000000013F760000-0x000000013FAB1000-memory.dmp	xmrig
behavioral1/memory/2240-47-0x000000013FD50000-0x00000001400A1000-memory.dmp	xmrig
behavioral1/memory/2980-57-0x000000013F340000-0x000000013F691000-memory.dmp	xmrig
behavioral1/memory/2496-59-0x000000013F800000-0x000000013FB51000-memory.dmp	xmrig
behavioral1/memory/2404-71-0x000000013FB70000-0x000000013FEC1000-memory.dmp	xmrig
behavioral1/memory/3068-77-0x000000013FD40000-0x0000000140091000-memory.dmp	xmrig
behavioral1/memory/2560-74-0x000000013FB30000-0x000000013FE81000-memory.dmp	xmrig
behavioral1/memory/3012-88-0x000000013F4C0000-0x000000013F811000-memory.dmp	xmrig
behavioral1/memory/1696-89-0x000000013FF30000-0x0000000140281000-memory.dmp	xmrig
behavioral1/memory/2428-109-0x000000013F160000-0x000000013F4B1000-memory.dmp	xmrig
behavioral1/memory/608-108-0x000000013FBE0000-0x000000013FF31000-memory.dmp	xmrig
behavioral1/memory/2764-113-0x000000013F700000-0x000000013FA51000-memory.dmp	xmrig
behavioral1/memory/2764-145-0x000000013F800000-0x000000013FB51000-memory.dmp	xmrig
behavioral1/memory/2360-149-0x000000013FD30000-0x0000000140081000-memory.dmp	xmrig
behavioral1/memory/2764-150-0x000000013FB80000-0x000000013FED1000-memory.dmp	xmrig
behavioral1/memory/2192-153-0x000000013F730000-0x000000013FA81000-memory.dmp	xmrig
behavioral1/memory/2100-165-0x000000013F660000-0x000000013F9B1000-memory.dmp	xmrig
behavioral1/memory/2004-169-0x000000013F5C0000-0x000000013F911000-memory.dmp	xmrig
behavioral1/memory/2764-168-0x000000013F730000-0x000000013FA81000-memory.dmp	xmrig
behavioral1/memory/1828-167-0x000000013FF90000-0x00000001402E1000-memory.dmp	xmrig
behavioral1/memory/2084-166-0x000000013FDA0000-0x00000001400F1000-memory.dmp	xmrig
behavioral1/memory/3008-164-0x000000013F610000-0x000000013F961000-memory.dmp	xmrig
behavioral1/memory/1040-163-0x000000013F700000-0x000000013FA51000-memory.dmp	xmrig
behavioral1/memory/1732-170-0x000000013F8B0000-0x000000013FC01000-memory.dmp	xmrig
behavioral1/memory/2764-176-0x000000013FB80000-0x000000013FED1000-memory.dmp	xmrig
behavioral1/memory/2764-196-0x000000013F700000-0x000000013FA51000-memory.dmp	xmrig
behavioral1/memory/2892-201-0x000000013F760000-0x000000013FAB1000-memory.dmp	xmrig
behavioral1/memory/2980-203-0x000000013F340000-0x000000013F691000-memory.dmp	xmrig
behavioral1/memory/2560-206-0x000000013FB30000-0x000000013FE81000-memory.dmp	xmrig
behavioral1/memory/2240-207-0x000000013FD50000-0x00000001400A1000-memory.dmp	xmrig
behavioral1/memory/3068-214-0x000000013FD40000-0x0000000140091000-memory.dmp	xmrig
behavioral1/memory/3012-218-0x000000013F4C0000-0x000000013F811000-memory.dmp	xmrig
behavioral1/memory/2396-228-0x000000013F650000-0x000000013F9A1000-memory.dmp	xmrig
behavioral1/memory/2496-230-0x000000013F800000-0x000000013FB51000-memory.dmp	xmrig
behavioral1/memory/2404-232-0x000000013FB70000-0x000000013FEC1000-memory.dmp	xmrig
behavioral1/memory/2360-238-0x000000013FD30000-0x0000000140081000-memory.dmp	xmrig
behavioral1/memory/2192-237-0x000000013F730000-0x000000013FA81000-memory.dmp	xmrig
behavioral1/memory/1696-240-0x000000013FF30000-0x0000000140281000-memory.dmp	xmrig
behavioral1/memory/608-244-0x000000013FBE0000-0x000000013FF31000-memory.dmp	xmrig
behavioral1/memory/2428-243-0x000000013F160000-0x000000013F4B1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

jpLjcLp.exeONndBvN.exeOzEIozu.exeoMNWeIT.exeporKgZa.exetSbJpyk.exeSSeFsvH.exeALEZJnw.exevYJBaVn.exeYlryRku.exeOcIaILk.exeVqLwacH.exebljDeQo.exeYtUkRtP.exeTMTfqhV.exePkAXEdM.exeRtKodEw.exeJiAIeJp.exexlffwcK.exebOxTNEk.exexJQaspf.exe

pid	process
2240	jpLjcLp.exe
2892	ONndBvN.exe
2980	OzEIozu.exe
2560	oMNWeIT.exe
3068	porKgZa.exe
3012	tSbJpyk.exe
2396	SSeFsvH.exe
2496	ALEZJnw.exe
2360	vYJBaVn.exe
2404	YlryRku.exe
2192	OcIaILk.exe
1696	VqLwacH.exe
2428	bljDeQo.exe
608	YtUkRtP.exe
1040	TMTfqhV.exe
3008	PkAXEdM.exe
2100	RtKodEw.exe
2084	JiAIeJp.exe
1828	xlffwcK.exe
2004	bOxTNEk.exe
1732	xJQaspf.exe

Loads dropped DLL 21 IoCs

Processes:

2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe

pid	process
2764	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe
2764	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe
2764	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe
2764	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe
2764	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe
2764	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe
2764	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe
2764	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe
2764	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe
2764	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe
2764	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe
2764	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe
2764	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe
2764	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe
2764	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe
2764	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe
2764	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe
2764	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe
2764	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe
2764	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe
2764	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2764-0-0x000000013FB80000-0x000000013FED1000-memory.dmp	upx
\Windows\system\jpLjcLp.exe	upx
behavioral1/memory/2240-7-0x000000013FD50000-0x00000001400A1000-memory.dmp	upx
\Windows\system\ONndBvN.exe	upx
\Windows\system\OzEIozu.exe	upx
C:\Windows\system\oMNWeIT.exe	upx
behavioral1/memory/2560-34-0x000000013FB30000-0x000000013FE81000-memory.dmp	upx
C:\Windows\system\porKgZa.exe	upx
behavioral1/memory/3068-38-0x000000013FD40000-0x0000000140091000-memory.dmp	upx
C:\Windows\system\tSbJpyk.exe	upx
behavioral1/memory/2892-16-0x000000013F760000-0x000000013FAB1000-memory.dmp	upx
behavioral1/memory/2980-27-0x000000013F340000-0x000000013F691000-memory.dmp	upx
behavioral1/memory/3012-42-0x000000013F4C0000-0x000000013F811000-memory.dmp	upx
behavioral1/memory/2764-41-0x000000013FB80000-0x000000013FED1000-memory.dmp	upx
\Windows\system\SSeFsvH.exe	upx
behavioral1/memory/2396-50-0x000000013F650000-0x000000013F9A1000-memory.dmp	upx
behavioral1/memory/2892-51-0x000000013F760000-0x000000013FAB1000-memory.dmp	upx
behavioral1/memory/2240-47-0x000000013FD50000-0x00000001400A1000-memory.dmp	upx
C:\Windows\system\ALEZJnw.exe	upx
behavioral1/memory/2980-57-0x000000013F340000-0x000000013F691000-memory.dmp	upx
behavioral1/memory/2496-59-0x000000013F800000-0x000000013FB51000-memory.dmp	upx
C:\Windows\system\vYJBaVn.exe	upx
C:\Windows\system\YlryRku.exe	upx
behavioral1/memory/2404-71-0x000000013FB70000-0x000000013FEC1000-memory.dmp	upx
behavioral1/memory/2360-70-0x000000013FD30000-0x0000000140081000-memory.dmp	upx
\Windows\system\OcIaILk.exe	upx
behavioral1/memory/3068-77-0x000000013FD40000-0x0000000140091000-memory.dmp	upx
behavioral1/memory/2560-74-0x000000013FB30000-0x000000013FE81000-memory.dmp	upx
behavioral1/memory/2192-78-0x000000013F730000-0x000000013FA81000-memory.dmp	upx
\Windows\system\VqLwacH.exe	upx
behavioral1/memory/3012-88-0x000000013F4C0000-0x000000013F811000-memory.dmp	upx
behavioral1/memory/1696-89-0x000000013FF30000-0x0000000140281000-memory.dmp	upx
\Windows\system\YtUkRtP.exe	upx
behavioral1/memory/2428-109-0x000000013F160000-0x000000013F4B1000-memory.dmp	upx
behavioral1/memory/608-108-0x000000013FBE0000-0x000000013FF31000-memory.dmp	upx
C:\Windows\system\bljDeQo.exe	upx
C:\Windows\system\RtKodEw.exe	upx
\Windows\system\xlffwcK.exe	upx
\Windows\system\xJQaspf.exe	upx
C:\Windows\system\bOxTNEk.exe	upx
C:\Windows\system\JiAIeJp.exe	upx
C:\Windows\system\PkAXEdM.exe	upx
C:\Windows\system\TMTfqhV.exe	upx
behavioral1/memory/2360-149-0x000000013FD30000-0x0000000140081000-memory.dmp	upx
behavioral1/memory/2764-150-0x000000013FB80000-0x000000013FED1000-memory.dmp	upx
behavioral1/memory/2192-153-0x000000013F730000-0x000000013FA81000-memory.dmp	upx
behavioral1/memory/2100-165-0x000000013F660000-0x000000013F9B1000-memory.dmp	upx
behavioral1/memory/2004-169-0x000000013F5C0000-0x000000013F911000-memory.dmp	upx
behavioral1/memory/1828-167-0x000000013FF90000-0x00000001402E1000-memory.dmp	upx
behavioral1/memory/2084-166-0x000000013FDA0000-0x00000001400F1000-memory.dmp	upx
behavioral1/memory/3008-164-0x000000013F610000-0x000000013F961000-memory.dmp	upx
behavioral1/memory/1040-163-0x000000013F700000-0x000000013FA51000-memory.dmp	upx
behavioral1/memory/1732-170-0x000000013F8B0000-0x000000013FC01000-memory.dmp	upx
behavioral1/memory/2764-176-0x000000013FB80000-0x000000013FED1000-memory.dmp	upx
behavioral1/memory/2892-201-0x000000013F760000-0x000000013FAB1000-memory.dmp	upx
behavioral1/memory/2980-203-0x000000013F340000-0x000000013F691000-memory.dmp	upx
behavioral1/memory/2560-206-0x000000013FB30000-0x000000013FE81000-memory.dmp	upx
behavioral1/memory/2240-207-0x000000013FD50000-0x00000001400A1000-memory.dmp	upx
behavioral1/memory/3068-214-0x000000013FD40000-0x0000000140091000-memory.dmp	upx
behavioral1/memory/3012-218-0x000000013F4C0000-0x000000013F811000-memory.dmp	upx
behavioral1/memory/2396-228-0x000000013F650000-0x000000013F9A1000-memory.dmp	upx
behavioral1/memory/2496-230-0x000000013F800000-0x000000013FB51000-memory.dmp	upx
behavioral1/memory/2404-232-0x000000013FB70000-0x000000013FEC1000-memory.dmp	upx
behavioral1/memory/2360-238-0x000000013FD30000-0x0000000140081000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\OzEIozu.exe	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\YlryRku.exe	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\VqLwacH.exe	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\TMTfqhV.exe	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\porKgZa.exe	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\vYJBaVn.exe	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\OcIaILk.exe	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\YtUkRtP.exe	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\PkAXEdM.exe	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ONndBvN.exe	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\tSbJpyk.exe	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ALEZJnw.exe	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\bljDeQo.exe	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\JiAIeJp.exe	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\xlffwcK.exe	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\bOxTNEk.exe	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\xJQaspf.exe	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\jpLjcLp.exe	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\SSeFsvH.exe	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\RtKodEw.exe	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\oMNWeIT.exe	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	2764	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	2764	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 2764 wrote to memory of 2240	2764	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	jpLjcLp.exe
PID 2764 wrote to memory of 2240	2764	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	jpLjcLp.exe
PID 2764 wrote to memory of 2240	2764	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	jpLjcLp.exe
PID 2764 wrote to memory of 2892	2764	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	ONndBvN.exe
PID 2764 wrote to memory of 2892	2764	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	ONndBvN.exe
PID 2764 wrote to memory of 2892	2764	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	ONndBvN.exe
PID 2764 wrote to memory of 3068	2764	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	porKgZa.exe
PID 2764 wrote to memory of 3068	2764	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	porKgZa.exe
PID 2764 wrote to memory of 3068	2764	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	porKgZa.exe
PID 2764 wrote to memory of 2980	2764	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	OzEIozu.exe
PID 2764 wrote to memory of 2980	2764	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	OzEIozu.exe
PID 2764 wrote to memory of 2980	2764	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	OzEIozu.exe
PID 2764 wrote to memory of 3012	2764	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	tSbJpyk.exe
PID 2764 wrote to memory of 3012	2764	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	tSbJpyk.exe
PID 2764 wrote to memory of 3012	2764	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	tSbJpyk.exe
PID 2764 wrote to memory of 2560	2764	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	oMNWeIT.exe
PID 2764 wrote to memory of 2560	2764	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	oMNWeIT.exe
PID 2764 wrote to memory of 2560	2764	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	oMNWeIT.exe
PID 2764 wrote to memory of 2396	2764	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	SSeFsvH.exe
PID 2764 wrote to memory of 2396	2764	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	SSeFsvH.exe
PID 2764 wrote to memory of 2396	2764	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	SSeFsvH.exe
PID 2764 wrote to memory of 2496	2764	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	ALEZJnw.exe
PID 2764 wrote to memory of 2496	2764	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	ALEZJnw.exe
PID 2764 wrote to memory of 2496	2764	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	ALEZJnw.exe
PID 2764 wrote to memory of 2360	2764	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	vYJBaVn.exe
PID 2764 wrote to memory of 2360	2764	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	vYJBaVn.exe
PID 2764 wrote to memory of 2360	2764	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	vYJBaVn.exe
PID 2764 wrote to memory of 2404	2764	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	YlryRku.exe
PID 2764 wrote to memory of 2404	2764	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	YlryRku.exe
PID 2764 wrote to memory of 2404	2764	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	YlryRku.exe
PID 2764 wrote to memory of 2192	2764	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	OcIaILk.exe
PID 2764 wrote to memory of 2192	2764	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	OcIaILk.exe
PID 2764 wrote to memory of 2192	2764	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	OcIaILk.exe
PID 2764 wrote to memory of 1696	2764	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	VqLwacH.exe
PID 2764 wrote to memory of 1696	2764	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	VqLwacH.exe
PID 2764 wrote to memory of 1696	2764	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	VqLwacH.exe
PID 2764 wrote to memory of 608	2764	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	YtUkRtP.exe
PID 2764 wrote to memory of 608	2764	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	YtUkRtP.exe
PID 2764 wrote to memory of 608	2764	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	YtUkRtP.exe
PID 2764 wrote to memory of 2428	2764	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	bljDeQo.exe
PID 2764 wrote to memory of 2428	2764	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	bljDeQo.exe
PID 2764 wrote to memory of 2428	2764	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	bljDeQo.exe
PID 2764 wrote to memory of 1040	2764	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	TMTfqhV.exe
PID 2764 wrote to memory of 1040	2764	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	TMTfqhV.exe
PID 2764 wrote to memory of 1040	2764	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	TMTfqhV.exe
PID 2764 wrote to memory of 3008	2764	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	PkAXEdM.exe
PID 2764 wrote to memory of 3008	2764	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	PkAXEdM.exe
PID 2764 wrote to memory of 3008	2764	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	PkAXEdM.exe
PID 2764 wrote to memory of 2100	2764	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	RtKodEw.exe
PID 2764 wrote to memory of 2100	2764	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	RtKodEw.exe
PID 2764 wrote to memory of 2100	2764	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	RtKodEw.exe
PID 2764 wrote to memory of 2084	2764	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	JiAIeJp.exe
PID 2764 wrote to memory of 2084	2764	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	JiAIeJp.exe
PID 2764 wrote to memory of 2084	2764	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	JiAIeJp.exe
PID 2764 wrote to memory of 1828	2764	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	xlffwcK.exe
PID 2764 wrote to memory of 1828	2764	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	xlffwcK.exe
PID 2764 wrote to memory of 1828	2764	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	xlffwcK.exe
PID 2764 wrote to memory of 2004	2764	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	bOxTNEk.exe
PID 2764 wrote to memory of 2004	2764	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	bOxTNEk.exe
PID 2764 wrote to memory of 2004	2764	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	bOxTNEk.exe
PID 2764 wrote to memory of 1732	2764	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	xJQaspf.exe
PID 2764 wrote to memory of 1732	2764	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	xJQaspf.exe
PID 2764 wrote to memory of 1732	2764	2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe	xJQaspf.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-23_28e643087db47cd16c8de76bd02957f5_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2764

C:\Windows\System\jpLjcLp.exe
C:\Windows\System\jpLjcLp.exe
2⤵
- Executes dropped EXE
PID:2240

C:\Windows\System\ONndBvN.exe
C:\Windows\System\ONndBvN.exe
2⤵
- Executes dropped EXE
PID:2892

C:\Windows\System\porKgZa.exe
C:\Windows\System\porKgZa.exe
2⤵
- Executes dropped EXE
PID:3068

C:\Windows\System\OzEIozu.exe
C:\Windows\System\OzEIozu.exe
2⤵
- Executes dropped EXE
PID:2980

C:\Windows\System\tSbJpyk.exe
C:\Windows\System\tSbJpyk.exe
2⤵
- Executes dropped EXE
PID:3012

C:\Windows\System\oMNWeIT.exe
C:\Windows\System\oMNWeIT.exe
2⤵
- Executes dropped EXE
PID:2560

C:\Windows\System\SSeFsvH.exe
C:\Windows\System\SSeFsvH.exe
2⤵
- Executes dropped EXE
PID:2396

C:\Windows\System\ALEZJnw.exe
C:\Windows\System\ALEZJnw.exe
2⤵
- Executes dropped EXE
PID:2496

C:\Windows\System\vYJBaVn.exe
C:\Windows\System\vYJBaVn.exe
2⤵
- Executes dropped EXE
PID:2360

C:\Windows\System\YlryRku.exe
C:\Windows\System\YlryRku.exe
2⤵
- Executes dropped EXE
PID:2404

C:\Windows\System\OcIaILk.exe
C:\Windows\System\OcIaILk.exe
2⤵
- Executes dropped EXE
PID:2192

C:\Windows\System\VqLwacH.exe
C:\Windows\System\VqLwacH.exe
2⤵
- Executes dropped EXE
PID:1696

C:\Windows\System\YtUkRtP.exe
C:\Windows\System\YtUkRtP.exe
2⤵
- Executes dropped EXE
PID:608

C:\Windows\System\bljDeQo.exe
C:\Windows\System\bljDeQo.exe
2⤵
- Executes dropped EXE
PID:2428

C:\Windows\System\TMTfqhV.exe
C:\Windows\System\TMTfqhV.exe
2⤵
- Executes dropped EXE
PID:1040

C:\Windows\System\PkAXEdM.exe
C:\Windows\System\PkAXEdM.exe
2⤵
- Executes dropped EXE
PID:3008

C:\Windows\System\RtKodEw.exe
C:\Windows\System\RtKodEw.exe
2⤵
- Executes dropped EXE
PID:2100

C:\Windows\System\JiAIeJp.exe
C:\Windows\System\JiAIeJp.exe
2⤵
- Executes dropped EXE
PID:2084

C:\Windows\System\xlffwcK.exe
C:\Windows\System\xlffwcK.exe
2⤵
- Executes dropped EXE
PID:1828

C:\Windows\System\bOxTNEk.exe
C:\Windows\System\bOxTNEk.exe
2⤵
- Executes dropped EXE
PID:2004

C:\Windows\System\xJQaspf.exe
C:\Windows\System\xJQaspf.exe
2⤵
- Executes dropped EXE
PID:1732

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\ALEZJnw.exe
Filesize
5.2MB

MD5
19445d1604958f4425ac87014fb45d0b

SHA1
4a8a99bf605dc79da641f0fe91f169df54b14ab9

SHA256
ab7fd401c1ef3bbf2e53ad06c7c6b9c30be3f7e688dca16e01c32b64e1b96d29

SHA512
66600eca3fcef45c214188536ed0e5354819d925476bf5b23641738b102169b6366dd8e237d7bbbb2a43129015f3ec80860200da08cdeb8f3f9921d5f65a19a7

Download Submit
C:\Windows\system\JiAIeJp.exe
Filesize
5.2MB

MD5
6623901f21a8161cd1c3534a1215bc2e

SHA1
dee2e5560e9896f326ee8ad9b18912ce0fb2a34e

SHA256
92c34c1c0684990a0b9f2878beea1bbb2f2439c71d50f41a9ab793478ac67a35

SHA512
14b170f68e4a462a75546bd5d5c5073fa35c0dcb87dfca3c0cd89f4ad2e670bb5eabc3e60a0f77155759d2b917c7d5629f93710054329d126ae9566f2bf7b591

Download Submit
C:\Windows\system\PkAXEdM.exe
Filesize
5.2MB

MD5
e8607d494f3163e74b043284bb16d80a

SHA1
07ce3601e41ba51459ff91950b37c9e45f7d6b56

SHA256
dddd48f3bfaae733491f396a4ca43a6a637131a7f1d8a827ac99f055049ea840

SHA512
374387ce09e4c8145fc8e32203e8cce00f976af6eb1ed433d5d7d905f7044149f0a41fe50987f9d7d197e34dd8ac60d6c9ee3e28d344fab156524ebe463cd6d3

Download Submit
C:\Windows\system\RtKodEw.exe
Filesize
5.2MB

MD5
c9e24dd7e91fa9ccc51a04aa52292c4f

SHA1
f96690ff2763f0cd3de5a3b7a54a47f31466df7f

SHA256
95ba8762bdc104f6c47f3d113291efb81e5b5bbb80a84fc6fd215d7d18c0dbd6

SHA512
1d7fa4e726f7f4d00f40922ed0d79c35941c432280c56bffebdc5c0a09cb3f8b49aad729230b0276e17d98d963a192e1650b7e567ee926ec31d9418f7d2f7848

Download Submit
C:\Windows\system\TMTfqhV.exe
Filesize
5.2MB

MD5
4d4eda07f896272d4f3ea3585480c3cd

SHA1
e68d58f20d9354376efcbed22a455a56fb487238

SHA256
b1bbf77187b1a2e6476ca2068a0dc2198875e279936bd6efe8fdeb72682a6bc8

SHA512
73961b3bd8200aeba2c84d37e512bb4f6a417762b22752ed0722f7a98efe5b697caca1207ff46c32953aa1455a7b162a309dbe2ddfbb89a065f29bff14ace503

Download Submit
C:\Windows\system\YlryRku.exe
Filesize
5.2MB

MD5
43844b5c23f2ef4ab897262d30a66558

SHA1
52cc8efd7c7e89011e30e444e710d8601aa80928

SHA256
dc756d5a8af09767475ce2aa53f65ee814daae77073e2b1f23dd4d8684e014b5

SHA512
5a28185c86b90f28714deeb9eefd64fc728f91547aeb1e33deb201fe549a5011de7b82c34dfd81c99ca96a34c1729419d4de0c87de7e9c75ce6c178a7962afad

Download Submit
C:\Windows\system\bOxTNEk.exe
Filesize
5.2MB

MD5
f74644400157a409cc7a4811ebb5bac2

SHA1
6332a7c4981db8a53bc7142737618047a41c7fc9

SHA256
b7dc0f3ab16273715cb59d22763716e48450f18636bdff9d8afe081a39633bec

SHA512
b3a665bc6915d3e6369e17e07a2e520493a643f6132e8188b7f702ceacef878a8a6738cfcfe4fc88ef79f6359649d6fd0cbee507b221ea145bc698a646fa6aab

Download Submit
C:\Windows\system\bljDeQo.exe
Filesize
5.2MB

MD5
98f5ffcbf627d6039634a41adf3124ac

SHA1
a40ddf6ff096fcfe49a8a89e2d5b43e3ab1a5f62

SHA256
f9009acdafd58c9c5fcf92d6aec802cc65f17481836d15b8bae4117cac7251c0

SHA512
ebb434dddd42a542b72f19dbe2884acb8eb8884e22022a20d7b54570290d7bdb230171351cea86938339f5776dc5a879b071823de87f103554b81536aea13225

Download Submit
C:\Windows\system\oMNWeIT.exe
Filesize
5.2MB

MD5
23adca9b8323dabbecd00e0be63f227b

SHA1
971997456104b15f2a27d3517e26a32d25c3e43e

SHA256
b90459cdd7413cc574970e5f76ea2d2cc4e565b68e59025ddcf835dbc1af2faf

SHA512
4352c8d27d7f39fec718f8ba60bbf4c09e4f71143701c4c85fa80b33e8a89d562f5772fab9eaa21a1459236044d43543fa83653622b381a0c107e444788328ea

Download Submit
C:\Windows\system\porKgZa.exe
Filesize
5.2MB

MD5
9c8b6fc8523a852c786d0415d84425ae

SHA1
feb89c703405394567f05863fac2b42756497f2c

SHA256
848cd38f457c31a478af6fc62a1624394c65cb7766a76a041836912d92154b54

SHA512
1c23e12e93f447730f7caf6b6f512f14a83e1d1ddc7dbff4577d49e3e403e26ab4901254698a7146077ac41bd25c9a8252e3da3553dd1b6cdc5906955b7e77d4

Download Submit
C:\Windows\system\tSbJpyk.exe
Filesize
5.2MB

MD5
3d3f46ebaceb0a8674e982b223dd89e1

SHA1
81dc42f67acf779b2b090e875caa1efc8c92706d

SHA256
d8e8b95f74cbfc90c759cb1e9f64226697d39adf9d357692c83e3cb63822709c

SHA512
bdff5f034c09e9195b1945e238d66c3e6254de4066a9398fe8b9090a41615fb77ccda143de350fb52726360a2cc49e22a377766294d983964f2771c07c642a61

Download Submit
C:\Windows\system\vYJBaVn.exe
Filesize
5.2MB

MD5
048959afd8fe7d642eb4c3201cd28ff8

SHA1
9bd350641dcf9fdf49f7971e49bc892db755cb10

SHA256
9d6dd8118666c081e8c5a289d4210e474232aecd54a8ff6667a8d5afe7b0e314

SHA512
bb8d33a1f5e5a2589f11fa2703666773215712be88b536b7f1b752a6dff489f0b92f97ef9738f20ce41b292a4aaabe8b15ceb5084b9c5d71a165e7439f48837d

Download Submit
\Windows\system\ONndBvN.exe
Filesize
5.2MB

MD5
1d7f514bea517ef69ae5c485910750f9

SHA1
4434509cf6cfd321417d711eaf96b6fa24eaaef1

SHA256
2457b472d68b52171aafca4820ba2ef60f0f2e12f6cbbd4301b2e6a2cebf5987

SHA512
c0d82f9726b232b13c5ce0ec9cf56d50bfe3c912a8e713664e452dca8d06e3aaa8f5da57adf5a6ba7ee1ba550927049d261ad4df40c20171bc070cc016f59912

Download Submit
\Windows\system\OcIaILk.exe
Filesize
5.2MB

MD5
27b3b532f7688a4702d0590d5fff872e

SHA1
3763e1227b09b0d32543558b7ffe3da540642c1c

SHA256
6f53f1c2943f35565ce6f8caf1618b84ce21ff5635acb1e5dfca41e00be0500f

SHA512
096fe0066bb0d09b00230e3569cc752cccb9615efed5e3bc745d327f3af09ae1aab88563b757b179ccf89fa6e68046b2e2d74e7c278b52e4baf9b75ba88c22f6

Download Submit
\Windows\system\OzEIozu.exe
Filesize
5.2MB

MD5
d5eebda05445005cd5f99e68b2ae33db

SHA1
c59a4044c970fb3bf4bc48154514ddfc7675c560

SHA256
bc6f637b0458277c98d5fb32eb98b8609f391a163a40b53826ab40e7093c53a8

SHA512
491034c5a4c24e642e6f61b6f9ddb8b0a47d874e467d10a45461bf4e1ec2b58af508c7ac2e7eedec8573cdcfe3b19cc822019ad5e190fd0de0f885a49c6f8a73

Download Submit
\Windows\system\SSeFsvH.exe
Filesize
5.2MB

MD5
1bef2e3e6d1dbaa0a5dbc25826f77608

SHA1
94bf2b5f8ba1c25b9189dd3e2ea8504f0cdd040e

SHA256
9f45b5089850f31d7d7d19b898acbb7742192996bd22021312eb99dcb33f3424

SHA512
2a44a83dc04d60674f29da65b033178ad40b5346040b0d75cd8b36a695693989dbf0c3c698e28b27022a90262a9629edb79b8fa32136990c84477afef39d6a86

Download Submit
\Windows\system\VqLwacH.exe
Filesize
5.2MB

MD5
63ac6b2bc6cdfff9c36ba4a8c1dbe0f3

SHA1
6709c1758a546e13887cce74f2a6fbe8fb5d3299

SHA256
dade9bb6ebd59521f63a0045e02f7ffdf773a48c76a9db921d46dc4229d0b9b8

SHA512
49ee536daace42e381e09f92b916615b0dc2639f522af96de10cd63b6f1014cbc6794b9f0f45f00155b43ae65bd85968703ac723310b8a51a61506e721c177e3

Download Submit
\Windows\system\YtUkRtP.exe
Filesize
5.2MB

MD5
21a9b2d1b47a9bca21e535c11728694e

SHA1
5c7a0e64a565b917f4f8565e67d50cc90c8469ad

SHA256
9dbc8a92159df6e73ae177edf27c303fb4244e0e5b337b3226b7db59d1f2807a

SHA512
16489a2627645a241fe2ba121a3a55f16efa237323d7ae91dff54c7f9612fbaf50b54d9c680de9c329ac1a7968a9912c7affe38a76efe030f71599d858d6aa1e

Download Submit
\Windows\system\jpLjcLp.exe
Filesize
5.2MB

MD5
2dbb9bbf3d6c432d858e48f5daa00db3

SHA1
10fb6471b0c70664032282e7620f276bb9a72336

SHA256
c6e4444a0ecffde6d65cce5cb81c076b790403bf8041c7104e791a8d4c882133

SHA512
0f691d080211fba88f048077ff5446c6e3eed8586a629b13f0b4a15f69361495254941366b7d7d0ed46312e6941eaa6c21f5821e539e615c27e6957fd73c3f31

Download Submit
\Windows\system\xJQaspf.exe
Filesize
5.2MB

MD5
cbc64f0860d00cdd75db58a83afaf9bf

SHA1
22b0e9d8c8a9507391af3309ceb5e36c55e409b8

SHA256
fbbb69b2ab9bb6d920cb37868f6b29fc3a37f179faaf7e47e4cd9dce14a1a76d

SHA512
e968b67707900071d2e20fc07ac9af8bb762d6b5cdd9467898552b8b5b278294956062d2a3fc341a5e5d84305c06bbb66514fc41c0dc3eb12d9c6ad4c9c1989d

Download Submit
\Windows\system\xlffwcK.exe
Filesize
5.2MB

MD5
f975c0fe7010264c64abf1ea6ad954b4

SHA1
87f0148d32256f5b27146c2f9f615215730f81da

SHA256
84819e371625641be2b9b3b77ce879e15402ecf7c6bbfb6edca45385f69a8180

SHA512
9e2401edc26bf58cdcbf9bd5db07f473ef7794822584600e1a3ee0e829beff1fb7230a62ae1712b45764b0129091d7b313ad93ea71dbb20411e68035f447a5a1

Download Submit
memory/608-244-0x000000013FBE0000-0x000000013FF31000-memory.dmp

Filesize
3.3MB

Download
memory/608-108-0x000000013FBE0000-0x000000013FF31000-memory.dmp

Filesize
3.3MB

Download
memory/1040-163-0x000000013F700000-0x000000013FA51000-memory.dmp

Filesize
3.3MB

Download
memory/1696-240-0x000000013FF30000-0x0000000140281000-memory.dmp

Filesize
3.3MB

Download
memory/1696-89-0x000000013FF30000-0x0000000140281000-memory.dmp

Filesize
3.3MB

Download
memory/1732-170-0x000000013F8B0000-0x000000013FC01000-memory.dmp

Filesize
3.3MB

Download
memory/1828-167-0x000000013FF90000-0x00000001402E1000-memory.dmp

Filesize
3.3MB

Download
memory/2004-169-0x000000013F5C0000-0x000000013F911000-memory.dmp

Filesize
3.3MB

Download
memory/2084-166-0x000000013FDA0000-0x00000001400F1000-memory.dmp

Filesize
3.3MB

Download
memory/2100-165-0x000000013F660000-0x000000013F9B1000-memory.dmp

Filesize
3.3MB

Download
memory/2192-237-0x000000013F730000-0x000000013FA81000-memory.dmp

Filesize
3.3MB

Download
memory/2192-78-0x000000013F730000-0x000000013FA81000-memory.dmp

Filesize
3.3MB

Download
memory/2192-153-0x000000013F730000-0x000000013FA81000-memory.dmp

Filesize
3.3MB

Download
memory/2240-207-0x000000013FD50000-0x00000001400A1000-memory.dmp

Filesize
3.3MB

Download
memory/2240-47-0x000000013FD50000-0x00000001400A1000-memory.dmp

Filesize
3.3MB

Download
memory/2240-7-0x000000013FD50000-0x00000001400A1000-memory.dmp

Filesize
3.3MB

Download
memory/2360-70-0x000000013FD30000-0x0000000140081000-memory.dmp

Filesize
3.3MB

Download
memory/2360-149-0x000000013FD30000-0x0000000140081000-memory.dmp

Filesize
3.3MB

Download
memory/2360-238-0x000000013FD30000-0x0000000140081000-memory.dmp

Filesize
3.3MB

Download
memory/2396-50-0x000000013F650000-0x000000013F9A1000-memory.dmp

Filesize
3.3MB

Download
memory/2396-228-0x000000013F650000-0x000000013F9A1000-memory.dmp

Filesize
3.3MB

Download
memory/2404-232-0x000000013FB70000-0x000000013FEC1000-memory.dmp

Filesize
3.3MB

Download
memory/2404-71-0x000000013FB70000-0x000000013FEC1000-memory.dmp

Filesize
3.3MB

Download
memory/2428-109-0x000000013F160000-0x000000013F4B1000-memory.dmp

Filesize
3.3MB

Download
memory/2428-243-0x000000013F160000-0x000000013F4B1000-memory.dmp

Filesize
3.3MB

Download
memory/2496-59-0x000000013F800000-0x000000013FB51000-memory.dmp

Filesize
3.3MB

Download
memory/2496-230-0x000000013F800000-0x000000013FB51000-memory.dmp

Filesize
3.3MB

Download
memory/2560-74-0x000000013FB30000-0x000000013FE81000-memory.dmp

Filesize
3.3MB

Download
memory/2560-206-0x000000013FB30000-0x000000013FE81000-memory.dmp

Filesize
3.3MB

Download
memory/2560-34-0x000000013FB30000-0x000000013FE81000-memory.dmp

Filesize
3.3MB

Download
memory/2764-168-0x000000013F730000-0x000000013FA81000-memory.dmp

Filesize
3.3MB

Download
memory/2764-113-0x000000013F700000-0x000000013FA51000-memory.dmp

Filesize
3.3MB

Download
memory/2764-1-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/2764-145-0x000000013F800000-0x000000013FB51000-memory.dmp

Filesize
3.3MB

Download
memory/2764-148-0x0000000002260000-0x00000000025B1000-memory.dmp

Filesize
3.3MB

Download
memory/2764-12-0x000000013F760000-0x000000013FAB1000-memory.dmp

Filesize
3.3MB

Download
memory/2764-150-0x000000013FB80000-0x000000013FED1000-memory.dmp

Filesize
3.3MB

Download
memory/2764-0-0x000000013FB80000-0x000000013FED1000-memory.dmp

Filesize
3.3MB

Download
memory/2764-41-0x000000013FB80000-0x000000013FED1000-memory.dmp

Filesize
3.3MB

Download
memory/2764-22-0x0000000002260000-0x00000000025B1000-memory.dmp

Filesize
3.3MB

Download
memory/2764-106-0x0000000002260000-0x00000000025B1000-memory.dmp

Filesize
3.3MB

Download
memory/2764-32-0x000000013F4C0000-0x000000013F811000-memory.dmp

Filesize
3.3MB

Download
memory/2764-107-0x000000013F160000-0x000000013F4B1000-memory.dmp

Filesize
3.3MB

Download
memory/2764-75-0x000000013F730000-0x000000013FA81000-memory.dmp

Filesize
3.3MB

Download
memory/2764-58-0x000000013F800000-0x000000013FB51000-memory.dmp

Filesize
3.3MB

Download
memory/2764-69-0x0000000002260000-0x00000000025B1000-memory.dmp

Filesize
3.3MB

Download
memory/2764-176-0x000000013FB80000-0x000000013FED1000-memory.dmp

Filesize
3.3MB

Download
memory/2764-187-0x0000000002260000-0x00000000025B1000-memory.dmp

Filesize
3.3MB

Download
memory/2764-196-0x000000013F700000-0x000000013FA51000-memory.dmp

Filesize
3.3MB

Download
memory/2764-33-0x0000000002260000-0x00000000025B1000-memory.dmp

Filesize
3.3MB

Download
memory/2892-16-0x000000013F760000-0x000000013FAB1000-memory.dmp

Filesize
3.3MB

Download
memory/2892-201-0x000000013F760000-0x000000013FAB1000-memory.dmp

Filesize
3.3MB

Download
memory/2892-51-0x000000013F760000-0x000000013FAB1000-memory.dmp

Filesize
3.3MB

Download
memory/2980-57-0x000000013F340000-0x000000013F691000-memory.dmp

Filesize
3.3MB

Download
memory/2980-203-0x000000013F340000-0x000000013F691000-memory.dmp

Filesize
3.3MB

Download
memory/2980-27-0x000000013F340000-0x000000013F691000-memory.dmp

Filesize
3.3MB

Download
memory/3008-164-0x000000013F610000-0x000000013F961000-memory.dmp

Filesize
3.3MB

Download
memory/3012-42-0x000000013F4C0000-0x000000013F811000-memory.dmp

Filesize
3.3MB

Download
memory/3012-218-0x000000013F4C0000-0x000000013F811000-memory.dmp

Filesize
3.3MB

Download
memory/3012-88-0x000000013F4C0000-0x000000013F811000-memory.dmp

Filesize
3.3MB

Download
memory/3068-38-0x000000013FD40000-0x0000000140091000-memory.dmp

Filesize
3.3MB

Download
memory/3068-214-0x000000013FD40000-0x0000000140091000-memory.dmp

Filesize
3.3MB

Download
memory/3068-77-0x000000013FD40000-0x0000000140091000-memory.dmp

Filesize
3.3MB

Download