xmrig | f1f68b45e8c1fabbb2bed26b3982f91a4eb4dfb9fd204c9cdb05ca3ded0bc6b6

Analysis

max time kernel
134s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
05/06/2024, 19:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-06-05_affd17e18c2d0fc92265133b5c3863f8_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

affd17e18c2d0fc92265133b5c3863f8
SHA1

72321fa247397d2d99202acaf688d3fd54487da4
SHA256

f1f68b45e8c1fabbb2bed26b3982f91a4eb4dfb9fd204c9cdb05ca3ded0bc6b6
SHA512

c4cdff5dd872deba3a830248e898c0eeb3461d5eeff207c461de0e463d36d6d49009fcc17e853cc9149543af8799c7dd7947a54352e4d994991aaa4cae1d4f59
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUu:Q+856utgpPF8u/7u

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

UPX dump on OEP (original entry point) 20 IoCs

resource	yara_rule
behavioral2/files/0x0009000000023400-4.dat	UPX
behavioral2/files/0x0007000000023408-11.dat	UPX
behavioral2/files/0x0007000000023408-18.dat	UPX
behavioral2/files/0x0007000000023409-23.dat	UPX
behavioral2/files/0x000700000002340a-29.dat	UPX
behavioral2/files/0x000700000002340a-30.dat	UPX
behavioral2/files/0x000700000002340b-35.dat	UPX
behavioral2/files/0x000700000002340c-39.dat	UPX
behavioral2/files/0x000700000002340f-59.dat	UPX
behavioral2/files/0x0007000000023411-73.dat	UPX
behavioral2/files/0x000700000002341a-123.dat	UPX
behavioral2/files/0x0007000000023419-119.dat	UPX
behavioral2/files/0x0007000000023416-98.dat	UPX
behavioral2/files/0x0007000000023415-93.dat	UPX
behavioral2/files/0x0007000000023414-87.dat	UPX
behavioral2/files/0x0007000000023413-82.dat	UPX
behavioral2/files/0x000700000002340c-40.dat	UPX
behavioral2/files/0x0007000000023408-17.dat	UPX
behavioral2/files/0x0007000000023407-12.dat	UPX
behavioral2/files/0x0007000000023407-10.dat	UPX

XMRig Miner payload 41 IoCs

miner

resource	yara_rule
behavioral2/memory/3392-0-0x00007FF613480000-0x00007FF6137D4000-memory.dmp	xmrig
behavioral2/files/0x0009000000023400-4.dat	xmrig
behavioral2/files/0x0007000000023408-11.dat	xmrig
behavioral2/files/0x0007000000023408-18.dat	xmrig
behavioral2/files/0x0007000000023409-23.dat	xmrig
behavioral2/memory/2720-26-0x00007FF694BB0000-0x00007FF694F04000-memory.dmp	xmrig
behavioral2/files/0x000700000002340a-29.dat	xmrig
behavioral2/files/0x000700000002340a-30.dat	xmrig
behavioral2/files/0x000700000002340b-35.dat	xmrig
behavioral2/files/0x000700000002340c-39.dat	xmrig
behavioral2/memory/4920-41-0x00007FF7EB7F0000-0x00007FF7EBB44000-memory.dmp	xmrig
behavioral2/memory/3964-44-0x00007FF653070000-0x00007FF6533C4000-memory.dmp	xmrig
behavioral2/memory/3280-47-0x00007FF6059A0000-0x00007FF605CF4000-memory.dmp	xmrig
behavioral2/files/0x000700000002340f-59.dat	xmrig
behavioral2/memory/4544-68-0x00007FF6754B0000-0x00007FF675804000-memory.dmp	xmrig
behavioral2/files/0x0007000000023411-73.dat	xmrig
behavioral2/memory/3668-95-0x00007FF7AFAD0000-0x00007FF7AFE24000-memory.dmp	xmrig
behavioral2/memory/4624-117-0x00007FF7AF100000-0x00007FF7AF454000-memory.dmp	xmrig
behavioral2/memory/1156-124-0x00007FF6ECC00000-0x00007FF6ECF54000-memory.dmp	xmrig
behavioral2/memory/4120-126-0x00007FF7AC220000-0x00007FF7AC574000-memory.dmp	xmrig
behavioral2/memory/1612-125-0x00007FF77D9B0000-0x00007FF77DD04000-memory.dmp	xmrig
behavioral2/files/0x000700000002341a-123.dat	xmrig
behavioral2/files/0x0007000000023419-119.dat	xmrig
behavioral2/memory/1800-109-0x00007FF77E680000-0x00007FF77E9D4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023416-98.dat	xmrig
behavioral2/files/0x0007000000023415-93.dat	xmrig
behavioral2/files/0x0007000000023414-87.dat	xmrig
behavioral2/files/0x0007000000023413-82.dat	xmrig
behavioral2/memory/712-63-0x00007FF709B70000-0x00007FF709EC4000-memory.dmp	xmrig
behavioral2/memory/1152-61-0x00007FF7C8270000-0x00007FF7C85C4000-memory.dmp	xmrig
behavioral2/memory/2792-52-0x00007FF69AB50000-0x00007FF69AEA4000-memory.dmp	xmrig
behavioral2/files/0x000700000002340c-40.dat	xmrig
behavioral2/files/0x0007000000023408-17.dat	xmrig
behavioral2/memory/3124-15-0x00007FF793250000-0x00007FF7935A4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023407-12.dat	xmrig
behavioral2/files/0x0007000000023407-10.dat	xmrig
behavioral2/memory/4996-8-0x00007FF6A4280000-0x00007FF6A45D4000-memory.dmp	xmrig
behavioral2/memory/2720-130-0x00007FF694BB0000-0x00007FF694F04000-memory.dmp	xmrig
behavioral2/memory/3964-132-0x00007FF653070000-0x00007FF6533C4000-memory.dmp	xmrig
behavioral2/memory/4920-131-0x00007FF7EB7F0000-0x00007FF7EBB44000-memory.dmp	xmrig
behavioral2/memory/4120-134-0x00007FF7AC220000-0x00007FF7AC574000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4996	aqBciPS.exe
3124	rUuWMQU.exe
1648	CbrphSs.exe
2720	BgOQFvx.exe
4920	vOuXnyu.exe
3280	EDNohEt.exe
3964	vSNHTXB.exe
2792	NMNuYOp.exe
1152	CnTgrVl.exe
712	FmoIOKG.exe
4544	oIGUwhj.exe
1452	VdkRjqC.exe
1800	pRrwbra.exe
3668	vmtvdsI.exe
2728	kybdDoB.exe
1460	zeuXveV.exe
4624	CJbHyIU.exe
2508	oHtNiAA.exe
1156	GfcfWZp.exe
1612	xlRFCNH.exe
4120	cRSTSCN.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3392-0-0x00007FF613480000-0x00007FF6137D4000-memory.dmp	upx
behavioral2/files/0x0009000000023400-4.dat	upx
behavioral2/files/0x0007000000023408-11.dat	upx
behavioral2/files/0x0007000000023408-18.dat	upx
behavioral2/files/0x0007000000023409-23.dat	upx
behavioral2/files/0x0007000000023409-24.dat	upx
behavioral2/memory/2720-26-0x00007FF694BB0000-0x00007FF694F04000-memory.dmp	upx
behavioral2/files/0x000700000002340a-29.dat	upx
behavioral2/files/0x000700000002340a-30.dat	upx
behavioral2/files/0x000700000002340b-35.dat	upx
behavioral2/files/0x000700000002340c-39.dat	upx
behavioral2/memory/4920-41-0x00007FF7EB7F0000-0x00007FF7EBB44000-memory.dmp	upx
behavioral2/memory/3964-44-0x00007FF653070000-0x00007FF6533C4000-memory.dmp	upx
behavioral2/memory/3280-47-0x00007FF6059A0000-0x00007FF605CF4000-memory.dmp	upx
behavioral2/files/0x000700000002340f-59.dat	upx
behavioral2/memory/4544-68-0x00007FF6754B0000-0x00007FF675804000-memory.dmp	upx
behavioral2/files/0x0007000000023411-73.dat	upx
behavioral2/memory/3668-95-0x00007FF7AFAD0000-0x00007FF7AFE24000-memory.dmp	upx
behavioral2/memory/2728-113-0x00007FF7A1D10000-0x00007FF7A2064000-memory.dmp	upx
behavioral2/memory/4624-117-0x00007FF7AF100000-0x00007FF7AF454000-memory.dmp	upx
behavioral2/memory/1156-124-0x00007FF6ECC00000-0x00007FF6ECF54000-memory.dmp	upx
behavioral2/memory/4120-126-0x00007FF7AC220000-0x00007FF7AC574000-memory.dmp	upx
behavioral2/memory/1612-125-0x00007FF77D9B0000-0x00007FF77DD04000-memory.dmp	upx
behavioral2/files/0x000700000002341a-123.dat	upx
behavioral2/memory/2508-121-0x00007FF79A4D0000-0x00007FF79A824000-memory.dmp	upx
behavioral2/files/0x0007000000023419-119.dat	upx
behavioral2/memory/1800-109-0x00007FF77E680000-0x00007FF77E9D4000-memory.dmp	upx
behavioral2/files/0x0007000000023418-107.dat	upx
behavioral2/memory/3392-105-0x00007FF613480000-0x00007FF6137D4000-memory.dmp	upx
behavioral2/memory/1460-100-0x00007FF7B9A70000-0x00007FF7B9DC4000-memory.dmp	upx
behavioral2/files/0x0007000000023416-98.dat	upx
behavioral2/files/0x0007000000023415-93.dat	upx
behavioral2/files/0x0007000000023414-87.dat	upx
behavioral2/memory/1452-84-0x00007FF65F500000-0x00007FF65F854000-memory.dmp	upx
behavioral2/files/0x0007000000023413-82.dat	upx
behavioral2/memory/712-63-0x00007FF709B70000-0x00007FF709EC4000-memory.dmp	upx
behavioral2/memory/1152-61-0x00007FF7C8270000-0x00007FF7C85C4000-memory.dmp	upx
behavioral2/memory/2792-52-0x00007FF69AB50000-0x00007FF69AEA4000-memory.dmp	upx
behavioral2/files/0x000700000002340c-40.dat	upx
behavioral2/memory/1648-20-0x00007FF6FB160000-0x00007FF6FB4B4000-memory.dmp	upx
behavioral2/files/0x0007000000023408-17.dat	upx
behavioral2/memory/3124-15-0x00007FF793250000-0x00007FF7935A4000-memory.dmp	upx
behavioral2/files/0x0007000000023407-12.dat	upx
behavioral2/files/0x0007000000023407-10.dat	upx
behavioral2/memory/4996-8-0x00007FF6A4280000-0x00007FF6A45D4000-memory.dmp	upx
behavioral2/memory/3124-129-0x00007FF793250000-0x00007FF7935A4000-memory.dmp	upx
behavioral2/memory/2720-130-0x00007FF694BB0000-0x00007FF694F04000-memory.dmp	upx
behavioral2/memory/3964-132-0x00007FF653070000-0x00007FF6533C4000-memory.dmp	upx
behavioral2/memory/4920-131-0x00007FF7EB7F0000-0x00007FF7EBB44000-memory.dmp	upx
behavioral2/memory/4120-134-0x00007FF7AC220000-0x00007FF7AC574000-memory.dmp	upx
behavioral2/memory/1612-133-0x00007FF77D9B0000-0x00007FF77DD04000-memory.dmp	upx
behavioral2/memory/4996-135-0x00007FF6A4280000-0x00007FF6A45D4000-memory.dmp	upx
behavioral2/memory/3124-136-0x00007FF793250000-0x00007FF7935A4000-memory.dmp	upx
behavioral2/memory/1648-137-0x00007FF6FB160000-0x00007FF6FB4B4000-memory.dmp	upx
behavioral2/memory/2720-138-0x00007FF694BB0000-0x00007FF694F04000-memory.dmp	upx
behavioral2/memory/4920-139-0x00007FF7EB7F0000-0x00007FF7EBB44000-memory.dmp	upx
behavioral2/memory/3280-140-0x00007FF6059A0000-0x00007FF605CF4000-memory.dmp	upx
behavioral2/memory/3964-142-0x00007FF653070000-0x00007FF6533C4000-memory.dmp	upx
behavioral2/memory/712-144-0x00007FF709B70000-0x00007FF709EC4000-memory.dmp	upx
behavioral2/memory/1152-143-0x00007FF7C8270000-0x00007FF7C85C4000-memory.dmp	upx
behavioral2/memory/4544-145-0x00007FF6754B0000-0x00007FF675804000-memory.dmp	upx
behavioral2/memory/2792-141-0x00007FF69AB50000-0x00007FF69AEA4000-memory.dmp	upx
behavioral2/memory/1452-146-0x00007FF65F500000-0x00007FF65F854000-memory.dmp	upx
behavioral2/memory/1800-147-0x00007FF77E680000-0x00007FF77E9D4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\EDNohEt.exe	2024-06-05_affd17e18c2d0fc92265133b5c3863f8_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\CJbHyIU.exe	2024-06-05_affd17e18c2d0fc92265133b5c3863f8_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\oIGUwhj.exe	2024-06-05_affd17e18c2d0fc92265133b5c3863f8_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\VdkRjqC.exe	2024-06-05_affd17e18c2d0fc92265133b5c3863f8_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\pRrwbra.exe	2024-06-05_affd17e18c2d0fc92265133b5c3863f8_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\kybdDoB.exe	2024-06-05_affd17e18c2d0fc92265133b5c3863f8_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\aqBciPS.exe	2024-06-05_affd17e18c2d0fc92265133b5c3863f8_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\rUuWMQU.exe	2024-06-05_affd17e18c2d0fc92265133b5c3863f8_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\NMNuYOp.exe	2024-06-05_affd17e18c2d0fc92265133b5c3863f8_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\CnTgrVl.exe	2024-06-05_affd17e18c2d0fc92265133b5c3863f8_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\CbrphSs.exe	2024-06-05_affd17e18c2d0fc92265133b5c3863f8_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\BgOQFvx.exe	2024-06-05_affd17e18c2d0fc92265133b5c3863f8_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\zeuXveV.exe	2024-06-05_affd17e18c2d0fc92265133b5c3863f8_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\oHtNiAA.exe	2024-06-05_affd17e18c2d0fc92265133b5c3863f8_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\GfcfWZp.exe	2024-06-05_affd17e18c2d0fc92265133b5c3863f8_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\xlRFCNH.exe	2024-06-05_affd17e18c2d0fc92265133b5c3863f8_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\cRSTSCN.exe	2024-06-05_affd17e18c2d0fc92265133b5c3863f8_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\vOuXnyu.exe	2024-06-05_affd17e18c2d0fc92265133b5c3863f8_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\vSNHTXB.exe	2024-06-05_affd17e18c2d0fc92265133b5c3863f8_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\FmoIOKG.exe	2024-06-05_affd17e18c2d0fc92265133b5c3863f8_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\vmtvdsI.exe	2024-06-05_affd17e18c2d0fc92265133b5c3863f8_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3392	2024-06-05_affd17e18c2d0fc92265133b5c3863f8_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	3392	2024-06-05_affd17e18c2d0fc92265133b5c3863f8_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3392 wrote to memory of 4996	3392	2024-06-05_affd17e18c2d0fc92265133b5c3863f8_cobalt-strike_cobaltstrike.exe	84
PID 3392 wrote to memory of 4996	3392	2024-06-05_affd17e18c2d0fc92265133b5c3863f8_cobalt-strike_cobaltstrike.exe	84
PID 3392 wrote to memory of 3124	3392	2024-06-05_affd17e18c2d0fc92265133b5c3863f8_cobalt-strike_cobaltstrike.exe	85
PID 3392 wrote to memory of 3124	3392	2024-06-05_affd17e18c2d0fc92265133b5c3863f8_cobalt-strike_cobaltstrike.exe	85
PID 3392 wrote to memory of 1648	3392	2024-06-05_affd17e18c2d0fc92265133b5c3863f8_cobalt-strike_cobaltstrike.exe	87
PID 3392 wrote to memory of 1648	3392	2024-06-05_affd17e18c2d0fc92265133b5c3863f8_cobalt-strike_cobaltstrike.exe	87
PID 3392 wrote to memory of 2720	3392	2024-06-05_affd17e18c2d0fc92265133b5c3863f8_cobalt-strike_cobaltstrike.exe	88
PID 3392 wrote to memory of 2720	3392	2024-06-05_affd17e18c2d0fc92265133b5c3863f8_cobalt-strike_cobaltstrike.exe	88
PID 3392 wrote to memory of 4920	3392	2024-06-05_affd17e18c2d0fc92265133b5c3863f8_cobalt-strike_cobaltstrike.exe	89
PID 3392 wrote to memory of 4920	3392	2024-06-05_affd17e18c2d0fc92265133b5c3863f8_cobalt-strike_cobaltstrike.exe	89
PID 3392 wrote to memory of 3280	3392	2024-06-05_affd17e18c2d0fc92265133b5c3863f8_cobalt-strike_cobaltstrike.exe	90
PID 3392 wrote to memory of 3280	3392	2024-06-05_affd17e18c2d0fc92265133b5c3863f8_cobalt-strike_cobaltstrike.exe	90
PID 3392 wrote to memory of 3964	3392	2024-06-05_affd17e18c2d0fc92265133b5c3863f8_cobalt-strike_cobaltstrike.exe	91
PID 3392 wrote to memory of 3964	3392	2024-06-05_affd17e18c2d0fc92265133b5c3863f8_cobalt-strike_cobaltstrike.exe	91
PID 3392 wrote to memory of 2792	3392	2024-06-05_affd17e18c2d0fc92265133b5c3863f8_cobalt-strike_cobaltstrike.exe	92
PID 3392 wrote to memory of 2792	3392	2024-06-05_affd17e18c2d0fc92265133b5c3863f8_cobalt-strike_cobaltstrike.exe	92
PID 3392 wrote to memory of 1152	3392	2024-06-05_affd17e18c2d0fc92265133b5c3863f8_cobalt-strike_cobaltstrike.exe	93
PID 3392 wrote to memory of 1152	3392	2024-06-05_affd17e18c2d0fc92265133b5c3863f8_cobalt-strike_cobaltstrike.exe	93
PID 3392 wrote to memory of 712	3392	2024-06-05_affd17e18c2d0fc92265133b5c3863f8_cobalt-strike_cobaltstrike.exe	94
PID 3392 wrote to memory of 712	3392	2024-06-05_affd17e18c2d0fc92265133b5c3863f8_cobalt-strike_cobaltstrike.exe	94
PID 3392 wrote to memory of 4544	3392	2024-06-05_affd17e18c2d0fc92265133b5c3863f8_cobalt-strike_cobaltstrike.exe	95
PID 3392 wrote to memory of 4544	3392	2024-06-05_affd17e18c2d0fc92265133b5c3863f8_cobalt-strike_cobaltstrike.exe	95
PID 3392 wrote to memory of 1452	3392	2024-06-05_affd17e18c2d0fc92265133b5c3863f8_cobalt-strike_cobaltstrike.exe	96
PID 3392 wrote to memory of 1452	3392	2024-06-05_affd17e18c2d0fc92265133b5c3863f8_cobalt-strike_cobaltstrike.exe	96
PID 3392 wrote to memory of 1800	3392	2024-06-05_affd17e18c2d0fc92265133b5c3863f8_cobalt-strike_cobaltstrike.exe	97
PID 3392 wrote to memory of 1800	3392	2024-06-05_affd17e18c2d0fc92265133b5c3863f8_cobalt-strike_cobaltstrike.exe	97
PID 3392 wrote to memory of 3668	3392	2024-06-05_affd17e18c2d0fc92265133b5c3863f8_cobalt-strike_cobaltstrike.exe	98
PID 3392 wrote to memory of 3668	3392	2024-06-05_affd17e18c2d0fc92265133b5c3863f8_cobalt-strike_cobaltstrike.exe	98
PID 3392 wrote to memory of 2728	3392	2024-06-05_affd17e18c2d0fc92265133b5c3863f8_cobalt-strike_cobaltstrike.exe	99
PID 3392 wrote to memory of 2728	3392	2024-06-05_affd17e18c2d0fc92265133b5c3863f8_cobalt-strike_cobaltstrike.exe	99
PID 3392 wrote to memory of 1460	3392	2024-06-05_affd17e18c2d0fc92265133b5c3863f8_cobalt-strike_cobaltstrike.exe	100
PID 3392 wrote to memory of 1460	3392	2024-06-05_affd17e18c2d0fc92265133b5c3863f8_cobalt-strike_cobaltstrike.exe	100
PID 3392 wrote to memory of 4624	3392	2024-06-05_affd17e18c2d0fc92265133b5c3863f8_cobalt-strike_cobaltstrike.exe	101
PID 3392 wrote to memory of 4624	3392	2024-06-05_affd17e18c2d0fc92265133b5c3863f8_cobalt-strike_cobaltstrike.exe	101
PID 3392 wrote to memory of 2508	3392	2024-06-05_affd17e18c2d0fc92265133b5c3863f8_cobalt-strike_cobaltstrike.exe	102
PID 3392 wrote to memory of 2508	3392	2024-06-05_affd17e18c2d0fc92265133b5c3863f8_cobalt-strike_cobaltstrike.exe	102
PID 3392 wrote to memory of 1156	3392	2024-06-05_affd17e18c2d0fc92265133b5c3863f8_cobalt-strike_cobaltstrike.exe	103
PID 3392 wrote to memory of 1156	3392	2024-06-05_affd17e18c2d0fc92265133b5c3863f8_cobalt-strike_cobaltstrike.exe	103
PID 3392 wrote to memory of 1612	3392	2024-06-05_affd17e18c2d0fc92265133b5c3863f8_cobalt-strike_cobaltstrike.exe	104
PID 3392 wrote to memory of 1612	3392	2024-06-05_affd17e18c2d0fc92265133b5c3863f8_cobalt-strike_cobaltstrike.exe	104
PID 3392 wrote to memory of 4120	3392	2024-06-05_affd17e18c2d0fc92265133b5c3863f8_cobalt-strike_cobaltstrike.exe	105
PID 3392 wrote to memory of 4120	3392	2024-06-05_affd17e18c2d0fc92265133b5c3863f8_cobalt-strike_cobaltstrike.exe	105

C:\Users\Admin\AppData\Local\Temp\2024-06-05_affd17e18c2d0fc92265133b5c3863f8_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-05_affd17e18c2d0fc92265133b5c3863f8_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3392
- C:\Windows\System\aqBciPS.exe
  C:\Windows\System\aqBciPS.exe
  2⤵
  - Executes dropped EXE
  PID:4996
- C:\Windows\System\rUuWMQU.exe
  C:\Windows\System\rUuWMQU.exe
  2⤵
  - Executes dropped EXE
  PID:3124
- C:\Windows\System\CbrphSs.exe
  C:\Windows\System\CbrphSs.exe
  2⤵
  - Executes dropped EXE
  PID:1648
- C:\Windows\System\BgOQFvx.exe
  C:\Windows\System\BgOQFvx.exe
  2⤵
  - Executes dropped EXE
  PID:2720
- C:\Windows\System\vOuXnyu.exe
  C:\Windows\System\vOuXnyu.exe
  2⤵
  - Executes dropped EXE
  PID:4920
- C:\Windows\System\EDNohEt.exe
  C:\Windows\System\EDNohEt.exe
  2⤵
  - Executes dropped EXE
  PID:3280
- C:\Windows\System\vSNHTXB.exe
  C:\Windows\System\vSNHTXB.exe
  2⤵
  - Executes dropped EXE
  PID:3964
- C:\Windows\System\NMNuYOp.exe
  C:\Windows\System\NMNuYOp.exe
  2⤵
  - Executes dropped EXE
  PID:2792
- C:\Windows\System\CnTgrVl.exe
  C:\Windows\System\CnTgrVl.exe
  2⤵
  - Executes dropped EXE
  PID:1152
- C:\Windows\System\FmoIOKG.exe
  C:\Windows\System\FmoIOKG.exe
  2⤵
  - Executes dropped EXE
  PID:712
- C:\Windows\System\oIGUwhj.exe
  C:\Windows\System\oIGUwhj.exe
  2⤵
  - Executes dropped EXE
  PID:4544
- C:\Windows\System\VdkRjqC.exe
  C:\Windows\System\VdkRjqC.exe
  2⤵
  - Executes dropped EXE
  PID:1452
- C:\Windows\System\pRrwbra.exe
  C:\Windows\System\pRrwbra.exe
  2⤵
  - Executes dropped EXE
  PID:1800
- C:\Windows\System\vmtvdsI.exe
  C:\Windows\System\vmtvdsI.exe
  2⤵
  - Executes dropped EXE
  PID:3668
- C:\Windows\System\kybdDoB.exe
  C:\Windows\System\kybdDoB.exe
  2⤵
  - Executes dropped EXE
  PID:2728
- C:\Windows\System\zeuXveV.exe
  C:\Windows\System\zeuXveV.exe
  2⤵
  - Executes dropped EXE
  PID:1460
- C:\Windows\System\CJbHyIU.exe
  C:\Windows\System\CJbHyIU.exe
  2⤵
  - Executes dropped EXE
  PID:4624
- C:\Windows\System\oHtNiAA.exe
  C:\Windows\System\oHtNiAA.exe
  2⤵
  - Executes dropped EXE
  PID:2508
- C:\Windows\System\GfcfWZp.exe
  C:\Windows\System\GfcfWZp.exe
  2⤵
  - Executes dropped EXE
  PID:1156
- C:\Windows\System\xlRFCNH.exe
  C:\Windows\System\xlRFCNH.exe
  2⤵
  - Executes dropped EXE
  PID:1612
- C:\Windows\System\cRSTSCN.exe
  C:\Windows\System\cRSTSCN.exe
  2⤵
  - Executes dropped EXE
  PID:4120

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BgOQFvx.exe

Filesize
1.2MB

MD5
3ed5a609fc99609f477b127cb1075f8e

SHA1
efbe9eae011603d0818e0ea87d848f4505a8ca00

SHA256
f5c7ed548f4ba98079252e02c14f981d3b1b5468313f0be262b25ccc06a1f939

SHA512
adf3c7526c8d008f32ef1391728203330e532d5ab3157f9a2a7fe21b8a1324527c1ba05f5b2198a9d7b1cc621dddfe091207ec334b309442cd5608fc15d0fd18

Download Submit
C:\Windows\System\BgOQFvx.exe

Filesize
448KB

MD5
0642442db4acbbfb6037e06789624264

SHA1
923aee440a6887c7a7a8a78085aa492b2cdcee65

SHA256
5d6249e3d37c32c515e6f20e0771180c7b51c791102dfffe39e4510d623eda85

SHA512
7fc8231c299b64743a966130c519362217b11d421c0ccc65ca7c97570221449b6e5bd90caefa97b416470db36fac07c3f48ea41836b395ab190e6121598e88a1

Download Submit
C:\Windows\System\CJbHyIU.exe

Filesize
1.6MB

MD5
f6ff4c79fa50312984b28acf9df8b485

SHA1
ea8c94c5fb7d5a222208954414bff59a1f492384

SHA256
501f88a21bb09f2dc11708c01cf07a26cdfce7ccb8ec833482e3aa37d1b894b7

SHA512
946e73dcdcd0c4b17379f0ad152b580506f42a00e5c5e85896476fb36345c4fc3d897474ec8e9c8ef85050e7c174d2c64c8c10475bb748200de9f548eb0ceb9c

Download Submit
C:\Windows\System\CbrphSs.exe

Filesize
1.9MB

MD5
ca2c8fc23ac2c4dd58545d16927e5bef

SHA1
b94b35150eb75787af3ce6aea401e04f2ec70fc4

SHA256
51b2f421412d1c153d42b830056e97b87fc530680dc92b4e38ffc670147a2fef

SHA512
1d2438ad0849ebaa3adb73c2fd279bcc7d191070217788022edef321689dfafee2b67a7644710d778788f25a062e16a16f37020f5aabaf59a89fd5b4e304a9ce

Download Submit
C:\Windows\System\CbrphSs.exe

Filesize
1024KB

MD5
aa84df2aa4d3e405cfa711ea45f76832

SHA1
f9d4c6b07df318263e7c10c93fe5aee7c1ed449f

SHA256
35f254698cefc343a5afa8e1f4afbd2f4e15c9dea7be1bc9d3cdc9a25b594ef4

SHA512
40f8b842b8711e2a819c83c44eea2c12af01ba9972546d0cb7e21121b875f8bed7da028e78b61c94b16de95a951cf536d7b2db14fba809cc0242849570fa0f9d

Download Submit
C:\Windows\System\CbrphSs.exe

Filesize
1.7MB

MD5
170dd624fc04fc3839f9c4b66a089ce7

SHA1
689050489367e9d7989856de58d7dae4b3e867bb

SHA256
2882c9c886d8464419d873a9064b43411cb65ebce3e3928914a03cf014d51b3b

SHA512
6c2577b1133dc0e707ddd0582933138a814bc91876e45b902c1ce646d61afa9efa2788e7db3f897838eebb25c1faa4d564ec0bef69844aab72cc22ec6531ab9a

Download Submit
C:\Windows\System\EDNohEt.exe

Filesize
1.8MB

MD5
c665d55523745ebd550a2c4296ad8ec9

SHA1
43f72a8e93454ded742dbec7a7c84f59cb0d6520

SHA256
4ce197747d9fbeeec8496c26db012627d7ce7e6aa1a732a7c731d6ef8431204b

SHA512
57b316ce017c765c9f224c8ed85aafffadf3e3509d0b9d8b28c09b7a506bf84dd5216ab3d5048ad1f637628cef7585aca82701224766df2dd48aff33618c1454

Download Submit
C:\Windows\System\FmoIOKG.exe

Filesize
1.4MB

MD5
d97939e7759d9307f9eaf0d8918eba95

SHA1
12c61fef52f0fd06026becd4921bdb4f54b880b5

SHA256
c2a8fd656ce934ba0938d6b9d21954c48c0b2661eda466f5c4e9be62e4c2f657

SHA512
29000522b29d463094669a814e5ab09084f3920f905f01bb0c9ca85deb9c75d2cf18f8b81d5ac7b82427975dd12de0dac245946fcf8aba34f067f41d3147fb6f

Download Submit
C:\Windows\System\GfcfWZp.exe

Filesize
576KB

MD5
2b325ba998218e1724cf0adeb30ee980

SHA1
91c91f972b93ca21c02dbae5cc375d4e1212c0a0

SHA256
3b509ef9edb2905d68e114a86a101a00bf7ea4fa51d16ade0566e14bca5a50a9

SHA512
d7398cce9bbdb945487f66d7ab2c5fc7624933379c2058d1b197daa7f380b66de5a2145bdf0033355e795b1072c67b0031b7045307d04119888457779d707df5

Download Submit
C:\Windows\System\VdkRjqC.exe

Filesize
1.6MB

MD5
1d3a027708a48a3c73a911f7d1532fca

SHA1
f960fd40bf0cf951600c386a6a9501a01e54ab51

SHA256
f4e703d98029a56b7200ca63aefb85a455d5792cd9407b54a0dc1c4762419eda

SHA512
4c0f2e25c98d407f27d4b0d85d2fe06ea754e657bc939feb907f00109c3d9db11707e7ca2d3e02171201afd527ee2b1673e434c274c030dde555dbb27b53e539

Download Submit
C:\Windows\System\aqBciPS.exe

Filesize
2.1MB

MD5
2543c4760bd9af7f70b7834411ab61af

SHA1
ed963cb76a076b222f6cdae99e8563d4444f6351

SHA256
c5992c95fef0e281d0ce0d741b02048e13663a833b3e0a3351e4871cc0042001

SHA512
37d8c491a184de94728c08add4a199f5cd8ae60d7cd02c39ad185a2859dd5e731e72c9b8cd0fd70525b0b413284ba12790037144a49d111203eb80cb9afcba56

Download Submit
C:\Windows\System\aqBciPS.exe

Filesize
2.2MB

MD5
793d9918288b75a71d1ea73538325744

SHA1
b6b4f37b73c0017168a72257085e8ff3f8116dde

SHA256
2a28a5f47a1b9f038db60f0db42a3e2739bccce2f6d6851e3fb16ea9022858ab

SHA512
0d06da43a2ebec4e6b41ba3b888fdb95660bd17715e9d4665d15f15e201b0e2b4eca12e76ad4bb43220a19bb52bcfcda912c6295e4fea8f8f8f3c04ff10f1410

Download Submit
C:\Windows\System\cRSTSCN.exe

Filesize
1.2MB

MD5
711965c0ed770375b388ea9b5ea57c70

SHA1
21f7ffc0c96b29ee6bc8176dc97f6fd049d110a2

SHA256
c07d701eb04ab4f8699484a3bd23da869373ffe5abb89855dad47bf019625666

SHA512
1805d8628649a043140bc3aafe1e7909e2e2c4d13967ba772fc49046b58f359c9204953c678c902e0a7afe7ca922f35fcfea6266309db91efb45c72ff619c428

Download Submit
C:\Windows\System\kybdDoB.exe

Filesize
1.4MB

MD5
24258baaef0362f49034eb848bacbd57

SHA1
fe4ab6d21eb84e440b2c8756d55219a5180e8fbf

SHA256
79b41b5d40ccd14e269700bfaf44348d53eb7c7fb73b0e8da1ff9ac44fbc1650

SHA512
d33321b7a54fed7519d1a2b4aba32c1416896a7e02e3f26a053abae2e387ffd490462a910d468a53445196d1dbfaab44416526ed274bba5738419ce871fa091a

Download Submit
C:\Windows\System\rUuWMQU.exe

Filesize
1.9MB

MD5
6aabe2e748cee6d07f24c026461cb48a

SHA1
fe435ec8690de5aed611e8b6e996882f126c4bb9

SHA256
551c2573568f6ad35d10f80b58ca4997f5dba80ae615fb3a522cbfb755fa022a

SHA512
13d999d941baed2473792d915bae6ed172cd29ce935c44fff65629b650c371ebe29b735b83455a9a37b0fdfa4912df807a91d4e5572cd52076bb1f8b14ed1cf5

Download Submit
C:\Windows\System\rUuWMQU.exe

Filesize
1.8MB

MD5
36b4afb6360e03e362f62a58a7fb0fdd

SHA1
b45fa7ad416feeded83a1fd2f3ba2ea378aa74a9

SHA256
fc3d5aa25191993f9d325a5dd19224e9680b98b98eecf85efe0ebba49e024cab

SHA512
c686fc875550fc09d86559ed465f6c8840ccfff94b32765bfc3843c68287d2612a502ecf750aa031133d64f320bd5a8dc21866f2b1f2c0b221ba119a67b85490

Download Submit
C:\Windows\System\vOuXnyu.exe

Filesize
1.6MB

MD5
406e15fbce10811301a9a6bd94182927

SHA1
1ee02793d985d25b88c92af5bc12644dd749f3e8

SHA256
0a9cf5785bc9fb8804d531938855a70c0cb0166ded43eaccbadce39afca20a04

SHA512
4c4a794a951c9b94e2eed96a3f1631682e86a7de718bea4bea375230cb4e37a7ea8cfe7a554584f72386f49743bf7669333e064e82deeaca3bdb653734b1268c

Download Submit
C:\Windows\System\vOuXnyu.exe

Filesize
1.6MB

MD5
327dd6244bc5f8a28d919977455d4a3a

SHA1
1227318bb74fac692f09688ef46f2e1fdc4688df

SHA256
7f87235e9ff264ea8e583dd5846e8ce41e0a86ad67d01a118f2f4135dcd49070

SHA512
710348371b5f71434f9bb302cc0513d9765052911ad10a69fe54633ca83755ccf7c1d0790bf348b05758afe35b97ff25f18d6c09faf8d5a0dcfe7d97235f0ffb

Download Submit
C:\Windows\System\vSNHTXB.exe

Filesize
1.4MB

MD5
0003cb25d8e5fcf51d1ea8407b9410fc

SHA1
fc0940ac8a56e45a19f31c325aba00f814dae439

SHA256
f5fa7230c7358dee6dd18f92cbc76b430b9f4ae3743c5a87ae43ab57b0f17dc2

SHA512
3e0a7f0919968a398f15d36d7bf5f20d80e4d21e13f2a12bc61387d700f7223beda84fce19bb9725494efe691fdd480b4475f6cce34df5d279cf37a6a2663e87

Download Submit
C:\Windows\System\vSNHTXB.exe

Filesize
1.6MB

MD5
dbe2d7f85ad3c7bd4959ade13f28f2bc

SHA1
414247da48cdae2216e40865267459dacfaff411

SHA256
878fbdca84cef8c0f59ac51449403284dc3c36b09573c40146f9d21da44c2b30

SHA512
aaf0dd1d7425ceaea102a24c731f9e94bdf5585534ddce81ecd97029a45491655eaa5f947433d4901e9a3749dce685f7ba744681aaa2a446684fc317ea904a77

Download Submit
C:\Windows\System\vmtvdsI.exe

Filesize
1.1MB

MD5
77d342e094e8c44945c30e252052d3d2

SHA1
435f0c0262bb1a2bffb37aaf3aeda05c0fbd192c

SHA256
f9ebbeda584af64f32074540277bff106e7c51261de49027473f6fa1ffb39b0d

SHA512
311c6b08bf25770a5feda8a4c7c7c86131304872a10de66d43488b290bc56c97d6306256cfd35a6a6417e099fe0e2b7b2e28aae79b8f1ff05d8a7b9846681f6f

Download Submit
C:\Windows\System\xlRFCNH.exe

Filesize
1.1MB

MD5
3c90c2f250bb2f2a0b2b0d84a76d90b6

SHA1
592a1c403bcca9367301fdd6d0053ffa966d8139

SHA256
e9b77f7f68ca67c5dc06c5e8b359f5015816a8801f1224c2364438564dc0400b

SHA512
977c97219518fa48470c706578f56d23105ee7200ba44a555f72794ca4a9281e65da64b5957db1f96a5505e08bf9e5880f1f0c0b5ddb70d27e7596c5d32ddac0

Download Submit
C:\Windows\System\zeuXveV.exe

Filesize
1.6MB

MD5
2c29c56557704a5af675ac862b6acadc

SHA1
8095e9a472d534a6ef5dc3ab384273149ae12d48

SHA256
ad78076137bb51fd4326f7a646d70c5d984effb3c1176184b92e2481afe8ee9d

SHA512
f76c7cafe7089612bd2c5136e03dfbe423618b3b68e64692820e5dfa2eb3d816fbca1bfa4bd5be14823ba5172f77c777b526463c4d46646574bc76ae1535f049

Download Submit
memory/712-144-0x00007FF709B70000-0x00007FF709EC4000-memory.dmp

Filesize
3.3MB

Download
memory/712-63-0x00007FF709B70000-0x00007FF709EC4000-memory.dmp

Filesize
3.3MB

Download
memory/1152-143-0x00007FF7C8270000-0x00007FF7C85C4000-memory.dmp

Filesize
3.3MB

Download
memory/1152-61-0x00007FF7C8270000-0x00007FF7C85C4000-memory.dmp

Filesize
3.3MB

Download
memory/1156-124-0x00007FF6ECC00000-0x00007FF6ECF54000-memory.dmp

Filesize
3.3MB

Download
memory/1156-153-0x00007FF6ECC00000-0x00007FF6ECF54000-memory.dmp

Filesize
3.3MB

Download
memory/1452-84-0x00007FF65F500000-0x00007FF65F854000-memory.dmp

Filesize
3.3MB

Download
memory/1452-146-0x00007FF65F500000-0x00007FF65F854000-memory.dmp

Filesize
3.3MB

Download
memory/1460-149-0x00007FF7B9A70000-0x00007FF7B9DC4000-memory.dmp

Filesize
3.3MB

Download
memory/1460-100-0x00007FF7B9A70000-0x00007FF7B9DC4000-memory.dmp

Filesize
3.3MB

Download
memory/1612-125-0x00007FF77D9B0000-0x00007FF77DD04000-memory.dmp

Filesize
3.3MB

Download
memory/1612-133-0x00007FF77D9B0000-0x00007FF77DD04000-memory.dmp

Filesize
3.3MB

Download
memory/1612-155-0x00007FF77D9B0000-0x00007FF77DD04000-memory.dmp

Filesize
3.3MB

Download
memory/1648-137-0x00007FF6FB160000-0x00007FF6FB4B4000-memory.dmp

Filesize
3.3MB

Download
memory/1648-20-0x00007FF6FB160000-0x00007FF6FB4B4000-memory.dmp

Filesize
3.3MB

Download
memory/1800-109-0x00007FF77E680000-0x00007FF77E9D4000-memory.dmp

Filesize
3.3MB

Download
memory/1800-147-0x00007FF77E680000-0x00007FF77E9D4000-memory.dmp

Filesize
3.3MB

Download
memory/2508-152-0x00007FF79A4D0000-0x00007FF79A824000-memory.dmp

Filesize
3.3MB

Download
memory/2508-121-0x00007FF79A4D0000-0x00007FF79A824000-memory.dmp

Filesize
3.3MB

Download
memory/2720-26-0x00007FF694BB0000-0x00007FF694F04000-memory.dmp

Filesize
3.3MB

Download
memory/2720-138-0x00007FF694BB0000-0x00007FF694F04000-memory.dmp

Filesize
3.3MB

Download
memory/2720-130-0x00007FF694BB0000-0x00007FF694F04000-memory.dmp

Filesize
3.3MB

Download
memory/2728-113-0x00007FF7A1D10000-0x00007FF7A2064000-memory.dmp

Filesize
3.3MB

Download
memory/2728-150-0x00007FF7A1D10000-0x00007FF7A2064000-memory.dmp

Filesize
3.3MB

Download
memory/2792-52-0x00007FF69AB50000-0x00007FF69AEA4000-memory.dmp

Filesize
3.3MB

Download
memory/2792-141-0x00007FF69AB50000-0x00007FF69AEA4000-memory.dmp

Filesize
3.3MB

Download
memory/3124-136-0x00007FF793250000-0x00007FF7935A4000-memory.dmp

Filesize
3.3MB

Download
memory/3124-129-0x00007FF793250000-0x00007FF7935A4000-memory.dmp

Filesize
3.3MB

Download
memory/3124-15-0x00007FF793250000-0x00007FF7935A4000-memory.dmp

Filesize
3.3MB

Download
memory/3280-47-0x00007FF6059A0000-0x00007FF605CF4000-memory.dmp

Filesize
3.3MB

Download
memory/3280-140-0x00007FF6059A0000-0x00007FF605CF4000-memory.dmp

Filesize
3.3MB

Download
memory/3392-105-0x00007FF613480000-0x00007FF6137D4000-memory.dmp

Filesize
3.3MB

Download
memory/3392-0-0x00007FF613480000-0x00007FF6137D4000-memory.dmp

Filesize
3.3MB

Download
memory/3392-1-0x000001FC63D90000-0x000001FC63DA0000-memory.dmp

Filesize
64KB

Download
memory/3668-95-0x00007FF7AFAD0000-0x00007FF7AFE24000-memory.dmp

Filesize
3.3MB

Download
memory/3668-148-0x00007FF7AFAD0000-0x00007FF7AFE24000-memory.dmp

Filesize
3.3MB

Download
memory/3964-142-0x00007FF653070000-0x00007FF6533C4000-memory.dmp

Filesize
3.3MB

Download
memory/3964-44-0x00007FF653070000-0x00007FF6533C4000-memory.dmp

Filesize
3.3MB

Download
memory/3964-132-0x00007FF653070000-0x00007FF6533C4000-memory.dmp

Filesize
3.3MB

Download
memory/4120-154-0x00007FF7AC220000-0x00007FF7AC574000-memory.dmp

Filesize
3.3MB

Download
memory/4120-126-0x00007FF7AC220000-0x00007FF7AC574000-memory.dmp

Filesize
3.3MB

Download
memory/4120-134-0x00007FF7AC220000-0x00007FF7AC574000-memory.dmp

Filesize
3.3MB

Download
memory/4544-145-0x00007FF6754B0000-0x00007FF675804000-memory.dmp

Filesize
3.3MB

Download
memory/4544-68-0x00007FF6754B0000-0x00007FF675804000-memory.dmp

Filesize
3.3MB

Download
memory/4624-117-0x00007FF7AF100000-0x00007FF7AF454000-memory.dmp

Filesize
3.3MB

Download
memory/4624-151-0x00007FF7AF100000-0x00007FF7AF454000-memory.dmp

Filesize
3.3MB

Download
memory/4920-131-0x00007FF7EB7F0000-0x00007FF7EBB44000-memory.dmp

Filesize
3.3MB

Download
memory/4920-139-0x00007FF7EB7F0000-0x00007FF7EBB44000-memory.dmp

Filesize
3.3MB

Download
memory/4920-41-0x00007FF7EB7F0000-0x00007FF7EBB44000-memory.dmp

Filesize
3.3MB

Download
memory/4996-8-0x00007FF6A4280000-0x00007FF6A45D4000-memory.dmp

Filesize
3.3MB

Download
memory/4996-135-0x00007FF6A4280000-0x00007FF6A45D4000-memory.dmp

Filesize
3.3MB

Download