xmrig | 498a563a0f11daf349933479fc6b2fe66ac957a431b46231f44b555d4d18c238

Analysis

max time kernel
136s
max time network
157s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
06/06/2024, 00:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

34f65d2b240e6dab1ac7d9e9db6b85b1
SHA1

eb1a14ab07bd35941c7f89b09420a99d207d3c88
SHA256

498a563a0f11daf349933479fc6b2fe66ac957a431b46231f44b555d4d18c238
SHA512

2cd0e8715adb9e996179174d9b0992269f7a74b2cafdcbcd39dcc3bebb904f6874f09a14167761bc0de781d71a84a8308fc3548e62afeae59a7e23d917fe3505
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUn:Q+856utgpPF8u/7n

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

UPX dump on OEP (original entry point) 4 IoCs

resource	yara_rule
behavioral1/memory/1820-129-0x000000013F110000-0x000000013F464000-memory.dmp	UPX
behavioral1/memory/2816-131-0x000000013F610000-0x000000013F964000-memory.dmp	UPX
behavioral1/files/0x0006000000016a9a-106.dat	UPX
behavioral1/files/0x002e000000015653-42.dat	UPX

XMRig Miner payload 6 IoCs

miner

resource	yara_rule
behavioral1/memory/2240-0-0x000000013F0D0000-0x000000013F424000-memory.dmp	xmrig
behavioral1/memory/1820-129-0x000000013F110000-0x000000013F464000-memory.dmp	xmrig
behavioral1/memory/2816-131-0x000000013F610000-0x000000013F964000-memory.dmp	xmrig
behavioral1/files/0x0006000000016a9a-106.dat	xmrig
behavioral1/memory/2020-52-0x000000013FBD0000-0x000000013FF24000-memory.dmp	xmrig
behavioral1/files/0x002e000000015653-42.dat	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2632	KVudNkc.exe
2572	GHHZWBb.exe
2596	jyPjONa.exe
2568	HtxCCml.exe
2184	yjcsLzy.exe
2708	inTmuHt.exe
2484	LcmuFIk.exe
2020	ToCWlVb.exe
3024	kFBatxN.exe
1820	mIysSvo.exe
2816	UgVWtDr.exe
2904	cjjkxXC.exe
2664	GrAURwK.exe
2508	lcWmNtd.exe
2496	bukZvhk.exe
2652	ldtNPdF.exe
2648	VjosAfq.exe
2628	lxeBJNz.exe
3056	KqqcHnu.exe
2504	rGlrrDP.exe
2676	ZkLMwNB.exe

Loads dropped DLL 21 IoCs

pid	Process
2240	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe
2240	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe
2240	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe
2240	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe
2240	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe
2240	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe
2240	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe
2240	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe
2240	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe
2240	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe
2240	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe
2240	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe
2240	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe
2240	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe
2240	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe
2240	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe
2240	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe
2240	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe
2240	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe
2240	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe
2240	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe

UPX packed file 34 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2240-0-0x000000013F0D0000-0x000000013F424000-memory.dmp	upx
behavioral1/files/0x000c000000014b27-5.dat	upx
behavioral1/memory/2632-13-0x000000013F0C0000-0x000000013F414000-memory.dmp	upx
behavioral1/files/0x002e00000001508a-12.dat	upx
behavioral1/files/0x0007000000015be6-28.dat	upx
behavioral1/memory/2568-35-0x000000013F1A0000-0x000000013F4F4000-memory.dmp	upx
behavioral1/memory/2184-38-0x000000013F860000-0x000000013FBB4000-memory.dmp	upx
behavioral1/memory/2708-45-0x000000013FE50000-0x00000001401A4000-memory.dmp	upx
behavioral1/memory/2484-48-0x000000013FA60000-0x000000013FDB4000-memory.dmp	upx
behavioral1/memory/3024-102-0x000000013F2A0000-0x000000013F5F4000-memory.dmp	upx
behavioral1/memory/1820-129-0x000000013F110000-0x000000013F464000-memory.dmp	upx
behavioral1/files/0x0006000000016a9a-125.dat	upx
behavioral1/memory/2816-131-0x000000013F610000-0x000000013F964000-memory.dmp	upx
behavioral1/files/0x0006000000016a9a-106.dat	upx
behavioral1/files/0x0006000000015e3a-81.dat	upx
behavioral1/memory/2020-52-0x000000013FBD0000-0x000000013FF24000-memory.dmp	upx
behavioral1/files/0x002e000000015653-42.dat	upx
behavioral1/memory/2596-29-0x000000013F080000-0x000000013F3D4000-memory.dmp	upx
behavioral1/memory/2572-19-0x000000013F0A0000-0x000000013F3F4000-memory.dmp	upx
behavioral1/memory/2596-132-0x000000013F080000-0x000000013F3D4000-memory.dmp	upx
behavioral1/memory/2240-133-0x000000013F0D0000-0x000000013F424000-memory.dmp	upx
behavioral1/memory/2568-134-0x000000013F1A0000-0x000000013F4F4000-memory.dmp	upx
behavioral1/memory/2020-135-0x000000013FBD0000-0x000000013FF24000-memory.dmp	upx
behavioral1/memory/2632-136-0x000000013F0C0000-0x000000013F414000-memory.dmp	upx
behavioral1/memory/2572-137-0x000000013F0A0000-0x000000013F3F4000-memory.dmp	upx
behavioral1/memory/2596-138-0x000000013F080000-0x000000013F3D4000-memory.dmp	upx
behavioral1/memory/2708-141-0x000000013FE50000-0x00000001401A4000-memory.dmp	upx
behavioral1/memory/2568-140-0x000000013F1A0000-0x000000013F4F4000-memory.dmp	upx
behavioral1/memory/2484-142-0x000000013FA60000-0x000000013FDB4000-memory.dmp	upx
behavioral1/memory/2020-143-0x000000013FBD0000-0x000000013FF24000-memory.dmp	upx
behavioral1/memory/2184-139-0x000000013F860000-0x000000013FBB4000-memory.dmp	upx
behavioral1/memory/3024-144-0x000000013F2A0000-0x000000013F5F4000-memory.dmp	upx
behavioral1/memory/1820-145-0x000000013F110000-0x000000013F464000-memory.dmp	upx
behavioral1/memory/2816-146-0x000000013F610000-0x000000013F964000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\yjcsLzy.exe	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\LcmuFIk.exe	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\kFBatxN.exe	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\mIysSvo.exe	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ldtNPdF.exe	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\KqqcHnu.exe	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ZkLMwNB.exe	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\inTmuHt.exe	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ToCWlVb.exe	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\lcWmNtd.exe	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\UgVWtDr.exe	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\lxeBJNz.exe	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\rGlrrDP.exe	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\KVudNkc.exe	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\GHHZWBb.exe	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\bukZvhk.exe	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\cjjkxXC.exe	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\VjosAfq.exe	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\jyPjONa.exe	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\HtxCCml.exe	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\GrAURwK.exe	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2240	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	2240	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 2632	2240	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe	29
PID 2240 wrote to memory of 2632	2240	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe	29
PID 2240 wrote to memory of 2632	2240	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe	29
PID 2240 wrote to memory of 2572	2240	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe	30
PID 2240 wrote to memory of 2572	2240	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe	30
PID 2240 wrote to memory of 2572	2240	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe	30
PID 2240 wrote to memory of 2596	2240	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe	31
PID 2240 wrote to memory of 2596	2240	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe	31
PID 2240 wrote to memory of 2596	2240	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe	31
PID 2240 wrote to memory of 2568	2240	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe	32
PID 2240 wrote to memory of 2568	2240	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe	32
PID 2240 wrote to memory of 2568	2240	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe	32
PID 2240 wrote to memory of 2184	2240	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe	33
PID 2240 wrote to memory of 2184	2240	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe	33
PID 2240 wrote to memory of 2184	2240	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe	33
PID 2240 wrote to memory of 2708	2240	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe	34
PID 2240 wrote to memory of 2708	2240	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe	34
PID 2240 wrote to memory of 2708	2240	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe	34
PID 2240 wrote to memory of 2484	2240	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe	35
PID 2240 wrote to memory of 2484	2240	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe	35
PID 2240 wrote to memory of 2484	2240	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe	35
PID 2240 wrote to memory of 2020	2240	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe	36
PID 2240 wrote to memory of 2020	2240	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe	36
PID 2240 wrote to memory of 2020	2240	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe	36
PID 2240 wrote to memory of 2508	2240	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe	37
PID 2240 wrote to memory of 2508	2240	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe	37
PID 2240 wrote to memory of 2508	2240	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe	37
PID 2240 wrote to memory of 3024	2240	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe	38
PID 2240 wrote to memory of 3024	2240	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe	38
PID 2240 wrote to memory of 3024	2240	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe	38
PID 2240 wrote to memory of 2496	2240	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe	39
PID 2240 wrote to memory of 2496	2240	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe	39
PID 2240 wrote to memory of 2496	2240	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe	39
PID 2240 wrote to memory of 1820	2240	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe	40
PID 2240 wrote to memory of 1820	2240	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe	40
PID 2240 wrote to memory of 1820	2240	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe	40
PID 2240 wrote to memory of 2652	2240	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe	41
PID 2240 wrote to memory of 2652	2240	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe	41
PID 2240 wrote to memory of 2652	2240	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe	41
PID 2240 wrote to memory of 2816	2240	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe	42
PID 2240 wrote to memory of 2816	2240	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe	42
PID 2240 wrote to memory of 2816	2240	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe	42
PID 2240 wrote to memory of 2628	2240	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe	43
PID 2240 wrote to memory of 2628	2240	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe	43
PID 2240 wrote to memory of 2628	2240	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe	43
PID 2240 wrote to memory of 2904	2240	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe	44
PID 2240 wrote to memory of 2904	2240	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe	44
PID 2240 wrote to memory of 2904	2240	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe	44
PID 2240 wrote to memory of 3056	2240	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe	45
PID 2240 wrote to memory of 3056	2240	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe	45
PID 2240 wrote to memory of 3056	2240	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe	45
PID 2240 wrote to memory of 2664	2240	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe	46
PID 2240 wrote to memory of 2664	2240	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe	46
PID 2240 wrote to memory of 2664	2240	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe	46
PID 2240 wrote to memory of 2504	2240	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe	47
PID 2240 wrote to memory of 2504	2240	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe	47
PID 2240 wrote to memory of 2504	2240	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe	47
PID 2240 wrote to memory of 2648	2240	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe	48
PID 2240 wrote to memory of 2648	2240	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe	48
PID 2240 wrote to memory of 2648	2240	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe	48
PID 2240 wrote to memory of 2676	2240	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe	49
PID 2240 wrote to memory of 2676	2240	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe	49
PID 2240 wrote to memory of 2676	2240	2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe	49

C:\Users\Admin\AppData\Local\Temp\2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-06_34f65d2b240e6dab1ac7d9e9db6b85b1_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Windows\System\KVudNkc.exe
  C:\Windows\System\KVudNkc.exe
  2⤵
  - Executes dropped EXE
  PID:2632
- C:\Windows\System\GHHZWBb.exe
  C:\Windows\System\GHHZWBb.exe
  2⤵
  - Executes dropped EXE
  PID:2572
- C:\Windows\System\jyPjONa.exe
  C:\Windows\System\jyPjONa.exe
  2⤵
  - Executes dropped EXE
  PID:2596
- C:\Windows\System\HtxCCml.exe
  C:\Windows\System\HtxCCml.exe
  2⤵
  - Executes dropped EXE
  PID:2568
- C:\Windows\System\yjcsLzy.exe
  C:\Windows\System\yjcsLzy.exe
  2⤵
  - Executes dropped EXE
  PID:2184
- C:\Windows\System\inTmuHt.exe
  C:\Windows\System\inTmuHt.exe
  2⤵
  - Executes dropped EXE
  PID:2708
- C:\Windows\System\LcmuFIk.exe
  C:\Windows\System\LcmuFIk.exe
  2⤵
  - Executes dropped EXE
  PID:2484
- C:\Windows\System\ToCWlVb.exe
  C:\Windows\System\ToCWlVb.exe
  2⤵
  - Executes dropped EXE
  PID:2020
- C:\Windows\System\lcWmNtd.exe
  C:\Windows\System\lcWmNtd.exe
  2⤵
  - Executes dropped EXE
  PID:2508
- C:\Windows\System\kFBatxN.exe
  C:\Windows\System\kFBatxN.exe
  2⤵
  - Executes dropped EXE
  PID:3024
- C:\Windows\System\bukZvhk.exe
  C:\Windows\System\bukZvhk.exe
  2⤵
  - Executes dropped EXE
  PID:2496
- C:\Windows\System\mIysSvo.exe
  C:\Windows\System\mIysSvo.exe
  2⤵
  - Executes dropped EXE
  PID:1820
- C:\Windows\System\ldtNPdF.exe
  C:\Windows\System\ldtNPdF.exe
  2⤵
  - Executes dropped EXE
  PID:2652
- C:\Windows\System\UgVWtDr.exe
  C:\Windows\System\UgVWtDr.exe
  2⤵
  - Executes dropped EXE
  PID:2816
- C:\Windows\System\lxeBJNz.exe
  C:\Windows\System\lxeBJNz.exe
  2⤵
  - Executes dropped EXE
  PID:2628
- C:\Windows\System\cjjkxXC.exe
  C:\Windows\System\cjjkxXC.exe
  2⤵
  - Executes dropped EXE
  PID:2904
- C:\Windows\System\KqqcHnu.exe
  C:\Windows\System\KqqcHnu.exe
  2⤵
  - Executes dropped EXE
  PID:3056
- C:\Windows\System\GrAURwK.exe
  C:\Windows\System\GrAURwK.exe
  2⤵
  - Executes dropped EXE
  PID:2664
- C:\Windows\System\rGlrrDP.exe
  C:\Windows\System\rGlrrDP.exe
  2⤵
  - Executes dropped EXE
  PID:2504
- C:\Windows\System\VjosAfq.exe
  C:\Windows\System\VjosAfq.exe
  2⤵
  - Executes dropped EXE
  PID:2648
- C:\Windows\System\ZkLMwNB.exe
  C:\Windows\System\ZkLMwNB.exe
  2⤵
  - Executes dropped EXE
  PID:2676

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\GHHZWBb.exe

Filesize
448KB

MD5
0642442db4acbbfb6037e06789624264

SHA1
923aee440a6887c7a7a8a78085aa492b2cdcee65

SHA256
5d6249e3d37c32c515e6f20e0771180c7b51c791102dfffe39e4510d623eda85

SHA512
7fc8231c299b64743a966130c519362217b11d421c0ccc65ca7c97570221449b6e5bd90caefa97b416470db36fac07c3f48ea41836b395ab190e6121598e88a1

Download Submit
C:\Windows\system\KVudNkc.exe

Filesize
128KB

MD5
7ce4ba1725e83a50f64ba525f8815dcf

SHA1
b1714a2d23cfc42c18c37e1546ac0908d8252c04

SHA256
9f7e171000696500dfb6a966f2c3ddf12dc1a77b8276ef660f14f7b7188d2908

SHA512
2dff777f276295d96892e5749316e2e8892ba50f8398f9972ecc2f6e5378213e3cdd31c7c6ab8360d3490d1ec9e77be4e73ac137e108b2eddff2feaaf600be19

Download Submit
C:\Windows\system\LcmuFIk.exe

Filesize
1.4MB

MD5
0003cb25d8e5fcf51d1ea8407b9410fc

SHA1
fc0940ac8a56e45a19f31c325aba00f814dae439

SHA256
f5fa7230c7358dee6dd18f92cbc76b430b9f4ae3743c5a87ae43ab57b0f17dc2

SHA512
3e0a7f0919968a398f15d36d7bf5f20d80e4d21e13f2a12bc61387d700f7223beda84fce19bb9725494efe691fdd480b4475f6cce34df5d279cf37a6a2663e87

Download Submit
C:\Windows\system\ZkLMwNB.exe

Filesize
640KB

MD5
469aca0e2abc33bcc5100f89b3196890

SHA1
b77c2be76b0bcd5c1640c82143bf4ae8abf6ed35

SHA256
8e4d419e754f89fae1d30741df9483d06709f6d20541cbce976b97c6b74f264f

SHA512
bb8f27156094a7b200e5c1844466de9827240ad5c62598ca983899918fcfddc76480438ab7ff457f4059655d26f5dee65f9d3ba57dc850a7e0c1c267d7e2bdae

Download Submit
C:\Windows\system\jyPjONa.exe

Filesize
2.4MB

MD5
ffafad94c04d076c16e861ff07a4cb57

SHA1
c3501d64aef8c1b093200710a06e749c69db782a

SHA256
8937d79446003663139b48fb488b397b86db6056b10f97b4b51376a75074f295

SHA512
64f6a6b1b0b877c82172b2c14c03c94dd8e19ddfeb29793c31f8e0d87bb2bb2fc63432b7cfddd5451417062117de8a69817c2cc596bd537558b9b01636a48700

Download Submit
C:\Windows\system\kFBatxN.exe

Filesize
384KB

MD5
6207c08555e637186de329c9179e16d9

SHA1
09098b1d2cbfb2ab317439f6c4fc0121d5b8f70a

SHA256
90e60744ec9da51fba847be626db348bca6bdaf98ac91b116446f5b42433003b

SHA512
a17015ce5be9dbe107f45a5361c78d0722d3574d1684f1ab5a78044304a8f13b281179a8bde4be29c0529678da2d8332817db568d46fd1e81541274c1a2a6ea7

Download Submit
C:\Windows\system\yjcsLzy.exe

Filesize
512KB

MD5
6b5887af4274a78686a788865765637c

SHA1
5afc15e6fcbc11377bbabbda47ff43f6ebedd369

SHA256
ecdfed9bc02368fefbebe0d02090e93826b7e5cc1043e339dd245299c8b23006

SHA512
4f563e539f8ec68bbc27d4cc59c42ea4897bb131085e08433f745cc558ab7a030701a601ddb711cda19dfa6cd9086b458fb74762092be15aaa4190c05134d077

Download Submit
\Windows\system\GrAURwK.exe

Filesize
2.3MB

MD5
9d367348bc2b0a338371873ab92b5ce0

SHA1
7f656575ff1e475fc391f43341a8d5f4ac819b19

SHA256
54a48f3a9df4f2d2df5308f04d9bbc5bfb754b7f4236b7d31d49f71134f2b309

SHA512
8ea158cb453b86b762270e2cebce91cbe9a0e8b60ddc4e0fb3c531068e04df9f568fe69f34e169c5bdf6255c4c79c801e5f4b3c040f45ef12c24211a5d1dd454

Download Submit
\Windows\system\ZkLMwNB.exe

Filesize
1.1MB

MD5
d872631fef320bcfe95799f5b4c466cb

SHA1
451a1400f207f69d35ba907e243aed76879dcd2c

SHA256
2c35d06862247b330fc3f8d9e6af582fea555fda1909ac568685a45fc440b438

SHA512
2386867492e72b11ef633226d6bd8e4694f30ef287e4120da56c256823abf746800962069c455536682137d30dfdae1f3be9dfc70d5390788973809462de138d

Download Submit
memory/1820-129-0x000000013F110000-0x000000013F464000-memory.dmp

Filesize
3.3MB

Download
memory/1820-145-0x000000013F110000-0x000000013F464000-memory.dmp

Filesize
3.3MB

Download
memory/2020-143-0x000000013FBD0000-0x000000013FF24000-memory.dmp

Filesize
3.3MB

Download
memory/2020-135-0x000000013FBD0000-0x000000013FF24000-memory.dmp

Filesize
3.3MB

Download
memory/2020-52-0x000000013FBD0000-0x000000013FF24000-memory.dmp

Filesize
3.3MB

Download
memory/2184-38-0x000000013F860000-0x000000013FBB4000-memory.dmp

Filesize
3.3MB

Download
memory/2184-139-0x000000013F860000-0x000000013FBB4000-memory.dmp

Filesize
3.3MB

Download
memory/2240-59-0x000000013FBD0000-0x000000013FF24000-memory.dmp

Filesize
3.3MB

Download
memory/2240-82-0x000000013F840000-0x000000013FB94000-memory.dmp

Filesize
3.3MB

Download
memory/2240-112-0x00000000022D0000-0x0000000002624000-memory.dmp

Filesize
3.3MB

Download
memory/2240-111-0x000000013F730000-0x000000013FA84000-memory.dmp

Filesize
3.3MB

Download
memory/2240-110-0x00000000022D0000-0x0000000002624000-memory.dmp

Filesize
3.3MB

Download
memory/2240-109-0x00000000022D0000-0x0000000002624000-memory.dmp

Filesize
3.3MB

Download
memory/2240-108-0x000000013FF20000-0x0000000140274000-memory.dmp

Filesize
3.3MB

Download
memory/2240-1-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/2240-0-0x000000013F0D0000-0x000000013F424000-memory.dmp

Filesize
3.3MB

Download
memory/2240-95-0x00000000022D0000-0x0000000002624000-memory.dmp

Filesize
3.3MB

Download
memory/2240-133-0x000000013F0D0000-0x000000013F424000-memory.dmp

Filesize
3.3MB

Download
memory/2240-44-0x000000013FE50000-0x00000001401A4000-memory.dmp

Filesize
3.3MB

Download
memory/2240-55-0x000000013FA60000-0x000000013FDB4000-memory.dmp

Filesize
3.3MB

Download
memory/2240-53-0x00000000022D0000-0x0000000002624000-memory.dmp

Filesize
3.3MB

Download
memory/2240-54-0x00000000022D0000-0x0000000002624000-memory.dmp

Filesize
3.3MB

Download
memory/2240-8-0x00000000022D0000-0x0000000002624000-memory.dmp

Filesize
3.3MB

Download
memory/2240-113-0x000000013F610000-0x000000013F964000-memory.dmp

Filesize
3.3MB

Download
memory/2484-142-0x000000013FA60000-0x000000013FDB4000-memory.dmp

Filesize
3.3MB

Download
memory/2484-48-0x000000013FA60000-0x000000013FDB4000-memory.dmp

Filesize
3.3MB

Download
memory/2568-140-0x000000013F1A0000-0x000000013F4F4000-memory.dmp

Filesize
3.3MB

Download
memory/2568-134-0x000000013F1A0000-0x000000013F4F4000-memory.dmp

Filesize
3.3MB

Download
memory/2568-35-0x000000013F1A0000-0x000000013F4F4000-memory.dmp

Filesize
3.3MB

Download
memory/2572-19-0x000000013F0A0000-0x000000013F3F4000-memory.dmp

Filesize
3.3MB

Download
memory/2572-137-0x000000013F0A0000-0x000000013F3F4000-memory.dmp

Filesize
3.3MB

Download
memory/2596-132-0x000000013F080000-0x000000013F3D4000-memory.dmp

Filesize
3.3MB

Download
memory/2596-138-0x000000013F080000-0x000000013F3D4000-memory.dmp

Filesize
3.3MB

Download
memory/2596-29-0x000000013F080000-0x000000013F3D4000-memory.dmp

Filesize
3.3MB

Download
memory/2632-136-0x000000013F0C0000-0x000000013F414000-memory.dmp

Filesize
3.3MB

Download
memory/2632-13-0x000000013F0C0000-0x000000013F414000-memory.dmp

Filesize
3.3MB

Download
memory/2708-141-0x000000013FE50000-0x00000001401A4000-memory.dmp

Filesize
3.3MB

Download
memory/2708-45-0x000000013FE50000-0x00000001401A4000-memory.dmp

Filesize
3.3MB

Download
memory/2816-131-0x000000013F610000-0x000000013F964000-memory.dmp

Filesize
3.3MB

Download
memory/2816-146-0x000000013F610000-0x000000013F964000-memory.dmp

Filesize
3.3MB

Download
memory/3024-102-0x000000013F2A0000-0x000000013F5F4000-memory.dmp

Filesize
3.3MB

Download
memory/3024-144-0x000000013F2A0000-0x000000013F5F4000-memory.dmp

Filesize
3.3MB

Download