Analysis
- max time kernel: 133s
- max time network: 143s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 07-06-2024 00:33
Behavioral task: behavioral1
- Sample: 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe
- Resource: win7-20231129-en
General
- Target: 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe
- Size: 5.9MB
- MD5: 40519c64e03a0fe6c0a59e7ecf008feb
- SHA1: 8dc22d65c8f1c805e776a9cb3b5e8b4af52a1285
- SHA256: f160177f543ca6ab008a5b1701414de51726e418b5e3a27b73048776d235ee42
- SHA512:
b5efdffbf8be2e1b60b9df1088a270a139e719529025c661927c6d0adc814f8def64cd77ae0d47eb1d10dc64e1dbf544458c39b9dd9ecba4d86ddfb81c2fb04a
- SSDEEP:
98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUC:Q+856utgpPF8u/7C
Malware Config
Extracted
cobaltstrike
0
- http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- access_type: 512
- beacon_type: 256
- create_remote_thread: 768
- crypto_scheme: 256
- host: ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
- http_header1:
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- http_header2:
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
- http_method1: GET
- http_method2: POST
- maxdns: 255
- pipe_name: \\%s\pipe\msagent_%x
- polling_time: 5000
- port_number: 443
- sc_process32: %windir%\syswow64\rundll32.exe
- sc_process64: %windir%\sysnative\rundll32.exe
- state_machine:
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- unknown1: 4096
- unknown2:
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- uri: /N4215/adj/amzn.us.sr.aps
- user_agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
- watermark: 0
Signatures
-
Cobalt Strike reflective loader (4 IoCs)
Detects the reflective loader used by Cobalt Strike.
Processes (resource | yara_rule):
- C:\Windows\system\MVnNppt.exe | cobalt_reflective_dll
- \Windows\system\CWWDuIR.exe | cobalt_reflective_dll
- \Windows\system\LpyUcog.exe | cobalt_reflective_dll
- C:\Windows\system\UaRkdvH.exe | cobalt_reflective_dll
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Detects Reflective DLL injection artifacts (4 IoCs)
Processes (resource | yara_rule):
- C:\Windows\system\MVnNppt.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
- \Windows\system\CWWDuIR.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
- \Windows\system\LpyUcog.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
- C:\Windows\system\UaRkdvH.exe | INDICATOR_SUSPICIOUS_ReflectiveLoader
-
UPX dump on OEP (original entry point) (29 IoCs)
Processes (resource | yara_rule):
- C:\Windows\system\LVYHduv.exe | UPX
- C:\Windows\system\hgRgYao.exe | UPX
- \Windows\system\hgRgYao.exe | UPX
- \Windows\system\GiTBmZi.exe | UPX
- C:\Windows\system\KmDBUtn.exe | UPX
- \Windows\system\NvgScMj.exe | UPX
- C:\Windows\system\MVnNppt.exe | UPX
- \Windows\system\CWWDuIR.exe | UPX
- C:\Windows\system\StPcVvv.exe | UPX
- \Windows\system\MVnNppt.exe | UPX
- \Windows\system\LpyUcog.exe | UPX
- C:\Windows\system\UaRkdvH.exe | UPX
- C:\Windows\system\AUWiRwX.exe | UPX
- behavioral1/memory/2060-133-0x000000013F940000-0x000000013FC94000-memory.dmp | UPX
- \Windows\system\LVYHduv.exe | UPX
- behavioral1/memory/2744-135-0x000000013F650000-0x000000013F9A4000-memory.dmp | UPX
- behavioral1/memory/3044-136-0x000000013F5A0000-0x000000013F8F4000-memory.dmp | UPX
- behavioral1/memory/2132-137-0x000000013F770000-0x000000013FAC4000-memory.dmp | UPX
- behavioral1/memory/1944-138-0x000000013F310000-0x000000013F664000-memory.dmp | UPX
- behavioral1/memory/2668-139-0x000000013F7E0000-0x000000013FB34000-memory.dmp | UPX
- behavioral1/memory/2596-140-0x000000013FF20000-0x0000000140274000-memory.dmp | UPX
- behavioral1/memory/2712-141-0x000000013F410000-0x000000013F764000-memory.dmp | UPX
- behavioral1/memory/2872-142-0x000000013FF60000-0x00000001402B4000-memory.dmp | UPX
- behavioral1/memory/2820-143-0x000000013F8B0000-0x000000013FC04000-memory.dmp | UPX
- behavioral1/memory/2488-144-0x000000013F960000-0x000000013FCB4000-memory.dmp | UPX
- behavioral1/memory/2456-145-0x000000013F480000-0x000000013F7D4000-memory.dmp | UPX
- behavioral1/memory/1524-146-0x000000013F200000-0x000000013F554000-memory.dmp | UPX
- behavioral1/memory/1252-147-0x000000013FC70000-0x000000013FFC4000-memory.dmp | UPX
- behavioral1/memory/2804-148-0x000000013FB30000-0x000000013FE84000-memory.dmp | UPX
-
XMRig Miner payload (43 IoCs)
Processes (resource | yara_rule):
- behavioral1/memory/2060-2-0x000000013F940000-0x000000013FC94000-memory.dmp | xmrig
- C:\Windows\system\LVYHduv.exe | xmrig
- behavioral1/memory/2132-36-0x000000013F770000-0x000000013FAC4000-memory.dmp | xmrig
- C:\Windows\system\hgRgYao.exe | xmrig
- \Windows\system\hgRgYao.exe | xmrig
- \Windows\system\GiTBmZi.exe | xmrig
- behavioral1/memory/2872-64-0x000000013FF60000-0x00000001402B4000-memory.dmp | xmrig
- C:\Windows\system\KmDBUtn.exe | xmrig
- \Windows\system\NvgScMj.exe | xmrig
- behavioral1/memory/2804-102-0x000000013FB30000-0x000000013FE84000-memory.dmp | xmrig
- C:\Windows\system\MVnNppt.exe | xmrig
- \Windows\system\CWWDuIR.exe | xmrig
- C:\Windows\system\StPcVvv.exe | xmrig
- \Windows\system\MVnNppt.exe | xmrig
- behavioral1/memory/1252-89-0x000000013FC70000-0x000000013FFC4000-memory.dmp | xmrig
- behavioral1/memory/2820-84-0x000000013F8B0000-0x000000013FC04000-memory.dmp | xmrig
- \Windows\system\LpyUcog.exe | xmrig
- behavioral1/memory/2456-79-0x000000013F480000-0x000000013F7D4000-memory.dmp | xmrig
- C:\Windows\system\UaRkdvH.exe | xmrig
- behavioral1/memory/1944-55-0x000000013F310000-0x000000013F664000-memory.dmp | xmrig
- behavioral1/memory/2712-50-0x000000013F410000-0x000000013F764000-memory.dmp | xmrig
- behavioral1/memory/2668-44-0x000000013F7E0000-0x000000013FB34000-memory.dmp | xmrig
- behavioral1/memory/2596-41-0x000000013FF20000-0x0000000140274000-memory.dmp | xmrig
- behavioral1/memory/3044-35-0x000000013F5A0000-0x000000013F8F4000-memory.dmp | xmrig
- C:\Windows\system\AUWiRwX.exe | xmrig
- behavioral1/memory/2060-133-0x000000013F940000-0x000000013FC94000-memory.dmp | xmrig
- behavioral1/memory/2744-23-0x000000013F650000-0x000000013F9A4000-memory.dmp | xmrig
- \Windows\system\ssKIOYz.exe | xmrig
- \Windows\system\LVYHduv.exe | xmrig
- behavioral1/memory/2744-135-0x000000013F650000-0x000000013F9A4000-memory.dmp | xmrig
- behavioral1/memory/3044-136-0x000000013F5A0000-0x000000013F8F4000-memory.dmp | xmrig
- behavioral1/memory/2132-137-0x000000013F770000-0x000000013FAC4000-memory.dmp | xmrig
- behavioral1/memory/1944-138-0x000000013F310000-0x000000013F664000-memory.dmp | xmrig
- behavioral1/memory/2668-139-0x000000013F7E0000-0x000000013FB34000-memory.dmp | xmrig
- behavioral1/memory/2596-140-0x000000013FF20000-0x0000000140274000-memory.dmp | xmrig
- behavioral1/memory/2712-141-0x000000013F410000-0x000000013F764000-memory.dmp | xmrig
- behavioral1/memory/2872-142-0x000000013FF60000-0x00000001402B4000-memory.dmp | xmrig
- behavioral1/memory/2820-143-0x000000013F8B0000-0x000000013FC04000-memory.dmp | xmrig
- behavioral1/memory/2488-144-0x000000013F960000-0x000000013FCB4000-memory.dmp | xmrig
- behavioral1/memory/2456-145-0x000000013F480000-0x000000013F7D4000-memory.dmp | xmrig
- behavioral1/memory/1524-146-0x000000013F200000-0x000000013F554000-memory.dmp | xmrig
- behavioral1/memory/1252-147-0x000000013FC70000-0x000000013FFC4000-memory.dmp | xmrig
- behavioral1/memory/2804-148-0x000000013FB30000-0x000000013FE84000-memory.dmp | xmrig
-
Executes dropped EXE (21 IoCs)
Processes (pid | process):
- 2744 | ZWWHgvh.exe
- 3044 | ssKIOYz.exe
- 2132 | LVYHduv.exe
- 1944 | UHAiqUV.exe
- 2596 | xcWJwgA.exe
- 2668 | AUWiRwX.exe
- 2712 | nduGlfI.exe
- 2872 | hgRgYao.exe
- 2820 | GiTBmZi.exe
- 2488 | UaRkdvH.exe
- 2456 | FJygThd.exe
- 1524 | KmDBUtn.exe
- 1252 | LpyUcog.exe
- 2804 | NvgScMj.exe
- 2828 | auNCmEh.exe
- 1436 | MVnNppt.exe
- 636 | pORdPTn.exe
- 1572 | FpWkxbn.exe
- 772 | StPcVvv.exe
- 2736 | yLvXuyS.exe
- 2752 | CWWDuIR.exe
-
Loads dropped DLL (21 IoCs)
Processes (pid | process):
- 2060 | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe
- 2060 | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe
- 2060 | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe
- 2060 | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe
- 2060 | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe
- 2060 | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe
- 2060 | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe
- 2060 | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe
- 2060 | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe
- 2060 | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe
- 2060 | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe
- 2060 | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe
- 2060 | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe
- 2060 | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe
- 2060 | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe
- 2060 | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe
- 2060 | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe
- 2060 | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe
- 2060 | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe
- 2060 | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe
- 2060 | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe
-
Processes (resource | yara_rule):
- behavioral1/memory/2060-2-0x000000013F940000-0x000000013FC94000-memory.dmp | upx
- C:\Windows\system\ssKIOYz.exe | upx
- C:\Windows\system\LVYHduv.exe | upx
- behavioral1/memory/2132-36-0x000000013F770000-0x000000013FAC4000-memory.dmp | upx
- C:\Windows\system\hgRgYao.exe | upx
- \Windows\system\hgRgYao.exe | upx
- \Windows\system\GiTBmZi.exe | upx
- behavioral1/memory/2872-64-0x000000013FF60000-0x00000001402B4000-memory.dmp | upx
- C:\Windows\system\KmDBUtn.exe | upx
- behavioral1/memory/1524-88-0x000000013F200000-0x000000013F554000-memory.dmp | upx
- \Windows\system\NvgScMj.exe | upx
- behavioral1/memory/2804-102-0x000000013FB30000-0x000000013FE84000-memory.dmp | upx
- C:\Windows\system\MVnNppt.exe | upx
- C:\Windows\system\CWWDuIR.exe | upx
- \Windows\system\CWWDuIR.exe | upx
- C:\Windows\system\StPcVvv.exe | upx
- \Windows\system\MVnNppt.exe | upx
- behavioral1/memory/1252-89-0x000000013FC70000-0x000000013FFC4000-memory.dmp | upx
- behavioral1/memory/2820-84-0x000000013F8B0000-0x000000013FC04000-memory.dmp | upx
- \Windows\system\LpyUcog.exe | upx
- behavioral1/memory/2456-79-0x000000013F480000-0x000000013F7D4000-memory.dmp | upx
- behavioral1/memory/2488-72-0x000000013F960000-0x000000013FCB4000-memory.dmp | upx
- C:\Windows\system\UaRkdvH.exe | upx
- behavioral1/memory/1944-55-0x000000013F310000-0x000000013F664000-memory.dmp | upx
- behavioral1/memory/2712-50-0x000000013F410000-0x000000013F764000-memory.dmp | upx
- behavioral1/memory/2668-44-0x000000013F7E0000-0x000000013FB34000-memory.dmp | upx
- behavioral1/memory/2596-41-0x000000013FF20000-0x0000000140274000-memory.dmp | upx
- behavioral1/memory/3044-35-0x000000013F5A0000-0x000000013F8F4000-memory.dmp | upx
- C:\Windows\system\AUWiRwX.exe | upx
- behavioral1/memory/2060-133-0x000000013F940000-0x000000013FC94000-memory.dmp | upx
- behavioral1/memory/2744-23-0x000000013F650000-0x000000013F9A4000-memory.dmp | upx
- \Windows\system\ssKIOYz.exe | upx
- \Windows\system\LVYHduv.exe | upx
- behavioral1/memory/2744-135-0x000000013F650000-0x000000013F9A4000-memory.dmp | upx
- behavioral1/memory/3044-136-0x000000013F5A0000-0x000000013F8F4000-memory.dmp | upx
- behavioral1/memory/2132-137-0x000000013F770000-0x000000013FAC4000-memory.dmp | upx
- behavioral1/memory/1944-138-0x000000013F310000-0x000000013F664000-memory.dmp | upx
- behavioral1/memory/2668-139-0x000000013F7E0000-0x000000013FB34000-memory.dmp | upx
- behavioral1/memory/2596-140-0x000000013FF20000-0x0000000140274000-memory.dmp | upx
- behavioral1/memory/2712-141-0x000000013F410000-0x000000013F764000-memory.dmp | upx
- behavioral1/memory/2872-142-0x000000013FF60000-0x00000001402B4000-memory.dmp | upx
- behavioral1/memory/2820-143-0x000000013F8B0000-0x000000013FC04000-memory.dmp | upx
- behavioral1/memory/2488-144-0x000000013F960000-0x000000013FCB4000-memory.dmp | upx
- behavioral1/memory/2456-145-0x000000013F480000-0x000000013F7D4000-memory.dmp | upx
- behavioral1/memory/1524-146-0x000000013F200000-0x000000013F554000-memory.dmp | upx
- behavioral1/memory/1252-147-0x000000013FC70000-0x000000013FFC4000-memory.dmp | upx
- behavioral1/memory/2804-148-0x000000013FB30000-0x000000013FE84000-memory.dmp | upx
-
Drops file in Windows directory (21 IoCs)
Processes (description | ioc | process):
- File created | C:\Windows\System\UaRkdvH.exe | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe
- File created | C:\Windows\System\KmDBUtn.exe | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe
- File created | C:\Windows\System\StPcVvv.exe | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe
- File created | C:\Windows\System\CWWDuIR.exe | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe
- File created | C:\Windows\System\MVnNppt.exe | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe
- File created | C:\Windows\System\pORdPTn.exe | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe
- File created | C:\Windows\System\ssKIOYz.exe | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe
- File created | C:\Windows\System\UHAiqUV.exe | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe
- File created | C:\Windows\System\xcWJwgA.exe | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe
- File created | C:\Windows\System\nduGlfI.exe | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe
- File created | C:\Windows\System\GiTBmZi.exe | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe
- File created | C:\Windows\System\FJygThd.exe | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe
- File created | C:\Windows\System\ZWWHgvh.exe | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe
- File created | C:\Windows\System\LVYHduv.exe | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe
- File created | C:\Windows\System\yLvXuyS.exe | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe
- File created | C:\Windows\System\AUWiRwX.exe | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe
- File created | C:\Windows\System\hgRgYao.exe | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe
- File created | C:\Windows\System\LpyUcog.exe | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe
- File created | C:\Windows\System\NvgScMj.exe | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe
- File created | C:\Windows\System\auNCmEh.exe | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe
- File created | C:\Windows\System\FpWkxbn.exe | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description | pid | process):
- Token: SeLockMemoryPrivilege | 2060 | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe
- Token: SeLockMemoryPrivilege | 2060 | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe
-
Suspicious use of WriteProcessMemory (63 IoCs)
Processes (description | pid | process | target process):
- PID 2060 wrote to memory of 2744 | 2060 | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe | ZWWHgvh.exe
- PID 2060 wrote to memory of 2744 | 2060 | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe | ZWWHgvh.exe
- PID 2060 wrote to memory of 2744 | 2060 | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe | ZWWHgvh.exe
- PID 2060 wrote to memory of 3044 | 2060 | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe | ssKIOYz.exe
- PID 2060 wrote to memory of 3044 | 2060 | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe | ssKIOYz.exe
- PID 2060 wrote to memory of 3044 | 2060 | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe | ssKIOYz.exe
- PID 2060 wrote to memory of 2132 | 2060 | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe | LVYHduv.exe
- PID 2060 wrote to memory of 2132 | 2060 | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe | LVYHduv.exe
- PID 2060 wrote to memory of 2132 | 2060 | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe | LVYHduv.exe
- PID 2060 wrote to memory of 1944 | 2060 | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe | UHAiqUV.exe
- PID 2060 wrote to memory of 1944 | 2060 | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe | UHAiqUV.exe
- PID 2060 wrote to memory of 1944 | 2060 | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe | UHAiqUV.exe
- PID 2060 wrote to memory of 2596 | 2060 | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe | xcWJwgA.exe
- PID 2060 wrote to memory of 2596 | 2060 | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe | xcWJwgA.exe
- PID 2060 wrote to memory of 2596 | 2060 | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe | xcWJwgA.exe
- PID 2060 wrote to memory of 2668 | 2060 | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe | AUWiRwX.exe
- PID 2060 wrote to memory of 2668 | 2060 | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe | AUWiRwX.exe
- PID 2060 wrote to memory of 2668 | 2060 | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe | AUWiRwX.exe
- PID 2060 wrote to memory of 2712 | 2060 | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe | nduGlfI.exe
- PID 2060 wrote to memory of 2712 | 2060 | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe | nduGlfI.exe
- PID 2060 wrote to memory of 2712 | 2060 | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe | nduGlfI.exe
- PID 2060 wrote to memory of 2872 | 2060 | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe | hgRgYao.exe
- PID 2060 wrote to memory of 2872 | 2060 | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe | hgRgYao.exe
- PID 2060 wrote to memory of 2872 | 2060 | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe | hgRgYao.exe
- PID 2060 wrote to memory of 2820 | 2060 | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe | GiTBmZi.exe
- PID 2060 wrote to memory of 2820 | 2060 | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe | GiTBmZi.exe
- PID 2060 wrote to memory of 2820 | 2060 | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe | GiTBmZi.exe
- PID 2060 wrote to memory of 2488 | 2060 | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe | UaRkdvH.exe
- PID 2060 wrote to memory of 2488 | 2060 | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe | UaRkdvH.exe
- PID 2060 wrote to memory of 2488 | 2060 | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe | UaRkdvH.exe
- PID 2060 wrote to memory of 2456 | 2060 | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe | FJygThd.exe
- PID 2060 wrote to memory of 2456 | 2060 | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe | FJygThd.exe
- PID 2060 wrote to memory of 2456 | 2060 | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe | FJygThd.exe
- PID 2060 wrote to memory of 1524 | 2060 | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe | KmDBUtn.exe
- PID 2060 wrote to memory of 1524 | 2060 | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe | KmDBUtn.exe
- PID 2060 wrote to memory of 1524 | 2060 | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe | KmDBUtn.exe
- PID 2060 wrote to memory of 1252 | 2060 | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe | LpyUcog.exe
- PID 2060 wrote to memory of 1252 | 2060 | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe | LpyUcog.exe
- PID 2060 wrote to memory of 1252 | 2060 | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe | LpyUcog.exe
- PID 2060 wrote to memory of 2804 | 2060 | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe | NvgScMj.exe
- PID 2060 wrote to memory of 2804 | 2060 | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe | NvgScMj.exe
- PID 2060 wrote to memory of 2804 | 2060 | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe | NvgScMj.exe
- PID 2060 wrote to memory of 2828 | 2060 | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe | auNCmEh.exe
- PID 2060 wrote to memory of 2828 | 2060 | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe | auNCmEh.exe
- PID 2060 wrote to memory of 2828 | 2060 | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe | auNCmEh.exe
- PID 2060 wrote to memory of 1436 | 2060 | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe | MVnNppt.exe
- PID 2060 wrote to memory of 1436 | 2060 | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe | MVnNppt.exe
- PID 2060 wrote to memory of 1436 | 2060 | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe | MVnNppt.exe
- PID 2060 wrote to memory of 636 | 2060 | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe | pORdPTn.exe
- PID 2060 wrote to memory of 636 | 2060 | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe | pORdPTn.exe
- PID 2060 wrote to memory of 636 | 2060 | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe | pORdPTn.exe
- PID 2060 wrote to memory of 1572 | 2060 | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe | FpWkxbn.exe
- PID 2060 wrote to memory of 1572 | 2060 | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe | FpWkxbn.exe
- PID 2060 wrote to memory of 1572 | 2060 | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe | FpWkxbn.exe
- PID 2060 wrote to memory of 772 | 2060 | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe | StPcVvv.exe
- PID 2060 wrote to memory of 772 | 2060 | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe | StPcVvv.exe
- PID 2060 wrote to memory of 772 | 2060 | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe | StPcVvv.exe
- PID 2060 wrote to memory of 2736 | 2060 | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe | yLvXuyS.exe
- PID 2060 wrote to memory of 2736 | 2060 | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe | yLvXuyS.exe
- PID 2060 wrote to memory of 2736 | 2060 | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe | yLvXuyS.exe
- PID 2060 wrote to memory of 2752 | 2060 | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe | CWWDuIR.exe
- PID 2060 wrote to memory of 2752 | 2060 | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe | CWWDuIR.exe
- PID 2060 wrote to memory of 2752 | 2060 | 2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe | CWWDuIR.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-07_40519c64e03a0fe6c0a59e7ecf008feb_cobalt-strike_cobaltstrike.exe"
  PID: 2060
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System\ZWWHgvh.exe
    Command line: C:\Windows\System\ZWWHgvh.exe
    PID: 2744
    - Executes dropped EXE
  - C:\Windows\System\ssKIOYz.exe
    Command line: C:\Windows\System\ssKIOYz.exe
    PID: 3044
    - Executes dropped EXE
  - C:\Windows\System\LVYHduv.exe
    Command line: C:\Windows\System\LVYHduv.exe
    PID: 2132
    - Executes dropped EXE
  - C:\Windows\System\UHAiqUV.exe
    Command line: C:\Windows\System\UHAiqUV.exe
    PID: 1944
    - Executes dropped EXE
  - C:\Windows\System\xcWJwgA.exe
    Command line: C:\Windows\System\xcWJwgA.exe
    PID: 2596
    - Executes dropped EXE
  - C:\Windows\System\AUWiRwX.exe
    Command line: C:\Windows\System\AUWiRwX.exe
    PID: 2668
    - Executes dropped EXE
  - C:\Windows\System\nduGlfI.exe
    Command line: C:\Windows\System\nduGlfI.exe
    PID: 2712
    - Executes dropped EXE
  - C:\Windows\System\hgRgYao.exe
    Command line: C:\Windows\System\hgRgYao.exe
    PID: 2872
    - Executes dropped EXE
  - C:\Windows\System\GiTBmZi.exe
    Command line: C:\Windows\System\GiTBmZi.exe
    PID: 2820
    - Executes dropped EXE
  - C:\Windows\System\UaRkdvH.exe
    Command line: C:\Windows\System\UaRkdvH.exe
    PID: 2488
    - Executes dropped EXE
  - C:\Windows\System\FJygThd.exe
    Command line: C:\Windows\System\FJygThd.exe
    PID: 2456
    - Executes dropped EXE
  - C:\Windows\System\KmDBUtn.exe
    Command line: C:\Windows\System\KmDBUtn.exe
    PID: 1524
    - Executes dropped EXE
  - C:\Windows\System\LpyUcog.exe
    Command line: C:\Windows\System\LpyUcog.exe
    PID: 1252
    - Executes dropped EXE
  - C:\Windows\System\NvgScMj.exe
    Command line: C:\Windows\System\NvgScMj.exe
    PID: 2804
    - Executes dropped EXE
  - C:\Windows\System\auNCmEh.exe
    Command line: C:\Windows\System\auNCmEh.exe
    PID: 2828
    - Executes dropped EXE
  - C:\Windows\System\MVnNppt.exe
    Command line: C:\Windows\System\MVnNppt.exe
    PID: 1436
    - Executes dropped EXE
  - C:\Windows\System\pORdPTn.exe
    Command line: C:\Windows\System\pORdPTn.exe
    PID: 636
    - Executes dropped EXE
  - C:\Windows\System\FpWkxbn.exe
    Command line: C:\Windows\System\FpWkxbn.exe
    PID: 1572
    - Executes dropped EXE
  - C:\Windows\System\StPcVvv.exe
    Command line: C:\Windows\System\StPcVvv.exe
    PID: 772
    - Executes dropped EXE
  - C:\Windows\System\yLvXuyS.exe
    Command line: C:\Windows\System\yLvXuyS.exe
    PID: 2736
    - Executes dropped EXE
  - C:\Windows\System\CWWDuIR.exe
    Command line: C:\Windows\System\CWWDuIR.exe
    PID: 2752
    - Executes dropped EXE
Downloads