Analysis

  • max time kernel
    133s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07-06-2024 01:43

General

  • Target

    2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe

  • Size

    5.9MB

  • MD5

    4255859d1910c64892a46db2c71a6145

  • SHA1

    06129659169e3453fdba7b95204a3403266b42a5

  • SHA256

    ceab942ce0f34d496e9bc456dffff321cbe25a88c5872fdd8b59fdf88a89b368

  • SHA512

    9f305a30819dbc3716e857fcdc161db607ef683e5fbde7ac2742a7024252edee86a59cf52dd2c347ed17f8659396cf555a2b9071e1b534054b0eecf127650060

  • SSDEEP

    98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUe:Q+856utgpPF8u/7e

Score
10/10

Malware Config

Signatures

  • xmrig

    XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

  • UPX dump on OEP (original entry point) 6 IoCs
  • XMRig Miner payload 20 IoCs
  • Executes dropped EXE 21 IoCs
  • UPX packed file 62 IoCs

    Detects executables packed with the open-source UPX packer or a modified UPX build.

  • Drops file in Windows directory 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs
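The "UPX packed file" signature above fires 62 times across the parent and the dropped children. The following is an added example (not sandbox, UPX, or sample code) of the two cheap static heuristics such a signature rests on: the UPX0/UPX1/UPX2 section names in the PE section table, and the "UPX!" loader marker. Both are routinely removed by modified UPX builds, which is why the "UPX dump on OEP" entries, i.e. the image captured at the original entry point after unpacking, are the more reliable artifact. build_minimal_pe constructs a header-only PE purely as a test fixture; it is not a real executable.

```python
# Added example: static UPX indicators behind a "UPX packed file" check.
# Not sandbox or UPX code; build_minimal_pe is a constructed test fixture.
import struct

UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}
UPX_MARKER = b"UPX!"  # l_magic of the UPX loader-info block; often patched out


def pe_section_names(data: bytes) -> list:
    """Return the section names of a PE image, or [] if data is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    # COFF header follows "PE\0\0": NumberOfSections at +6, SizeOfOptionalHeader
    # at +20; the section table starts right after the optional header and
    # holds one 40-byte entry per section, name in the first 8 bytes.
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size
    names = []
    for i in range(num_sections):
        off = table + i * 40
        if off + 40 > len(data):
            break  # truncated section table: stop rather than misparse
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names


def upx_indicators(data: bytes) -> list:
    """Return the UPX indicators present in data (empty list = none found)."""
    found = []
    sections = [n for n in pe_section_names(data) if n in UPX_SECTION_NAMES]
    if sections:
        found.append("sections:" + ",".join(n.decode() for n in sections))
    if UPX_MARKER in data:
        found.append("marker:UPX!")
    return found


def is_upx_packed(data: bytes) -> bool:
    """True if any static UPX indicator is present (absence proves nothing)."""
    return bool(upx_indicators(data))


def build_minimal_pe(section_names, trailer: bytes = b"") -> bytes:
    """Constructed header-only PE32+ (no code, not runnable) for testing."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    opt_size = 0xF0  # size of a PE32+ optional header
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0, opt_size, 0x22)
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + coff + b"\0" * opt_size + sections + trailer


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, upx_indicators(f.read()) or "no static UPX indicators")
```

Run it against the dropped files from the Downloads list to see which indicator survives; a file that reports nothing here but still unpacks a 3.3MB image in memory is the case the OEP dump signature exists for.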

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:556
    • C:\Windows\System\LVUxBpM.exe
      C:\Windows\System\LVUxBpM.exe
      2⤵
      • Executes dropped EXE
      PID:3624
    • C:\Windows\System\xEonPre.exe
      C:\Windows\System\xEonPre.exe
      2⤵
      • Executes dropped EXE
      PID:1176
    • C:\Windows\System\OeyFlxe.exe
      C:\Windows\System\OeyFlxe.exe
      2⤵
      • Executes dropped EXE
      PID:1804
    • C:\Windows\System\xOrzLHe.exe
      C:\Windows\System\xOrzLHe.exe
      2⤵
      • Executes dropped EXE
      PID:208
    • C:\Windows\System\mMomgcf.exe
      C:\Windows\System\mMomgcf.exe
      2⤵
      • Executes dropped EXE
      PID:4824
    • C:\Windows\System\WobcRnx.exe
      C:\Windows\System\WobcRnx.exe
      2⤵
      • Executes dropped EXE
      PID:3668
    • C:\Windows\System\MfCoHdg.exe
      C:\Windows\System\MfCoHdg.exe
      2⤵
      • Executes dropped EXE
      PID:4688
    • C:\Windows\System\eyVKxxT.exe
      C:\Windows\System\eyVKxxT.exe
      2⤵
      • Executes dropped EXE
      PID:544
    • C:\Windows\System\WPccKzt.exe
      C:\Windows\System\WPccKzt.exe
      2⤵
      • Executes dropped EXE
      PID:4812
    • C:\Windows\System\TgTWcfc.exe
      C:\Windows\System\TgTWcfc.exe
      2⤵
      • Executes dropped EXE
      PID:3660
    • C:\Windows\System\iYbvcpk.exe
      C:\Windows\System\iYbvcpk.exe
      2⤵
      • Executes dropped EXE
      PID:1688
    • C:\Windows\System\iuqHQns.exe
      C:\Windows\System\iuqHQns.exe
      2⤵
      • Executes dropped EXE
      PID:4536
    • C:\Windows\System\JLupGEA.exe
      C:\Windows\System\JLupGEA.exe
      2⤵
      • Executes dropped EXE
      PID:5108
    • C:\Windows\System\Jtdrhcd.exe
      C:\Windows\System\Jtdrhcd.exe
      2⤵
      • Executes dropped EXE
      PID:2292
    • C:\Windows\System\HCfTmfe.exe
      C:\Windows\System\HCfTmfe.exe
      2⤵
      • Executes dropped EXE
      PID:4504
    • C:\Windows\System\ZcrGNoP.exe
      C:\Windows\System\ZcrGNoP.exe
      2⤵
      • Executes dropped EXE
      PID:940
    • C:\Windows\System\DfVRHtb.exe
      C:\Windows\System\DfVRHtb.exe
      2⤵
      • Executes dropped EXE
      PID:1496
    • C:\Windows\System\pvRluMw.exe
      C:\Windows\System\pvRluMw.exe
      2⤵
      • Executes dropped EXE
      PID:740
    • C:\Windows\System\slJLaCF.exe
      C:\Windows\System\slJLaCF.exe
      2⤵
      • Executes dropped EXE
      PID:636
    • C:\Windows\System\xOYVyGL.exe
      C:\Windows\System\xOYVyGL.exe
      2⤵
      • Executes dropped EXE
      PID:412
    • C:\Windows\System\uCSqTCl.exe
      C:\Windows\System\uCSqTCl.exe
      2⤵
      • Executes dropped EXE
      PID:2888
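The tree above is a single parent in the user's Temp directory writing 21 executables with 7-letter random names into C:\Windows\System\ and running each one. That directory is the legacy 16-bit system directory, which on a stock Windows 10 x64 install holds only a few old files, so new executables there carry far more signal than the name pattern alone (svchost.exe and conhost.exe are also seven letters, but they run from System32). The detection below is an added example, not sandbox output: it runs over constructed process-creation records in a simplified Sysmon-like shape. Paths and PIDs are taken from the tree; the parent PID of the top-level process and the explorer/notepad control events are made up.

```python
# Added example: flag a Temp-resident parent that spawns several random-named
# executables from C:\Windows\System\. Event records are constructed; only the
# image paths and PIDs of the dropper and its children come from the report.
import re
from collections import defaultdict

DROPPER = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\2024-06-07_4255859d1910c64892a46db2c71a6145_cobalt-strike_cobaltstrike.exe")
DROPPED = [
    ("LVUxBpM", 3624), ("xEonPre", 1176), ("OeyFlxe", 1804), ("xOrzLHe", 208),
    ("mMomgcf", 4824), ("WobcRnx", 3668), ("MfCoHdg", 4688), ("eyVKxxT", 544),
    ("WPccKzt", 4812), ("TgTWcfc", 3660), ("iYbvcpk", 1688), ("iuqHQns", 4536),
    ("JLupGEA", 5108), ("Jtdrhcd", 2292), ("HCfTmfe", 4504), ("ZcrGNoP", 940),
    ("DfVRHtb", 1496), ("pvRluMw", 740), ("slJLaCF", 636), ("xOYVyGL", 412),
    ("uCSqTCl", 2888),
]

SAMPLE_EVENTS = [{"pid": 556, "ppid": 0, "image": DROPPER}]  # ppid not in the report
SAMPLE_EVENTS += [{"pid": pid, "ppid": 556, "image": "C:\\Windows\\System\\%s.exe" % name}
                  for name, pid in DROPPED]
# Constructed benign control: a shell starting Notepad from System32.
SAMPLE_EVENTS += [{"pid": 1000, "ppid": 900, "image": r"C:\Windows\explorer.exe"},
                  {"pid": 1001, "ppid": 1000, "image": r"C:\Windows\System32\notepad.exe"}]

RANDOM_NAME = re.compile(r"^[A-Za-z]{7}\.exe$")
DROP_DIR = "c:\\windows\\system\\"       # trailing separator excludes System32
TEMP_MARK = "\\appdata\\local\\temp\\"


def dropped_children(events):
    """Map parent PID -> PIDs of children that run from C:\\Windows\\System\\
    under a 7-letter random-looking name."""
    out = defaultdict(list)
    for ev in events:
        image = ev["image"]
        basename = image.rsplit("\\", 1)[-1]
        if image.lower().startswith(DROP_DIR) and RANDOM_NAME.match(basename):
            out[ev["ppid"]].append(ev["pid"])
    return dict(out)


def find_droppers(events, min_children=3):
    """Return {parent_pid: [child pids]} for parents that run from a user Temp
    directory and spawned at least min_children such children."""
    images = {ev["pid"]: ev["image"].lower() for ev in events}
    hits = {}
    for ppid, kids in dropped_children(events).items():
        if len(kids) >= min_children and TEMP_MARK in images.get(ppid, ""):
            hits[ppid] = sorted(kids)
    return hits


if __name__ == "__main__":
    for ppid, kids in find_droppers(SAMPLE_EVENTS).items():
        print("dropper pid %d started %d children from %s" % (ppid, len(kids), DROP_DIR))
```

The min_children threshold is a tuning knob: a single write to C:\Windows\System\ is already worth an alert on most fleets, but requiring several lets the rule stay quiet on one-off installer quirks while still catching this sample within its first few children.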

Network

MITRE ATT&CK Matrix

Downloads

  • C:\Windows\System\Jtdrhcd.exe

    Filesize

    384KB

    MD5

    6207c08555e637186de329c9179e16d9

    SHA1

    09098b1d2cbfb2ab317439f6c4fc0121d5b8f70a

    SHA256

    90e60744ec9da51fba847be626db348bca6bdaf98ac91b116446f5b42433003b

    SHA512

    a17015ce5be9dbe107f45a5361c78d0722d3574d1684f1ab5a78044304a8f13b281179a8bde4be29c0529678da2d8332817db568d46fd1e81541274c1a2a6ea7

  • C:\Windows\System\LVUxBpM.exe

    Filesize

    448KB

    MD5

    0642442db4acbbfb6037e06789624264

    SHA1

    923aee440a6887c7a7a8a78085aa492b2cdcee65

    SHA256

    5d6249e3d37c32c515e6f20e0771180c7b51c791102dfffe39e4510d623eda85

    SHA512

    7fc8231c299b64743a966130c519362217b11d421c0ccc65ca7c97570221449b6e5bd90caefa97b416470db36fac07c3f48ea41836b395ab190e6121598e88a1

  • C:\Windows\System\uCSqTCl.exe

    Filesize

    192KB

    MD5

    4a486a2a371d8db348dc0ad03e9fd9f0

    SHA1

    edd912c5d606628022dc3216eaf2db7c93554ff7

    SHA256

    93ebf2ea35e05e71e9c9884bcb76799c1b9f2b81bf8decfe1ec83807b911916b

    SHA512

    deb1d7cb48c961fa18e748db8dfc9769c6fcedd4b7a26b044181e535fbdb31d7ead7b8ae69fab463473bcf0bbda0affdeecb9deffc51a89c74001f68a98bf60b

  • C:\Windows\System\xEonPre.exe

    Filesize

    128KB

    MD5

    7ce4ba1725e83a50f64ba525f8815dcf

    SHA1

    b1714a2d23cfc42c18c37e1546ac0908d8252c04

    SHA256

    9f7e171000696500dfb6a966f2c3ddf12dc1a77b8276ef660f14f7b7188d2908

    SHA512

    2dff777f276295d96892e5749316e2e8892ba50f8398f9972ecc2f6e5378213e3cdd31c7c6ab8360d3490d1ec9e77be4e73ac137e108b2eddff2feaaf600be19

  • memory/208-26-0x00007FF7FBAA0000-0x00007FF7FBDF4000-memory.dmp

    Filesize

    3.3MB

  • memory/208-146-0x00007FF7FBAA0000-0x00007FF7FBDF4000-memory.dmp

    Filesize

    3.3MB

  • memory/412-142-0x00007FF7A5760000-0x00007FF7A5AB4000-memory.dmp

    Filesize

    3.3MB

  • memory/412-129-0x00007FF7A5760000-0x00007FF7A5AB4000-memory.dmp

    Filesize

    3.3MB

  • memory/412-163-0x00007FF7A5760000-0x00007FF7A5AB4000-memory.dmp

    Filesize

    3.3MB

  • memory/544-114-0x00007FF635A10000-0x00007FF635D64000-memory.dmp

    Filesize

    3.3MB

  • memory/544-49-0x00007FF635A10000-0x00007FF635D64000-memory.dmp

    Filesize

    3.3MB

  • memory/544-150-0x00007FF635A10000-0x00007FF635D64000-memory.dmp

    Filesize

    3.3MB

  • memory/556-1-0x0000026725680000-0x0000026725690000-memory.dmp

    Filesize

    64KB

  • memory/556-62-0x00007FF7CED20000-0x00007FF7CF074000-memory.dmp

    Filesize

    3.3MB

  • memory/556-0-0x00007FF7CED20000-0x00007FF7CF074000-memory.dmp

    Filesize

    3.3MB

  • memory/636-161-0x00007FF7F8710000-0x00007FF7F8A64000-memory.dmp

    Filesize

    3.3MB

  • memory/636-124-0x00007FF7F8710000-0x00007FF7F8A64000-memory.dmp

    Filesize

    3.3MB

  • memory/740-119-0x00007FF62D4B0000-0x00007FF62D804000-memory.dmp

    Filesize

    3.3MB

  • memory/740-160-0x00007FF62D4B0000-0x00007FF62D804000-memory.dmp

    Filesize

    3.3MB

  • memory/940-102-0x00007FF714490000-0x00007FF7147E4000-memory.dmp

    Filesize

    3.3MB

  • memory/940-140-0x00007FF714490000-0x00007FF7147E4000-memory.dmp

    Filesize

    3.3MB

  • memory/940-157-0x00007FF714490000-0x00007FF7147E4000-memory.dmp

    Filesize

    3.3MB

  • memory/1176-144-0x00007FF7C9150000-0x00007FF7C94A4000-memory.dmp

    Filesize

    3.3MB

  • memory/1176-74-0x00007FF7C9150000-0x00007FF7C94A4000-memory.dmp

    Filesize

    3.3MB

  • memory/1176-14-0x00007FF7C9150000-0x00007FF7C94A4000-memory.dmp

    Filesize

    3.3MB

  • memory/1496-141-0x00007FF664240000-0x00007FF664594000-memory.dmp

    Filesize

    3.3MB

  • memory/1496-159-0x00007FF664240000-0x00007FF664594000-memory.dmp

    Filesize

    3.3MB

  • memory/1496-111-0x00007FF664240000-0x00007FF664594000-memory.dmp

    Filesize

    3.3MB

  • memory/1688-135-0x00007FF78E470000-0x00007FF78E7C4000-memory.dmp

    Filesize

    3.3MB

  • memory/1688-154-0x00007FF78E470000-0x00007FF78E7C4000-memory.dmp

    Filesize

    3.3MB

  • memory/1688-68-0x00007FF78E470000-0x00007FF78E7C4000-memory.dmp

    Filesize

    3.3MB

  • memory/1804-86-0x00007FF658BC0000-0x00007FF658F14000-memory.dmp

    Filesize

    3.3MB

  • memory/1804-20-0x00007FF658BC0000-0x00007FF658F14000-memory.dmp

    Filesize

    3.3MB

  • memory/1804-145-0x00007FF658BC0000-0x00007FF658F14000-memory.dmp

    Filesize

    3.3MB

  • memory/2292-155-0x00007FF75A2C0000-0x00007FF75A614000-memory.dmp

    Filesize

    3.3MB

  • memory/2292-90-0x00007FF75A2C0000-0x00007FF75A614000-memory.dmp

    Filesize

    3.3MB

  • memory/2888-136-0x00007FF6C7720000-0x00007FF6C7A74000-memory.dmp

    Filesize

    3.3MB

  • memory/2888-162-0x00007FF6C7720000-0x00007FF6C7A74000-memory.dmp

    Filesize

    3.3MB

  • memory/3624-8-0x00007FF6FCD70000-0x00007FF6FD0C4000-memory.dmp

    Filesize

    3.3MB

  • memory/3624-67-0x00007FF6FCD70000-0x00007FF6FD0C4000-memory.dmp

    Filesize

    3.3MB

  • memory/3624-143-0x00007FF6FCD70000-0x00007FF6FD0C4000-memory.dmp

    Filesize

    3.3MB

  • memory/3660-66-0x00007FF772670000-0x00007FF7729C4000-memory.dmp

    Filesize

    3.3MB

  • memory/3660-152-0x00007FF772670000-0x00007FF7729C4000-memory.dmp

    Filesize

    3.3MB

  • memory/3668-148-0x00007FF7E71E0000-0x00007FF7E7534000-memory.dmp

    Filesize

    3.3MB

  • memory/3668-39-0x00007FF7E71E0000-0x00007FF7E7534000-memory.dmp

    Filesize

    3.3MB

  • memory/3668-105-0x00007FF7E71E0000-0x00007FF7E7534000-memory.dmp

    Filesize

    3.3MB

  • memory/4504-139-0x00007FF7D6990000-0x00007FF7D6CE4000-memory.dmp

    Filesize

    3.3MB

  • memory/4504-158-0x00007FF7D6990000-0x00007FF7D6CE4000-memory.dmp

    Filesize

    3.3MB

  • memory/4504-94-0x00007FF7D6990000-0x00007FF7D6CE4000-memory.dmp

    Filesize

    3.3MB

  • memory/4536-137-0x00007FF7773A0000-0x00007FF7776F4000-memory.dmp

    Filesize

    3.3MB

  • memory/4536-78-0x00007FF7773A0000-0x00007FF7776F4000-memory.dmp

    Filesize

    3.3MB

  • memory/4536-153-0x00007FF7773A0000-0x00007FF7776F4000-memory.dmp

    Filesize

    3.3MB

  • memory/4688-149-0x00007FF60A7B0000-0x00007FF60AB04000-memory.dmp

    Filesize

    3.3MB

  • memory/4688-44-0x00007FF60A7B0000-0x00007FF60AB04000-memory.dmp

    Filesize

    3.3MB

  • memory/4812-55-0x00007FF6715B0000-0x00007FF671904000-memory.dmp

    Filesize

    3.3MB

  • memory/4812-151-0x00007FF6715B0000-0x00007FF671904000-memory.dmp

    Filesize

    3.3MB

  • memory/4812-123-0x00007FF6715B0000-0x00007FF671904000-memory.dmp

    Filesize

    3.3MB

  • memory/4824-147-0x00007FF65EE10000-0x00007FF65F164000-memory.dmp

    Filesize

    3.3MB

  • memory/4824-99-0x00007FF65EE10000-0x00007FF65F164000-memory.dmp

    Filesize

    3.3MB

  • memory/4824-32-0x00007FF65EE10000-0x00007FF65F164000-memory.dmp

    Filesize

    3.3MB

  • memory/5108-89-0x00007FF663450000-0x00007FF6637A4000-memory.dmp

    Filesize

    3.3MB

  • memory/5108-138-0x00007FF663450000-0x00007FF6637A4000-memory.dmp

    Filesize

    3.3MB

  • memory/5108-156-0x00007FF663450000-0x00007FF6637A4000-memory.dmp

    Filesize

    3.3MB
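Every dump entry above is named after the PID and the start and end address of the region. Subtracting the two gives the same 0x354000 bytes (3.3MB) for the parent and for every one of the 21 children, each at its own ASLR base, while the same children are only 128KB to 448KB on disk under Downloads. That 7x to 27x expansion is what a compressed (UPX) image looks like once unpacked in place, and the identical size across all children points at one embedded payload, which the signatures identify as XMRig. The script below is an added example, not sandbox code: it parses a subset of the dump names copied from this report (one or two per PID) and the rounded on-disk sizes listed under Downloads, and derives those figures.

```python
# Added example: derive in-memory image sizes from the sandbox dump names and
# compare them with on-disk sizes. Dump names are copied from this report (a
# subset); disk sizes are the rounded figures from the Downloads section.
import re
from collections import defaultdict

DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

SAMPLE_DUMPS = [
    "memory/556-0-0x00007FF7CED20000-0x00007FF7CF074000-memory.dmp",
    "memory/556-1-0x0000026725680000-0x0000026725690000-memory.dmp",
    "memory/3624-8-0x00007FF6FCD70000-0x00007FF6FD0C4000-memory.dmp",
    "memory/1176-14-0x00007FF7C9150000-0x00007FF7C94A4000-memory.dmp",
    "memory/208-26-0x00007FF7FBAA0000-0x00007FF7FBDF4000-memory.dmp",
    "memory/2292-90-0x00007FF75A2C0000-0x00007FF75A614000-memory.dmp",
    "memory/2888-136-0x00007FF6C7720000-0x00007FF6C7A74000-memory.dmp",
    "memory/412-163-0x00007FF7A5760000-0x00007FF7A5AB4000-memory.dmp",
]

# Rounded on-disk sizes from Downloads, keyed by the PID that ran each file:
# LVUxBpM.exe 448KB, xEonPre.exe 128KB, Jtdrhcd.exe 384KB, uCSqTCl.exe 192KB.
DISK_SIZES = {3624: 448 * 1024, 1176: 128 * 1024, 2292: 384 * 1024, 2888: 192 * 1024}


def parse_dump(name):
    """Split a dump name into pid, sequence number, start, end and size."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError("not a sandbox dump name: %r" % name)
    pid, seq, start, end = m.groups()
    start, end = int(start, 16), int(end, 16)
    return {"pid": int(pid), "seq": int(seq), "start": start, "end": end, "size": end - start}


def regions_by_pid(names):
    """{pid: {(start, size), ...}}; repeated dumps of one region collapse to one entry."""
    out = defaultdict(set)
    for d in map(parse_dump, names):
        out[d["pid"]].add((d["start"], d["size"]))
    return dict(out)


def shared_image_size(names):
    """Largest region size present in every PID, or None if the PIDs share none."""
    per_pid = [{size for _, size in regs} for regs in regions_by_pid(names).values()]
    common = set.intersection(*per_pid) if per_pid else set()
    return max(common) if common else None


def expansion_ratios(names, disk_sizes):
    """Shared in-memory image size divided by on-disk file size, per known PID."""
    image = shared_image_size(names)
    if image is None:
        return {}
    return {pid: image / disk for pid, disk in disk_sizes.items()}


if __name__ == "__main__":
    print("shared image size: 0x%X" % shared_image_size(SAMPLE_DUMPS))
    for pid, ratio in sorted(expansion_ratios(SAMPLE_DUMPS, DISK_SIZES).items()):
        print("pid %d: %.1fx larger in memory than on disk" % (pid, ratio))
```

The second region in PID 556 (0x10000 bytes) is a separate allocation, not part of the image, which is why shared_image_size works on the intersection of sizes across PIDs instead of taking each PID's largest dump. Repeated dumps of one region (three per PID in the full list) are the sandbox capturing the same mapping at different times; the set collapses them.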