Analysis

  • max time kernel
    135s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    07-06-2024 01:27

General

  • Target

    2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe

  • Size

    5.9MB

  • MD5

    43e581d2add9eafd3d8e055b1642febe

  • SHA1

    008bc787b5bc4e86295cad69007d86e8881bb3a8

  • SHA256

    49c290d36105bc1b692bc5161866e963c6210b67b6787f6ba34e0ac303b6a80c

  • SHA512

    b842da622bc30957a4114c16c8f6c5991f26959411faa0c61a695475ac41475fb14404a873339876c83352678c7bb39ffc440be54740b3b6eae88e25f46c41e7

  • SSDEEP

    98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUQ:Q+856utgpPF8u/7Q

Malware Config

Signatures

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • UPX dump on OEP (original entry point) 29 IoCs
  • XMRig Miner payload 48 IoCs
  • Executes dropped EXE 21 IoCs
  • Loads dropped DLL 21 IoCs
  • UPX packed file 49 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 63 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2240
    • C:\Windows\System\plnbMBN.exe
      C:\Windows\System\plnbMBN.exe
      2⤵
      • Executes dropped EXE
      PID:1072
    • C:\Windows\System\qlWioWI.exe
      C:\Windows\System\qlWioWI.exe
      2⤵
      • Executes dropped EXE
      PID:2744
    • C:\Windows\System\aPMoWoQ.exe
      C:\Windows\System\aPMoWoQ.exe
      2⤵
      • Executes dropped EXE
      PID:2896
    • C:\Windows\System\viqZqXT.exe
      C:\Windows\System\viqZqXT.exe
      2⤵
      • Executes dropped EXE
      PID:2512
    • C:\Windows\System\xZKUoEO.exe
      C:\Windows\System\xZKUoEO.exe
      2⤵
      • Executes dropped EXE
      PID:2628
    • C:\Windows\System\bgacZLK.exe
      C:\Windows\System\bgacZLK.exe
      2⤵
      • Executes dropped EXE
      PID:2656
    • C:\Windows\System\kVCvaOY.exe
      C:\Windows\System\kVCvaOY.exe
      2⤵
      • Executes dropped EXE
      PID:2148
    • C:\Windows\System\YJzyvhe.exe
      C:\Windows\System\YJzyvhe.exe
      2⤵
      • Executes dropped EXE
      PID:1760
    • C:\Windows\System\brWaMmK.exe
      C:\Windows\System\brWaMmK.exe
      2⤵
      • Executes dropped EXE
      PID:2724
    • C:\Windows\System\cejEZIz.exe
      C:\Windows\System\cejEZIz.exe
      2⤵
      • Executes dropped EXE
      PID:2528
    • C:\Windows\System\SONQKWN.exe
      C:\Windows\System\SONQKWN.exe
      2⤵
      • Executes dropped EXE
      PID:2368
    • C:\Windows\System\nbumVaJ.exe
      C:\Windows\System\nbumVaJ.exe
      2⤵
      • Executes dropped EXE
      PID:1672
    • C:\Windows\System\PxjSrtP.exe
      C:\Windows\System\PxjSrtP.exe
      2⤵
      • Executes dropped EXE
      PID:456
    • C:\Windows\System\nEqzteT.exe
      C:\Windows\System\nEqzteT.exe
      2⤵
      • Executes dropped EXE
      PID:2640
    • C:\Windows\System\fbTAGhe.exe
      C:\Windows\System\fbTAGhe.exe
      2⤵
      • Executes dropped EXE
      PID:2564
    • C:\Windows\System\liWZxVO.exe
      C:\Windows\System\liWZxVO.exe
      2⤵
      • Executes dropped EXE
      PID:1488
    • C:\Windows\System\UEoFWja.exe
      C:\Windows\System\UEoFWja.exe
      2⤵
      • Executes dropped EXE
      PID:1904
    • C:\Windows\System\ALYGqcZ.exe
      C:\Windows\System\ALYGqcZ.exe
      2⤵
      • Executes dropped EXE
      PID:1128
    • C:\Windows\System\JsmAhjn.exe
      C:\Windows\System\JsmAhjn.exe
      2⤵
      • Executes dropped EXE
      PID:1920
    • C:\Windows\System\UcKimEK.exe
      C:\Windows\System\UcKimEK.exe
      2⤵
      • Executes dropped EXE
      PID:1824
    • C:\Windows\System\RMlvkRq.exe
      C:\Windows\System\RMlvkRq.exe
      2⤵
      • Executes dropped EXE
      PID:2040

Network

MITRE ATT&CK Matrix

Downloads

  • C:\Windows\system\SONQKWN.exe

    Filesize

    5.3MB

    MD5

    e8c4508a392ccf08590d3627a36cc3c3

    SHA1

    3a57dd6c92ebc54582acaafd15cc9311eb0d15a2

    SHA256

    cea51cc96156d8e8255e2ccada29ae7300a3315f995e7ba6d44446f87dc9a09d

    SHA512

    f92387e78f5fe98543d9e60ae371868a188c86c9137b7d0a0d3bf28026dbd3fc59a4eb30687c1a9721f81959fcdee80d280162f492d355d2ec0e6a7c5d939410

  • C:\Windows\system\UEoFWja.exe

    Filesize

    5.9MB

    MD5

    f6cdfb3d88537b367792cbd894bd98ed

    SHA1

    3d3f99c94c72c456dffcf949bc5d30603a7e936c

    SHA256

    05dd3d926d8f7a6b3411e38a31ef4f8229eb7d780b830e3fca3bbab5124eef86

    SHA512

    0da483abd45f0fc31271e46184ea3a074b58fa3e0dc6bb0072318eee13b5c0ffc1280f1aa582bb4e78cf8a2c355408182d9725282b3a73e6e2dadc9f4f43faa3

  • C:\Windows\system\YJzyvhe.exe

    Filesize

    2.1MB

    MD5

    2543c4760bd9af7f70b7834411ab61af

    SHA1

    ed963cb76a076b222f6cdae99e8563d4444f6351

    SHA256

    c5992c95fef0e281d0ce0d741b02048e13663a833b3e0a3351e4871cc0042001

    SHA512

    37d8c491a184de94728c08add4a199f5cd8ae60d7cd02c39ad185a2859dd5e731e72c9b8cd0fd70525b0b413284ba12790037144a49d111203eb80cb9afcba56

  • C:\Windows\system\aPMoWoQ.exe

    Filesize

    2.3MB

    MD5

    9d367348bc2b0a338371873ab92b5ce0

    SHA1

    7f656575ff1e475fc391f43341a8d5f4ac819b19

    SHA256

    54a48f3a9df4f2d2df5308f04d9bbc5bfb754b7f4236b7d31d49f71134f2b309

    SHA512

    8ea158cb453b86b762270e2cebce91cbe9a0e8b60ddc4e0fb3c531068e04df9f568fe69f34e169c5bdf6255c4c79c801e5f4b3c040f45ef12c24211a5d1dd454

  • C:\Windows\system\brWaMmK.exe

    Filesize

    1.1MB

    MD5

    cefe7ebbcbdc6a5e5023e2ad8530b25b

    SHA1

    6e0d7ab1a6ddd7ee739d050791a70816c80e15a8

    SHA256

    6ab2207c199b9f50a07b7695194b47a621541e0d37d9b22f0438e67dcb93d475

    SHA512

    93f98af6631d01c751345fac9f47be26cfbc75dd9db0dd1fbd6fa2e5834aa5211f8d199ade4392a702dd45e08ec6d96b6b5fac0e6e70a1f9a03484c2b65fa844

  • C:\Windows\system\kVCvaOY.exe

    Filesize

    2.8MB

    MD5

    7ca4c7d08ec840a69d3101c638d4b72f

    SHA1

    9a0bd3c709f755b63121fadc936f446aec1e7ee6

    SHA256

    ad375c6a067690acfdb9ba070a3a7e26450ca7423af526c703ce192d7173f7e7

    SHA512

    93ae69558c6397f1d10b68fc7e156b1c23dffe4348c43264d4d2484e88db3346ef1d13b6b607cc291558edc2cbc35a0667021d52c5cf7e17eeb41ed495e23c3b

  • C:\Windows\system\viqZqXT.exe

    Filesize

    5.4MB

    MD5

    8003c8ca1c6255c4a9df50b61d369786

    SHA1

    ef521c59d5519424152618453d9a1ec413a267cf

    SHA256

    caa068826195e26df36f4f536e4c6574635de1b7a9a02c85ee8ca5d8d8224bf8

    SHA512

    0384a1e885e5629a148689a8b4027e18c5b2d083fe94b00bac0956a112bba29ab292c390c9a09436cf2e74109a83853e787b70a1e1be9d9ef015a376f3eba795

  • \Windows\system\ALYGqcZ.exe

    Filesize

    1.9MB

    MD5

    0b1dc771469fa6753e7aace834956918

    SHA1

    ab392eb1cb5fc16a55a2c41b7c5a6d56cfdeced7

    SHA256

    60a5948084400707991c40b4413636168d0f0501efbc67fab461d4937de55fb6

    SHA512

    6ff29d03eaaae06a15e3efe1ea402940d3f7a6e2ebae2266481a1a80576dd91702b1cbddedd5f74c67cdfdf217582f180323fa66c29c2525747039f60c34ba60

  • \Windows\system\RMlvkRq.exe

    Filesize

    5.8MB

    MD5

    984a8cf637fc9f46a5be1646493a183b

    SHA1

    eff3045fcb5d0b4a9321004fdd3e94f3f336f5af

    SHA256

    0d4a824efda706db87b77805c320758f4772451fa0404efc091a4e3040c61068

    SHA512

    f10e98d33b97922d86b629662f92ca9b0747603db9cee26627e84885ca9797232c0f5349bf7b35b6812a24bc6e60bd825c6020365d2a762c823adc6158a78b7d

  • \Windows\system\YJzyvhe.exe

    Filesize

    512KB

    MD5

    6b5887af4274a78686a788865765637c

    SHA1

    5afc15e6fcbc11377bbabbda47ff43f6ebedd369

    SHA256

    ecdfed9bc02368fefbebe0d02090e93826b7e5cc1043e339dd245299c8b23006

    SHA512

    4f563e539f8ec68bbc27d4cc59c42ea4897bb131085e08433f745cc558ab7a030701a601ddb711cda19dfa6cd9086b458fb74762092be15aaa4190c05134d077

  • \Windows\system\aPMoWoQ.exe

    Filesize

    1.2MB

    MD5

    711965c0ed770375b388ea9b5ea57c70

    SHA1

    21f7ffc0c96b29ee6bc8176dc97f6fd049d110a2

    SHA256

    c07d701eb04ab4f8699484a3bd23da869373ffe5abb89855dad47bf019625666

    SHA512

    1805d8628649a043140bc3aafe1e7909e2e2c4d13967ba772fc49046b58f359c9204953c678c902e0a7afe7ca922f35fcfea6266309db91efb45c72ff619c428

  • \Windows\system\cejEZIz.exe

    Filesize

    4.3MB

    MD5

    182702f8c189f2105671b3b193ea01bd

    SHA1

    5cbe4a492c7f661166b4ece7955c0ec73fadc31d

    SHA256

    a26e7690e7bc3ea344b69a7055744b04ab0a6a6f5efc215cd98698c2786c3f7f

    SHA512

    81af6029078315813c434ae562db848bfccfd0ce021093ded729c0431bbbdfab770bb5cf5e5e10bac76b9afc8886a0732e92ae0912c9dff147628a2530f045d1

  • \Windows\system\kVCvaOY.exe

    Filesize

    448KB

    MD5

    0642442db4acbbfb6037e06789624264

    SHA1

    923aee440a6887c7a7a8a78085aa492b2cdcee65

    SHA256

    5d6249e3d37c32c515e6f20e0771180c7b51c791102dfffe39e4510d623eda85

    SHA512

    7fc8231c299b64743a966130c519362217b11d421c0ccc65ca7c97570221449b6e5bd90caefa97b416470db36fac07c3f48ea41836b395ab190e6121598e88a1

  • \Windows\system\nEqzteT.exe

    Filesize

    2.0MB

    MD5

    ce95ecfd82cad989d07f01bb5a4e0e62

    SHA1

    9c404e62c6a147d88e2c4214a4a0c1206972e9c1

    SHA256

    593e7bd118d819d8e39ef2651ab132601260307c705634ada0a2db317b292576

    SHA512

    c2ff795a22229b7c15805b1e961a5dfe271dec3d9731c58be06511c88be95cff0caaac2a29a6db9c14604bb11c8d799f874a0f83a490e055a4995d26515db084

  • \Windows\system\plnbMBN.exe

    Filesize

    1.8MB

    MD5

    4ebd1901e669a14d40cee031fd206e82

    SHA1

    48b4d9303ce77228a3ead5a9a71386291542a98f

    SHA256

    877be2224a2b649da5f78203ecb3453feb6fa6bbbc2d6c8d511c50eacb8915e1

    SHA512

    c4c64ecded98a2388cd280fbf03b1c4943ae108cca32936b19ec1dc9b1e2275f8c7fb5cb86b3ef39ae05d629ddb91ee9822452b1bc6582399603f35642ecf087

  • \Windows\system\qlWioWI.exe

    Filesize

    2.1MB

    MD5

    fbb6a602f644dbf57142122f30692c9a

    SHA1

    8158aaa7168744874ea387599d6d2cead21e28a3

    SHA256

    3ededef3bd2586830b0a8597cb8ce36b4909b0421f6d3ed699083dfd6f8c0a7d

    SHA512

    594ad340712d040831c50ecaffbc2dabd957ed3d1d45fbdcb2c0a001df0ecad88502ea7ae79d922d80e7ca9a296427129145281a618e70a75857e869e5c45bfe

  • \Windows\system\xZKUoEO.exe

    Filesize

    2.7MB

    MD5

    93bacfc3d845f374627b012c3a61a1e5

    SHA1

    f08219d5f19196fbc7a3a1e7ffbfb44e344c21ae

    SHA256

    4fd1d5231f529c0710d6a6cd40036ebe10563700b5f25c50aacacf0ccbeb0b9d

    SHA512

    63e909e0f694f7072b09c22815e6279a7448ff3ee9b219e1f03fa23b70411a9de5cd54205f2b9fac218aee1fe5bb1761b1d6308bcade318f7b85c7b720112b83

  • memory/456-150-0x000000013FF30000-0x0000000140284000-memory.dmp

    Filesize

    3.3MB

  • memory/456-91-0x000000013FF30000-0x0000000140284000-memory.dmp

    Filesize

    3.3MB

  • memory/1072-13-0x000000013F540000-0x000000013F894000-memory.dmp

    Filesize

    3.3MB

  • memory/1072-138-0x000000013F540000-0x000000013F894000-memory.dmp

    Filesize

    3.3MB

  • memory/1672-89-0x000000013FF40000-0x0000000140294000-memory.dmp

    Filesize

    3.3MB

  • memory/1672-149-0x000000013FF40000-0x0000000140294000-memory.dmp

    Filesize

    3.3MB

  • memory/1760-76-0x000000013F830000-0x000000013FB84000-memory.dmp

    Filesize

    3.3MB

  • memory/1760-144-0x000000013F830000-0x000000013FB84000-memory.dmp

    Filesize

    3.3MB

  • memory/2148-145-0x000000013F8D0000-0x000000013FC24000-memory.dmp

    Filesize

    3.3MB

  • memory/2148-70-0x000000013F8D0000-0x000000013FC24000-memory.dmp

    Filesize

    3.3MB

  • memory/2240-86-0x000000013FFA0000-0x00000001402F4000-memory.dmp

    Filesize

    3.3MB

  • memory/2240-134-0x000000013F190000-0x000000013F4E4000-memory.dmp

    Filesize

    3.3MB

  • memory/2240-1-0x0000000000300000-0x0000000000310000-memory.dmp

    Filesize

    64KB

  • memory/2240-25-0x0000000002230000-0x0000000002584000-memory.dmp

    Filesize

    3.3MB

  • memory/2240-67-0x000000013F8D0000-0x000000013FC24000-memory.dmp

    Filesize

    3.3MB

  • memory/2240-97-0x000000013FED0000-0x0000000140224000-memory.dmp

    Filesize

    3.3MB

  • memory/2240-51-0x000000013F650000-0x000000013F9A4000-memory.dmp

    Filesize

    3.3MB

  • memory/2240-61-0x000000013F510000-0x000000013F864000-memory.dmp

    Filesize

    3.3MB

  • memory/2240-136-0x0000000002230000-0x0000000002584000-memory.dmp

    Filesize

    3.3MB

  • memory/2240-124-0x000000013F6F0000-0x000000013FA44000-memory.dmp

    Filesize

    3.3MB

  • memory/2240-90-0x000000013FF30000-0x0000000140284000-memory.dmp

    Filesize

    3.3MB

  • memory/2240-0-0x000000013F190000-0x000000013F4E4000-memory.dmp

    Filesize

    3.3MB

  • memory/2240-85-0x000000013FBA0000-0x000000013FEF4000-memory.dmp

    Filesize

    3.3MB

  • memory/2240-88-0x000000013FF40000-0x0000000140294000-memory.dmp

    Filesize

    3.3MB

  • memory/2240-77-0x000000013FB60000-0x000000013FEB4000-memory.dmp

    Filesize

    3.3MB

  • memory/2240-8-0x000000013F540000-0x000000013F894000-memory.dmp

    Filesize

    3.3MB

  • memory/2240-74-0x000000013F830000-0x000000013FB84000-memory.dmp

    Filesize

    3.3MB

  • memory/2368-87-0x000000013FFA0000-0x00000001402F4000-memory.dmp

    Filesize

    3.3MB

  • memory/2368-148-0x000000013FFA0000-0x00000001402F4000-memory.dmp

    Filesize

    3.3MB

  • memory/2512-141-0x000000013F650000-0x000000013F9A4000-memory.dmp

    Filesize

    3.3MB

  • memory/2512-27-0x000000013F650000-0x000000013F9A4000-memory.dmp

    Filesize

    3.3MB

  • memory/2512-137-0x000000013F650000-0x000000013F9A4000-memory.dmp

    Filesize

    3.3MB

  • memory/2528-81-0x000000013F030000-0x000000013F384000-memory.dmp

    Filesize

    3.3MB

  • memory/2528-146-0x000000013F030000-0x000000013F384000-memory.dmp

    Filesize

    3.3MB

  • memory/2628-142-0x000000013FBA0000-0x000000013FEF4000-memory.dmp

    Filesize

    3.3MB

  • memory/2628-60-0x000000013FBA0000-0x000000013FEF4000-memory.dmp

    Filesize

    3.3MB

  • memory/2640-111-0x000000013FED0000-0x0000000140224000-memory.dmp

    Filesize

    3.3MB

  • memory/2640-151-0x000000013FED0000-0x0000000140224000-memory.dmp

    Filesize

    3.3MB

  • memory/2656-143-0x000000013F510000-0x000000013F864000-memory.dmp

    Filesize

    3.3MB

  • memory/2656-65-0x000000013F510000-0x000000013F864000-memory.dmp

    Filesize

    3.3MB

  • memory/2724-147-0x000000013FB60000-0x000000013FEB4000-memory.dmp

    Filesize

    3.3MB

  • memory/2724-80-0x000000013FB60000-0x000000013FEB4000-memory.dmp

    Filesize

    3.3MB

  • memory/2744-139-0x000000013F4B0000-0x000000013F804000-memory.dmp

    Filesize

    3.3MB

  • memory/2744-15-0x000000013F4B0000-0x000000013F804000-memory.dmp

    Filesize

    3.3MB

  • memory/2744-135-0x000000013F4B0000-0x000000013F804000-memory.dmp

    Filesize

    3.3MB

  • memory/2896-140-0x000000013F340000-0x000000013F694000-memory.dmp

    Filesize

    3.3MB

  • memory/2896-28-0x000000013F340000-0x000000013F694000-memory.dmp

    Filesize

    3.3MB