Analysis
- max time kernel: 135s
- max time network: 151s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 07-06-2024 01:27
Behavioral task: behavioral1
- Sample: 2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe
- Resource: win7-20240221-en
General
- Target: 2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe
- Size: 5.9MB
- MD5: 43e581d2add9eafd3d8e055b1642febe
- SHA1: 008bc787b5bc4e86295cad69007d86e8881bb3a8
- SHA256: 49c290d36105bc1b692bc5161866e963c6210b67b6787f6ba34e0ac303b6a80c
- SHA512: b842da622bc30957a4114c16c8f6c5991f26959411faa0c61a695475ac41475fb14404a873339876c83352678c7bb39ffc440be54740b3b6eae88e25f46c41e7
- SSDEEP: 98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUQ:Q+856utgpPF8u/7Q
Malware Config
Signatures
- Cobaltstrike: Detected malicious payload which is part of Cobaltstrike.
- UPX dump on OEP (original entry point), 29 IoCs: yara rule UPX matched on the dropped executables under C:\Windows\system and on memory dumps of the dropped processes.
- XMRig Miner payload, 48 IoCs: yara rule xmrig matched on the sample's own memory (PID 2240), on the dropped executables under C:\Windows\system and on memory dumps of the dropped processes.
- Executes dropped EXE, 21 IoCs (pid process): 1072 plnbMBN.exe, 2744 qlWioWI.exe, 2896 aPMoWoQ.exe, 2512 viqZqXT.exe, 2628 xZKUoEO.exe, 2656 bgacZLK.exe, 2148 kVCvaOY.exe, 1760 YJzyvhe.exe, 2724 brWaMmK.exe, 2528 cejEZIz.exe, 2368 SONQKWN.exe, 1672 nbumVaJ.exe, 456 PxjSrtP.exe, 2640 nEqzteT.exe, 2564 fbTAGhe.exe, 1488 liWZxVO.exe, 1904 UEoFWja.exe, 1128 ALYGqcZ.exe, 1920 JsmAhjn.exe, 2040 RMlvkRq.exe, 1824 UcKimEK.exe
- Loads dropped DLL, 21 IoCs (pid process): 2240 2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe (21 identical entries)
- yara rule upx matched on the sample's own memory (PID 2240), on the dropped executables under C:\Windows\system and on memory dumps of the dropped processes.
- Drops file in Windows directory, 21 IoCs: files created by 2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe in C:\Windows\System\: plnbMBN.exe, YJzyvhe.exe, PxjSrtP.exe, nEqzteT.exe, cejEZIz.exe, nbumVaJ.exe, fbTAGhe.exe, SONQKWN.exe, liWZxVO.exe, UEoFWja.exe, ALYGqcZ.exe, xZKUoEO.exe, bgacZLK.exe, kVCvaOY.exe, brWaMmK.exe, JsmAhjn.exe, RMlvkRq.exe, qlWioWI.exe, aPMoWoQ.exe, viqZqXT.exe, UcKimEK.exe
- Suspicious use of AdjustPrivilegeToken, 2 IoCs (description pid process): Token: SeLockMemoryPrivilege 2240 2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe (2 identical entries)
- Suspicious use of WriteProcessMemory, 63 IoCs: PID 2240 (2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe) wrote to the memory of each dropped executable, three entries per target (target pid, target process): 1072 plnbMBN.exe, 2744 qlWioWI.exe, 2896 aPMoWoQ.exe, 2512 viqZqXT.exe, 2628 xZKUoEO.exe, 2656 bgacZLK.exe, 2148 kVCvaOY.exe, 1760 YJzyvhe.exe, 2724 brWaMmK.exe, 2528 cejEZIz.exe, 2368 SONQKWN.exe, 1672 nbumVaJ.exe, 456 PxjSrtP.exe, 2640 nEqzteT.exe, 2564 fbTAGhe.exe, 1488 liWZxVO.exe, 1904 UEoFWja.exe, 1128 ALYGqcZ.exe, 1920 JsmAhjn.exe, 1824 UcKimEK.exe, 2040 RMlvkRq.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe (PID 2240), command line "C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe"
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System\plnbMBN.exe (PID 1072): Executes dropped EXE
  - C:\Windows\System\qlWioWI.exe (PID 2744): Executes dropped EXE
  - C:\Windows\System\aPMoWoQ.exe (PID 2896): Executes dropped EXE
  - C:\Windows\System\viqZqXT.exe (PID 2512): Executes dropped EXE
  - C:\Windows\System\xZKUoEO.exe (PID 2628): Executes dropped EXE
  - C:\Windows\System\bgacZLK.exe (PID 2656): Executes dropped EXE
  - C:\Windows\System\kVCvaOY.exe (PID 2148): Executes dropped EXE
  - C:\Windows\System\YJzyvhe.exe (PID 1760): Executes dropped EXE
  - C:\Windows\System\brWaMmK.exe (PID 2724): Executes dropped EXE
  - C:\Windows\System\cejEZIz.exe (PID 2528): Executes dropped EXE
  - C:\Windows\System\SONQKWN.exe (PID 2368): Executes dropped EXE
  - C:\Windows\System\nbumVaJ.exe (PID 1672): Executes dropped EXE
  - C:\Windows\System\PxjSrtP.exe (PID 456): Executes dropped EXE
  - C:\Windows\System\nEqzteT.exe (PID 2640): Executes dropped EXE
  - C:\Windows\System\fbTAGhe.exe (PID 2564): Executes dropped EXE
  - C:\Windows\System\liWZxVO.exe (PID 1488): Executes dropped EXE
  - C:\Windows\System\UEoFWja.exe (PID 1904): Executes dropped EXE
  - C:\Windows\System\ALYGqcZ.exe (PID 1128): Executes dropped EXE
  - C:\Windows\System\JsmAhjn.exe (PID 1920): Executes dropped EXE
  - C:\Windows\System\UcKimEK.exe (PID 1824): Executes dropped EXE
  - C:\Windows\System\RMlvkRq.exe (PID 2040): Executes dropped EXE
Network
MITRE ATT&CK Matrix
Downloads