Analysis
- max time kernel: 145s
- max time network: 158s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
- submitted: 07-06-2024 01:32
Behavioral task
- behavioral1
- Sample: 2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe
- Resource: win7-20240508-en
General
- Target: 2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe
- Size: 5.9MB
- MD5: 8dae92c0a623158ab5baf9c21b6b47c4
- SHA1: 1d592bc0b6f9b0a40c0e5f0af21e4af605f16ccb
- SHA256: fade6579c5745e148923498b5e2be690a2c45c444e5e664164c4d0208beba1eb
- SHA512: 33d5bf8612c4e952d52f25a90ed43d3899c372b8cc409a147e739bac9309e33465c59288ddab2bb9e5238cd05d775e5c3755a7595c7c8ee6ce8315544aa5a10e
- SSDEEP: 98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUb:Q+856utgpPF8u/7b
Malware Config
Signatures
-
UPX dump on OEP (original entry point) 49 IoCs
XMRig Miner payload 64 IoCs
Executes dropped EXE 21 IoCs
Drops file in Windows directory 21 IoCs
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
- Token: SeLockMemoryPrivilege, PID 380, process 2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe
- Token: SeLockMemoryPrivilege, PID 380, process 2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe
Suspicious use of WriteProcessMemory 42 IoCs
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe (PID 380, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe"
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes (depth 2), each flagged "Executes dropped EXE"; the command line of each is identical to its path:
  - C:\Windows\System\FodKnOO.exe (PID 4564)
  - C:\Windows\System\VjsRYph.exe (PID 1704)
  - C:\Windows\System\TqLzuBR.exe (PID 2480)
  - C:\Windows\System\pNDjMww.exe (PID 3616)
  - C:\Windows\System\JIHZaQQ.exe (PID 456)
  - C:\Windows\System\NEFBrTR.exe (PID 3784)
  - C:\Windows\System\OxWHUpC.exe (PID 3236)
  - C:\Windows\System\ROeYSOG.exe (PID 3648)
  - C:\Windows\System\urJcNrT.exe (PID 4064)
  - C:\Windows\System\fMedKPU.exe (PID 4004)
  - C:\Windows\System\HmKhZNa.exe (PID 1340)
  - C:\Windows\System\oCjEIKQ.exe (PID 3144)
  - C:\Windows\System\wPlJqdW.exe (PID 2812)
  - C:\Windows\System\xuSsqqM.exe (PID 1388)
  - C:\Windows\System\fZRvYYZ.exe (PID 2092)
  - C:\Windows\System\wzbSNQU.exe (PID 2168)
  - C:\Windows\System\oGtRknr.exe (PID 3056)
  - C:\Windows\System\NNybTjL.exe (PID 2596)
  - C:\Windows\System\APotKmh.exe (PID 3700)
  - C:\Windows\System\UVWmlrf.exe (PID 4712)
  - C:\Windows\System\ryaFRvh.exe (PID 2876)
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3396, depth 1)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3700 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8
Downloads