Analysis

  • max time kernel
    145s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07-06-2024 01:32

General

  • Target

    2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe

  • Size

    5.9MB

  • MD5

    8dae92c0a623158ab5baf9c21b6b47c4

  • SHA1

    1d592bc0b6f9b0a40c0e5f0af21e4af605f16ccb

  • SHA256

    fade6579c5745e148923498b5e2be690a2c45c444e5e664164c4d0208beba1eb

  • SHA512

    33d5bf8612c4e952d52f25a90ed43d3899c372b8cc409a147e739bac9309e33465c59288ddab2bb9e5238cd05d775e5c3755a7595c7c8ee6ce8315544aa5a10e

  • SSDEEP

    98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUb:Q+856utgpPF8u/7b

Score
10/10

Malware Config

Signatures

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • UPX dump on OEP (original entry point) 49 IoCs
  • XMRig Miner payload 64 IoCs
  • Executes dropped EXE 21 IoCs
  • UPX packed file 64 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-07_8dae92c0a623158ab5baf9c21b6b47c4_cobalt-strike_cobaltstrike.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:380
    • C:\Windows\System\FodKnOO.exe
      C:\Windows\System\FodKnOO.exe
      2⤵
      • Executes dropped EXE
      PID:4564
    • C:\Windows\System\VjsRYph.exe
      C:\Windows\System\VjsRYph.exe
      2⤵
      • Executes dropped EXE
      PID:1704
    • C:\Windows\System\TqLzuBR.exe
      C:\Windows\System\TqLzuBR.exe
      2⤵
      • Executes dropped EXE
      PID:2480
    • C:\Windows\System\pNDjMww.exe
      C:\Windows\System\pNDjMww.exe
      2⤵
      • Executes dropped EXE
      PID:3616
    • C:\Windows\System\JIHZaQQ.exe
      C:\Windows\System\JIHZaQQ.exe
      2⤵
      • Executes dropped EXE
      PID:456
    • C:\Windows\System\NEFBrTR.exe
      C:\Windows\System\NEFBrTR.exe
      2⤵
      • Executes dropped EXE
      PID:3784
    • C:\Windows\System\OxWHUpC.exe
      C:\Windows\System\OxWHUpC.exe
      2⤵
      • Executes dropped EXE
      PID:3236
    • C:\Windows\System\ROeYSOG.exe
      C:\Windows\System\ROeYSOG.exe
      2⤵
      • Executes dropped EXE
      PID:3648
    • C:\Windows\System\urJcNrT.exe
      C:\Windows\System\urJcNrT.exe
      2⤵
      • Executes dropped EXE
      PID:4064
    • C:\Windows\System\fMedKPU.exe
      C:\Windows\System\fMedKPU.exe
      2⤵
      • Executes dropped EXE
      PID:4004
    • C:\Windows\System\HmKhZNa.exe
      C:\Windows\System\HmKhZNa.exe
      2⤵
      • Executes dropped EXE
      PID:1340
    • C:\Windows\System\oCjEIKQ.exe
      C:\Windows\System\oCjEIKQ.exe
      2⤵
      • Executes dropped EXE
      PID:3144
    • C:\Windows\System\wPlJqdW.exe
      C:\Windows\System\wPlJqdW.exe
      2⤵
      • Executes dropped EXE
      PID:2812
    • C:\Windows\System\xuSsqqM.exe
      C:\Windows\System\xuSsqqM.exe
      2⤵
      • Executes dropped EXE
      PID:1388
    • C:\Windows\System\fZRvYYZ.exe
      C:\Windows\System\fZRvYYZ.exe
      2⤵
      • Executes dropped EXE
      PID:2092
    • C:\Windows\System\wzbSNQU.exe
      C:\Windows\System\wzbSNQU.exe
      2⤵
      • Executes dropped EXE
      PID:2168
    • C:\Windows\System\oGtRknr.exe
      C:\Windows\System\oGtRknr.exe
      2⤵
      • Executes dropped EXE
      PID:3056
    • C:\Windows\System\NNybTjL.exe
      C:\Windows\System\NNybTjL.exe
      2⤵
      • Executes dropped EXE
      PID:2596
    • C:\Windows\System\APotKmh.exe
      C:\Windows\System\APotKmh.exe
      2⤵
      • Executes dropped EXE
      PID:3700
    • C:\Windows\System\UVWmlrf.exe
      C:\Windows\System\UVWmlrf.exe
      2⤵
      • Executes dropped EXE
      PID:4712
    • C:\Windows\System\ryaFRvh.exe
      C:\Windows\System\ryaFRvh.exe
      2⤵
      • Executes dropped EXE
      PID:2876
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3700 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:3396

Network

MITRE ATT&CK Matrix


Downloads

    • C:\Windows\System\FodKnOO.exe

      Filesize

      5.4MB

      MD5

      8003c8ca1c6255c4a9df50b61d369786

      SHA1

      ef521c59d5519424152618453d9a1ec413a267cf

      SHA256

      caa068826195e26df36f4f536e4c6574635de1b7a9a02c85ee8ca5d8d8224bf8

      SHA512

      0384a1e885e5629a148689a8b4027e18c5b2d083fe94b00bac0956a112bba29ab292c390c9a09436cf2e74109a83853e787b70a1e1be9d9ef015a376f3eba795

    • C:\Windows\System\FodKnOO.exe

      Filesize

      3.6MB

      MD5

      0628374c349921c969043e8b725a574d

      SHA1

      d4d4b61d7abb11c25e423140f9a833a035819e3d

      SHA256

      6f83751bb7dc13a49d7ca6c6a874635ca4829b15e2d7e8a8c8ddaf2890ac09c0

      SHA512

      2db578fa7a962b14aae5c857e6974664cd647108bf44f83523c1fc47be8f0f23756b21e5f42a2231cc51d1daf9889177945ad8eab23827274ef49200ad4dd7a1

    • C:\Windows\System\JIHZaQQ.exe

      Filesize

      1.6MB

      MD5

      2c29c56557704a5af675ac862b6acadc

      SHA1

      8095e9a472d534a6ef5dc3ab384273149ae12d48

      SHA256

      ad78076137bb51fd4326f7a646d70c5d984effb3c1176184b92e2481afe8ee9d

      SHA512

      f76c7cafe7089612bd2c5136e03dfbe423618b3b68e64692820e5dfa2eb3d816fbca1bfa4bd5be14823ba5172f77c777b526463c4d46646574bc76ae1535f049

    • C:\Windows\System\NEFBrTR.exe

      Filesize

      2.1MB

      MD5

      2543c4760bd9af7f70b7834411ab61af

      SHA1

      ed963cb76a076b222f6cdae99e8563d4444f6351

      SHA256

      c5992c95fef0e281d0ce0d741b02048e13663a833b3e0a3351e4871cc0042001

      SHA512

      37d8c491a184de94728c08add4a199f5cd8ae60d7cd02c39ad185a2859dd5e731e72c9b8cd0fd70525b0b413284ba12790037144a49d111203eb80cb9afcba56

    • C:\Windows\System\TqLzuBR.exe

      Filesize

      2.2MB

      MD5

      90be846177ebce09b1bfa8b40630684a

      SHA1

      43a2c66ff47d9e295f18f8c18fe76b69e8850154

      SHA256

      2237948f07e37d90442b50a92836356588f3ae1e31ae0d8dac227315cf2c7f65

      SHA512

      f4ff566c9eaa4a50bcad3cfa87bbb92d072dc2249f94ae304b8cb104e61cee98dba9f3ef0ceebfe48bef05c9c2df36d9188d043c7aa83ca58742993e634b68a6

    • C:\Windows\System\UVWmlrf.exe

      Filesize

      1.2MB

      MD5

      711965c0ed770375b388ea9b5ea57c70

      SHA1

      21f7ffc0c96b29ee6bc8176dc97f6fd049d110a2

      SHA256

      c07d701eb04ab4f8699484a3bd23da869373ffe5abb89855dad47bf019625666

      SHA512

      1805d8628649a043140bc3aafe1e7909e2e2c4d13967ba772fc49046b58f359c9204953c678c902e0a7afe7ca922f35fcfea6266309db91efb45c72ff619c428

    • C:\Windows\System\UVWmlrf.exe

      Filesize

      1.1MB

      MD5

      cefe7ebbcbdc6a5e5023e2ad8530b25b

      SHA1

      6e0d7ab1a6ddd7ee739d050791a70816c80e15a8

      SHA256

      6ab2207c199b9f50a07b7695194b47a621541e0d37d9b22f0438e67dcb93d475

      SHA512

      93f98af6631d01c751345fac9f47be26cfbc75dd9db0dd1fbd6fa2e5834aa5211f8d199ade4392a702dd45e08ec6d96b6b5fac0e6e70a1f9a03484c2b65fa844

    • C:\Windows\System\VjsRYph.exe

      Filesize

      2.1MB

      MD5

      fbb6a602f644dbf57142122f30692c9a

      SHA1

      8158aaa7168744874ea387599d6d2cead21e28a3

      SHA256

      3ededef3bd2586830b0a8597cb8ce36b4909b0421f6d3ed699083dfd6f8c0a7d

      SHA512

      594ad340712d040831c50ecaffbc2dabd957ed3d1d45fbdcb2c0a001df0ecad88502ea7ae79d922d80e7ca9a296427129145281a618e70a75857e869e5c45bfe

    • C:\Windows\System\VjsRYph.exe

      Filesize

      2.5MB

      MD5

      c83a72fd32d1ea03c4c25e0b40a06534

      SHA1

      de2f9cae4aaddd2cc18d23899ecdd1c809f91cc1

      SHA256

      c7c33166fb7303a687223dfb582067f939bce709fca5c41b819da2f4a6dcb359

      SHA512

      01b6c66abfddb5df6a71e9a20ac803480a15bd6d8e038d46a607a93dd9ea600234a78f6bd587ad7d5b0616a8419e74ad1e4f1e4566d73f0ec035b67591e1923c

    • C:\Windows\System\fMedKPU.exe

      Filesize

      5.5MB

      MD5

      992e15ebc2245cf970acce9948576d6c

      SHA1

      3322f50d4aebf915abc8a5277cd07a23adf5f127

      SHA256

      34aca34b8538d4e7f9b5ca1806b2281a0382769188fd9d2c13b1e312e96b00f5

      SHA512

      2299491ec9c9bd4a6ac0a40bf192f660f0f17c74b61aa4e0097b4c4f83a6d479f7a76f02af36d33e9826debb7591943213a22619c67db9751ef075d87dd44bf7

    • C:\Windows\System\fZRvYYZ.exe

      Filesize

      1.4MB

      MD5

      0003cb25d8e5fcf51d1ea8407b9410fc

      SHA1

      fc0940ac8a56e45a19f31c325aba00f814dae439

      SHA256

      f5fa7230c7358dee6dd18f92cbc76b430b9f4ae3743c5a87ae43ab57b0f17dc2

      SHA512

      3e0a7f0919968a398f15d36d7bf5f20d80e4d21e13f2a12bc61387d700f7223beda84fce19bb9725494efe691fdd480b4475f6cce34df5d279cf37a6a2663e87

    • C:\Windows\System\oCjEIKQ.exe

      Filesize

      1.8MB

      MD5

      4ebd1901e669a14d40cee031fd206e82

      SHA1

      48b4d9303ce77228a3ead5a9a71386291542a98f

      SHA256

      877be2224a2b649da5f78203ecb3453feb6fa6bbbc2d6c8d511c50eacb8915e1

      SHA512

      c4c64ecded98a2388cd280fbf03b1c4943ae108cca32936b19ec1dc9b1e2275f8c7fb5cb86b3ef39ae05d629ddb91ee9822452b1bc6582399603f35642ecf087

    • C:\Windows\System\pNDjMww.exe

      Filesize

      1.7MB

      MD5

      170dd624fc04fc3839f9c4b66a089ce7

      SHA1

      689050489367e9d7989856de58d7dae4b3e867bb

      SHA256

      2882c9c886d8464419d873a9064b43411cb65ebce3e3928914a03cf014d51b3b

      SHA512

      6c2577b1133dc0e707ddd0582933138a814bc91876e45b902c1ce646d61afa9efa2788e7db3f897838eebb25c1faa4d564ec0bef69844aab72cc22ec6531ab9a

    • C:\Windows\System\ryaFRvh.exe

      Filesize

      448KB

      MD5

      0642442db4acbbfb6037e06789624264

      SHA1

      923aee440a6887c7a7a8a78085aa492b2cdcee65

      SHA256

      5d6249e3d37c32c515e6f20e0771180c7b51c791102dfffe39e4510d623eda85

      SHA512

      7fc8231c299b64743a966130c519362217b11d421c0ccc65ca7c97570221449b6e5bd90caefa97b416470db36fac07c3f48ea41836b395ab190e6121598e88a1

    • C:\Windows\System\urJcNrT.exe

      Filesize

      5.3MB

      MD5

      e8c4508a392ccf08590d3627a36cc3c3

      SHA1

      3a57dd6c92ebc54582acaafd15cc9311eb0d15a2

      SHA256

      cea51cc96156d8e8255e2ccada29ae7300a3315f995e7ba6d44446f87dc9a09d

      SHA512

      f92387e78f5fe98543d9e60ae371868a188c86c9137b7d0a0d3bf28026dbd3fc59a4eb30687c1a9721f81959fcdee80d280162f492d355d2ec0e6a7c5d939410

    • C:\Windows\System\wzbSNQU.exe

      Filesize

      1.9MB

      MD5

      0b1dc771469fa6753e7aace834956918

      SHA1

      ab392eb1cb5fc16a55a2c41b7c5a6d56cfdeced7

      SHA256

      60a5948084400707991c40b4413636168d0f0501efbc67fab461d4937de55fb6

      SHA512

      6ff29d03eaaae06a15e3efe1ea402940d3f7a6e2ebae2266481a1a80576dd91702b1cbddedd5f74c67cdfdf217582f180323fa66c29c2525747039f60c34ba60

    • memory/380-0-0x00007FF7E7C60000-0x00007FF7E7FB4000-memory.dmp

      Filesize

      3.3MB

    • memory/380-1-0x000002D1C22D0000-0x000002D1C22E0000-memory.dmp

      Filesize

      64KB

    • memory/380-62-0x00007FF7E7C60000-0x00007FF7E7FB4000-memory.dmp

      Filesize

      3.3MB

    • memory/456-124-0x00007FF75B980000-0x00007FF75BCD4000-memory.dmp

      Filesize

      3.3MB

    • memory/456-140-0x00007FF75B980000-0x00007FF75BCD4000-memory.dmp

      Filesize

      3.3MB

    • memory/456-32-0x00007FF75B980000-0x00007FF75BCD4000-memory.dmp

      Filesize

      3.3MB

    • memory/1340-146-0x00007FF7F5A50000-0x00007FF7F5DA4000-memory.dmp

      Filesize

      3.3MB

    • memory/1340-70-0x00007FF7F5A50000-0x00007FF7F5DA4000-memory.dmp

      Filesize

      3.3MB

    • memory/1388-149-0x00007FF7ACE60000-0x00007FF7AD1B4000-memory.dmp

      Filesize

      3.3MB

    • memory/1388-103-0x00007FF7ACE60000-0x00007FF7AD1B4000-memory.dmp

      Filesize

      3.3MB

    • memory/1704-76-0x00007FF6575B0000-0x00007FF657904000-memory.dmp

      Filesize

      3.3MB

    • memory/1704-14-0x00007FF6575B0000-0x00007FF657904000-memory.dmp

      Filesize

      3.3MB

    • memory/1704-137-0x00007FF6575B0000-0x00007FF657904000-memory.dmp

      Filesize

      3.3MB

    • memory/2092-106-0x00007FF68D6E0000-0x00007FF68DA34000-memory.dmp

      Filesize

      3.3MB

    • memory/2092-150-0x00007FF68D6E0000-0x00007FF68DA34000-memory.dmp

      Filesize

      3.3MB

    • memory/2168-151-0x00007FF63C330000-0x00007FF63C684000-memory.dmp

      Filesize

      3.3MB

    • memory/2168-107-0x00007FF63C330000-0x00007FF63C684000-memory.dmp

      Filesize

      3.3MB

    • memory/2480-100-0x00007FF650680000-0x00007FF6509D4000-memory.dmp

      Filesize

      3.3MB

    • memory/2480-138-0x00007FF650680000-0x00007FF6509D4000-memory.dmp

      Filesize

      3.3MB

    • memory/2480-20-0x00007FF650680000-0x00007FF6509D4000-memory.dmp

      Filesize

      3.3MB

    • memory/2596-122-0x00007FF7083F0000-0x00007FF708744000-memory.dmp

      Filesize

      3.3MB

    • memory/2596-153-0x00007FF7083F0000-0x00007FF708744000-memory.dmp

      Filesize

      3.3MB

    • memory/2812-102-0x00007FF6F4860000-0x00007FF6F4BB4000-memory.dmp

      Filesize

      3.3MB

    • memory/2812-148-0x00007FF6F4860000-0x00007FF6F4BB4000-memory.dmp

      Filesize

      3.3MB

    • memory/2876-135-0x00007FF74E890000-0x00007FF74EBE4000-memory.dmp

      Filesize

      3.3MB

    • memory/2876-156-0x00007FF74E890000-0x00007FF74EBE4000-memory.dmp

      Filesize

      3.3MB

    • memory/3056-119-0x00007FF7A8510000-0x00007FF7A8864000-memory.dmp

      Filesize

      3.3MB

    • memory/3056-152-0x00007FF7A8510000-0x00007FF7A8864000-memory.dmp

      Filesize

      3.3MB

    • memory/3144-147-0x00007FF662DD0000-0x00007FF663124000-memory.dmp

      Filesize

      3.3MB

    • memory/3144-77-0x00007FF662DD0000-0x00007FF663124000-memory.dmp

      Filesize

      3.3MB

    • memory/3236-142-0x00007FF6C5980000-0x00007FF6C5CD4000-memory.dmp

      Filesize

      3.3MB

    • memory/3236-134-0x00007FF6C5980000-0x00007FF6C5CD4000-memory.dmp

      Filesize

      3.3MB

    • memory/3236-44-0x00007FF6C5980000-0x00007FF6C5CD4000-memory.dmp

      Filesize

      3.3MB

    • memory/3616-139-0x00007FF71ACC0000-0x00007FF71B014000-memory.dmp

      Filesize

      3.3MB

    • memory/3616-26-0x00007FF71ACC0000-0x00007FF71B014000-memory.dmp

      Filesize

      3.3MB

    • memory/3616-115-0x00007FF71ACC0000-0x00007FF71B014000-memory.dmp

      Filesize

      3.3MB

    • memory/3648-143-0x00007FF61CF00000-0x00007FF61D254000-memory.dmp

      Filesize

      3.3MB

    • memory/3648-50-0x00007FF61CF00000-0x00007FF61D254000-memory.dmp

      Filesize

      3.3MB

    • memory/3700-125-0x00007FF6E3DA0000-0x00007FF6E40F4000-memory.dmp

      Filesize

      3.3MB

    • memory/3700-154-0x00007FF6E3DA0000-0x00007FF6E40F4000-memory.dmp

      Filesize

      3.3MB

    • memory/3784-38-0x00007FF64E620000-0x00007FF64E974000-memory.dmp

      Filesize

      3.3MB

    • memory/3784-133-0x00007FF64E620000-0x00007FF64E974000-memory.dmp

      Filesize

      3.3MB

    • memory/3784-141-0x00007FF64E620000-0x00007FF64E974000-memory.dmp

      Filesize

      3.3MB

    • memory/4004-145-0x00007FF7BF890000-0x00007FF7BFBE4000-memory.dmp

      Filesize

      3.3MB

    • memory/4004-63-0x00007FF7BF890000-0x00007FF7BFBE4000-memory.dmp

      Filesize

      3.3MB

    • memory/4064-144-0x00007FF745350000-0x00007FF7456A4000-memory.dmp

      Filesize

      3.3MB

    • memory/4064-56-0x00007FF745350000-0x00007FF7456A4000-memory.dmp

      Filesize

      3.3MB

    • memory/4564-136-0x00007FF60C670000-0x00007FF60C9C4000-memory.dmp

      Filesize

      3.3MB

    • memory/4564-68-0x00007FF60C670000-0x00007FF60C9C4000-memory.dmp

      Filesize

      3.3MB

    • memory/4564-8-0x00007FF60C670000-0x00007FF60C9C4000-memory.dmp

      Filesize

      3.3MB

    • memory/4712-132-0x00007FF69DC40000-0x00007FF69DF94000-memory.dmp

      Filesize

      3.3MB

    • memory/4712-155-0x00007FF69DC40000-0x00007FF69DF94000-memory.dmp

      Filesize

      3.3MB