Analysis

  • max time kernel
    153s
  • max time network
    167s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07-06-2024 01:32

General

  • Target

    2024-06-07_8e35823e8117c85255225df826c30dc5_cobalt-strike_cobaltstrike.exe

  • Size

    5.9MB

  • MD5

    8e35823e8117c85255225df826c30dc5

  • SHA1

    812b6655831abc94f18127481508fd3b82be5992

  • SHA256

    f46f94f88649139805ddbefd1fb1fe21f1a57d9c49e64d5f1a3d093262151d72

  • SHA512

    8873c088108e916dc6780786892a9b339815eec4f9f254da0853d74261a25d42aa2db4d6b37e8ebc6f0ed5a530a1fd0a9979c23d30ce647b5c5ef453984b9e98

  • SSDEEP

    98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lU+:Q+856utgpPF8u/7+

Score
10/10

Malware Config

Signatures

  • xmrig

    XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

  • UPX dump on OEP (original entry point) 28 IoCs
  • XMRig Miner payload 58 IoCs
  • Executes dropped EXE 21 IoCs
  • UPX packed file 64 IoCs

    Detects executables packed with the open-source UPX packer or a modified UPX variant.

  • Drops file in Windows directory 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-07_8e35823e8117c85255225df826c30dc5_cobalt-strike_cobaltstrike.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-07_8e35823e8117c85255225df826c30dc5_cobalt-strike_cobaltstrike.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:792
    • C:\Windows\System\xjypVYA.exe
      C:\Windows\System\xjypVYA.exe
      2⤵
      • Executes dropped EXE
      PID:3304
    • C:\Windows\System\hXQyAWz.exe
      C:\Windows\System\hXQyAWz.exe
      2⤵
      • Executes dropped EXE
      PID:5036
    • C:\Windows\System\MamSpXd.exe
      C:\Windows\System\MamSpXd.exe
      2⤵
      • Executes dropped EXE
      PID:4048
    • C:\Windows\System\DgPyPZb.exe
      C:\Windows\System\DgPyPZb.exe
      2⤵
      • Executes dropped EXE
      PID:2184
    • C:\Windows\System\BLkKKmW.exe
      C:\Windows\System\BLkKKmW.exe
      2⤵
      • Executes dropped EXE
      PID:4696
    • C:\Windows\System\AuKPpYK.exe
      C:\Windows\System\AuKPpYK.exe
      2⤵
      • Executes dropped EXE
      PID:3820
    • C:\Windows\System\sztkdEc.exe
      C:\Windows\System\sztkdEc.exe
      2⤵
      • Executes dropped EXE
      PID:2440
    • C:\Windows\System\AKCMuzg.exe
      C:\Windows\System\AKCMuzg.exe
      2⤵
      • Executes dropped EXE
      PID:1460
    • C:\Windows\System\XpRwATS.exe
      C:\Windows\System\XpRwATS.exe
      2⤵
      • Executes dropped EXE
      PID:3308
    • C:\Windows\System\uvURIqk.exe
      C:\Windows\System\uvURIqk.exe
      2⤵
      • Executes dropped EXE
      PID:1676
    • C:\Windows\System\PZNcYgl.exe
      C:\Windows\System\PZNcYgl.exe
      2⤵
      • Executes dropped EXE
      PID:432
    • C:\Windows\System\jXBDidm.exe
      C:\Windows\System\jXBDidm.exe
      2⤵
      • Executes dropped EXE
      PID:4104
    • C:\Windows\System\lYsjqPm.exe
      C:\Windows\System\lYsjqPm.exe
      2⤵
      • Executes dropped EXE
      PID:4044
    • C:\Windows\System\FyvILwF.exe
      C:\Windows\System\FyvILwF.exe
      2⤵
      • Executes dropped EXE
      PID:3936
    • C:\Windows\System\DzEVCqL.exe
      C:\Windows\System\DzEVCqL.exe
      2⤵
      • Executes dropped EXE
      PID:4652
    • C:\Windows\System\kPlYftQ.exe
      C:\Windows\System\kPlYftQ.exe
      2⤵
      • Executes dropped EXE
      PID:2956
    • C:\Windows\System\kFlAZWH.exe
      C:\Windows\System\kFlAZWH.exe
      2⤵
      • Executes dropped EXE
      PID:4572
    • C:\Windows\System\ePYZOUS.exe
      C:\Windows\System\ePYZOUS.exe
      2⤵
      • Executes dropped EXE
      PID:4384
    • C:\Windows\System\vGkCFFd.exe
      C:\Windows\System\vGkCFFd.exe
      2⤵
      • Executes dropped EXE
      PID:928
    • C:\Windows\System\wVjfYQj.exe
      C:\Windows\System\wVjfYQj.exe
      2⤵
      • Executes dropped EXE
      PID:3412
    • C:\Windows\System\jDliCsO.exe
      C:\Windows\System\jDliCsO.exe
      2⤵
      • Executes dropped EXE
      PID:4128
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3488 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:1508

Network

MITRE ATT&CK Matrix

Downloads
