Analysis
max time kernel: 135s
max time network: 150s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 07-06-2024 01:52

Behavioral task: behavioral1
Sample: 2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe
Resource: win7-20240221-en
General
Target: 2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe
Size: 5.9MB
MD5: 9d0ec5f9f2374d25262fad4d45613b8c
SHA1: 002914fc22c351ea72ae565c06da6d687004590a
SHA256: 8e5d6082b7103146bc343199029aed207ffd798d7dcc8992ee744d2679904dec
SHA512: 30ff5250c85de7b70824f5930b5799229e02ed541e267e70e4d17cf3718f658a2a57ffab43ca20fbc79ee1f91ec1017b5d2587647a6936d2e28ce7a5039c9d5d
SSDEEP: 98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUo:Q+856utgpPF8u/7o
Malware Config
Signatures
-
UPX dump on OEP (original entry point) 18 IoCs
Processes:
resource                                                                       yara_rule
C:\Windows\system\oWryuDN.exe                                                  UPX
C:\Windows\system\DYcUzMp.exe                                                  UPX
\Windows\system\DYcUzMp.exe                                                    UPX
behavioral1/memory/2168-135-0x000000013F790000-0x000000013FAE4000-memory.dmp   UPX
behavioral1/memory/2084-140-0x000000013FBF0000-0x000000013FF44000-memory.dmp   UPX
behavioral1/memory/1680-141-0x000000013FA00000-0x000000013FD54000-memory.dmp   UPX
behavioral1/memory/2716-142-0x000000013F7C0000-0x000000013FB14000-memory.dmp   UPX
behavioral1/memory/2536-145-0x000000013FDF0000-0x0000000140144000-memory.dmp   UPX
behavioral1/memory/2592-144-0x000000013FA70000-0x000000013FDC4000-memory.dmp   UPX
behavioral1/memory/2952-143-0x000000013FE00000-0x0000000140154000-memory.dmp   UPX
behavioral1/memory/2884-149-0x000000013FD20000-0x0000000140074000-memory.dmp   UPX
behavioral1/memory/2028-150-0x000000013F660000-0x000000013F9B4000-memory.dmp   UPX
behavioral1/memory/2440-151-0x000000013F0C0000-0x000000013F414000-memory.dmp   UPX
behavioral1/memory/2424-152-0x000000013FFA0000-0x00000001402F4000-memory.dmp   UPX
behavioral1/memory/2808-153-0x000000013FDA0000-0x00000001400F4000-memory.dmp   UPX
behavioral1/memory/2648-148-0x000000013FEE0000-0x0000000140234000-memory.dmp   UPX
behavioral1/memory/2656-147-0x000000013F800000-0x000000013FB54000-memory.dmp   UPX
behavioral1/memory/2732-146-0x000000013F3A0000-0x000000013F6F4000-memory.dmp   UPX
-
XMRig Miner payload 22 IoCs
Despite the "cobalt-strike" tag carried in the submitted filename, the only family-specific yara match in this run is xmrig; no Cobalt Strike signature fires. The dropped executables and the unpacked memory regions of the dropper and its children all match the miner rule.
Processes:
resource                                                                       yara_rule
C:\Windows\system\oWryuDN.exe                                                  xmrig
C:\Windows\system\DYcUzMp.exe                                                  xmrig
behavioral1/memory/2732-99-0x000000013F3A0000-0x000000013F6F4000-memory.dmp    xmrig
\Windows\system\corhpyj.exe                                                    xmrig
\Windows\system\DYcUzMp.exe                                                    xmrig
behavioral1/memory/1680-20-0x000000013FA00000-0x000000013FD54000-memory.dmp    xmrig
behavioral1/memory/2084-14-0x000000013FBF0000-0x000000013FF44000-memory.dmp    xmrig
behavioral1/memory/2168-135-0x000000013F790000-0x000000013FAE4000-memory.dmp   xmrig
behavioral1/memory/2084-140-0x000000013FBF0000-0x000000013FF44000-memory.dmp   xmrig
behavioral1/memory/1680-141-0x000000013FA00000-0x000000013FD54000-memory.dmp   xmrig
behavioral1/memory/2716-142-0x000000013F7C0000-0x000000013FB14000-memory.dmp   xmrig
behavioral1/memory/2536-145-0x000000013FDF0000-0x0000000140144000-memory.dmp   xmrig
behavioral1/memory/2592-144-0x000000013FA70000-0x000000013FDC4000-memory.dmp   xmrig
behavioral1/memory/2952-143-0x000000013FE00000-0x0000000140154000-memory.dmp   xmrig
behavioral1/memory/2884-149-0x000000013FD20000-0x0000000140074000-memory.dmp   xmrig
behavioral1/memory/2028-150-0x000000013F660000-0x000000013F9B4000-memory.dmp   xmrig
behavioral1/memory/2440-151-0x000000013F0C0000-0x000000013F414000-memory.dmp   xmrig
behavioral1/memory/2424-152-0x000000013FFA0000-0x00000001402F4000-memory.dmp   xmrig
behavioral1/memory/2808-153-0x000000013FDA0000-0x00000001400F4000-memory.dmp   xmrig
behavioral1/memory/2648-148-0x000000013FEE0000-0x0000000140234000-memory.dmp   xmrig
behavioral1/memory/2656-147-0x000000013F800000-0x000000013FB54000-memory.dmp   xmrig
behavioral1/memory/2732-146-0x000000013F3A0000-0x000000013F6F4000-memory.dmp   xmrig
-
Executes dropped EXE 21 IoCs
Processes:
pid   process
2084  HWdxlSA.exe
1680  JJtAWMB.exe
2716  oWryuDN.exe
2952  ZchojoU.exe
2536  ARLdpiW.exe
2592  DYcUzMp.exe
2732  KkguQsP.exe
2656  NPRABMN.exe
2648  QnNkuAb.exe
2884  USaqKKr.exe
2028  vivtBiR.exe
2440  HqLKwQo.exe
2424  corhpyj.exe
2808  VKYpRrg.exe
2996  FwJoEgE.exe
680   LdTQyrQ.exe
1820  onfpLXs.exe
2000  FwuIolP.exe
284   YYVqlGE.exe
2312  FqmDbgm.exe
1808  QAFUoDX.exe
-
Loads dropped DLL 21 IoCs
Processes:
pid   process
2168  2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe  (21 identical rows, one per DLL load event, all from the dropper)
-
UPX packed file (yara rule: upx) 38 IoCs
Processes:
resource                                                                       yara_rule
behavioral1/memory/2168-0-0x000000013F790000-0x000000013FAE4000-memory.dmp     upx
\Windows\system\HWdxlSA.exe                                                    upx
C:\Windows\system\HWdxlSA.exe                                                  upx
\Windows\system\JJtAWMB.exe                                                    upx
C:\Windows\system\oWryuDN.exe                                                  upx
C:\Windows\system\DYcUzMp.exe                                                  upx
behavioral1/memory/2536-69-0x000000013FDF0000-0x0000000140144000-memory.dmp    upx
behavioral1/memory/2884-121-0x000000013FD20000-0x0000000140074000-memory.dmp   upx
behavioral1/memory/2028-133-0x000000013F660000-0x000000013F9B4000-memory.dmp   upx
behavioral1/memory/2952-131-0x000000013FE00000-0x0000000140154000-memory.dmp   upx
behavioral1/memory/2808-127-0x000000013FDA0000-0x00000001400F4000-memory.dmp   upx
behavioral1/memory/2424-125-0x000000013FFA0000-0x00000001402F4000-memory.dmp   upx
behavioral1/memory/2440-124-0x000000013F0C0000-0x000000013F414000-memory.dmp   upx
C:\Windows\system\FqmDbgm.exe                                                  upx
behavioral1/memory/2648-114-0x000000013FEE0000-0x0000000140234000-memory.dmp   upx
behavioral1/memory/2656-112-0x000000013F800000-0x000000013FB54000-memory.dmp   upx
behavioral1/memory/2732-99-0x000000013F3A0000-0x000000013F6F4000-memory.dmp    upx
behavioral1/memory/2592-77-0x000000013FA70000-0x000000013FDC4000-memory.dmp    upx
\Windows\system\corhpyj.exe                                                    upx
behavioral1/memory/2716-47-0x000000013F7C0000-0x000000013FB14000-memory.dmp    upx
\Windows\system\DYcUzMp.exe                                                    upx
behavioral1/memory/1680-20-0x000000013FA00000-0x000000013FD54000-memory.dmp    upx
behavioral1/memory/2084-14-0x000000013FBF0000-0x000000013FF44000-memory.dmp    upx
behavioral1/memory/2168-135-0x000000013F790000-0x000000013FAE4000-memory.dmp   upx
behavioral1/memory/2084-140-0x000000013FBF0000-0x000000013FF44000-memory.dmp   upx
behavioral1/memory/1680-141-0x000000013FA00000-0x000000013FD54000-memory.dmp   upx
behavioral1/memory/2716-142-0x000000013F7C0000-0x000000013FB14000-memory.dmp   upx
behavioral1/memory/2536-145-0x000000013FDF0000-0x0000000140144000-memory.dmp   upx
behavioral1/memory/2592-144-0x000000013FA70000-0x000000013FDC4000-memory.dmp   upx
behavioral1/memory/2952-143-0x000000013FE00000-0x0000000140154000-memory.dmp   upx
behavioral1/memory/2884-149-0x000000013FD20000-0x0000000140074000-memory.dmp   upx
behavioral1/memory/2028-150-0x000000013F660000-0x000000013F9B4000-memory.dmp   upx
behavioral1/memory/2440-151-0x000000013F0C0000-0x000000013F414000-memory.dmp   upx
behavioral1/memory/2424-152-0x000000013FFA0000-0x00000001402F4000-memory.dmp   upx
behavioral1/memory/2808-153-0x000000013FDA0000-0x00000001400F4000-memory.dmp   upx
behavioral1/memory/2648-148-0x000000013FEE0000-0x0000000140234000-memory.dmp   upx
behavioral1/memory/2656-147-0x000000013F800000-0x000000013FB54000-memory.dmp   upx
behavioral1/memory/2732-146-0x000000013F3A0000-0x000000013F6F4000-memory.dmp   upx
-
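The memory-dump names above encode, per process, the start and end of the region the sandbox dumped once the UPX stub reached the original entry point. The following added example (not part of the sandbox report; the parsing and the comparison are this editor's) recovers base and size from the fifteen dump names in the "UPX dump on OEP" signature and checks whether every process maps an image of the same size, even though each file landed at its own randomised base.

```python
# Added example, not part of the sandbox report: recover each dumped region's
# base address and size from the dump file names in the "UPX dump on OEP"
# signature, and check whether the fifteen processes (the dropper and fourteen
# of its children) share one image size despite different mapping bases.
import re
from collections import defaultdict

# Dump names copied from the report (one per process).
DUMP_NAMES = """
behavioral1/memory/2168-135-0x000000013F790000-0x000000013FAE4000-memory.dmp
behavioral1/memory/2084-140-0x000000013FBF0000-0x000000013FF44000-memory.dmp
behavioral1/memory/1680-141-0x000000013FA00000-0x000000013FD54000-memory.dmp
behavioral1/memory/2716-142-0x000000013F7C0000-0x000000013FB14000-memory.dmp
behavioral1/memory/2536-145-0x000000013FDF0000-0x0000000140144000-memory.dmp
behavioral1/memory/2592-144-0x000000013FA70000-0x000000013FDC4000-memory.dmp
behavioral1/memory/2952-143-0x000000013FE00000-0x0000000140154000-memory.dmp
behavioral1/memory/2884-149-0x000000013FD20000-0x0000000140074000-memory.dmp
behavioral1/memory/2028-150-0x000000013F660000-0x000000013F9B4000-memory.dmp
behavioral1/memory/2440-151-0x000000013F0C0000-0x000000013F414000-memory.dmp
behavioral1/memory/2424-152-0x000000013FFA0000-0x00000001402F4000-memory.dmp
behavioral1/memory/2808-153-0x000000013FDA0000-0x00000001400F4000-memory.dmp
behavioral1/memory/2648-148-0x000000013FEE0000-0x0000000140234000-memory.dmp
behavioral1/memory/2656-147-0x000000013F800000-0x000000013FB54000-memory.dmp
behavioral1/memory/2732-146-0x000000013F3A0000-0x000000013F6F4000-memory.dmp
"""

# <pid>-<sequence>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"behavioral1/memory/(?P<pid>\d+)-(?P<seq>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp"
)


def parse_dumps(text):
    """Return one dict per dump name: pid, sequence number, base address, region size."""
    regions = []
    for m in DUMP_RE.finditer(text):
        start, end = int(m["start"], 16), int(m["end"], 16)
        regions.append({"pid": int(m["pid"]), "seq": int(m["seq"]),
                        "base": start, "size": end - start})
    return regions


def sizes_by_pid(regions):
    """{pid: set of region sizes}; a pid with a single size maps one consistent image."""
    out = defaultdict(set)
    for r in regions:
        out[r["pid"]].add(r["size"])
    return dict(out)


def common_image_size(regions):
    """The one size shared by every region, or None when the sizes differ."""
    sizes = {r["size"] for r in regions}
    return sizes.pop() if len(sizes) == 1 else None


def base_addresses(regions):
    """{pid: base address}; distinct bases mean the address itself is not a stable IoC."""
    return {r["pid"]: r["base"] for r in regions}


if __name__ == "__main__":
    regs = parse_dumps(DUMP_NAMES)
    size = common_image_size(regs)
    print(f"{len(regs)} regions, common size: {hex(size) if size else 'none'}")
    for pid, base in sorted(base_addresses(regs).items()):
        print(f"  pid {pid}: base {hex(base)}")
```

Run against the names above, every region comes out at 0x354000 bytes while all fifteen bases differ: the dropper and the fourteen dumped children unpack to the same-size image, so the region size (and the unpacked content) is what to pivot on, not the base address.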
Drops file in Windows directory 21 IoCs
Processes:
All 21 files were created by 2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe (description: File created):
C:\Windows\System\onfpLXs.exe
C:\Windows\System\YYVqlGE.exe
C:\Windows\System\LdTQyrQ.exe
C:\Windows\System\JJtAWMB.exe
C:\Windows\System\oWryuDN.exe
C:\Windows\System\ARLdpiW.exe
C:\Windows\System\USaqKKr.exe
C:\Windows\System\vivtBiR.exe
C:\Windows\System\corhpyj.exe
C:\Windows\System\VKYpRrg.exe
C:\Windows\System\HWdxlSA.exe
C:\Windows\System\QAFUoDX.exe
C:\Windows\System\DYcUzMp.exe
C:\Windows\System\QnNkuAb.exe
C:\Windows\System\KkguQsP.exe
C:\Windows\System\FwJoEgE.exe
C:\Windows\System\FwuIolP.exe
C:\Windows\System\ZchojoU.exe
C:\Windows\System\HqLKwQo.exe
C:\Windows\System\FqmDbgm.exe
C:\Windows\System\NPRABMN.exe
-
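The drop pattern above is distinctive: 21 executables with random seven-letter mixed-case names, all written to C:\Windows\System (the legacy directory, not System32) by one process. The following added example (this editor's code, not part of the sandbox report) turns that into a file-creation check and validates it against the 21 reported paths. The event format "<pid>|<creating image>|<created file>", the benign rows and the non-dropper pids are constructed for the example.

```python
# Added example, not part of the sandbox report: flag files created under
# C:\Windows\System (legacy directory, not System32) and executables there
# with the seven-letter random names this dropper uses, over constructed
# FileCreate-style events, then validate against the 21 reported paths.
import re
from collections import defaultdict

# Paths copied from the report's "Drops file in Windows directory" signature.
REPORTED_DROPS = [
    r"C:\Windows\System\onfpLXs.exe", r"C:\Windows\System\YYVqlGE.exe",
    r"C:\Windows\System\LdTQyrQ.exe", r"C:\Windows\System\JJtAWMB.exe",
    r"C:\Windows\System\oWryuDN.exe", r"C:\Windows\System\ARLdpiW.exe",
    r"C:\Windows\System\USaqKKr.exe", r"C:\Windows\System\vivtBiR.exe",
    r"C:\Windows\System\corhpyj.exe", r"C:\Windows\System\VKYpRrg.exe",
    r"C:\Windows\System\HWdxlSA.exe", r"C:\Windows\System\QAFUoDX.exe",
    r"C:\Windows\System\DYcUzMp.exe", r"C:\Windows\System\QnNkuAb.exe",
    r"C:\Windows\System\KkguQsP.exe", r"C:\Windows\System\FwJoEgE.exe",
    r"C:\Windows\System\FwuIolP.exe", r"C:\Windows\System\ZchojoU.exe",
    r"C:\Windows\System\HqLKwQo.exe", r"C:\Windows\System\FqmDbgm.exe",
    r"C:\Windows\System\NPRABMN.exe",
]

# Constructed events (NOT from the report) in the shape "<pid>|<image>|<created file>".
# Pid 2168 mirrors the dropper; the other pids and the benign rows are made up.
SAMPLE_EVENTS = [
    r"2168|C:\Users\Admin\AppData\Local\Temp\sample.exe|C:\Windows\System\HWdxlSA.exe",
    r"2168|C:\Users\Admin\AppData\Local\Temp\sample.exe|C:\Windows\System\QAFUoDX.exe",
    r"4001|C:\Windows\System32\svchost.exe|C:\Windows\System32\Tasks\Update",
    r"4002|C:\Windows\System32\msiexec.exe|C:\Windows\Installer\MSI7C2A.tmp",
    r"4003|C:\Windows\explorer.exe|C:\Users\Admin\Downloads\report.pdf",
    r"4004|C:\Windows\System32\svchost.exe|C:\Windows\System32\drivers\etc\hosts",
]

# "System\" with the trailing backslash does not match "System32\".
LEGACY_SYSTEM_DIR = re.compile(r"^C:\\Windows\\System\\[^\\]+$", re.IGNORECASE)
RANDOM_SEVEN_LETTER_EXE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$")


def classify_path(path):
    """Return the reasons a created path is suspicious (empty list if none)."""
    reasons = []
    if LEGACY_SYSTEM_DIR.match(path):
        reasons.append("file created in legacy C:\\Windows\\System directory")
    if RANDOM_SEVEN_LETTER_EXE.match(path):
        reasons.append("seven-letter random executable name")
    return reasons


def parse_event(line):
    pid, image, target = line.split("|", 2)
    return int(pid), image, target


def triage(events):
    """Group suspicious drops by the pid that created them: {pid: [(path, reasons)]}."""
    hits = defaultdict(list)
    for line in events:
        pid, _image, target = parse_event(line)
        reasons = classify_path(target)
        if reasons:
            hits[pid].append((target, reasons))
    return dict(hits)


if __name__ == "__main__":
    print("reported drops flagged:", sum(1 for p in REPORTED_DROPS if classify_path(p)))
    for pid, drops in triage(SAMPLE_EVENTS).items():
        print(pid, [path for path, _ in drops])
```

The legacy-directory rule is the durable one: almost nothing writes to C:\Windows\System on a modern Windows install, so any executable appearing there deserves a look even if a later variant changes its name length or character set.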
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description                     pid   process
Token: SeLockMemoryPrivilege    2168  2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege    2168  2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe
SeLockMemoryPrivilege is the privilege required to allocate large pages. XMRig enables it on Windows so that its RandomX memory can be backed by huge pages, which is why this token adjustment in a process that is neither a database engine nor a hypervisor is a strong supporting indicator next to the xmrig yara match above.
-
Suspicious use of WriteProcessMemory 63 IoCs
Processes:
Source in every row: PID 2168, 2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe.
writes  target pid  target process
3       2084        HWdxlSA.exe
3       1680        JJtAWMB.exe
3       2716        oWryuDN.exe
3       2952        ZchojoU.exe
3       2536        ARLdpiW.exe
3       2592        DYcUzMp.exe
3       2648        QnNkuAb.exe
3       2732        KkguQsP.exe
3       2884        USaqKKr.exe
3       2656        NPRABMN.exe
3       2028        vivtBiR.exe
3       2440        HqLKwQo.exe
3       2424        corhpyj.exe
3       2808        VKYpRrg.exe
3       2996        FwJoEgE.exe
3       680         LdTQyrQ.exe
3       1820        onfpLXs.exe
3       2000        FwuIolP.exe
3       2312        FqmDbgm.exe
3       284         YYVqlGE.exe
3       1808        QAFUoDX.exe
All 63 writes come from the dropper and land in the 21 children it had just launched, exactly three per child. That pattern is consistent with a parent writing into a process it has just created, which the sandbox records as WriteProcessMemory; on its own it is not evidence of injection into a pre-existing, unrelated process.
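To separate the two cases mechanically, the following added example (this editor's code, not part of the sandbox report) parses rows in the flattened "PID <src> wrote to memory of <dst> <src> <source image> <target image>" form the page uses, counts writes per source/target pair, and classifies each target by whether the same source launched it. It uses the report's first nine rows (the first three children) and adds one constructed row, a write into pid 1234 "explorer.exe" that does not occur in the report, to show how a write into a process the source did not launch is surfaced.

```python
# Added example, not part of the sandbox report: parse flattened
# "Suspicious use of WriteProcessMemory" rows, count writes per
# (source, target) pair, and separate targets the source launched (three
# writes per launched child in this report) from targets it did not launch.
import re
from collections import Counter

DROPPER = "2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe"

# Children from the report's "Executes dropped EXE" table (first three of 21).
LAUNCHED = {2084: "HWdxlSA.exe", 1680: "JJtAWMB.exe", 2716: "oWryuDN.exe"}

# First nine rows of the report, joined the way the page flattens them, plus
# one CONSTRUCTED row (target 1234, explorer.exe) that is not in the report.
ROWS = " ".join([
    f"PID 2168 wrote to memory of 2084 2168 {DROPPER} HWdxlSA.exe",
    f"PID 2168 wrote to memory of 2084 2168 {DROPPER} HWdxlSA.exe",
    f"PID 2168 wrote to memory of 2084 2168 {DROPPER} HWdxlSA.exe",
    f"PID 2168 wrote to memory of 1680 2168 {DROPPER} JJtAWMB.exe",
    f"PID 2168 wrote to memory of 1680 2168 {DROPPER} JJtAWMB.exe",
    f"PID 2168 wrote to memory of 1680 2168 {DROPPER} JJtAWMB.exe",
    f"PID 2168 wrote to memory of 2716 2168 {DROPPER} oWryuDN.exe",
    f"PID 2168 wrote to memory of 2716 2168 {DROPPER} oWryuDN.exe",
    f"PID 2168 wrote to memory of 2716 2168 {DROPPER} oWryuDN.exe",
    f"PID 2168 wrote to memory of 1234 2168 {DROPPER} explorer.exe",  # constructed
])

# PID <src> wrote to memory of <dst> <src> <source image> <target image>
ROW_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) \d+ "
    r"(?P<src_img>\S+) (?P<dst_img>\S+)"
)


def parse_rows(text):
    """Return (source pid, target pid, target image) for every row in the flattened text."""
    return [(int(m["src"]), int(m["dst"]), m["dst_img"]) for m in ROW_RE.finditer(text)]


def classify_writes(rows, launched):
    """Split write counts into targets the source launched and targets it did not.

    Returns (startup, cross): both map (src, dst, target image) -> write count.
    """
    counts = Counter(rows)
    startup, cross = {}, {}
    for (src, dst, img), n in counts.items():
        bucket = startup if dst in launched else cross
        bucket[(src, dst, img)] = n
    return startup, cross


if __name__ == "__main__":
    startup, cross = classify_writes(parse_rows(ROWS), LAUNCHED)
    for (src, dst, img), n in startup.items():
        print(f"launched child  {src} -> {dst} {img}: {n} writes")
    for (src, dst, img), n in cross.items():
        print(f"NOT launched    {src} -> {dst} {img}: {n} writes  <- investigate")
```

With the full 63 rows and all 21 children in `LAUNCHED`, the `cross` bucket stays empty for this report; anything that does land there is a write into a process the source never created and is the case worth investigating as injection.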
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe  (PID 2168, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe"
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Children (depth 2), each started with its own path as the command line and each tagged "Executes dropped EXE":
    C:\Windows\System\HWdxlSA.exe  PID:2084
    C:\Windows\System\JJtAWMB.exe  PID:1680
    C:\Windows\System\oWryuDN.exe  PID:2716
    C:\Windows\System\ZchojoU.exe  PID:2952
    C:\Windows\System\ARLdpiW.exe  PID:2536
    C:\Windows\System\DYcUzMp.exe  PID:2592
    C:\Windows\System\QnNkuAb.exe  PID:2648
    C:\Windows\System\KkguQsP.exe  PID:2732
    C:\Windows\System\USaqKKr.exe  PID:2884
    C:\Windows\System\NPRABMN.exe  PID:2656
    C:\Windows\System\vivtBiR.exe  PID:2028
    C:\Windows\System\HqLKwQo.exe  PID:2440
    C:\Windows\System\corhpyj.exe  PID:2424
    C:\Windows\System\VKYpRrg.exe  PID:2808
    C:\Windows\System\FwJoEgE.exe  PID:2996
    C:\Windows\System\LdTQyrQ.exe  PID:680
    C:\Windows\System\onfpLXs.exe  PID:1820
    C:\Windows\System\FwuIolP.exe  PID:2000
    C:\Windows\System\FqmDbgm.exe  PID:2312
    C:\Windows\System\YYVqlGE.exe  PID:284
    C:\Windows\System\QAFUoDX.exe  PID:1808
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 2.1MB
  MD5: fbb6a602f644dbf57142122f30692c9a
  SHA1: 8158aaa7168744874ea387599d6d2cead21e28a3
  SHA256: 3ededef3bd2586830b0a8597cb8ce36b4909b0421f6d3ed699083dfd6f8c0a7d
  SHA512: 594ad340712d040831c50ecaffbc2dabd957ed3d1d45fbdcb2c0a001df0ecad88502ea7ae79d922d80e7ca9a296427129145281a618e70a75857e869e5c45bfe
- Filesize: 512KB
  MD5: 6b5887af4274a78686a788865765637c
  SHA1: 5afc15e6fcbc11377bbabbda47ff43f6ebedd369
  SHA256: ecdfed9bc02368fefbebe0d02090e93826b7e5cc1043e339dd245299c8b23006
  SHA512: 4f563e539f8ec68bbc27d4cc59c42ea4897bb131085e08433f745cc558ab7a030701a601ddb711cda19dfa6cd9086b458fb74762092be15aaa4190c05134d077
- Filesize: 448KB
  MD5: 0642442db4acbbfb6037e06789624264
  SHA1: 923aee440a6887c7a7a8a78085aa492b2cdcee65
  SHA256: 5d6249e3d37c32c515e6f20e0771180c7b51c791102dfffe39e4510d623eda85
  SHA512: 7fc8231c299b64743a966130c519362217b11d421c0ccc65ca7c97570221449b6e5bd90caefa97b416470db36fac07c3f48ea41836b395ab190e6121598e88a1
- Filesize: 2.8MB
  MD5: 7ca4c7d08ec840a69d3101c638d4b72f
  SHA1: 9a0bd3c709f755b63121fadc936f446aec1e7ee6
  SHA256: ad375c6a067690acfdb9ba070a3a7e26450ca7423af526c703ce192d7173f7e7
  SHA512: 93ae69558c6397f1d10b68fc7e156b1c23dffe4348c43264d4d2484e88db3346ef1d13b6b607cc291558edc2cbc35a0667021d52c5cf7e17eeb41ed495e23c3b
- Filesize: 2.3MB
  MD5: 9d367348bc2b0a338371873ab92b5ce0
  SHA1: 7f656575ff1e475fc391f43341a8d5f4ac819b19
  SHA256: 54a48f3a9df4f2d2df5308f04d9bbc5bfb754b7f4236b7d31d49f71134f2b309
  SHA512: 8ea158cb453b86b762270e2cebce91cbe9a0e8b60ddc4e0fb3c531068e04df9f568fe69f34e169c5bdf6255c4c79c801e5f4b3c040f45ef12c24211a5d1dd454
- Filesize: 192KB
  MD5: 4a486a2a371d8db348dc0ad03e9fd9f0
  SHA1: edd912c5d606628022dc3216eaf2db7c93554ff7
  SHA256: 93ebf2ea35e05e71e9c9884bcb76799c1b9f2b81bf8decfe1ec83807b911916b
  SHA512: deb1d7cb48c961fa18e748db8dfc9769c6fcedd4b7a26b044181e535fbdb31d7ead7b8ae69fab463473bcf0bbda0affdeecb9deffc51a89c74001f68a98bf60b
- Filesize: 128KB
  MD5: 7ce4ba1725e83a50f64ba525f8815dcf
  SHA1: b1714a2d23cfc42c18c37e1546ac0908d8252c04
  SHA256: 9f7e171000696500dfb6a966f2c3ddf12dc1a77b8276ef660f14f7b7188d2908
  SHA512: 2dff777f276295d96892e5749316e2e8892ba50f8398f9972ecc2f6e5378213e3cdd31c7c6ab8360d3490d1ec9e77be4e73ac137e108b2eddff2feaaf600be19
- Filesize: 768KB
  MD5: 096410221e55421e5c4c4275c7d21513
  SHA1: a9a3350bb5b616aee4d0c922dc225694f8027702
  SHA256: 1162e04ab5acff6cf895e753ad87619013ecfffc06f47ed477cf1c201c040e66
  SHA512: b442b0d589e49e95f8c072f6f97ae946c91e082ea0e6557eeef4f55282d6675cb325a5ba42eb1799fb9bff049919d0eef469abfd200cb35fe59f78974905588c