Analysis

  • max time kernel
    135s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    07-06-2024 01:52

General

  • Target

    2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe

  • Size

    5.9MB

  • MD5

    9d0ec5f9f2374d25262fad4d45613b8c

  • SHA1

    002914fc22c351ea72ae565c06da6d687004590a

  • SHA256

    8e5d6082b7103146bc343199029aed207ffd798d7dcc8992ee744d2679904dec

  • SHA512

    30ff5250c85de7b70824f5930b5799229e02ed541e267e70e4d17cf3718f658a2a57ffab43ca20fbc79ee1f91ec1017b5d2587647a6936d2e28ce7a5039c9d5d

  • SSDEEP

    98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUo:Q+856utgpPF8u/7o

Score
10/10

Malware Config

Signatures

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • UPX dump on OEP (original entry point) 18 IoCs
  • XMRig Miner payload 22 IoCs
  • Executes dropped EXE 21 IoCs
  • Loads dropped DLL 21 IoCs
  • UPX packed file 38 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 63 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2168
    • C:\Windows\System\HWdxlSA.exe
      C:\Windows\System\HWdxlSA.exe
      2⤵
      • Executes dropped EXE
      PID:2084
    • C:\Windows\System\JJtAWMB.exe
      C:\Windows\System\JJtAWMB.exe
      2⤵
      • Executes dropped EXE
      PID:1680
    • C:\Windows\System\oWryuDN.exe
      C:\Windows\System\oWryuDN.exe
      2⤵
      • Executes dropped EXE
      PID:2716
    • C:\Windows\System\ZchojoU.exe
      C:\Windows\System\ZchojoU.exe
      2⤵
      • Executes dropped EXE
      PID:2952
    • C:\Windows\System\ARLdpiW.exe
      C:\Windows\System\ARLdpiW.exe
      2⤵
      • Executes dropped EXE
      PID:2536
    • C:\Windows\System\DYcUzMp.exe
      C:\Windows\System\DYcUzMp.exe
      2⤵
      • Executes dropped EXE
      PID:2592
    • C:\Windows\System\QnNkuAb.exe
      C:\Windows\System\QnNkuAb.exe
      2⤵
      • Executes dropped EXE
      PID:2648
    • C:\Windows\System\KkguQsP.exe
      C:\Windows\System\KkguQsP.exe
      2⤵
      • Executes dropped EXE
      PID:2732
    • C:\Windows\System\USaqKKr.exe
      C:\Windows\System\USaqKKr.exe
      2⤵
      • Executes dropped EXE
      PID:2884
    • C:\Windows\System\NPRABMN.exe
      C:\Windows\System\NPRABMN.exe
      2⤵
      • Executes dropped EXE
      PID:2656
    • C:\Windows\System\vivtBiR.exe
      C:\Windows\System\vivtBiR.exe
      2⤵
      • Executes dropped EXE
      PID:2028
    • C:\Windows\System\HqLKwQo.exe
      C:\Windows\System\HqLKwQo.exe
      2⤵
      • Executes dropped EXE
      PID:2440
    • C:\Windows\System\corhpyj.exe
      C:\Windows\System\corhpyj.exe
      2⤵
      • Executes dropped EXE
      PID:2424
    • C:\Windows\System\VKYpRrg.exe
      C:\Windows\System\VKYpRrg.exe
      2⤵
      • Executes dropped EXE
      PID:2808
    • C:\Windows\System\FwJoEgE.exe
      C:\Windows\System\FwJoEgE.exe
      2⤵
      • Executes dropped EXE
      PID:2996
    • C:\Windows\System\LdTQyrQ.exe
      C:\Windows\System\LdTQyrQ.exe
      2⤵
      • Executes dropped EXE
      PID:680
    • C:\Windows\System\onfpLXs.exe
      C:\Windows\System\onfpLXs.exe
      2⤵
      • Executes dropped EXE
      PID:1820
    • C:\Windows\System\FwuIolP.exe
      C:\Windows\System\FwuIolP.exe
      2⤵
      • Executes dropped EXE
      PID:2000
    • C:\Windows\System\FqmDbgm.exe
      C:\Windows\System\FqmDbgm.exe
      2⤵
      • Executes dropped EXE
      PID:2312
    • C:\Windows\System\YYVqlGE.exe
      C:\Windows\System\YYVqlGE.exe
      2⤵
      • Executes dropped EXE
      PID:284
    • C:\Windows\System\QAFUoDX.exe
      C:\Windows\System\QAFUoDX.exe
      2⤵
      • Executes dropped EXE
      PID:1808

Network

MITRE ATT&CK Matrix

Downloads

  • C:\Windows\system\DYcUzMp.exe

    Filesize

    2.1MB

    MD5

    fbb6a602f644dbf57142122f30692c9a

    SHA1

    8158aaa7168744874ea387599d6d2cead21e28a3

    SHA256

    3ededef3bd2586830b0a8597cb8ce36b4909b0421f6d3ed699083dfd6f8c0a7d

    SHA512

    594ad340712d040831c50ecaffbc2dabd957ed3d1d45fbdcb2c0a001df0ecad88502ea7ae79d922d80e7ca9a296427129145281a618e70a75857e869e5c45bfe

  • C:\Windows\system\FqmDbgm.exe

    Filesize

    512KB

    MD5

    6b5887af4274a78686a788865765637c

    SHA1

    5afc15e6fcbc11377bbabbda47ff43f6ebedd369

    SHA256

    ecdfed9bc02368fefbebe0d02090e93826b7e5cc1043e339dd245299c8b23006

    SHA512

    4f563e539f8ec68bbc27d4cc59c42ea4897bb131085e08433f745cc558ab7a030701a601ddb711cda19dfa6cd9086b458fb74762092be15aaa4190c05134d077

  • C:\Windows\system\HWdxlSA.exe

    Filesize

    448KB

    MD5

    0642442db4acbbfb6037e06789624264

    SHA1

    923aee440a6887c7a7a8a78085aa492b2cdcee65

    SHA256

    5d6249e3d37c32c515e6f20e0771180c7b51c791102dfffe39e4510d623eda85

    SHA512

    7fc8231c299b64743a966130c519362217b11d421c0ccc65ca7c97570221449b6e5bd90caefa97b416470db36fac07c3f48ea41836b395ab190e6121598e88a1

  • C:\Windows\system\oWryuDN.exe

    Filesize

    2.8MB

    MD5

    7ca4c7d08ec840a69d3101c638d4b72f

    SHA1

    9a0bd3c709f755b63121fadc936f446aec1e7ee6

    SHA256

    ad375c6a067690acfdb9ba070a3a7e26450ca7423af526c703ce192d7173f7e7

    SHA512

    93ae69558c6397f1d10b68fc7e156b1c23dffe4348c43264d4d2484e88db3346ef1d13b6b607cc291558edc2cbc35a0667021d52c5cf7e17eeb41ed495e23c3b

  • \Windows\system\DYcUzMp.exe

    Filesize

    2.3MB

    MD5

    9d367348bc2b0a338371873ab92b5ce0

    SHA1

    7f656575ff1e475fc391f43341a8d5f4ac819b19

    SHA256

    54a48f3a9df4f2d2df5308f04d9bbc5bfb754b7f4236b7d31d49f71134f2b309

    SHA512

    8ea158cb453b86b762270e2cebce91cbe9a0e8b60ddc4e0fb3c531068e04df9f568fe69f34e169c5bdf6255c4c79c801e5f4b3c040f45ef12c24211a5d1dd454

  • \Windows\system\HWdxlSA.exe

    Filesize

    192KB

    MD5

    4a486a2a371d8db348dc0ad03e9fd9f0

    SHA1

    edd912c5d606628022dc3216eaf2db7c93554ff7

    SHA256

    93ebf2ea35e05e71e9c9884bcb76799c1b9f2b81bf8decfe1ec83807b911916b

    SHA512

    deb1d7cb48c961fa18e748db8dfc9769c6fcedd4b7a26b044181e535fbdb31d7ead7b8ae69fab463473bcf0bbda0affdeecb9deffc51a89c74001f68a98bf60b

  • \Windows\system\JJtAWMB.exe

    Filesize

    128KB

    MD5

    7ce4ba1725e83a50f64ba525f8815dcf

    SHA1

    b1714a2d23cfc42c18c37e1546ac0908d8252c04

    SHA256

    9f7e171000696500dfb6a966f2c3ddf12dc1a77b8276ef660f14f7b7188d2908

    SHA512

    2dff777f276295d96892e5749316e2e8892ba50f8398f9972ecc2f6e5378213e3cdd31c7c6ab8360d3490d1ec9e77be4e73ac137e108b2eddff2feaaf600be19

  • \Windows\system\corhpyj.exe

    Filesize

    768KB

    MD5

    096410221e55421e5c4c4275c7d21513

    SHA1

    a9a3350bb5b616aee4d0c922dc225694f8027702

    SHA256

    1162e04ab5acff6cf895e753ad87619013ecfffc06f47ed477cf1c201c040e66

    SHA512

    b442b0d589e49e95f8c072f6f97ae946c91e082ea0e6557eeef4f55282d6675cb325a5ba42eb1799fb9bff049919d0eef469abfd200cb35fe59f78974905588c

  • memory/1680-141-0x000000013FA00000-0x000000013FD54000-memory.dmp

    Filesize

    3.3MB

  • memory/1680-20-0x000000013FA00000-0x000000013FD54000-memory.dmp

    Filesize

    3.3MB

  • memory/2028-133-0x000000013F660000-0x000000013F9B4000-memory.dmp

    Filesize

    3.3MB

  • memory/2028-150-0x000000013F660000-0x000000013F9B4000-memory.dmp

    Filesize

    3.3MB

  • memory/2084-140-0x000000013FBF0000-0x000000013FF44000-memory.dmp

    Filesize

    3.3MB

  • memory/2084-14-0x000000013FBF0000-0x000000013FF44000-memory.dmp

    Filesize

    3.3MB

  • memory/2168-137-0x000000013F3A0000-0x000000013F6F4000-memory.dmp

    Filesize

    3.3MB

  • memory/2168-93-0x000000013FD20000-0x0000000140074000-memory.dmp

    Filesize

    3.3MB

  • memory/2168-1-0x00000000000F0000-0x0000000000100000-memory.dmp

    Filesize

    64KB

  • memory/2168-130-0x0000000002450000-0x00000000027A4000-memory.dmp

    Filesize

    3.3MB

  • memory/2168-129-0x0000000002450000-0x00000000027A4000-memory.dmp

    Filesize

    3.3MB

  • memory/2168-128-0x0000000002450000-0x00000000027A4000-memory.dmp

    Filesize

    3.3MB

  • memory/2168-86-0x000000013FEE0000-0x0000000140234000-memory.dmp

    Filesize

    3.3MB

  • memory/2168-139-0x000000013F0C0000-0x000000013F414000-memory.dmp

    Filesize

    3.3MB

  • memory/2168-0-0x000000013F790000-0x000000013FAE4000-memory.dmp

    Filesize

    3.3MB

  • memory/2168-123-0x000000013F0C0000-0x000000013F414000-memory.dmp

    Filesize

    3.3MB

  • memory/2168-122-0x0000000002450000-0x00000000027A4000-memory.dmp

    Filesize

    3.3MB

  • memory/2168-132-0x0000000002450000-0x00000000027A4000-memory.dmp

    Filesize

    3.3MB

  • memory/2168-138-0x000000013FD20000-0x0000000140074000-memory.dmp

    Filesize

    3.3MB

  • memory/2168-136-0x000000013FEE0000-0x0000000140234000-memory.dmp

    Filesize

    3.3MB

  • memory/2168-135-0x000000013F790000-0x000000013FAE4000-memory.dmp

    Filesize

    3.3MB

  • memory/2168-8-0x000000013FBF0000-0x000000013FF44000-memory.dmp

    Filesize

    3.3MB

  • memory/2168-126-0x000000013FDA0000-0x00000001400F4000-memory.dmp

    Filesize

    3.3MB

  • memory/2168-68-0x0000000002450000-0x00000000027A4000-memory.dmp

    Filesize

    3.3MB

  • memory/2168-57-0x000000013FE00000-0x0000000140154000-memory.dmp

    Filesize

    3.3MB

  • memory/2168-91-0x000000013F3A0000-0x000000013F6F4000-memory.dmp

    Filesize

    3.3MB

  • memory/2168-134-0x000000013FFA0000-0x00000001402F4000-memory.dmp

    Filesize

    3.3MB

  • memory/2424-125-0x000000013FFA0000-0x00000001402F4000-memory.dmp

    Filesize

    3.3MB

  • memory/2424-152-0x000000013FFA0000-0x00000001402F4000-memory.dmp

    Filesize

    3.3MB

  • memory/2440-124-0x000000013F0C0000-0x000000013F414000-memory.dmp

    Filesize

    3.3MB

  • memory/2440-151-0x000000013F0C0000-0x000000013F414000-memory.dmp

    Filesize

    3.3MB

  • memory/2536-69-0x000000013FDF0000-0x0000000140144000-memory.dmp

    Filesize

    3.3MB

  • memory/2536-145-0x000000013FDF0000-0x0000000140144000-memory.dmp

    Filesize

    3.3MB

  • memory/2592-144-0x000000013FA70000-0x000000013FDC4000-memory.dmp

    Filesize

    3.3MB

  • memory/2592-77-0x000000013FA70000-0x000000013FDC4000-memory.dmp

    Filesize

    3.3MB

  • memory/2648-148-0x000000013FEE0000-0x0000000140234000-memory.dmp

    Filesize

    3.3MB

  • memory/2648-114-0x000000013FEE0000-0x0000000140234000-memory.dmp

    Filesize

    3.3MB

  • memory/2656-147-0x000000013F800000-0x000000013FB54000-memory.dmp

    Filesize

    3.3MB

  • memory/2656-112-0x000000013F800000-0x000000013FB54000-memory.dmp

    Filesize

    3.3MB

  • memory/2716-142-0x000000013F7C0000-0x000000013FB14000-memory.dmp

    Filesize

    3.3MB

  • memory/2716-47-0x000000013F7C0000-0x000000013FB14000-memory.dmp

    Filesize

    3.3MB

  • memory/2732-99-0x000000013F3A0000-0x000000013F6F4000-memory.dmp

    Filesize

    3.3MB

  • memory/2732-146-0x000000013F3A0000-0x000000013F6F4000-memory.dmp

    Filesize

    3.3MB

  • memory/2808-127-0x000000013FDA0000-0x00000001400F4000-memory.dmp

    Filesize

    3.3MB

  • memory/2808-153-0x000000013FDA0000-0x00000001400F4000-memory.dmp

    Filesize

    3.3MB

  • memory/2884-149-0x000000013FD20000-0x0000000140074000-memory.dmp

    Filesize

    3.3MB

  • memory/2884-121-0x000000013FD20000-0x0000000140074000-memory.dmp

    Filesize

    3.3MB

  • memory/2952-143-0x000000013FE00000-0x0000000140154000-memory.dmp

    Filesize

    3.3MB

  • memory/2952-131-0x000000013FE00000-0x0000000140154000-memory.dmp

    Filesize

    3.3MB