Analysis

  • max time kernel
    132s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags
    arch:x64
    arch:x86
    image:win10v2004-20240426-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    07-06-2024 01:52

General

  • Target

    2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe

  • Size

    5.9MB

  • MD5

    9d0ec5f9f2374d25262fad4d45613b8c

  • SHA1

    002914fc22c351ea72ae565c06da6d687004590a

  • SHA256

    8e5d6082b7103146bc343199029aed207ffd798d7dcc8992ee744d2679904dec

  • SHA512

    30ff5250c85de7b70824f5930b5799229e02ed541e267e70e4d17cf3718f658a2a57ffab43ca20fbc79ee1f91ec1017b5d2587647a6936d2e28ce7a5039c9d5d

  • SSDEEP

    98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUo:Q+856utgpPF8u/7o

Score
10/10

Malware Config

Signatures

  • xmrig

    XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

  • UPX dump on OEP (original entry point) 29 IoCs
  • XMRig Miner payload 35 IoCs
  • Executes dropped EXE 21 IoCs
  • UPX packed file 61 IoCs

    Detects executables packed with the UPX open-source packer or a modified UPX variant.

  • Drops file in Windows directory 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5084
    • C:\Windows\System\UKsAFWU.exe
      C:\Windows\System\UKsAFWU.exe
      2⤵
      • Executes dropped EXE
      PID:5112
    • C:\Windows\System\ieShFZp.exe
      C:\Windows\System\ieShFZp.exe
      2⤵
      • Executes dropped EXE
      PID:3384
    • C:\Windows\System\TRJGwow.exe
      C:\Windows\System\TRJGwow.exe
      2⤵
      • Executes dropped EXE
      PID:5068
    • C:\Windows\System\mUsllMp.exe
      C:\Windows\System\mUsllMp.exe
      2⤵
      • Executes dropped EXE
      PID:4952
    • C:\Windows\System\dpfeffn.exe
      C:\Windows\System\dpfeffn.exe
      2⤵
      • Executes dropped EXE
      PID:5064
    • C:\Windows\System\CMExTev.exe
      C:\Windows\System\CMExTev.exe
      2⤵
      • Executes dropped EXE
      PID:3056
    • C:\Windows\System\PsMOgFF.exe
      C:\Windows\System\PsMOgFF.exe
      2⤵
      • Executes dropped EXE
      PID:960
    • C:\Windows\System\kPpAqSD.exe
      C:\Windows\System\kPpAqSD.exe
      2⤵
      • Executes dropped EXE
      PID:3656
    • C:\Windows\System\CIolLis.exe
      C:\Windows\System\CIolLis.exe
      2⤵
      • Executes dropped EXE
      PID:3280
    • C:\Windows\System\slxIers.exe
      C:\Windows\System\slxIers.exe
      2⤵
      • Executes dropped EXE
      PID:1456
    • C:\Windows\System\HlSUxKL.exe
      C:\Windows\System\HlSUxKL.exe
      2⤵
      • Executes dropped EXE
      PID:3536
    • C:\Windows\System\pijlJFE.exe
      C:\Windows\System\pijlJFE.exe
      2⤵
      • Executes dropped EXE
      PID:4272
    • C:\Windows\System\luDAmTl.exe
      C:\Windows\System\luDAmTl.exe
      2⤵
      • Executes dropped EXE
      PID:3888
    • C:\Windows\System\pwBVfjl.exe
      C:\Windows\System\pwBVfjl.exe
      2⤵
      • Executes dropped EXE
      PID:2992
    • C:\Windows\System\onPIisn.exe
      C:\Windows\System\onPIisn.exe
      2⤵
      • Executes dropped EXE
      PID:2428
    • C:\Windows\System\myzQTtL.exe
      C:\Windows\System\myzQTtL.exe
      2⤵
      • Executes dropped EXE
      PID:3700
    • C:\Windows\System\GPxMKKM.exe
      C:\Windows\System\GPxMKKM.exe
      2⤵
      • Executes dropped EXE
      PID:4076
    • C:\Windows\System\rVUCoWs.exe
      C:\Windows\System\rVUCoWs.exe
      2⤵
      • Executes dropped EXE
      PID:2936
    • C:\Windows\System\BdWUwxG.exe
      C:\Windows\System\BdWUwxG.exe
      2⤵
      • Executes dropped EXE
      PID:864
    • C:\Windows\System\waCvjvL.exe
      C:\Windows\System\waCvjvL.exe
      2⤵
      • Executes dropped EXE
      PID:2624
    • C:\Windows\System\gIRcBwH.exe
      C:\Windows\System\gIRcBwH.exe
      2⤵
      • Executes dropped EXE
      PID:2640

Network

MITRE ATT&CK Matrix

Downloads

  • C:\Windows\System\CIolLis.exe

    Filesize

    576KB

    MD5

    2b325ba998218e1724cf0adeb30ee980

    SHA1

    91c91f972b93ca21c02dbae5cc375d4e1212c0a0

    SHA256

    3b509ef9edb2905d68e114a86a101a00bf7ea4fa51d16ade0566e14bca5a50a9

    SHA512

    d7398cce9bbdb945487f66d7ab2c5fc7624933379c2058d1b197daa7f380b66de5a2145bdf0033355e795b1072c67b0031b7045307d04119888457779d707df5

  • C:\Windows\System\GPxMKKM.exe

    Filesize

    128KB

    MD5

    7ce4ba1725e83a50f64ba525f8815dcf

    SHA1

    b1714a2d23cfc42c18c37e1546ac0908d8252c04

    SHA256

    9f7e171000696500dfb6a966f2c3ddf12dc1a77b8276ef660f14f7b7188d2908

    SHA512

    2dff777f276295d96892e5749316e2e8892ba50f8398f9972ecc2f6e5378213e3cdd31c7c6ab8360d3490d1ec9e77be4e73ac137e108b2eddff2feaaf600be19

  • C:\Windows\System\HlSUxKL.exe

    Filesize

    3.6MB

    MD5

    0628374c349921c969043e8b725a574d

    SHA1

    d4d4b61d7abb11c25e423140f9a833a035819e3d

    SHA256

    6f83751bb7dc13a49d7ca6c6a874635ca4829b15e2d7e8a8c8ddaf2890ac09c0

    SHA512

    2db578fa7a962b14aae5c857e6974664cd647108bf44f83523c1fc47be8f0f23756b21e5f42a2231cc51d1daf9889177945ad8eab23827274ef49200ad4dd7a1

  • C:\Windows\System\PsMOgFF.exe

    Filesize

    1.2MB

    MD5

    711965c0ed770375b388ea9b5ea57c70

    SHA1

    21f7ffc0c96b29ee6bc8176dc97f6fd049d110a2

    SHA256

    c07d701eb04ab4f8699484a3bd23da869373ffe5abb89855dad47bf019625666

    SHA512

    1805d8628649a043140bc3aafe1e7909e2e2c4d13967ba772fc49046b58f359c9204953c678c902e0a7afe7ca922f35fcfea6266309db91efb45c72ff619c428

  • C:\Windows\System\TRJGwow.exe

    Filesize

    1.9MB

    MD5

    0b1dc771469fa6753e7aace834956918

    SHA1

    ab392eb1cb5fc16a55a2c41b7c5a6d56cfdeced7

    SHA256

    60a5948084400707991c40b4413636168d0f0501efbc67fab461d4937de55fb6

    SHA512

    6ff29d03eaaae06a15e3efe1ea402940d3f7a6e2ebae2266481a1a80576dd91702b1cbddedd5f74c67cdfdf217582f180323fa66c29c2525747039f60c34ba60

  • C:\Windows\System\gIRcBwH.exe

    Filesize

    2.1MB

    MD5

    fbb6a602f644dbf57142122f30692c9a

    SHA1

    8158aaa7168744874ea387599d6d2cead21e28a3

    SHA256

    3ededef3bd2586830b0a8597cb8ce36b4909b0421f6d3ed699083dfd6f8c0a7d

    SHA512

    594ad340712d040831c50ecaffbc2dabd957ed3d1d45fbdcb2c0a001df0ecad88502ea7ae79d922d80e7ca9a296427129145281a618e70a75857e869e5c45bfe

  • C:\Windows\System\pwBVfjl.exe

    Filesize

    512KB

    MD5

    6b5887af4274a78686a788865765637c

    SHA1

    5afc15e6fcbc11377bbabbda47ff43f6ebedd369

    SHA256

    ecdfed9bc02368fefbebe0d02090e93826b7e5cc1043e339dd245299c8b23006

    SHA512

    4f563e539f8ec68bbc27d4cc59c42ea4897bb131085e08433f745cc558ab7a030701a601ddb711cda19dfa6cd9086b458fb74762092be15aaa4190c05134d077

  • C:\Windows\System\slxIers.exe

    Filesize

    448KB

    MD5

    0642442db4acbbfb6037e06789624264

    SHA1

    923aee440a6887c7a7a8a78085aa492b2cdcee65

    SHA256

    5d6249e3d37c32c515e6f20e0771180c7b51c791102dfffe39e4510d623eda85

    SHA512

    7fc8231c299b64743a966130c519362217b11d421c0ccc65ca7c97570221449b6e5bd90caefa97b416470db36fac07c3f48ea41836b395ab190e6121598e88a1

  • C:\Windows\System\waCvjvL.exe

    Filesize

    3.1MB

    MD5

    3ee04f109da47a1ec064d84e674f1c93

    SHA1

    644e873cc5a86065097d9d560d0304443e10d64c

    SHA256

    47d2b26167d01487e92054b74706d3bb25cfa0aef4e9803e369f3581631dce9f

    SHA512

    9c1889d4f1db6f15c9ccdb0cc3595e9e8bef5c6661b045295c1ca732b72cf3d8471e82ed02a643342a0e821733243b7d4452a48031e235b596a8367158163fa4

  • memory/864-155-0x00007FF70FF80000-0x00007FF7102D4000-memory.dmp

    Filesize

    3.3MB

  • memory/864-120-0x00007FF70FF80000-0x00007FF7102D4000-memory.dmp

    Filesize

    3.3MB

  • memory/864-136-0x00007FF70FF80000-0x00007FF7102D4000-memory.dmp

    Filesize

    3.3MB

  • memory/960-44-0x00007FF7E6B30000-0x00007FF7E6E84000-memory.dmp

    Filesize

    3.3MB

  • memory/960-143-0x00007FF7E6B30000-0x00007FF7E6E84000-memory.dmp

    Filesize

    3.3MB

  • memory/1456-63-0x00007FF7C5440000-0x00007FF7C5794000-memory.dmp

    Filesize

    3.3MB

  • memory/1456-146-0x00007FF7C5440000-0x00007FF7C5794000-memory.dmp

    Filesize

    3.3MB

  • memory/2428-151-0x00007FF7C1890000-0x00007FF7C1BE4000-memory.dmp

    Filesize

    3.3MB

  • memory/2428-97-0x00007FF7C1890000-0x00007FF7C1BE4000-memory.dmp

    Filesize

    3.3MB

  • memory/2624-127-0x00007FF6B3F30000-0x00007FF6B4284000-memory.dmp

    Filesize

    3.3MB

  • memory/2624-156-0x00007FF6B3F30000-0x00007FF6B4284000-memory.dmp

    Filesize

    3.3MB

  • memory/2640-132-0x00007FF763F60000-0x00007FF7642B4000-memory.dmp

    Filesize

    3.3MB

  • memory/2640-157-0x00007FF763F60000-0x00007FF7642B4000-memory.dmp

    Filesize

    3.3MB

  • memory/2936-154-0x00007FF6E9A90000-0x00007FF6E9DE4000-memory.dmp

    Filesize

    3.3MB

  • memory/2936-116-0x00007FF6E9A90000-0x00007FF6E9DE4000-memory.dmp

    Filesize

    3.3MB

  • memory/2992-150-0x00007FF6DF390000-0x00007FF6DF6E4000-memory.dmp

    Filesize

    3.3MB

  • memory/2992-91-0x00007FF6DF390000-0x00007FF6DF6E4000-memory.dmp

    Filesize

    3.3MB

  • memory/2992-134-0x00007FF6DF390000-0x00007FF6DF6E4000-memory.dmp

    Filesize

    3.3MB

  • memory/3056-142-0x00007FF6AFE70000-0x00007FF6B01C4000-memory.dmp

    Filesize

    3.3MB

  • memory/3056-38-0x00007FF6AFE70000-0x00007FF6B01C4000-memory.dmp

    Filesize

    3.3MB

  • memory/3056-102-0x00007FF6AFE70000-0x00007FF6B01C4000-memory.dmp

    Filesize

    3.3MB

  • memory/3280-56-0x00007FF612DC0000-0x00007FF613114000-memory.dmp

    Filesize

    3.3MB

  • memory/3280-145-0x00007FF612DC0000-0x00007FF613114000-memory.dmp

    Filesize

    3.3MB

  • memory/3384-138-0x00007FF72D580000-0x00007FF72D8D4000-memory.dmp

    Filesize

    3.3MB

  • memory/3384-14-0x00007FF72D580000-0x00007FF72D8D4000-memory.dmp

    Filesize

    3.3MB

  • memory/3536-70-0x00007FF7F71B0000-0x00007FF7F7504000-memory.dmp

    Filesize

    3.3MB

  • memory/3536-147-0x00007FF7F71B0000-0x00007FF7F7504000-memory.dmp

    Filesize

    3.3MB

  • memory/3656-50-0x00007FF7DDAA0000-0x00007FF7DDDF4000-memory.dmp

    Filesize

    3.3MB

  • memory/3656-144-0x00007FF7DDAA0000-0x00007FF7DDDF4000-memory.dmp

    Filesize

    3.3MB

  • memory/3700-103-0x00007FF7EEB00000-0x00007FF7EEE54000-memory.dmp

    Filesize

    3.3MB

  • memory/3700-152-0x00007FF7EEB00000-0x00007FF7EEE54000-memory.dmp

    Filesize

    3.3MB

  • memory/3888-149-0x00007FF77D320000-0x00007FF77D674000-memory.dmp

    Filesize

    3.3MB

  • memory/3888-133-0x00007FF77D320000-0x00007FF77D674000-memory.dmp

    Filesize

    3.3MB

  • memory/3888-84-0x00007FF77D320000-0x00007FF77D674000-memory.dmp

    Filesize

    3.3MB

  • memory/4076-135-0x00007FF77D5C0000-0x00007FF77D914000-memory.dmp

    Filesize

    3.3MB

  • memory/4076-153-0x00007FF77D5C0000-0x00007FF77D914000-memory.dmp

    Filesize

    3.3MB

  • memory/4076-108-0x00007FF77D5C0000-0x00007FF77D914000-memory.dmp

    Filesize

    3.3MB

  • memory/4272-148-0x00007FF61BEF0000-0x00007FF61C244000-memory.dmp

    Filesize

    3.3MB

  • memory/4272-76-0x00007FF61BEF0000-0x00007FF61C244000-memory.dmp

    Filesize

    3.3MB

  • memory/4952-26-0x00007FF6D0840000-0x00007FF6D0B94000-memory.dmp

    Filesize

    3.3MB

  • memory/4952-140-0x00007FF6D0840000-0x00007FF6D0B94000-memory.dmp

    Filesize

    3.3MB

  • memory/4952-88-0x00007FF6D0840000-0x00007FF6D0B94000-memory.dmp

    Filesize

    3.3MB

  • memory/5064-141-0x00007FF7E0D20000-0x00007FF7E1074000-memory.dmp

    Filesize

    3.3MB

  • memory/5064-32-0x00007FF7E0D20000-0x00007FF7E1074000-memory.dmp

    Filesize

    3.3MB

  • memory/5068-139-0x00007FF7AC660000-0x00007FF7AC9B4000-memory.dmp

    Filesize

    3.3MB

  • memory/5068-81-0x00007FF7AC660000-0x00007FF7AC9B4000-memory.dmp

    Filesize

    3.3MB

  • memory/5068-20-0x00007FF7AC660000-0x00007FF7AC9B4000-memory.dmp

    Filesize

    3.3MB

  • memory/5084-62-0x00007FF6CE790000-0x00007FF6CEAE4000-memory.dmp

    Filesize

    3.3MB

  • memory/5084-0-0x00007FF6CE790000-0x00007FF6CEAE4000-memory.dmp

    Filesize

    3.3MB

  • memory/5084-1-0x000001F85B4F0000-0x000001F85B500000-memory.dmp

    Filesize

    64KB

  • memory/5112-69-0x00007FF78D860000-0x00007FF78DBB4000-memory.dmp

    Filesize

    3.3MB

  • memory/5112-137-0x00007FF78D860000-0x00007FF78DBB4000-memory.dmp

    Filesize

    3.3MB

  • memory/5112-8-0x00007FF78D860000-0x00007FF78DBB4000-memory.dmp

    Filesize

    3.3MB