Analysis
max time kernel: 132s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-06-2024 01:52
Behavioral task: behavioral1
Sample: 2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe
Resource: win7-20240221-en
General
Target: 2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe
Size: 5.9MB
MD5: 9d0ec5f9f2374d25262fad4d45613b8c
SHA1: 002914fc22c351ea72ae565c06da6d687004590a
SHA256: 8e5d6082b7103146bc343199029aed207ffd798d7dcc8992ee744d2679904dec
SHA512: 30ff5250c85de7b70824f5930b5799229e02ed541e267e70e4d17cf3718f658a2a57ffab43ca20fbc79ee1f91ec1017b5d2587647a6936d2e28ce7a5039c9d5d
SSDEEP: 98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUo:Q+856utgpPF8u/7o
Signatures
UPX dump on OEP (original entry point) 29 IoCs
XMRig Miner payload 35 IoCs
Executes dropped EXE 21 IoCs
pid  | process
5112 | UKsAFWU.exe
3384 | ieShFZp.exe
5068 | TRJGwow.exe
4952 | mUsllMp.exe
5064 | dpfeffn.exe
3056 | CMExTev.exe
960  | PsMOgFF.exe
3656 | kPpAqSD.exe
3280 | CIolLis.exe
1456 | slxIers.exe
3536 | HlSUxKL.exe
4272 | pijlJFE.exe
3888 | luDAmTl.exe
2992 | pwBVfjl.exe
2428 | onPIisn.exe
3700 | myzQTtL.exe
4076 | GPxMKKM.exe
2936 | rVUCoWs.exe
864  | BdWUwxG.exe
2624 | waCvjvL.exe
2640 | gIRcBwH.exe
Drops file in Windows directory 21 IoCs
description  | ioc                            | process
File created | C:\Windows\System\myzQTtL.exe | 2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\UKsAFWU.exe | 2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\mUsllMp.exe | 2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\dpfeffn.exe | 2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\CMExTev.exe | 2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\PsMOgFF.exe | 2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\luDAmTl.exe | 2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\onPIisn.exe | 2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\GPxMKKM.exe | 2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\rVUCoWs.exe | 2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\BdWUwxG.exe | 2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\kPpAqSD.exe | 2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\ieShFZp.exe | 2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\slxIers.exe | 2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\HlSUxKL.exe | 2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\pwBVfjl.exe | 2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\waCvjvL.exe | 2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\gIRcBwH.exe | 2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\TRJGwow.exe | 2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\CIolLis.exe | 2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe
File created | C:\Windows\System\pijlJFE.exe | 2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description                   | pid  | process
Token: SeLockMemoryPrivilege | 5084 | 2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege | 5084 | 2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe
Suspicious use of WriteProcessMemory 42 IoCs
description                      | pid  | process                                                                    | target process
PID 5084 wrote to memory of 5112 | 5084 | 2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe | UKsAFWU.exe
PID 5084 wrote to memory of 5112 | 5084 | 2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe | UKsAFWU.exe
PID 5084 wrote to memory of 3384 | 5084 | 2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe | ieShFZp.exe
PID 5084 wrote to memory of 3384 | 5084 | 2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe | ieShFZp.exe
PID 5084 wrote to memory of 5068 | 5084 | 2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe | TRJGwow.exe
PID 5084 wrote to memory of 5068 | 5084 | 2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe | TRJGwow.exe
PID 5084 wrote to memory of 4952 | 5084 | 2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe | mUsllMp.exe
PID 5084 wrote to memory of 4952 | 5084 | 2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe | mUsllMp.exe
PID 5084 wrote to memory of 5064 | 5084 | 2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe | dpfeffn.exe
PID 5084 wrote to memory of 5064 | 5084 | 2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe | dpfeffn.exe
PID 5084 wrote to memory of 3056 | 5084 | 2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe | CMExTev.exe
PID 5084 wrote to memory of 3056 | 5084 | 2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe | CMExTev.exe
PID 5084 wrote to memory of 960  | 5084 | 2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe | PsMOgFF.exe
PID 5084 wrote to memory of 960  | 5084 | 2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe | PsMOgFF.exe
PID 5084 wrote to memory of 3656 | 5084 | 2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe | kPpAqSD.exe
PID 5084 wrote to memory of 3656 | 5084 | 2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe | kPpAqSD.exe
PID 5084 wrote to memory of 3280 | 5084 | 2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe | CIolLis.exe
PID 5084 wrote to memory of 3280 | 5084 | 2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe | CIolLis.exe
PID 5084 wrote to memory of 1456 | 5084 | 2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe | slxIers.exe
PID 5084 wrote to memory of 1456 | 5084 | 2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe | slxIers.exe
PID 5084 wrote to memory of 3536 | 5084 | 2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe | HlSUxKL.exe
PID 5084 wrote to memory of 3536 | 5084 | 2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe | HlSUxKL.exe
PID 5084 wrote to memory of 4272 | 5084 | 2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe | pijlJFE.exe
PID 5084 wrote to memory of 4272 | 5084 | 2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe | pijlJFE.exe
PID 5084 wrote to memory of 3888 | 5084 | 2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe | luDAmTl.exe
PID 5084 wrote to memory of 3888 | 5084 | 2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe | luDAmTl.exe
PID 5084 wrote to memory of 2992 | 5084 | 2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe | pwBVfjl.exe
PID 5084 wrote to memory of 2992 | 5084 | 2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe | pwBVfjl.exe
PID 5084 wrote to memory of 2428 | 5084 | 2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe | onPIisn.exe
PID 5084 wrote to memory of 2428 | 5084 | 2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe | onPIisn.exe
PID 5084 wrote to memory of 3700 | 5084 | 2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe | myzQTtL.exe
PID 5084 wrote to memory of 3700 | 5084 | 2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe | myzQTtL.exe
PID 5084 wrote to memory of 4076 | 5084 | 2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe | GPxMKKM.exe
PID 5084 wrote to memory of 4076 | 5084 | 2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe | GPxMKKM.exe
PID 5084 wrote to memory of 2936 | 5084 | 2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe | rVUCoWs.exe
PID 5084 wrote to memory of 2936 | 5084 | 2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe | rVUCoWs.exe
PID 5084 wrote to memory of 864  | 5084 | 2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe | BdWUwxG.exe
PID 5084 wrote to memory of 864  | 5084 | 2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe | BdWUwxG.exe
PID 5084 wrote to memory of 2624 | 5084 | 2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe | waCvjvL.exe
PID 5084 wrote to memory of 2624 | 5084 | 2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe | waCvjvL.exe
PID 5084 wrote to memory of 2640 | 5084 | 2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe | gIRcBwH.exe
PID 5084 wrote to memory of 2640 | 5084 | 2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe | gIRcBwH.exe
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe"
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5084
  C:\Windows\System\UKsAFWU.exe
  Command line: C:\Windows\System\UKsAFWU.exe
  - Executes dropped EXE
  PID:5112
  C:\Windows\System\ieShFZp.exe
  Command line: C:\Windows\System\ieShFZp.exe
  - Executes dropped EXE
  PID:3384
  C:\Windows\System\TRJGwow.exe
  Command line: C:\Windows\System\TRJGwow.exe
  - Executes dropped EXE
  PID:5068
  C:\Windows\System\mUsllMp.exe
  Command line: C:\Windows\System\mUsllMp.exe
  - Executes dropped EXE
  PID:4952
  C:\Windows\System\dpfeffn.exe
  Command line: C:\Windows\System\dpfeffn.exe
  - Executes dropped EXE
  PID:5064
  C:\Windows\System\CMExTev.exe
  Command line: C:\Windows\System\CMExTev.exe
  - Executes dropped EXE
  PID:3056
  C:\Windows\System\PsMOgFF.exe
  Command line: C:\Windows\System\PsMOgFF.exe
  - Executes dropped EXE
  PID:960
  C:\Windows\System\kPpAqSD.exe
  Command line: C:\Windows\System\kPpAqSD.exe
  - Executes dropped EXE
  PID:3656
  C:\Windows\System\CIolLis.exe
  Command line: C:\Windows\System\CIolLis.exe
  - Executes dropped EXE
  PID:3280
  C:\Windows\System\slxIers.exe
  Command line: C:\Windows\System\slxIers.exe
  - Executes dropped EXE
  PID:1456
  C:\Windows\System\HlSUxKL.exe
  Command line: C:\Windows\System\HlSUxKL.exe
  - Executes dropped EXE
  PID:3536
  C:\Windows\System\pijlJFE.exe
  Command line: C:\Windows\System\pijlJFE.exe
  - Executes dropped EXE
  PID:4272
  C:\Windows\System\luDAmTl.exe
  Command line: C:\Windows\System\luDAmTl.exe
  - Executes dropped EXE
  PID:3888
  C:\Windows\System\pwBVfjl.exe
  Command line: C:\Windows\System\pwBVfjl.exe
  - Executes dropped EXE
  PID:2992
  C:\Windows\System\onPIisn.exe
  Command line: C:\Windows\System\onPIisn.exe
  - Executes dropped EXE
  PID:2428
  C:\Windows\System\myzQTtL.exe
  Command line: C:\Windows\System\myzQTtL.exe
  - Executes dropped EXE
  PID:3700
  C:\Windows\System\GPxMKKM.exe
  Command line: C:\Windows\System\GPxMKKM.exe
  - Executes dropped EXE
  PID:4076
  C:\Windows\System\rVUCoWs.exe
  Command line: C:\Windows\System\rVUCoWs.exe
  - Executes dropped EXE
  PID:2936
  C:\Windows\System\BdWUwxG.exe
  Command line: C:\Windows\System\BdWUwxG.exe
  - Executes dropped EXE
  PID:864
  C:\Windows\System\waCvjvL.exe
  Command line: C:\Windows\System\waCvjvL.exe
  - Executes dropped EXE
  PID:2624
  C:\Windows\System\gIRcBwH.exe
  Command line: C:\Windows\System\gIRcBwH.exe
  - Executes dropped EXE
  PID:2640
Downloads