Analysis Overview
SHA256
8e5d6082b7103146bc343199029aed207ffd798d7dcc8992ee744d2679904dec
Threat Level: Known bad
The file 2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
XMRig Miner payload
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
xmrig
Xmrig family
Cobalt Strike reflective loader
Cobaltstrike family
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-07 01:53
Signatures
Cobalt Strike reflective loader
1 hit (no description, indicator, process or target captured)
Cobaltstrike family
Detects Reflective DLL injection artifacts
1 hit (no description, indicator, process or target captured)
UPX dump on OEP (original entry point)
1 hit (no description, indicator, process or target captured)
XMRig Miner payload
1 hit (no description, indicator, process or target captured)
Xmrig family
UPX packed file
1 hit (no description, indicator, process or target captured)
Unsigned PE
1 hit (no description, indicator, process or target captured)
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-07 01:52
Reported
2024-06-07 01:57
Platform
win7-20240221-en
Max time kernel
135s
Max time network
150s
Command Line
Signatures
xmrig
UPX dump on OEP (original entry point)
18 hits (no description, indicator, process or target captured)
XMRig Miner payload
22 hits (no description, indicator, process or target captured)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\HWdxlSA.exe | N/A |
| N/A | N/A | C:\Windows\System\JJtAWMB.exe | N/A |
| N/A | N/A | C:\Windows\System\oWryuDN.exe | N/A |
| N/A | N/A | C:\Windows\System\ZchojoU.exe | N/A |
| N/A | N/A | C:\Windows\System\ARLdpiW.exe | N/A |
| N/A | N/A | C:\Windows\System\DYcUzMp.exe | N/A |
| N/A | N/A | C:\Windows\System\KkguQsP.exe | N/A |
| N/A | N/A | C:\Windows\System\NPRABMN.exe | N/A |
| N/A | N/A | C:\Windows\System\QnNkuAb.exe | N/A |
| N/A | N/A | C:\Windows\System\USaqKKr.exe | N/A |
| N/A | N/A | C:\Windows\System\vivtBiR.exe | N/A |
| N/A | N/A | C:\Windows\System\HqLKwQo.exe | N/A |
| N/A | N/A | C:\Windows\System\corhpyj.exe | N/A |
| N/A | N/A | C:\Windows\System\VKYpRrg.exe | N/A |
| N/A | N/A | C:\Windows\System\FwJoEgE.exe | N/A |
| N/A | N/A | C:\Windows\System\LdTQyrQ.exe | N/A |
| N/A | N/A | C:\Windows\System\onfpLXs.exe | N/A |
| N/A | N/A | C:\Windows\System\FwuIolP.exe | N/A |
| N/A | N/A | C:\Windows\System\YYVqlGE.exe | N/A |
| N/A | N/A | C:\Windows\System\FqmDbgm.exe | N/A |
| N/A | N/A | C:\Windows\System\QAFUoDX.exe | N/A |
Loads dropped DLL
UPX packed file
38 hits (no description, indicator, process or target captured)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\HWdxlSA.exe
C:\Windows\System\HWdxlSA.exe
C:\Windows\System\JJtAWMB.exe
C:\Windows\System\JJtAWMB.exe
C:\Windows\System\oWryuDN.exe
C:\Windows\System\oWryuDN.exe
C:\Windows\System\ZchojoU.exe
C:\Windows\System\ZchojoU.exe
C:\Windows\System\ARLdpiW.exe
C:\Windows\System\ARLdpiW.exe
C:\Windows\System\DYcUzMp.exe
C:\Windows\System\DYcUzMp.exe
C:\Windows\System\QnNkuAb.exe
C:\Windows\System\QnNkuAb.exe
C:\Windows\System\KkguQsP.exe
C:\Windows\System\KkguQsP.exe
C:\Windows\System\USaqKKr.exe
C:\Windows\System\USaqKKr.exe
C:\Windows\System\NPRABMN.exe
C:\Windows\System\NPRABMN.exe
C:\Windows\System\vivtBiR.exe
C:\Windows\System\vivtBiR.exe
C:\Windows\System\HqLKwQo.exe
C:\Windows\System\HqLKwQo.exe
C:\Windows\System\corhpyj.exe
C:\Windows\System\corhpyj.exe
C:\Windows\System\VKYpRrg.exe
C:\Windows\System\VKYpRrg.exe
C:\Windows\System\FwJoEgE.exe
C:\Windows\System\FwJoEgE.exe
C:\Windows\System\LdTQyrQ.exe
C:\Windows\System\LdTQyrQ.exe
C:\Windows\System\onfpLXs.exe
C:\Windows\System\onfpLXs.exe
C:\Windows\System\FwuIolP.exe
C:\Windows\System\FwuIolP.exe
C:\Windows\System\FqmDbgm.exe
C:\Windows\System\FqmDbgm.exe
C:\Windows\System\YYVqlGE.exe
C:\Windows\System\YYVqlGE.exe
C:\Windows\System\QAFUoDX.exe
C:\Windows\System\QAFUoDX.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2168-0-0x000000013F790000-0x000000013FAE4000-memory.dmp
memory/2168-1-0x00000000000F0000-0x0000000000100000-memory.dmp
\Windows\system\HWdxlSA.exe
| MD5 | 4a486a2a371d8db348dc0ad03e9fd9f0 |
| SHA1 | edd912c5d606628022dc3216eaf2db7c93554ff7 |
| SHA256 | 93ebf2ea35e05e71e9c9884bcb76799c1b9f2b81bf8decfe1ec83807b911916b |
| SHA512 | deb1d7cb48c961fa18e748db8dfc9769c6fcedd4b7a26b044181e535fbdb31d7ead7b8ae69fab463473bcf0bbda0affdeecb9deffc51a89c74001f68a98bf60b |
C:\Windows\system\HWdxlSA.exe
| MD5 | 0642442db4acbbfb6037e06789624264 |
| SHA1 | 923aee440a6887c7a7a8a78085aa492b2cdcee65 |
| SHA256 | 5d6249e3d37c32c515e6f20e0771180c7b51c791102dfffe39e4510d623eda85 |
| SHA512 | 7fc8231c299b64743a966130c519362217b11d421c0ccc65ca7c97570221449b6e5bd90caefa97b416470db36fac07c3f48ea41836b395ab190e6121598e88a1 |
\Windows\system\JJtAWMB.exe
| MD5 | 7ce4ba1725e83a50f64ba525f8815dcf |
| SHA1 | b1714a2d23cfc42c18c37e1546ac0908d8252c04 |
| SHA256 | 9f7e171000696500dfb6a966f2c3ddf12dc1a77b8276ef660f14f7b7188d2908 |
| SHA512 | 2dff777f276295d96892e5749316e2e8892ba50f8398f9972ecc2f6e5378213e3cdd31c7c6ab8360d3490d1ec9e77be4e73ac137e108b2eddff2feaaf600be19 |
C:\Windows\system\oWryuDN.exe
| MD5 | 7ca4c7d08ec840a69d3101c638d4b72f |
| SHA1 | 9a0bd3c709f755b63121fadc936f446aec1e7ee6 |
| SHA256 | ad375c6a067690acfdb9ba070a3a7e26450ca7423af526c703ce192d7173f7e7 |
| SHA512 | 93ae69558c6397f1d10b68fc7e156b1c23dffe4348c43264d4d2484e88db3346ef1d13b6b607cc291558edc2cbc35a0667021d52c5cf7e17eeb41ed495e23c3b |
C:\Windows\system\DYcUzMp.exe
| MD5 | fbb6a602f644dbf57142122f30692c9a |
| SHA1 | 8158aaa7168744874ea387599d6d2cead21e28a3 |
| SHA256 | 3ededef3bd2586830b0a8597cb8ce36b4909b0421f6d3ed699083dfd6f8c0a7d |
| SHA512 | 594ad340712d040831c50ecaffbc2dabd957ed3d1d45fbdcb2c0a001df0ecad88502ea7ae79d922d80e7ca9a296427129145281a618e70a75857e869e5c45bfe |
memory/2536-69-0x000000013FDF0000-0x0000000140144000-memory.dmp
memory/2168-86-0x000000013FEE0000-0x0000000140234000-memory.dmp
memory/2168-91-0x000000013F3A0000-0x000000013F6F4000-memory.dmp
memory/2168-93-0x000000013FD20000-0x0000000140074000-memory.dmp
memory/2884-121-0x000000013FD20000-0x0000000140074000-memory.dmp
memory/2168-126-0x000000013FDA0000-0x00000001400F4000-memory.dmp
memory/2168-132-0x0000000002450000-0x00000000027A4000-memory.dmp
memory/2168-134-0x000000013FFA0000-0x00000001402F4000-memory.dmp
memory/2028-133-0x000000013F660000-0x000000013F9B4000-memory.dmp
memory/2952-131-0x000000013FE00000-0x0000000140154000-memory.dmp
memory/2168-130-0x0000000002450000-0x00000000027A4000-memory.dmp
memory/2168-129-0x0000000002450000-0x00000000027A4000-memory.dmp
memory/2168-128-0x0000000002450000-0x00000000027A4000-memory.dmp
memory/2808-127-0x000000013FDA0000-0x00000001400F4000-memory.dmp
memory/2424-125-0x000000013FFA0000-0x00000001402F4000-memory.dmp
memory/2440-124-0x000000013F0C0000-0x000000013F414000-memory.dmp
memory/2168-123-0x000000013F0C0000-0x000000013F414000-memory.dmp
memory/2168-122-0x0000000002450000-0x00000000027A4000-memory.dmp
C:\Windows\system\FqmDbgm.exe
| MD5 | 6b5887af4274a78686a788865765637c |
| SHA1 | 5afc15e6fcbc11377bbabbda47ff43f6ebedd369 |
| SHA256 | ecdfed9bc02368fefbebe0d02090e93826b7e5cc1043e339dd245299c8b23006 |
| SHA512 | 4f563e539f8ec68bbc27d4cc59c42ea4897bb131085e08433f745cc558ab7a030701a601ddb711cda19dfa6cd9086b458fb74762092be15aaa4190c05134d077 |
memory/2648-114-0x000000013FEE0000-0x0000000140234000-memory.dmp
memory/2656-112-0x000000013F800000-0x000000013FB54000-memory.dmp
memory/2732-99-0x000000013F3A0000-0x000000013F6F4000-memory.dmp
memory/2592-77-0x000000013FA70000-0x000000013FDC4000-memory.dmp
\Windows\system\corhpyj.exe
| MD5 | 096410221e55421e5c4c4275c7d21513 |
| SHA1 | a9a3350bb5b616aee4d0c922dc225694f8027702 |
| SHA256 | 1162e04ab5acff6cf895e753ad87619013ecfffc06f47ed477cf1c201c040e66 |
| SHA512 | b442b0d589e49e95f8c072f6f97ae946c91e082ea0e6557eeef4f55282d6675cb325a5ba42eb1799fb9bff049919d0eef469abfd200cb35fe59f78974905588c |
memory/2168-68-0x0000000002450000-0x00000000027A4000-memory.dmp
memory/2168-57-0x000000013FE00000-0x0000000140154000-memory.dmp
memory/2716-47-0x000000013F7C0000-0x000000013FB14000-memory.dmp
\Windows\system\DYcUzMp.exe
| MD5 | 9d367348bc2b0a338371873ab92b5ce0 |
| SHA1 | 7f656575ff1e475fc391f43341a8d5f4ac819b19 |
| SHA256 | 54a48f3a9df4f2d2df5308f04d9bbc5bfb754b7f4236b7d31d49f71134f2b309 |
| SHA512 | 8ea158cb453b86b762270e2cebce91cbe9a0e8b60ddc4e0fb3c531068e04df9f568fe69f34e169c5bdf6255c4c79c801e5f4b3c040f45ef12c24211a5d1dd454 |
memory/1680-20-0x000000013FA00000-0x000000013FD54000-memory.dmp
memory/2084-14-0x000000013FBF0000-0x000000013FF44000-memory.dmp
memory/2168-8-0x000000013FBF0000-0x000000013FF44000-memory.dmp
memory/2168-135-0x000000013F790000-0x000000013FAE4000-memory.dmp
memory/2168-136-0x000000013FEE0000-0x0000000140234000-memory.dmp
memory/2168-138-0x000000013FD20000-0x0000000140074000-memory.dmp
memory/2168-137-0x000000013F3A0000-0x000000013F6F4000-memory.dmp
memory/2168-139-0x000000013F0C0000-0x000000013F414000-memory.dmp
memory/2084-140-0x000000013FBF0000-0x000000013FF44000-memory.dmp
memory/1680-141-0x000000013FA00000-0x000000013FD54000-memory.dmp
memory/2716-142-0x000000013F7C0000-0x000000013FB14000-memory.dmp
memory/2536-145-0x000000013FDF0000-0x0000000140144000-memory.dmp
memory/2592-144-0x000000013FA70000-0x000000013FDC4000-memory.dmp
memory/2952-143-0x000000013FE00000-0x0000000140154000-memory.dmp
memory/2884-149-0x000000013FD20000-0x0000000140074000-memory.dmp
memory/2028-150-0x000000013F660000-0x000000013F9B4000-memory.dmp
memory/2440-151-0x000000013F0C0000-0x000000013F414000-memory.dmp
memory/2424-152-0x000000013FFA0000-0x00000001402F4000-memory.dmp
memory/2808-153-0x000000013FDA0000-0x00000001400F4000-memory.dmp
memory/2648-148-0x000000013FEE0000-0x0000000140234000-memory.dmp
memory/2656-147-0x000000013F800000-0x000000013FB54000-memory.dmp
memory/2732-146-0x000000013F3A0000-0x000000013F6F4000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-07 01:52
Reported
2024-06-07 01:56
Platform
win10v2004-20240426-en
Max time kernel
132s
Max time network
150s
Command Line
Signatures
xmrig
UPX dump on OEP (original entry point)
29 hits (no description, indicator, process or target captured)
XMRig Miner payload
35 hits (no description, indicator, process or target captured)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\UKsAFWU.exe | N/A |
| N/A | N/A | C:\Windows\System\ieShFZp.exe | N/A |
| N/A | N/A | C:\Windows\System\TRJGwow.exe | N/A |
| N/A | N/A | C:\Windows\System\mUsllMp.exe | N/A |
| N/A | N/A | C:\Windows\System\dpfeffn.exe | N/A |
| N/A | N/A | C:\Windows\System\CMExTev.exe | N/A |
| N/A | N/A | C:\Windows\System\PsMOgFF.exe | N/A |
| N/A | N/A | C:\Windows\System\kPpAqSD.exe | N/A |
| N/A | N/A | C:\Windows\System\CIolLis.exe | N/A |
| N/A | N/A | C:\Windows\System\slxIers.exe | N/A |
| N/A | N/A | C:\Windows\System\HlSUxKL.exe | N/A |
| N/A | N/A | C:\Windows\System\pijlJFE.exe | N/A |
| N/A | N/A | C:\Windows\System\luDAmTl.exe | N/A |
| N/A | N/A | C:\Windows\System\pwBVfjl.exe | N/A |
| N/A | N/A | C:\Windows\System\onPIisn.exe | N/A |
| N/A | N/A | C:\Windows\System\myzQTtL.exe | N/A |
| N/A | N/A | C:\Windows\System\GPxMKKM.exe | N/A |
| N/A | N/A | C:\Windows\System\rVUCoWs.exe | N/A |
| N/A | N/A | C:\Windows\System\BdWUwxG.exe | N/A |
| N/A | N/A | C:\Windows\System\waCvjvL.exe | N/A |
| N/A | N/A | C:\Windows\System\gIRcBwH.exe | N/A |
UPX packed file
61 hits (no description, indicator, process or target captured)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\UKsAFWU.exe
C:\Windows\System\UKsAFWU.exe
C:\Windows\System\ieShFZp.exe
C:\Windows\System\ieShFZp.exe
C:\Windows\System\TRJGwow.exe
C:\Windows\System\TRJGwow.exe
C:\Windows\System\mUsllMp.exe
C:\Windows\System\mUsllMp.exe
C:\Windows\System\dpfeffn.exe
C:\Windows\System\dpfeffn.exe
C:\Windows\System\CMExTev.exe
C:\Windows\System\CMExTev.exe
C:\Windows\System\PsMOgFF.exe
C:\Windows\System\PsMOgFF.exe
C:\Windows\System\kPpAqSD.exe
C:\Windows\System\kPpAqSD.exe
C:\Windows\System\CIolLis.exe
C:\Windows\System\CIolLis.exe
C:\Windows\System\slxIers.exe
C:\Windows\System\slxIers.exe
C:\Windows\System\HlSUxKL.exe
C:\Windows\System\HlSUxKL.exe
C:\Windows\System\pijlJFE.exe
C:\Windows\System\pijlJFE.exe
C:\Windows\System\luDAmTl.exe
C:\Windows\System\luDAmTl.exe
C:\Windows\System\pwBVfjl.exe
C:\Windows\System\pwBVfjl.exe
C:\Windows\System\onPIisn.exe
C:\Windows\System\onPIisn.exe
C:\Windows\System\myzQTtL.exe
C:\Windows\System\myzQTtL.exe
C:\Windows\System\GPxMKKM.exe
C:\Windows\System\GPxMKKM.exe
C:\Windows\System\rVUCoWs.exe
C:\Windows\System\rVUCoWs.exe
C:\Windows\System\BdWUwxG.exe
C:\Windows\System\BdWUwxG.exe
C:\Windows\System\waCvjvL.exe
C:\Windows\System\waCvjvL.exe
C:\Windows\System\gIRcBwH.exe
C:\Windows\System\gIRcBwH.exe
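The process tree and the token rows above are the two behaviours worth turning into detections: one parent in the user's Temp directory spawning a burst of 7-letter executables from the legacy C:\Windows\System directory (not System32), and that same parent enabling SeLockMemoryPrivilege, the right XMRig requests in order to use large pages. Note that both behavioral runs raised only the XMRig-family and packing signatures; the Cobalt Strike signatures fired in static1 alone. The script below is an added example, not part of the report or any vendor's ruleset. It runs over constructed, simplified process-creation (event 4688) and token-right-adjustment (event 4703) records shaped after this report's process tree; the allowlist, the severity rule and the burst threshold are assumptions to tune per environment, and 4703 only exists on Windows 10 and later, so the Windows 7 detonation would need EDR telemetry instead.

```python
r"""Flag the behaviours recorded in the detonations above:
  1. an executable run from C:\Windows\System under a random 7-letter name,
  2. a parent spawning several such executables (dropper burst),
  3. a process enabling SeLockMemoryPrivilege outside a short allowlist.
Added example, not from the report. EVENTS is constructed, simplified
telemetry (not real Windows event log output)."""
import re
from collections import defaultdict

SAMPLE_PATH = (r"C:\Users\Admin\AppData\Local\Temp"
               r"\2024-06-07_9d0ec5f9f2374d25262fad4d45613b8c_cobalt-strike_cobaltstrike.exe")

# Legacy C:\Windows\System (not System32) plus a 7-letter name: the naming
# pattern of every dropped executable in both detonations.
RANDOM_NAME_RE = re.compile(r"^[a-z]:\\windows\\system\\[a-z]{7}\.exe$", re.IGNORECASE)
# User-writable location; enabling lock-pages from here is the high-severity case.
USER_WRITABLE_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.IGNORECASE)
# Software with a legitimate need for 'Lock pages in memory' (assumed allowlist;
# in production match on the signed full path, a basename is easy to spoof).
LOCK_PAGES_ALLOWLIST = {"sqlservr.exe"}

# Constructed telemetry mirroring the report's process tree (4688 = process
# creation, 4703 = token right adjusted). Two benign records are included so
# the rules have something to ignore.
EVENTS = [
    {"id": 4703, "process": SAMPLE_PATH, "enabled": ["SeLockMemoryPrivilege"]},
    {"id": 4688, "process": r"C:\Windows\System\HWdxlSA.exe", "parent": SAMPLE_PATH},
    {"id": 4688, "process": r"C:\Windows\System\JJtAWMB.exe", "parent": SAMPLE_PATH},
    {"id": 4688, "process": r"C:\Windows\System\oWryuDN.exe", "parent": SAMPLE_PATH},
    {"id": 4688, "process": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe"},
    {"id": 4703, "process": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "enabled": ["SeLockMemoryPrivilege"]},
    {"id": 4703, "process": r"C:\Windows\System32\svchost.exe", "enabled": ["SeShutdownPrivilege"]},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(events, burst_threshold=3):
    """Return a list of alert dicts; burst_threshold is an assumed tuning knob."""
    alerts = []
    children = defaultdict(list)  # parent path -> dropped executables it started
    for e in events:
        if e["id"] == 4688:
            if RANDOM_NAME_RE.match(e["process"]):
                alerts.append({"rule": "exe_with_random_name_in_windows_system",
                               "process": e["process"], "severity": "medium"})
                children[e.get("parent", "")].append(e["process"])
        elif e["id"] == 4703 and "SeLockMemoryPrivilege" in e.get("enabled", []):
            if basename(e["process"]) not in LOCK_PAGES_ALLOWLIST:
                severity = "high" if USER_WRITABLE_RE.match(e["process"]) else "medium"
                alerts.append({"rule": "lock_pages_privilege_enabled",
                               "process": e["process"], "severity": severity})
    # A parent that starts several random-named binaries is the dropper itself.
    for parent, spawned in children.items():
        if len(spawned) >= burst_threshold:
            alerts.append({"rule": "dropper_spawn_burst", "process": parent,
                           "count": len(spawned), "severity": "high"})
    return alerts


if __name__ == "__main__":
    for alert in evaluate(EVENTS):
        print(alert)
```

The burst rule is the one that survives contact with real data: a single random-named binary in C:\Windows\System is rare but possible, while one parent starting twenty-one of them, as both runs show, is not. The lock-pages rule is a corroborating signal and should stay an enrichment rather than a standalone alert on hosts that run databases or hypervisors with that right granted.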
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/5084-0-0x00007FF6CE790000-0x00007FF6CEAE4000-memory.dmp
memory/5084-1-0x000001F85B4F0000-0x000001F85B500000-memory.dmp
memory/5112-8-0x00007FF78D860000-0x00007FF78DBB4000-memory.dmp
memory/3384-14-0x00007FF72D580000-0x00007FF72D8D4000-memory.dmp
memory/5068-20-0x00007FF7AC660000-0x00007FF7AC9B4000-memory.dmp
memory/4952-26-0x00007FF6D0840000-0x00007FF6D0B94000-memory.dmp
C:\Windows\System\CIolLis.exe
| MD5 | 2b325ba998218e1724cf0adeb30ee980 |
| SHA1 | 91c91f972b93ca21c02dbae5cc375d4e1212c0a0 |
| SHA256 | 3b509ef9edb2905d68e114a86a101a00bf7ea4fa51d16ade0566e14bca5a50a9 |
| SHA512 | d7398cce9bbdb945487f66d7ab2c5fc7624933379c2058d1b197daa7f380b66de5a2145bdf0033355e795b1072c67b0031b7045307d04119888457779d707df5 |
C:\Windows\System\slxIers.exe
| MD5 | 0642442db4acbbfb6037e06789624264 |
| SHA1 | 923aee440a6887c7a7a8a78085aa492b2cdcee65 |
| SHA256 | 5d6249e3d37c32c515e6f20e0771180c7b51c791102dfffe39e4510d623eda85 |
| SHA512 | 7fc8231c299b64743a966130c519362217b11d421c0ccc65ca7c97570221449b6e5bd90caefa97b416470db36fac07c3f48ea41836b395ab190e6121598e88a1 |
memory/4272-76-0x00007FF61BEF0000-0x00007FF61C244000-memory.dmp
memory/5068-81-0x00007FF7AC660000-0x00007FF7AC9B4000-memory.dmp
memory/4952-88-0x00007FF6D0840000-0x00007FF6D0B94000-memory.dmp
memory/3056-102-0x00007FF6AFE70000-0x00007FF6B01C4000-memory.dmp
C:\Windows\System\GPxMKKM.exe
| MD5 | 7ce4ba1725e83a50f64ba525f8815dcf |
| SHA1 | b1714a2d23cfc42c18c37e1546ac0908d8252c04 |
| SHA256 | 9f7e171000696500dfb6a966f2c3ddf12dc1a77b8276ef660f14f7b7188d2908 |
| SHA512 | 2dff777f276295d96892e5749316e2e8892ba50f8398f9972ecc2f6e5378213e3cdd31c7c6ab8360d3490d1ec9e77be4e73ac137e108b2eddff2feaaf600be19 |
C:\Windows\System\waCvjvL.exe
| MD5 | 3ee04f109da47a1ec064d84e674f1c93 |
| SHA1 | 644e873cc5a86065097d9d560d0304443e10d64c |
| SHA256 | 47d2b26167d01487e92054b74706d3bb25cfa0aef4e9803e369f3581631dce9f |
| SHA512 | 9c1889d4f1db6f15c9ccdb0cc3595e9e8bef5c6661b045295c1ca732b72cf3d8471e82ed02a643342a0e821733243b7d4452a48031e235b596a8367158163fa4 |
memory/2624-127-0x00007FF6B3F30000-0x00007FF6B4284000-memory.dmp
C:\Windows\System\gIRcBwH.exe
| MD5 | fbb6a602f644dbf57142122f30692c9a |
| SHA1 | 8158aaa7168744874ea387599d6d2cead21e28a3 |
| SHA256 | 3ededef3bd2586830b0a8597cb8ce36b4909b0421f6d3ed699083dfd6f8c0a7d |
| SHA512 | 594ad340712d040831c50ecaffbc2dabd957ed3d1d45fbdcb2c0a001df0ecad88502ea7ae79d922d80e7ca9a296427129145281a618e70a75857e869e5c45bfe |
memory/2640-132-0x00007FF763F60000-0x00007FF7642B4000-memory.dmp
memory/864-120-0x00007FF70FF80000-0x00007FF7102D4000-memory.dmp
memory/2936-116-0x00007FF6E9A90000-0x00007FF6E9DE4000-memory.dmp
memory/4076-108-0x00007FF77D5C0000-0x00007FF77D914000-memory.dmp
memory/3700-103-0x00007FF7EEB00000-0x00007FF7EEE54000-memory.dmp
memory/2428-97-0x00007FF7C1890000-0x00007FF7C1BE4000-memory.dmp
memory/2992-91-0x00007FF6DF390000-0x00007FF6DF6E4000-memory.dmp
C:\Windows\System\pwBVfjl.exe
| MD5 | 6b5887af4274a78686a788865765637c |
| SHA1 | 5afc15e6fcbc11377bbabbda47ff43f6ebedd369 |
| SHA256 | ecdfed9bc02368fefbebe0d02090e93826b7e5cc1043e339dd245299c8b23006 |
| SHA512 | 4f563e539f8ec68bbc27d4cc59c42ea4897bb131085e08433f745cc558ab7a030701a601ddb711cda19dfa6cd9086b458fb74762092be15aaa4190c05134d077 |
memory/3888-84-0x00007FF77D320000-0x00007FF77D674000-memory.dmp
memory/3536-70-0x00007FF7F71B0000-0x00007FF7F7504000-memory.dmp
memory/5112-69-0x00007FF78D860000-0x00007FF78DBB4000-memory.dmp
C:\Windows\System\HlSUxKL.exe
| MD5 | 0628374c349921c969043e8b725a574d |
| SHA1 | d4d4b61d7abb11c25e423140f9a833a035819e3d |
| SHA256 | 6f83751bb7dc13a49d7ca6c6a874635ca4829b15e2d7e8a8c8ddaf2890ac09c0 |
| SHA512 | 2db578fa7a962b14aae5c857e6974664cd647108bf44f83523c1fc47be8f0f23756b21e5f42a2231cc51d1daf9889177945ad8eab23827274ef49200ad4dd7a1 |
memory/1456-63-0x00007FF7C5440000-0x00007FF7C5794000-memory.dmp
memory/5084-62-0x00007FF6CE790000-0x00007FF6CEAE4000-memory.dmp
memory/3280-56-0x00007FF612DC0000-0x00007FF613114000-memory.dmp
memory/3656-50-0x00007FF7DDAA0000-0x00007FF7DDDF4000-memory.dmp
memory/960-44-0x00007FF7E6B30000-0x00007FF7E6E84000-memory.dmp
C:\Windows\System\PsMOgFF.exe
| MD5 | 711965c0ed770375b388ea9b5ea57c70 |
| SHA1 | 21f7ffc0c96b29ee6bc8176dc97f6fd049d110a2 |
| SHA256 | c07d701eb04ab4f8699484a3bd23da869373ffe5abb89855dad47bf019625666 |
| SHA512 | 1805d8628649a043140bc3aafe1e7909e2e2c4d13967ba772fc49046b58f359c9204953c678c902e0a7afe7ca922f35fcfea6266309db91efb45c72ff619c428 |
memory/3056-38-0x00007FF6AFE70000-0x00007FF6B01C4000-memory.dmp
memory/5064-32-0x00007FF7E0D20000-0x00007FF7E1074000-memory.dmp
C:\Windows\System\TRJGwow.exe
| MD5 | 0b1dc771469fa6753e7aace834956918 |
| SHA1 | ab392eb1cb5fc16a55a2c41b7c5a6d56cfdeced7 |
| SHA256 | 60a5948084400707991c40b4413636168d0f0501efbc67fab461d4937de55fb6 |
| SHA512 | 6ff29d03eaaae06a15e3efe1ea402940d3f7a6e2ebae2266481a1a80576dd91702b1cbddedd5f74c67cdfdf217582f180323fa66c29c2525747039f60c34ba60 |
memory/3888-133-0x00007FF77D320000-0x00007FF77D674000-memory.dmp
memory/2992-134-0x00007FF6DF390000-0x00007FF6DF6E4000-memory.dmp
memory/4076-135-0x00007FF77D5C0000-0x00007FF77D914000-memory.dmp
memory/864-136-0x00007FF70FF80000-0x00007FF7102D4000-memory.dmp
memory/5112-137-0x00007FF78D860000-0x00007FF78DBB4000-memory.dmp
memory/3384-138-0x00007FF72D580000-0x00007FF72D8D4000-memory.dmp
memory/5068-139-0x00007FF7AC660000-0x00007FF7AC9B4000-memory.dmp
memory/4952-140-0x00007FF6D0840000-0x00007FF6D0B94000-memory.dmp
memory/5064-141-0x00007FF7E0D20000-0x00007FF7E1074000-memory.dmp
memory/3056-142-0x00007FF6AFE70000-0x00007FF6B01C4000-memory.dmp
memory/960-143-0x00007FF7E6B30000-0x00007FF7E6E84000-memory.dmp
memory/3656-144-0x00007FF7DDAA0000-0x00007FF7DDDF4000-memory.dmp
memory/3280-145-0x00007FF612DC0000-0x00007FF613114000-memory.dmp
memory/1456-146-0x00007FF7C5440000-0x00007FF7C5794000-memory.dmp
memory/3536-147-0x00007FF7F71B0000-0x00007FF7F7504000-memory.dmp
memory/4272-148-0x00007FF61BEF0000-0x00007FF61C244000-memory.dmp
memory/3888-149-0x00007FF77D320000-0x00007FF77D674000-memory.dmp
memory/3700-152-0x00007FF7EEB00000-0x00007FF7EEE54000-memory.dmp
memory/2428-151-0x00007FF7C1890000-0x00007FF7C1BE4000-memory.dmp
memory/2936-154-0x00007FF6E9A90000-0x00007FF6E9DE4000-memory.dmp
memory/864-155-0x00007FF70FF80000-0x00007FF7102D4000-memory.dmp
memory/2624-156-0x00007FF6B3F30000-0x00007FF6B4284000-memory.dmp
memory/4076-153-0x00007FF77D5C0000-0x00007FF77D914000-memory.dmp
memory/2640-157-0x00007FF763F60000-0x00007FF7642B4000-memory.dmp
memory/2992-150-0x00007FF6DF390000-0x00007FF6DF6E4000-memory.dmp
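Across the two detonations the same payloads reappear under different random names: 0642442db4acbbfb6037e06789624264 is HWdxlSA.exe in behavioral1 and slxIers.exe in behavioral2, 7ce4ba1725e83a50f64ba525f8815dcf is JJtAWMB.exe and GPxMKKM.exe, fbb6a602f644dbf57142122f30692c9a is DYcUzMp.exe and gIRcBwH.exe, and 6b5887af4274a78686a788865765637c is FqmDbgm.exe and pwBVfjl.exe. Filenames are therefore worthless as indicators; the hashes and the drop location are what to keep. The script below is an added example, not part of the report: it parses a hand-copied excerpt of the 'Files' entries above (path line followed by hash rows, memory-dump entries interleaved), groups names by SHA256 and emits a hash block list. The parsing rules are assumptions about this report format.

```python
"""Consolidate dropped-file IOCs from the two detonations by hash.

Added example, not part of the sandbox report. FILES_EXCERPT is a constructed
excerpt copied from the report's own 'Files' sections above.
"""
import re
from collections import defaultdict

FILES_EXCERPT = r"""
memory/2168-0-0x000000013F790000-0x000000013FAE4000-memory.dmp
C:\Windows\system\HWdxlSA.exe
| MD5 | 0642442db4acbbfb6037e06789624264 |
| SHA1 | 923aee440a6887c7a7a8a78085aa492b2cdcee65 |
| SHA256 | 5d6249e3d37c32c515e6f20e0771180c7b51c791102dfffe39e4510d623eda85 |
\Windows\system\JJtAWMB.exe
| MD5 | 7ce4ba1725e83a50f64ba525f8815dcf |
| SHA1 | b1714a2d23cfc42c18c37e1546ac0908d8252c04 |
| SHA256 | 9f7e171000696500dfb6a966f2c3ddf12dc1a77b8276ef660f14f7b7188d2908 |
C:\Windows\System\slxIers.exe
| MD5 | 0642442db4acbbfb6037e06789624264 |
| SHA1 | 923aee440a6887c7a7a8a78085aa492b2cdcee65 |
| SHA256 | 5d6249e3d37c32c515e6f20e0771180c7b51c791102dfffe39e4510d623eda85 |
memory/5084-0-0x00007FF6CE790000-0x00007FF6CEAE4000-memory.dmp
C:\Windows\System\GPxMKKM.exe
| MD5 | 7ce4ba1725e83a50f64ba525f8815dcf |
| SHA1 | b1714a2d23cfc42c18c37e1546ac0908d8252c04 |
| SHA256 | 9f7e171000696500dfb6a966f2c3ddf12dc1a77b8276ef660f14f7b7188d2908 |
C:\Windows\System\gIRcBwH.exe
| MD5 | fbb6a602f644dbf57142122f30692c9a |
| SHA1 | 8158aaa7168744874ea387599d6d2cead21e28a3 |
| SHA256 | 3ededef3bd2586830b0a8597cb8ce36b4909b0421f6d3ed699083dfd6f8c0a7d |
"""

# A file entry is a Windows path (drive letter optional, as in the report)
# followed by one '| ALGO | hex |' row per hash.
PATH_RE = re.compile(r"^(?:[A-Za-z]:)?\\[^|]+\.exe$")
HASH_RE = re.compile(r"^\| (MD5|SHA1|SHA256|SHA512) \| ([0-9a-f]+) \|$")
# Legacy C:\Windows\System (not System32) plus a 7-letter name, the pattern
# every dropped binary in the report follows.
DROPPED_RE = re.compile(r"(?:^|\\)Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)


def parse_files(text):
    """Return one dict per file entry: path, name and lower-cased hash fields."""
    records, current = [], None
    for line in text.strip().splitlines():
        line = line.strip()
        if line.startswith("memory/"):      # memory dumps carry no hashes
            current = None
        elif PATH_RE.match(line):
            current = {"path": line, "name": line.rsplit("\\", 1)[-1]}
            records.append(current)
        else:
            m = HASH_RE.match(line)
            if m and current is not None:
                current[m.group(1).lower()] = m.group(2)
    return records


def group_by_sha256(records):
    """Map each SHA256 to the sorted list of names it was dropped under."""
    groups = defaultdict(set)
    for r in records:
        if "sha256" in r:
            groups[r["sha256"]].add(r["name"])
    return {h: sorted(names) for h, names in groups.items()}


def reused_payloads(groups):
    """Hashes seen under more than one filename (the reason to block by hash)."""
    return sorted(h for h, names in groups.items() if len(names) > 1)


def looks_like_dropped(path):
    return DROPPED_RE.search(path) is not None


def block_list(groups):
    """Sorted SHA256 values, one per line, as EDR/AV consoles usually import them."""
    return sorted(groups)


if __name__ == "__main__":
    groups = group_by_sha256(parse_files(FILES_EXCERPT))
    for sha256, names in groups.items():
        print(sha256, ", ".join(names))
    print("reused:", reused_payloads(groups))
```

Feed the full 'Files' sections of both runs through parse_files and the block list shrinks to a handful of hashes; pair it with the C:\Windows\System path pattern as a second, hash-independent indicator, since a rebuilt payload would change the hashes but the dropper's naming scheme is what the sandbox observed twice.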