xmrig | c8633567b291378d8f5a4dbead59b1a7b81936a3c515eb14a16cc70b609c9f55

Analysis

max time kernel
133s
max time network
146s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
07/06/2024, 03:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

6b36fe5e55d9de907739a0981149e099
SHA1

0ae06ae26fce9e3a102674b7894c6fd05900b325
SHA256

c8633567b291378d8f5a4dbead59b1a7b81936a3c515eb14a16cc70b609c9f55
SHA512

1e67fbfd17bc8b64e46dfab9f9ac8c1dd12a27c659adb262218b376fd7e0aca64664ffa802a91d8e11715d91352efdecb2f9c071ba9a4444640ac60b9d15db3c
SSDEEP

98304:BemTLkNdfE0pZrT56utgpPFotBER/mQ32lUj:Q+u56utgpPF8u/7j

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

UPX dump on OEP (original entry point) 10 IoCs

resource	yara_rule
behavioral1/files/0x0007000000015cb9-51.dat	UPX
behavioral1/files/0x0006000000016056-129.dat	UPX
behavioral1/files/0x0006000000015f9e-123.dat	UPX
behavioral1/files/0x0006000000015cdb-73.dat	UPX
behavioral1/files/0x0006000000015cdb-71.dat	UPX
behavioral1/files/0x0006000000015cca-66.dat	UPX
behavioral1/files/0x0007000000015cb9-53.dat	UPX
behavioral1/files/0x0007000000015023-40.dat	UPX
behavioral1/files/0x00070000000149ea-19.dat	UPX
behavioral1/memory/2500-137-0x000000013FBE0000-0x000000013FF34000-memory.dmp	UPX

XMRig Miner payload 29 IoCs

miner

resource	yara_rule
behavioral1/memory/1908-0-0x000000013FFB0000-0x0000000140304000-memory.dmp	xmrig
behavioral1/memory/2896-13-0x000000013FCE0000-0x0000000140034000-memory.dmp	xmrig
behavioral1/files/0x0007000000015cb9-51.dat	xmrig
behavioral1/memory/2088-84-0x000000013F2D0000-0x000000013F624000-memory.dmp	xmrig
behavioral1/memory/1816-91-0x000000013F8A0000-0x000000013FBF4000-memory.dmp	xmrig
behavioral1/files/0x0006000000016056-129.dat	xmrig
behavioral1/files/0x0006000000015f9e-123.dat	xmrig
behavioral1/memory/2424-90-0x000000013F830000-0x000000013FB84000-memory.dmp	xmrig
behavioral1/memory/2380-81-0x000000013F7E0000-0x000000013FB34000-memory.dmp	xmrig
behavioral1/files/0x0006000000015cdb-73.dat	xmrig
behavioral1/files/0x0006000000015cdb-71.dat	xmrig
behavioral1/files/0x0006000000015cca-66.dat	xmrig
behavioral1/memory/2564-54-0x000000013F930000-0x000000013FC84000-memory.dmp	xmrig
behavioral1/files/0x0007000000015cb9-53.dat	xmrig
behavioral1/memory/2628-44-0x000000013FBE0000-0x000000013FF34000-memory.dmp	xmrig
behavioral1/files/0x0007000000015023-43.dat	xmrig
behavioral1/files/0x0007000000015023-40.dat	xmrig
behavioral1/memory/2644-34-0x000000013F860000-0x000000013FBB4000-memory.dmp	xmrig
behavioral1/files/0x00070000000149ea-19.dat	xmrig
behavioral1/memory/1908-132-0x000000013FFB0000-0x0000000140304000-memory.dmp	xmrig
behavioral1/memory/2496-135-0x000000013F640000-0x000000013F994000-memory.dmp	xmrig
behavioral1/memory/2500-137-0x000000013FBE0000-0x000000013FF34000-memory.dmp	xmrig
behavioral1/memory/2628-136-0x000000013FBE0000-0x000000013FF34000-memory.dmp	xmrig
behavioral1/memory/2500-144-0x000000013FBE0000-0x000000013FF34000-memory.dmp	xmrig
behavioral1/memory/2484-147-0x000000013F810000-0x000000013FB64000-memory.dmp	xmrig
behavioral1/memory/2424-150-0x000000013F830000-0x000000013FB84000-memory.dmp	xmrig
behavioral1/memory/2380-145-0x000000013F7E0000-0x000000013FB34000-memory.dmp	xmrig
behavioral1/memory/2628-143-0x000000013FBE0000-0x000000013FF34000-memory.dmp	xmrig
behavioral1/memory/2896-138-0x000000013FCE0000-0x0000000140034000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2896	jyzQJRt.exe
2472	xQyLbbB.exe
2564	QokDvlF.exe
2496	OwEojSY.exe
2644	cNZQsYj.exe
2628	BXqMbIs.exe
2500	jouRQbU.exe
2272	XfKgyKH.exe
2380	WgTQFUQ.exe
2484	RAeqqzM.exe
1728	ABSxVmB.exe
2088	fscWShH.exe
2424	GAVnhUb.exe
1816	nmvWaQM.exe
1628	rGvOgpB.exe
2296	HfuZWpN.exe
300	GpgEhYn.exe
1688	QWVAJNj.exe
1560	etxZgyE.exe
1324	GsoIfuX.exe
1244	GdxBBzK.exe

Loads dropped DLL 21 IoCs

pid	Process
1908	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe
1908	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe
1908	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe
1908	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe
1908	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe
1908	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe
1908	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe
1908	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe
1908	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe
1908	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe
1908	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe
1908	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe
1908	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe
1908	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe
1908	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe
1908	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe
1908	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe
1908	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe
1908	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe
1908	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe
1908	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe

UPX packed file 50 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1908-0-0x000000013FFB0000-0x0000000140304000-memory.dmp	upx
behavioral1/files/0x000d00000001449a-3.dat	upx
behavioral1/memory/2896-13-0x000000013FCE0000-0x0000000140034000-memory.dmp	upx
behavioral1/files/0x0007000000014b12-25.dat	upx
behavioral1/files/0x0007000000014e5a-35.dat	upx
behavioral1/files/0x0007000000015cb9-51.dat	upx
behavioral1/memory/1728-83-0x000000013FE20000-0x0000000140174000-memory.dmp	upx
behavioral1/memory/2088-84-0x000000013F2D0000-0x000000013F624000-memory.dmp	upx
behavioral1/memory/1816-91-0x000000013F8A0000-0x000000013FBF4000-memory.dmp	upx
behavioral1/memory/2484-94-0x000000013F810000-0x000000013FB64000-memory.dmp	upx
behavioral1/files/0x0006000000016056-129.dat	upx
behavioral1/files/0x0006000000015f9e-123.dat	upx
behavioral1/files/0x0006000000015f9e-121.dat	upx
behavioral1/files/0x0006000000015d06-97.dat	upx
behavioral1/memory/2272-92-0x000000013FC50000-0x000000013FFA4000-memory.dmp	upx
behavioral1/memory/2424-90-0x000000013F830000-0x000000013FB84000-memory.dmp	upx
behavioral1/memory/2380-81-0x000000013F7E0000-0x000000013FB34000-memory.dmp	upx
behavioral1/files/0x0006000000015cdb-73.dat	upx
behavioral1/files/0x0006000000015cdb-71.dat	upx
behavioral1/files/0x0006000000015cca-68.dat	upx
behavioral1/files/0x0006000000015cca-66.dat	upx
behavioral1/memory/2500-49-0x000000013FBE0000-0x000000013FF34000-memory.dmp	upx
behavioral1/memory/2564-54-0x000000013F930000-0x000000013FC84000-memory.dmp	upx
behavioral1/files/0x0007000000015cb9-53.dat	upx
behavioral1/memory/2628-44-0x000000013FBE0000-0x000000013FF34000-memory.dmp	upx
behavioral1/files/0x0007000000015023-43.dat	upx
behavioral1/files/0x0007000000015023-40.dat	upx
behavioral1/memory/2644-34-0x000000013F860000-0x000000013FBB4000-memory.dmp	upx
behavioral1/memory/2496-33-0x000000013F640000-0x000000013F994000-memory.dmp	upx
behavioral1/files/0x00070000000149ea-19.dat	upx
behavioral1/memory/2472-17-0x000000013FEE0000-0x0000000140234000-memory.dmp	upx
behavioral1/memory/1908-132-0x000000013FFB0000-0x0000000140304000-memory.dmp	upx
behavioral1/memory/2496-135-0x000000013F640000-0x000000013F994000-memory.dmp	upx
behavioral1/memory/2896-134-0x000000013FCE0000-0x0000000140034000-memory.dmp	upx
behavioral1/memory/2500-137-0x000000013FBE0000-0x000000013FF34000-memory.dmp	upx
behavioral1/memory/2628-136-0x000000013FBE0000-0x000000013FF34000-memory.dmp	upx
behavioral1/memory/2472-139-0x000000013FEE0000-0x0000000140234000-memory.dmp	upx
behavioral1/memory/2644-142-0x000000013F860000-0x000000013FBB4000-memory.dmp	upx
behavioral1/memory/2496-141-0x000000013F640000-0x000000013F994000-memory.dmp	upx
behavioral1/memory/2500-144-0x000000013FBE0000-0x000000013FF34000-memory.dmp	upx
behavioral1/memory/2484-147-0x000000013F810000-0x000000013FB64000-memory.dmp	upx
behavioral1/memory/1728-148-0x000000013FE20000-0x0000000140174000-memory.dmp	upx
behavioral1/memory/2424-150-0x000000013F830000-0x000000013FB84000-memory.dmp	upx
behavioral1/memory/2088-149-0x000000013F2D0000-0x000000013F624000-memory.dmp	upx
behavioral1/memory/1816-151-0x000000013F8A0000-0x000000013FBF4000-memory.dmp	upx
behavioral1/memory/2272-146-0x000000013FC50000-0x000000013FFA4000-memory.dmp	upx
behavioral1/memory/2380-145-0x000000013F7E0000-0x000000013FB34000-memory.dmp	upx
behavioral1/memory/2628-143-0x000000013FBE0000-0x000000013FF34000-memory.dmp	upx
behavioral1/memory/2564-140-0x000000013F930000-0x000000013FC84000-memory.dmp	upx
behavioral1/memory/2896-138-0x000000013FCE0000-0x0000000140034000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\ABSxVmB.exe	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\fscWShH.exe	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\GsoIfuX.exe	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\XfKgyKH.exe	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\WgTQFUQ.exe	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\GpgEhYn.exe	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\jyzQJRt.exe	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\xQyLbbB.exe	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\QokDvlF.exe	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\nmvWaQM.exe	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\etxZgyE.exe	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\BXqMbIs.exe	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\jouRQbU.exe	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\RAeqqzM.exe	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\rGvOgpB.exe	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\HfuZWpN.exe	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\QWVAJNj.exe	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\GdxBBzK.exe	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\OwEojSY.exe	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\cNZQsYj.exe	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\GAVnhUb.exe	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1908	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	1908	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 1908 wrote to memory of 2896	1908	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe	29
PID 1908 wrote to memory of 2896	1908	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe	29
PID 1908 wrote to memory of 2896	1908	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe	29
PID 1908 wrote to memory of 2472	1908	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe	30
PID 1908 wrote to memory of 2472	1908	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe	30
PID 1908 wrote to memory of 2472	1908	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe	30
PID 1908 wrote to memory of 2564	1908	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe	31
PID 1908 wrote to memory of 2564	1908	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe	31
PID 1908 wrote to memory of 2564	1908	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe	31
PID 1908 wrote to memory of 2496	1908	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe	32
PID 1908 wrote to memory of 2496	1908	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe	32
PID 1908 wrote to memory of 2496	1908	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe	32
PID 1908 wrote to memory of 2644	1908	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe	33
PID 1908 wrote to memory of 2644	1908	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe	33
PID 1908 wrote to memory of 2644	1908	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe	33
PID 1908 wrote to memory of 2628	1908	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe	34
PID 1908 wrote to memory of 2628	1908	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe	34
PID 1908 wrote to memory of 2628	1908	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe	34
PID 1908 wrote to memory of 2500	1908	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe	35
PID 1908 wrote to memory of 2500	1908	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe	35
PID 1908 wrote to memory of 2500	1908	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe	35
PID 1908 wrote to memory of 2272	1908	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe	36
PID 1908 wrote to memory of 2272	1908	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe	36
PID 1908 wrote to memory of 2272	1908	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe	36
PID 1908 wrote to memory of 2380	1908	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe	37
PID 1908 wrote to memory of 2380	1908	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe	37
PID 1908 wrote to memory of 2380	1908	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe	37
PID 1908 wrote to memory of 2484	1908	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe	38
PID 1908 wrote to memory of 2484	1908	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe	38
PID 1908 wrote to memory of 2484	1908	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe	38
PID 1908 wrote to memory of 1728	1908	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe	39
PID 1908 wrote to memory of 1728	1908	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe	39
PID 1908 wrote to memory of 1728	1908	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe	39
PID 1908 wrote to memory of 2088	1908	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe	40
PID 1908 wrote to memory of 2088	1908	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe	40
PID 1908 wrote to memory of 2088	1908	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe	40
PID 1908 wrote to memory of 2424	1908	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe	41
PID 1908 wrote to memory of 2424	1908	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe	41
PID 1908 wrote to memory of 2424	1908	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe	41
PID 1908 wrote to memory of 1816	1908	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe	42
PID 1908 wrote to memory of 1816	1908	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe	42
PID 1908 wrote to memory of 1816	1908	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe	42
PID 1908 wrote to memory of 1628	1908	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe	43
PID 1908 wrote to memory of 1628	1908	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe	43
PID 1908 wrote to memory of 1628	1908	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe	43
PID 1908 wrote to memory of 2296	1908	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe	44
PID 1908 wrote to memory of 2296	1908	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe	44
PID 1908 wrote to memory of 2296	1908	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe	44
PID 1908 wrote to memory of 300	1908	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe	45
PID 1908 wrote to memory of 300	1908	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe	45
PID 1908 wrote to memory of 300	1908	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe	45
PID 1908 wrote to memory of 1688	1908	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe	46
PID 1908 wrote to memory of 1688	1908	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe	46
PID 1908 wrote to memory of 1688	1908	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe	46
PID 1908 wrote to memory of 1560	1908	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe	47
PID 1908 wrote to memory of 1560	1908	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe	47
PID 1908 wrote to memory of 1560	1908	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe	47
PID 1908 wrote to memory of 1324	1908	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe	48
PID 1908 wrote to memory of 1324	1908	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe	48
PID 1908 wrote to memory of 1324	1908	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe	48
PID 1908 wrote to memory of 1244	1908	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe	49
PID 1908 wrote to memory of 1244	1908	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe	49
PID 1908 wrote to memory of 1244	1908	2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe	49

C:\Users\Admin\AppData\Local\Temp\2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-07_6b36fe5e55d9de907739a0981149e099_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1908
- C:\Windows\System\jyzQJRt.exe
  C:\Windows\System\jyzQJRt.exe
  2⤵
  - Executes dropped EXE
  PID:2896
- C:\Windows\System\xQyLbbB.exe
  C:\Windows\System\xQyLbbB.exe
  2⤵
  - Executes dropped EXE
  PID:2472
- C:\Windows\System\QokDvlF.exe
  C:\Windows\System\QokDvlF.exe
  2⤵
  - Executes dropped EXE
  PID:2564
- C:\Windows\System\OwEojSY.exe
  C:\Windows\System\OwEojSY.exe
  2⤵
  - Executes dropped EXE
  PID:2496
- C:\Windows\System\cNZQsYj.exe
  C:\Windows\System\cNZQsYj.exe
  2⤵
  - Executes dropped EXE
  PID:2644
- C:\Windows\System\BXqMbIs.exe
  C:\Windows\System\BXqMbIs.exe
  2⤵
  - Executes dropped EXE
  PID:2628
- C:\Windows\System\jouRQbU.exe
  C:\Windows\System\jouRQbU.exe
  2⤵
  - Executes dropped EXE
  PID:2500
- C:\Windows\System\XfKgyKH.exe
  C:\Windows\System\XfKgyKH.exe
  2⤵
  - Executes dropped EXE
  PID:2272
- C:\Windows\System\WgTQFUQ.exe
  C:\Windows\System\WgTQFUQ.exe
  2⤵
  - Executes dropped EXE
  PID:2380
- C:\Windows\System\RAeqqzM.exe
  C:\Windows\System\RAeqqzM.exe
  2⤵
  - Executes dropped EXE
  PID:2484
- C:\Windows\System\ABSxVmB.exe
  C:\Windows\System\ABSxVmB.exe
  2⤵
  - Executes dropped EXE
  PID:1728
- C:\Windows\System\fscWShH.exe
  C:\Windows\System\fscWShH.exe
  2⤵
  - Executes dropped EXE
  PID:2088
- C:\Windows\System\GAVnhUb.exe
  C:\Windows\System\GAVnhUb.exe
  2⤵
  - Executes dropped EXE
  PID:2424
- C:\Windows\System\nmvWaQM.exe
  C:\Windows\System\nmvWaQM.exe
  2⤵
  - Executes dropped EXE
  PID:1816
- C:\Windows\System\rGvOgpB.exe
  C:\Windows\System\rGvOgpB.exe
  2⤵
  - Executes dropped EXE
  PID:1628
- C:\Windows\System\HfuZWpN.exe
  C:\Windows\System\HfuZWpN.exe
  2⤵
  - Executes dropped EXE
  PID:2296
- C:\Windows\System\GpgEhYn.exe
  C:\Windows\System\GpgEhYn.exe
  2⤵
  - Executes dropped EXE
  PID:300
- C:\Windows\System\QWVAJNj.exe
  C:\Windows\System\QWVAJNj.exe
  2⤵
  - Executes dropped EXE
  PID:1688
- C:\Windows\System\etxZgyE.exe
  C:\Windows\System\etxZgyE.exe
  2⤵
  - Executes dropped EXE
  PID:1560
- C:\Windows\System\GsoIfuX.exe
  C:\Windows\System\GsoIfuX.exe
  2⤵
  - Executes dropped EXE
  PID:1324
- C:\Windows\System\GdxBBzK.exe
  C:\Windows\System\GdxBBzK.exe
  2⤵
  - Executes dropped EXE
  PID:1244

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\ABSxVmB.exe

Filesize
384KB

MD5
6207c08555e637186de329c9179e16d9

SHA1
09098b1d2cbfb2ab317439f6c4fc0121d5b8f70a

SHA256
90e60744ec9da51fba847be626db348bca6bdaf98ac91b116446f5b42433003b

SHA512
a17015ce5be9dbe107f45a5361c78d0722d3574d1684f1ab5a78044304a8f13b281179a8bde4be29c0529678da2d8332817db568d46fd1e81541274c1a2a6ea7

Download Submit
C:\Windows\system\GdxBBzK.exe

Filesize
1.9MB

MD5
52f8ff77e32ce50117de0d585632c94f

SHA1
44e3e5770a7dc4c683f82d001ed454b85cf274d6

SHA256
5f08a9b8d5caede4064f83312dddc34c1b4fdf018f6d2fa7ea20340b674c94fd

SHA512
918ed51583a1bf663cf73015830cbd20bfdaa1b0e0e64d5ea8143e3a7d76c922d268d68fcaf3c359336c754e6bc4616dad876d8e0063636ed3decf2133a6abb3

Download Submit
C:\Windows\system\GsoIfuX.exe

Filesize
1.6MB

MD5
35321aeda00333dd9032d4d40d1a19e2

SHA1
192ad8a880346419f0e3ea7e477ad8ff99180fa3

SHA256
8035dd462ef2340a2376fcfa8050adc192ff399402e52b00f33dcc97c95978e5

SHA512
eaed167a93819b875bd7897970eed86506e40d576bda6d3c73fcc613b8bfecf4438fd0c0cfae75cb3c35027d13e53a0ba2ba7573c1e62b62a35e5c713b3f4fc2

Download Submit
C:\Windows\system\OwEojSY.exe

Filesize
448KB

MD5
0642442db4acbbfb6037e06789624264

SHA1
923aee440a6887c7a7a8a78085aa492b2cdcee65

SHA256
5d6249e3d37c32c515e6f20e0771180c7b51c791102dfffe39e4510d623eda85

SHA512
7fc8231c299b64743a966130c519362217b11d421c0ccc65ca7c97570221449b6e5bd90caefa97b416470db36fac07c3f48ea41836b395ab190e6121598e88a1

Download Submit
C:\Windows\system\QokDvlF.exe

Filesize
1.7MB

MD5
cf886b22fe2dbe0b4065d91f350758ff

SHA1
820b3630cbbe6252ffdac9ad20a59a8498be234c

SHA256
0fa3c393709352fda2d26aa4138307e949fa9192dc8937db5413d14f28f46dd5

SHA512
b43f0271c4066bfeffd90e0ff7cff07bec6eb897852e1799b2eed72dbf3a14f5aa85559cfc339e6b18ee99b85bdf594d9815f72e3bd0bc2f4bbcb447d4ee8c27

Download Submit
C:\Windows\system\WgTQFUQ.exe

Filesize
1.9MB

MD5
f643883f259de01dd5329353aba9e3bc

SHA1
8a0c9acc560b2a903e1249b54de084c27f2f7330

SHA256
885d32479d3d931762c4646bd89041e2dc323a00afc74c5ce659e0439525e486

SHA512
4fbee57fc43773ceb767e4aa78bc2879a54950d29e94d06ab5acf504f8c6e1b3a52cc3f816f267cfbe746c86e79bc3431149abbf38cd824127a0e4b7532c9af9

Download Submit
C:\Windows\system\fscWShH.exe

Filesize
1.6MB

MD5
fe60770a3cf21a1b415d2be2c9b7d633

SHA1
4abc354680f440d38d0df3bb28b87154df49a0a3

SHA256
e715ffe401e5c4c4ad72d430088a2757c346c379965a44c677470ba53c292160

SHA512
461b30f44d2c1567bc0b48ade2e1cd0ef94bd1c6116444dcefd7ecf771115a60cc3be1daf9ac7ccbd5ddf5c5216ff68cbc98003064ef4c8538eac65721f5a467

Download Submit
C:\Windows\system\jouRQbU.exe

Filesize
896KB

MD5
d8061570a3d685a09a8726d2e2043dcd

SHA1
5784ed9099dd4b61b63fc8ab2f585fc9e4456099

SHA256
2858747fe15b825bca2004f1fb5434e70a8f8952f994cb7850f53fc69e794e72

SHA512
491823d9b7c3d0e919d65b711645bd0839fa6e3b7a404dd101f61c497b50d40cc12658380d09032bb5d5d2ac84e5d2791f8235e5d4c6f54ca1090b042d3a4b7a

Download Submit
\Windows\system\ABSxVmB.exe

Filesize
1.1MB

MD5
220111656068eadde2f8c2f21dcb5902

SHA1
5455b3bbb9cc6cf0628b46653755674c1137b47a

SHA256
843346a1974114ea1de4dd8cdf6fe847ff265fc20e83aa111d58ad179dbea08b

SHA512
53a92627488e123e0888469b327c09cb794316764e66a12a703ebea5bd88044a1e2fc69c5c8d18a10b5879922f208731673f87b7aaa76e9991222a84ff178d08

Download Submit
\Windows\system\BXqMbIs.exe

Filesize
192KB

MD5
4a486a2a371d8db348dc0ad03e9fd9f0

SHA1
edd912c5d606628022dc3216eaf2db7c93554ff7

SHA256
93ebf2ea35e05e71e9c9884bcb76799c1b9f2b81bf8decfe1ec83807b911916b

SHA512
deb1d7cb48c961fa18e748db8dfc9769c6fcedd4b7a26b044181e535fbdb31d7ead7b8ae69fab463473bcf0bbda0affdeecb9deffc51a89c74001f68a98bf60b

Download Submit
\Windows\system\GsoIfuX.exe

Filesize
576KB

MD5
2b325ba998218e1724cf0adeb30ee980

SHA1
91c91f972b93ca21c02dbae5cc375d4e1212c0a0

SHA256
3b509ef9edb2905d68e114a86a101a00bf7ea4fa51d16ade0566e14bca5a50a9

SHA512
d7398cce9bbdb945487f66d7ab2c5fc7624933379c2058d1b197daa7f380b66de5a2145bdf0033355e795b1072c67b0031b7045307d04119888457779d707df5

Download Submit
\Windows\system\WgTQFUQ.exe

Filesize
2.1MB

MD5
a408228147ba38694d9b04d6235f749b

SHA1
4b09806e19b033a103b18b20d69f9c9ed694a54c

SHA256
2a2d127caa6282831c8750f45fa0e94f26c35d3d14938b4bbdcd2d060e24c1a6

SHA512
d16a0a2ea2a8265f5644a63f363356d29df0cb9d460f245d5bf0e63a02079aed04ec394ecc430cfa7a214ec1109f61a622a3dab043950f5e75c65bdf0c1fab62

Download Submit
\Windows\system\fscWShH.exe

Filesize
1.1MB

MD5
4b5b10f3552969f051eadcd37a9c7397

SHA1
0f2b41104db736f9360793c29e92119a74fa37e0

SHA256
f633addb5a572461a15c024f25c75063b5d269a87a95a59eded006b1a75cf6d7

SHA512
ff3c4d40b8c5d525ac0a6eea8b3a5d4134595a19a427e51a3372aac1f7c3120344a3a0a217c283ce087f145e2b66cae626a08d41a64181e3520c23f3a9afe269

Download Submit
\Windows\system\jouRQbU.exe

Filesize
2.1MB

MD5
47d0431f6b514291bd56e8820075b014

SHA1
41128f46e259ab3914d0e81369debd8d56c276b8

SHA256
97810ab24b77215410551aa106be2234863cd3f0314394ba17e1d9f620fb7c87

SHA512
72b276306066ce5d8e5dcba7ff00b4b79e533e51d2f7e439db1b3ed6fe77e57ca41e0150bfc1d32555cc53c302ee681e6258885d8ac83d182608e8a412b0d12c

Download Submit
\Windows\system\jyzQJRt.exe

Filesize
512KB

MD5
6b5887af4274a78686a788865765637c

SHA1
5afc15e6fcbc11377bbabbda47ff43f6ebedd369

SHA256
ecdfed9bc02368fefbebe0d02090e93826b7e5cc1043e339dd245299c8b23006

SHA512
4f563e539f8ec68bbc27d4cc59c42ea4897bb131085e08433f745cc558ab7a030701a601ddb711cda19dfa6cd9086b458fb74762092be15aaa4190c05134d077

Download Submit
\Windows\system\rGvOgpB.exe

Filesize
128KB

MD5
7ce4ba1725e83a50f64ba525f8815dcf

SHA1
b1714a2d23cfc42c18c37e1546ac0908d8252c04

SHA256
9f7e171000696500dfb6a966f2c3ddf12dc1a77b8276ef660f14f7b7188d2908

SHA512
2dff777f276295d96892e5749316e2e8892ba50f8398f9972ecc2f6e5378213e3cdd31c7c6ab8360d3490d1ec9e77be4e73ac137e108b2eddff2feaaf600be19

Download Submit
memory/1728-83-0x000000013FE20000-0x0000000140174000-memory.dmp

Filesize
3.3MB

Download
memory/1728-148-0x000000013FE20000-0x0000000140174000-memory.dmp

Filesize
3.3MB

Download
memory/1816-91-0x000000013F8A0000-0x000000013FBF4000-memory.dmp

Filesize
3.3MB

Download
memory/1816-151-0x000000013F8A0000-0x000000013FBF4000-memory.dmp

Filesize
3.3MB

Download
memory/1908-75-0x000000013F7E0000-0x000000013FB34000-memory.dmp

Filesize
3.3MB

Download
memory/1908-20-0x0000000002270000-0x00000000025C4000-memory.dmp

Filesize
3.3MB

Download
memory/1908-1-0x0000000000100000-0x0000000000110000-memory.dmp

Filesize
64KB

Download
memory/1908-133-0x0000000002270000-0x00000000025C4000-memory.dmp

Filesize
3.3MB

Download
memory/1908-132-0x000000013FFB0000-0x0000000140304000-memory.dmp

Filesize
3.3MB

Download
memory/1908-65-0x000000013FBE0000-0x000000013FF34000-memory.dmp

Filesize
3.3MB

Download
memory/1908-63-0x000000013FBE0000-0x000000013FF34000-memory.dmp

Filesize
3.3MB

Download
memory/1908-93-0x000000013F810000-0x000000013FB64000-memory.dmp

Filesize
3.3MB

Download
memory/1908-95-0x0000000002270000-0x00000000025C4000-memory.dmp

Filesize
3.3MB

Download
memory/1908-60-0x000000013F860000-0x000000013FBB4000-memory.dmp

Filesize
3.3MB

Download
memory/1908-7-0x0000000002270000-0x00000000025C4000-memory.dmp

Filesize
3.3MB

Download
memory/1908-96-0x000000013F830000-0x000000013FB84000-memory.dmp

Filesize
3.3MB

Download
memory/1908-102-0x000000013F8C0000-0x000000013FC14000-memory.dmp

Filesize
3.3MB

Download
memory/1908-0-0x000000013FFB0000-0x0000000140304000-memory.dmp

Filesize
3.3MB

Download
memory/1908-26-0x000000013F930000-0x000000013FC84000-memory.dmp

Filesize
3.3MB

Download
memory/2088-84-0x000000013F2D0000-0x000000013F624000-memory.dmp

Filesize
3.3MB

Download
memory/2088-149-0x000000013F2D0000-0x000000013F624000-memory.dmp

Filesize
3.3MB

Download
memory/2272-146-0x000000013FC50000-0x000000013FFA4000-memory.dmp

Filesize
3.3MB

Download
memory/2272-92-0x000000013FC50000-0x000000013FFA4000-memory.dmp

Filesize
3.3MB

Download
memory/2380-145-0x000000013F7E0000-0x000000013FB34000-memory.dmp

Filesize
3.3MB

Download
memory/2380-81-0x000000013F7E0000-0x000000013FB34000-memory.dmp

Filesize
3.3MB

Download
memory/2424-150-0x000000013F830000-0x000000013FB84000-memory.dmp

Filesize
3.3MB

Download
memory/2424-90-0x000000013F830000-0x000000013FB84000-memory.dmp

Filesize
3.3MB

Download
memory/2472-17-0x000000013FEE0000-0x0000000140234000-memory.dmp

Filesize
3.3MB

Download
memory/2472-139-0x000000013FEE0000-0x0000000140234000-memory.dmp

Filesize
3.3MB

Download
memory/2484-94-0x000000013F810000-0x000000013FB64000-memory.dmp

Filesize
3.3MB

Download
memory/2484-147-0x000000013F810000-0x000000013FB64000-memory.dmp

Filesize
3.3MB

Download
memory/2496-135-0x000000013F640000-0x000000013F994000-memory.dmp

Filesize
3.3MB

Download
memory/2496-33-0x000000013F640000-0x000000013F994000-memory.dmp

Filesize
3.3MB

Download
memory/2496-141-0x000000013F640000-0x000000013F994000-memory.dmp

Filesize
3.3MB

Download
memory/2500-137-0x000000013FBE0000-0x000000013FF34000-memory.dmp

Filesize
3.3MB

Download
memory/2500-144-0x000000013FBE0000-0x000000013FF34000-memory.dmp

Filesize
3.3MB

Download
memory/2500-49-0x000000013FBE0000-0x000000013FF34000-memory.dmp

Filesize
3.3MB

Download
memory/2564-54-0x000000013F930000-0x000000013FC84000-memory.dmp

Filesize
3.3MB

Download
memory/2564-140-0x000000013F930000-0x000000013FC84000-memory.dmp

Filesize
3.3MB

Download
memory/2628-143-0x000000013FBE0000-0x000000013FF34000-memory.dmp

Filesize
3.3MB

Download
memory/2628-136-0x000000013FBE0000-0x000000013FF34000-memory.dmp

Filesize
3.3MB

Download
memory/2628-44-0x000000013FBE0000-0x000000013FF34000-memory.dmp

Filesize
3.3MB

Download
memory/2644-142-0x000000013F860000-0x000000013FBB4000-memory.dmp

Filesize
3.3MB

Download
memory/2644-34-0x000000013F860000-0x000000013FBB4000-memory.dmp

Filesize
3.3MB

Download
memory/2896-134-0x000000013FCE0000-0x0000000140034000-memory.dmp

Filesize
3.3MB

Download
memory/2896-13-0x000000013FCE0000-0x0000000140034000-memory.dmp

Filesize
3.3MB

Download
memory/2896-138-0x000000013FCE0000-0x0000000140034000-memory.dmp

Filesize
3.3MB

Download