Malware Analysis Report

2024-10-16 03:05

Sample ID 240609-yffagseh47
Target 2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike
SHA256 685b16472bb3691a462668c09bab10e6363846d1c39add821c4889bd392a0c95
Tags
cobaltstrike xmrig 0 backdoor miner trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

685b16472bb3691a462668c09bab10e6363846d1c39add821c4889bd392a0c95

Threat Level: Known bad

The file 2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

cobaltstrike xmrig 0 backdoor miner trojan upx

Cobaltstrike

Xmrig family

Detects Reflective DLL injection artifacts

XMRig Miner payload

xmrig

Cobalt Strike reflective loader

Cobaltstrike family

UPX dump on OEP (original entry point)

Executes dropped EXE

UPX packed file

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-09 19:43

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
(1 hit; no description, indicator, process or target recorded)

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
(1 hit; no description, indicator, process or target recorded)

UPX dump on OEP (original entry point)

Description Indicator Process Target
(1 hit; no description, indicator, process or target recorded)

XMRig Miner payload

miner
Description Indicator Process Target
(1 hit; no description, indicator, process or target recorded)

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
(1 hit; no description, indicator, process or target recorded)

Unsigned PE

Description Indicator Process Target
(1 hit; no description, indicator, process or target recorded)

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-09 19:43

Reported

2024-06-09 19:46

Platform

win10v2004-20240426-en

Max time kernel

137s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
(21 hits; no description, indicator, process or target recorded)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
(21 hits; no description, indicator, process or target recorded)

UPX dump on OEP (original entry point)

Description Indicator Process Target
(64 hits; no description, indicator, process or target recorded)

XMRig Miner payload

miner
Description Indicator Process Target
(64 hits; no description, indicator, process or target recorded)

UPX packed file

upx
Description Indicator Process Target
(64 hits; no description, indicator, process or target recorded)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\UWkRijB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sYYGgPf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jTHJCQy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PIqVlVL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PXfkBFS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jjBNSlm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hOmuemy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vVNjteG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\aBQviWQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YJmREAY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GHXtJVS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\foBdswi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RaMFqpm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\JeZPyWa.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hgtBHhv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GzSshfX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\SaGEHQb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BzgIBVg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nNtYQgo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ixaaTPT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AnOsrOw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe N/A
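
The 21 rows above share one shape: a seven-letter, mixed-case basename written into C:\Windows\System by a parent that runs from the user's Temp directory. The Python below is an added example and not part of the sandbox report. It parses rows in the report's own "File created <path> <parent> <target>" layout and flags that pattern. The case-flip threshold, the length bounds and the two benign control rows are assumptions made here for illustration; four of the report's rows are embedded verbatim.

```python
"""Triage "File created" rows for random-named executables under C:\\Windows.

Added example (not from the sandbox report). Input rows are copied from the
report's "Drops file in Windows directory" table; the control rows and the
randomness heuristic are assumptions made here for illustration.
"""
import re
from typing import Dict, List

ROW_RE = re.compile(r"^File created (?P<path>\S+) (?P<parent>\S+) (?P<target>\S+)$")

# Four rows copied verbatim from the report (the table has 21 of this shape).
REPORT_ROWS = [
    r"File created C:\Windows\System\UWkRijB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe N/A",
    r"File created C:\Windows\System\sYYGgPf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe N/A",
    r"File created C:\Windows\System\jTHJCQy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe N/A",
    r"File created C:\Windows\System\BzgIBVg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe N/A",
]

# Constructed benign control rows (not from the report): a Windows component
# writing a normally named file, and a user-land app writing outside Windows.
CONTROL_ROWS = [
    r"File created C:\Windows\System32\Tasks\Maintenance C:\Windows\System32\svchost.exe N/A",
    r"File created C:\Users\Admin\Downloads\Report.exe C:\Users\Admin\AppData\Local\Browser\browser.exe N/A",
]


def case_transitions(stem: str) -> int:
    """Count upper/lower flips between adjacent letters (UWkRijB -> 4)."""
    return sum(1 for a, b in zip(stem, stem[1:]) if a.isupper() != b.isupper())


def looks_random(basename: str, min_flips: int = 2) -> bool:
    """Heuristic (assumption): a short, all-letter .exe stem that flips case at
    least min_flips times. Product names rarely do (Notepad.exe flips once)."""
    stem, _, ext = basename.rpartition(".")
    return (ext.lower() == "exe" and 6 <= len(stem) <= 8 and stem.isalpha()
            and case_transitions(stem) >= min_flips)


def under(path: str, prefix: str) -> bool:
    """Case-insensitive prefix test on Windows paths."""
    return path.lower().startswith(prefix.lower())


def triage(rows: List[str]) -> List[Dict[str, str]]:
    """Flag rows where a process outside C:\\Windows writes a random-named .exe
    somewhere under C:\\Windows. Returns one dict per flagged row."""
    flagged = []
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            continue
        path, parent = m["path"], m["parent"]
        directory, _, basename = path.rpartition("\\")
        if (under(directory, r"C:\Windows") and not under(parent, r"C:\Windows")
                and looks_random(basename)):
            flagged.append({
                "path": path,
                "parent": parent,
                "reason": f"random-looking {basename} written under C:\\Windows by a non-Windows parent",
            })
    return flagged


if __name__ == "__main__":
    for hit in triage(REPORT_ROWS + CONTROL_ROWS):
        print(hit["path"], "<-", hit["parent"])
```

The same rule applies unchanged to Sysmon Event ID 11 (FileCreate) records once the TargetFilename and Image fields are pulled into the same three-token row shape.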

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2612 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\BzgIBVg.exe
PID 2612 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\BzgIBVg.exe
PID 2612 wrote to memory of 3168 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\foBdswi.exe
PID 2612 wrote to memory of 3168 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\foBdswi.exe
PID 2612 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\RaMFqpm.exe
PID 2612 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\RaMFqpm.exe
PID 2612 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\hOmuemy.exe
PID 2612 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\hOmuemy.exe
PID 2612 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\UWkRijB.exe
PID 2612 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\UWkRijB.exe
PID 2612 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\sYYGgPf.exe
PID 2612 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\sYYGgPf.exe
PID 2612 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\vVNjteG.exe
PID 2612 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\vVNjteG.exe
PID 2612 wrote to memory of 3816 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\nNtYQgo.exe
PID 2612 wrote to memory of 3816 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\nNtYQgo.exe
PID 2612 wrote to memory of 344 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\jTHJCQy.exe
PID 2612 wrote to memory of 344 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\jTHJCQy.exe
PID 2612 wrote to memory of 3232 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\aBQviWQ.exe
PID 2612 wrote to memory of 3232 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\aBQviWQ.exe
PID 2612 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\PIqVlVL.exe
PID 2612 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\PIqVlVL.exe
PID 2612 wrote to memory of 5064 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\PXfkBFS.exe
PID 2612 wrote to memory of 5064 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\PXfkBFS.exe
PID 2612 wrote to memory of 3772 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\JeZPyWa.exe
PID 2612 wrote to memory of 3772 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\JeZPyWa.exe
PID 2612 wrote to memory of 3428 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\hgtBHhv.exe
PID 2612 wrote to memory of 3428 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\hgtBHhv.exe
PID 2612 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\YJmREAY.exe
PID 2612 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\YJmREAY.exe
PID 2612 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\jjBNSlm.exe
PID 2612 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\jjBNSlm.exe
PID 2612 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\GzSshfX.exe
PID 2612 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\GzSshfX.exe
PID 2612 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\ixaaTPT.exe
PID 2612 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\ixaaTPT.exe
PID 2612 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\AnOsrOw.exe
PID 2612 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\AnOsrOw.exe
PID 2612 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\GHXtJVS.exe
PID 2612 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\GHXtJVS.exe
PID 2612 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\SaGEHQb.exe
PID 2612 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\SaGEHQb.exe
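
Every child in the table above appears twice (the sandbox logs each write separately) and all 42 rows share the same source, PID 2612. The Python below is an added example, not part of the report: it reproduces rows in the report's "PID <src> wrote to memory of <dst> N/A <source image> <target image>" layout from the 21 (pid, image) pairs listed above, collapses the duplicates into a parent-to-child map, and raises a fan-out alert when one process writes into many distinct others. The alert threshold is an assumption. The two SeLockMemoryPrivilege rows further up are consistent with the xmrig tag: XMRig requests that privilege on Windows so it can back its RandomX memory with large pages.

```python
"""Collapse "wrote to memory of" rows into a parent->child map and flag fan-out.

Added example (not from the sandbox report). The (pid, image) pairs are the
21 children in the report's WriteProcessMemory table; report_rows() renders
them in the report's row format, duplicate rows included. The fan-out
threshold is an assumption for illustration.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List

PARENT_PID = 2612
PARENT_IMG = r"C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe"

# (target pid, dropped image stem) pairs as they appear in the report.
CHILDREN = [
    (772, "BzgIBVg"), (3168, "foBdswi"), (2952, "RaMFqpm"), (4900, "hOmuemy"),
    (4332, "UWkRijB"), (1312, "sYYGgPf"), (2044, "vVNjteG"), (3816, "nNtYQgo"),
    (344, "jTHJCQy"), (3232, "aBQviWQ"), (2892, "PIqVlVL"), (5064, "PXfkBFS"),
    (3772, "JeZPyWa"), (3428, "hgtBHhv"), (2400, "YJmREAY"), (5008, "jjBNSlm"),
    (1196, "GzSshfX"), (1200, "ixaaTPT"), (2220, "AnOsrOw"), (2312, "GHXtJVS"),
    (1288, "SaGEHQb"),
]

ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) \S+ (?P<src_img>\S+) (?P<dst_img>\S+)$"
)


def report_rows() -> List[str]:
    """Render the table as the report prints it: each write logged twice."""
    rows = []
    for pid, name in CHILDREN:
        row = f"PID {PARENT_PID} wrote to memory of {pid} N/A {PARENT_IMG} C:\\Windows\\System\\{name}.exe"
        rows.extend([row, row])
    return rows


def parse_writes(rows: Iterable[str]) -> Dict[int, Dict[int, str]]:
    """Return {source pid: {target pid: target image}}; duplicate rows collapse."""
    tree: Dict[int, Dict[int, str]] = defaultdict(dict)
    for row in rows:
        m = ROW_RE.match(row.strip())
        if m:
            tree[int(m["src"])][int(m["dst"])] = m["dst_img"]
    return dict(tree)


def fanout_alerts(tree: Dict[int, Dict[int, str]], threshold: int = 5) -> Dict[int, int]:
    """Sources that wrote into at least `threshold` distinct processes.
    The threshold is an assumption; a launcher seeding 21 children is far past it."""
    return {src: len(dsts) for src, dsts in tree.items() if len(dsts) >= threshold}


def distinct_target_images(tree: Dict[int, Dict[int, str]], src: int) -> List[str]:
    """Sorted basenames of every image the source wrote into."""
    return sorted({img.rsplit("\\", 1)[-1] for img in tree[src].values()})


if __name__ == "__main__":
    t = parse_writes(report_rows())
    print(fanout_alerts(t), distinct_target_images(t, PARENT_PID))
```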

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\BzgIBVg.exe

C:\Windows\System\BzgIBVg.exe

C:\Windows\System\foBdswi.exe

C:\Windows\System\foBdswi.exe

C:\Windows\System\RaMFqpm.exe

C:\Windows\System\RaMFqpm.exe

C:\Windows\System\hOmuemy.exe

C:\Windows\System\hOmuemy.exe

C:\Windows\System\UWkRijB.exe

C:\Windows\System\UWkRijB.exe

C:\Windows\System\sYYGgPf.exe

C:\Windows\System\sYYGgPf.exe

C:\Windows\System\vVNjteG.exe

C:\Windows\System\vVNjteG.exe

C:\Windows\System\nNtYQgo.exe

C:\Windows\System\nNtYQgo.exe

C:\Windows\System\jTHJCQy.exe

C:\Windows\System\jTHJCQy.exe

C:\Windows\System\aBQviWQ.exe

C:\Windows\System\aBQviWQ.exe

C:\Windows\System\PIqVlVL.exe

C:\Windows\System\PIqVlVL.exe

C:\Windows\System\PXfkBFS.exe

C:\Windows\System\PXfkBFS.exe

C:\Windows\System\JeZPyWa.exe

C:\Windows\System\JeZPyWa.exe

C:\Windows\System\hgtBHhv.exe

C:\Windows\System\hgtBHhv.exe

C:\Windows\System\YJmREAY.exe

C:\Windows\System\YJmREAY.exe

C:\Windows\System\jjBNSlm.exe

C:\Windows\System\jjBNSlm.exe

C:\Windows\System\GzSshfX.exe

C:\Windows\System\GzSshfX.exe

C:\Windows\System\ixaaTPT.exe

C:\Windows\System\ixaaTPT.exe

C:\Windows\System\AnOsrOw.exe

C:\Windows\System\AnOsrOw.exe

C:\Windows\System\GHXtJVS.exe

C:\Windows\System\GHXtJVS.exe

C:\Windows\System\SaGEHQb.exe

C:\Windows\System\SaGEHQb.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 201.197.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
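
The table records no direct connection to any host whose address is reverse-resolved; the only TCP destination is 3.120.209.58:8080, contacted six times. The Python below is an added example rather than part of the report. It parses rows in the table's "Country Destination Domain Proto" layout (a row with an empty Domain column has only three fields), turns each in-addr.arpa name back into the address that was being looked up, and tallies the direct flows. Which PTR lookups the sample issued and which are background traffic from the analysis VM is not something the table can settle, since it records no originating process.

```python
"""Decode the sandbox network table: PTR names back to IPs, plus direct flows.

Added example (not from the report). NETWORK_ROWS is copied from the report's
Network table; rows whose Domain column is empty carry only three fields.
"""
import re
from collections import Counter
from typing import List, Optional, Tuple

NETWORK_ROWS = """
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 201.197.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
""".strip().splitlines()

PTR_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa\.?$", re.I)


def ptr_to_ip(name: str) -> Optional[str]:
    """133.211.185.52.in-addr.arpa -> 52.185.211.133 (octets are reversed)."""
    m = PTR_RE.match(name)
    return ".".join(reversed(m.groups())) if m else None


def parse_rows(rows: List[str]) -> List[Tuple[str, str, Optional[str], str]]:
    """(country, destination, domain, proto); domain is None when the column is empty."""
    out = []
    for row in rows:
        parts = row.split()
        if len(parts) == 4:
            out.append((parts[0], parts[1], parts[2], parts[3]))
        elif len(parts) == 3:
            out.append((parts[0], parts[1], None, parts[2]))
    return out


def summarize(rows: List[str]) -> Tuple[Counter, List[str]]:
    """Return (direct-flow counter keyed by (destination, proto), decoded PTR targets)."""
    flows: Counter = Counter()
    looked_up: List[str] = []
    for _, dest, domain, proto in parse_rows(rows):
        if domain is None:
            flows[(dest, proto)] += 1
        else:
            ip = ptr_to_ip(domain)
            if ip:
                looked_up.append(ip)
    return flows, looked_up


def ptr_without_flow(rows: List[str]) -> List[str]:
    """Addresses that were reverse-resolved but never appear as a destination."""
    contacted = {dest.rsplit(":", 1)[0] for _, dest, _, _ in parse_rows(rows)}
    _, looked_up = summarize(rows)
    return [ip for ip in looked_up if ip not in contacted]


if __name__ == "__main__":
    flows, looked_up = summarize(NETWORK_ROWS)
    print(flows, looked_up, ptr_without_flow(NETWORK_ROWS))
```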

Files

memory/2612-0-0x00007FF7A7DA0000-0x00007FF7A80F4000-memory.dmp

memory/2612-1-0x00000239C0490000-0x00000239C04A0000-memory.dmp

C:\Windows\System\BzgIBVg.exe

MD5 f5cde5295af5706b5e81ba1927b52f73
SHA1 f401ce5ca91a37fb204f3508e64650d2fd8b80ec
SHA256 755625df81200a0df197497f4e48fe32dd3106d9cead5cd5ad8227f545b25658
SHA512 7839361e90cd9b74b64c17095b638dfbbfd2a2cf019376b3a8fb32e35a1c46bcc132076b1eb7b30dbbc61d79dc1d7738e7f820f65126fe2cf4d52aeba9ffa5aa

memory/772-8-0x00007FF673060000-0x00007FF6733B4000-memory.dmp

C:\Windows\System\RaMFqpm.exe

MD5 412351f25290751b95f86753702d8fd0
SHA1 266e3e2a00056b84f30ff0acfba99f216555b1cc
SHA256 e4ef18758b8dbdc5c903262ccb42169d33671da0a2c4256118d4985253c70982
SHA512 c9c3dde501fccb3f4907428c449613e0b0202d3b68c49ed390266e1db1709ba257b5d1aac8068d1c575ff62bce33a6ea72f1a72bc8d90432415b56cab36f2d53

C:\Windows\System\hOmuemy.exe

MD5 f4b1a40a4fcfc59b676329d8e7790a45
SHA1 0f04e46f4e36c09da367419623e0842b2eb5e472
SHA256 44279c81447860016d096c3b8874bfddf101d5412245f5f1bc6e81989842ae6a
SHA512 fee0ba5c5725b1fd47efc4cbe3cc690ba3063ddd0711a7d0097d1e52c313cb73867b68bd4b9ed022dbda3ea6d3a31e8457686c7a71410724bd3a6e8f8f772537

memory/4900-24-0x00007FF611B50000-0x00007FF611EA4000-memory.dmp

memory/2952-23-0x00007FF6A4A70000-0x00007FF6A4DC4000-memory.dmp

memory/3168-20-0x00007FF60DFB0000-0x00007FF60E304000-memory.dmp

C:\Windows\System\foBdswi.exe

MD5 b224a828fb512e986268a7a9d5754a3d
SHA1 84dd21314025ad2fd5d283d482b87f48d77728fd
SHA256 80170091b14e4e835b67d2e4d1ef91d4394c5d19da96de64492b5a4d612d77d6
SHA512 d1b043bb6dcdfd4595018c016685f7d427b5254beb097517b899a534089cab4c79f6aceb91abb071fec6578f11bc0867ea964d441f52417dc3d15b472eb49b2f

C:\Windows\System\UWkRijB.exe

MD5 6b8294e6dea23c5585a79ffa25646ef4
SHA1 9e2017ee1bb5672b89db43c34d01238c52ce2630
SHA256 11e0b9bd2fb90b58753f69f74de68c22b4092954ab18330538b3172e56cd63ee
SHA512 b3a86041847196a5e53ba1471f51397128146c5d49f7d3bd9e086ef35262acdbf2db19e4956508f40ff72e21f883c39d29199a9257fa275b3c506cc90ccad408

memory/4332-32-0x00007FF63FCE0000-0x00007FF640034000-memory.dmp

C:\Windows\System\sYYGgPf.exe

MD5 9269d4980a4c556bf449fbff8fbb187f
SHA1 d208e7b3a46486e441c046e7e5e12814946c4616
SHA256 702f5a1121fe589eaf3821e4b4721f81a3fda1bef8c0da4453e327781c43f917
SHA512 00113a99a3bff83450f3d0e671b5743cb5a44a228b5c22f980dc0eb7d3df180920168d9c2fbc5612d10a26fdb8dbd3624c6024f8a0296689b4ed04633c6f8f46

memory/1312-38-0x00007FF619310000-0x00007FF619664000-memory.dmp

C:\Windows\System\vVNjteG.exe

MD5 acf1a0b88634a2aff8f2fd0d0dbc522b
SHA1 ace42ad2d33ebecc40eccd33419178c93407dcc2
SHA256 50676f620dfa124df68bbd6722b1edd311545943bfde6c7d6d5b93ba31810a34
SHA512 a24c408ece0834a669509482a7a8d2056e7738e34ad2edb4d06f91b0ad284c86b6eb1370e991ce4579f99f6ba5853506f634dd6b3651ba4b1edd359d9595ab12

memory/2044-44-0x00007FF7156A0000-0x00007FF7159F4000-memory.dmp

C:\Windows\System\nNtYQgo.exe

MD5 a8b2bd827c82c6e02c0444381a5fbb59
SHA1 1ed04b31eaccad37025295cb2c82c73e29fe05bb
SHA256 320ad45c5adce718fae1cf53945ff31217f81f8605151ba9f627b541dbf398da
SHA512 bcccd04748528e1c41d0de9f77269825f981e050b6469b38faacb95a48ff2a1a3e4e8b229cff93f39bb9edd16d2748c107103efc6d9c5c044ead616c4d2ae0f7

C:\Windows\System\jTHJCQy.exe

MD5 e0a4a48b8f5c05d4e6cbb1e497b16fdd
SHA1 e1ebfdead8de02c60ff32be1fe3e6e875183844f
SHA256 16200b2fd68d1d7aa0a3601c474d6f11fac6d824826faf402548346579337e91
SHA512 cef15bf6a5653d6d6dacc68b01913eeaa2942199218e6f0a08fcedb11863504c33458a12533b980ee49ce2942d95ff00364bd522c5c2c3a20ad91fa57f57c0f9

memory/3816-52-0x00007FF739AD0000-0x00007FF739E24000-memory.dmp

memory/344-56-0x00007FF6C20F0000-0x00007FF6C2444000-memory.dmp

C:\Windows\System\aBQviWQ.exe

MD5 9af2be2e0318f7d1fe7d4f4617b08539
SHA1 81bc6f5e35e63ad6f0bd8cd5af1c98c5d87a71b1
SHA256 23c1126ba646228c1f3afbabe651ea36d7ff2bec2711731bc452585bfc2f2c5d
SHA512 90162bfa018aa1937a2cdebadd326dde22dd7db5aec4eef8fe2afd258e487c3ef51b727da3e41ef6766fdb17a1a3e078781f3c8fb5b0858215c82d8b942900b7

C:\Windows\System\PIqVlVL.exe

MD5 ab953950064d1e9de954d349396bc904
SHA1 bc8de6466bfff05f1a3af84a9ce593538f854567
SHA256 d5336ca0b22a633a96b307856931f0bf1d2ee71b451ef259155f1438ea78c97e
SHA512 e2940ba6f4d53cc8a26702f06e727c198f44cd3193a9492e3efeeddde4f4a61e2390b478eef9beab6696205a2eeca83fbc40550fd70cb72f06ebcdd76158a118

memory/3232-62-0x00007FF6296A0000-0x00007FF6299F4000-memory.dmp

memory/2612-61-0x00007FF7A7DA0000-0x00007FF7A80F4000-memory.dmp

memory/2892-73-0x00007FF6AFCA0000-0x00007FF6AFFF4000-memory.dmp

C:\Windows\System\PXfkBFS.exe

MD5 3d75dd6a8fda5a17f71d3741a6b957e7
SHA1 1409198d48fd54f5f803df9c63475bbb6b1c5cfc
SHA256 bc056ad447a8f57c3bf30f4ceee6afe261723e83c7229338389bf30dd0f59cbb
SHA512 4e0371df54df8fea298d271fba8ab2e57089ffefb100cc4be382f84789610e8c16d5c0afc6ad38b1a363329152088443b33d69c7dc0e10a342f83a15cb4fdab6

memory/3168-70-0x00007FF60DFB0000-0x00007FF60E304000-memory.dmp

memory/772-69-0x00007FF673060000-0x00007FF6733B4000-memory.dmp

C:\Windows\System\JeZPyWa.exe

MD5 837e17005b931ec4ff994b673953a1e6
SHA1 26c262e725a1e81c0fb81a675b87a1a3140fc148
SHA256 0c1ce4aa5060c860974df198be785993a8e522cd38cfccaabf42b6f86dcb0177
SHA512 948be0fda2e2631108d15c51f1b4d6d0129847dc54857c4409052f58b8f7f45671bc1b7096b82d846b87ca18e1ff92bd82fca3551164df0c6a65eb8243ed73e6

C:\Windows\System\hgtBHhv.exe

MD5 9922d7d15307f0e176b05d2afcf09628
SHA1 6faec32703a6501a2a1836b4bcd052c084b56d6e
SHA256 4abffa91f5749f0218c14a5ad50f7459350ae5f694f2f732a01c2264291fbecd
SHA512 6e62223222c6edeef7be57f3ef54c1372ac42ff80d8582fb2d90f343283f8eeb3934b682cb051210a86937ce986bfa292d4e7ddccfc56e991739f52d8140c489

memory/5064-77-0x00007FF780470000-0x00007FF7807C4000-memory.dmp

memory/3772-88-0x00007FF7C8360000-0x00007FF7C86B4000-memory.dmp

memory/4900-89-0x00007FF611B50000-0x00007FF611EA4000-memory.dmp

memory/3428-90-0x00007FF6ED1D0000-0x00007FF6ED524000-memory.dmp

C:\Windows\System\YJmREAY.exe

MD5 3c9cbb4c1502ace4cb59a652c0f1bb68
SHA1 8d487ad5e13b857858bbb14948cf03c34659b0f0
SHA256 84be3689b8d98e47f2632a52418fc8644b1f8bd07234ac714b4f1b3c9a324230
SHA512 09e7d174ce7584ccfb81c42ffdcbf06862a5dc3a18b9bd9f7096ba46cb3f069a97b81fb7c79faf943a1c986186ce41e4771058de4606e1991f713616d55561d8

memory/4332-95-0x00007FF63FCE0000-0x00007FF640034000-memory.dmp

memory/2400-96-0x00007FF633FF0000-0x00007FF634344000-memory.dmp

C:\Windows\System\jjBNSlm.exe

MD5 66d1b09856291699d0f7394f1497fba6
SHA1 95c1ee331d8800277ffb619e8c53dd79f519c9ba
SHA256 337522c0c9fcb74914f95b3815130529a0447e3a6c8c719642544afe03c37702
SHA512 491e900b1bfe5e233f293177344771fe2e156dc20f4ee29dc25d144974ee5d01c639e137efcd7b26443fb933d9a6864c346bd7e33e1c856e3d380248c15610b2

C:\Windows\System\GzSshfX.exe

MD5 f3104c35b3c595ad2ace0d37fcb6e7e9
SHA1 9bcd0a3e3241e10d1293b7cd80347bd094a6150d
SHA256 93d33404fdbdf2835f88ede5d3ecd0cfd73c17d51aec1c3bd6317ca3859e2418
SHA512 c8c7f1e44f76a163b907cadc09419735e31b6dd33d7e091b32255e5d1a667fb338a2a71245d6c08d0b886a457680a9d6dd2391234e2f4968d27cd7e793846b83

memory/5008-108-0x00007FF7D3490000-0x00007FF7D37E4000-memory.dmp

memory/1196-109-0x00007FF646880000-0x00007FF646BD4000-memory.dmp

C:\Windows\System\ixaaTPT.exe

MD5 6d1e08dc8f4273a2eec6c6b8f95c15af
SHA1 5fc161b76f729cae37be2a7d8d40f8dcea66bac7
SHA256 7df51ddb51953962df9da37ff8e8cab56b5237bf0bbd1a9e1af9e4a028678caa
SHA512 a89d333106b6084530adea282d6ea27b6c14e6af302f9111c7a8007951758ec6f765083c5a579f75975554cbf558b2600f202f62a11c03589feb23f380b0cd96

memory/1200-115-0x00007FF64CC40000-0x00007FF64CF94000-memory.dmp

C:\Windows\System\AnOsrOw.exe

MD5 4973f54d4501ad38e9df22100836766e
SHA1 8f1bd893226c6fd03746be5ea75267e9c8e00d75
SHA256 f6dbf3c1680c3d6edae1960fa6b6fb2e005845c9810a082b1af482c318bd60bc
SHA512 29f2146d7cd11cfb3f5501344909521c9b3d65b9830e19c120729c22699bbfc727e2df24920de25150b5b97f78b6b0efe5b1f05a220913bb451373fa83434127

memory/2220-121-0x00007FF7141C0000-0x00007FF714514000-memory.dmp

C:\Windows\System\GHXtJVS.exe

MD5 9d6dde1c8497e542cb09d850a20ebcc4
SHA1 9e814908c87c8aa0ac26b0d2860b6448aec685d2
SHA256 5e6327d072111e0c15a5a91476f3badd8d8e0a6b1abba5ae9a525d57af3fca66
SHA512 147926a780810223c5267917bb5174dbe5a973e7a3698dff13cb3af06161c51eaf4b3ab3f38f28f02d5c0f22bedb2ec36e13302728c7b3007c21901ea8d5467b

C:\Windows\System\SaGEHQb.exe

MD5 9c1e46aee3e313decd7a570d5ccca240
SHA1 005c09273e686dd5c50faa50ba7f7e057b5d682b
SHA256 c431f5023abaf26874ff2aaf83915cc932ab7d5295d3dea9cb32a6f323617694
SHA512 e494a418dacd459623ae4ae7fb34231f6656a9d2a8f01b351964fb47ade9e6e92e8a670aa84a4a1d954f701743256cab5a7113be85eb8f6850abd5998a41cc63

memory/2312-126-0x00007FF747390000-0x00007FF7476E4000-memory.dmp

memory/3232-125-0x00007FF6296A0000-0x00007FF6299F4000-memory.dmp

memory/1288-133-0x00007FF645720000-0x00007FF645A74000-memory.dmp

memory/2400-134-0x00007FF633FF0000-0x00007FF634344000-memory.dmp

memory/5008-135-0x00007FF7D3490000-0x00007FF7D37E4000-memory.dmp

memory/2312-136-0x00007FF747390000-0x00007FF7476E4000-memory.dmp

memory/772-137-0x00007FF673060000-0x00007FF6733B4000-memory.dmp

memory/3168-138-0x00007FF60DFB0000-0x00007FF60E304000-memory.dmp

memory/2952-139-0x00007FF6A4A70000-0x00007FF6A4DC4000-memory.dmp

memory/4900-140-0x00007FF611B50000-0x00007FF611EA4000-memory.dmp

memory/4332-141-0x00007FF63FCE0000-0x00007FF640034000-memory.dmp

memory/1312-142-0x00007FF619310000-0x00007FF619664000-memory.dmp

memory/2044-143-0x00007FF7156A0000-0x00007FF7159F4000-memory.dmp

memory/3816-144-0x00007FF739AD0000-0x00007FF739E24000-memory.dmp

memory/344-145-0x00007FF6C20F0000-0x00007FF6C2444000-memory.dmp

memory/3232-146-0x00007FF6296A0000-0x00007FF6299F4000-memory.dmp

memory/2892-147-0x00007FF6AFCA0000-0x00007FF6AFFF4000-memory.dmp

memory/5064-148-0x00007FF780470000-0x00007FF7807C4000-memory.dmp

memory/3772-149-0x00007FF7C8360000-0x00007FF7C86B4000-memory.dmp

memory/3428-150-0x00007FF6ED1D0000-0x00007FF6ED524000-memory.dmp

memory/2400-151-0x00007FF633FF0000-0x00007FF634344000-memory.dmp

memory/5008-152-0x00007FF7D3490000-0x00007FF7D37E4000-memory.dmp

memory/1196-153-0x00007FF646880000-0x00007FF646BD4000-memory.dmp

memory/1200-154-0x00007FF64CC40000-0x00007FF64CF94000-memory.dmp

memory/2220-155-0x00007FF7141C0000-0x00007FF714514000-memory.dmp

memory/1288-156-0x00007FF645720000-0x00007FF645A74000-memory.dmp

memory/2312-157-0x00007FF747390000-0x00007FF7476E4000-memory.dmp
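
The memory/<pid>-<n>-<start>-<end>-memory.dmp names above encode the region each dump was taken from. Subtracting the bounds shows that the parent (PID 2612) and all 21 children map an image of exactly 0x354000 bytes, although the 21 dropped files on disk all carry different hashes; the parent's second dump (0x10000 bytes) is the only region of another size. Equal image size does not prove identical code, but it is what one payload re-dropped with per-copy variation would look like. The Python below is an added example, not part of the report: it parses those names, computes region sizes and groups PIDs by size. Only a subset of the dump names is embedded; the parse is the same for the rest.

```python
"""Parse sandbox memory-dump names and group processes by mapped region size.

Added example (not from the report). DUMPS is a subset copied from the report's
Files section; memory/<pid>-<n>-<start>-<end>-memory.dmp is the report's format.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

DUMPS = """
memory/2612-0-0x00007FF7A7DA0000-0x00007FF7A80F4000-memory.dmp
memory/2612-1-0x00000239C0490000-0x00000239C04A0000-memory.dmp
memory/772-8-0x00007FF673060000-0x00007FF6733B4000-memory.dmp
memory/4900-24-0x00007FF611B50000-0x00007FF611EA4000-memory.dmp
memory/2952-23-0x00007FF6A4A70000-0x00007FF6A4DC4000-memory.dmp
memory/3168-20-0x00007FF60DFB0000-0x00007FF60E304000-memory.dmp
memory/4332-32-0x00007FF63FCE0000-0x00007FF640034000-memory.dmp
memory/1288-133-0x00007FF645720000-0x00007FF645A74000-memory.dmp
memory/772-137-0x00007FF673060000-0x00007FF6733B4000-memory.dmp
""".strip().splitlines()


class Region(NamedTuple):
    pid: int
    idx: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_dumps(names: List[str]) -> List[Region]:
    """Turn dump file names into Region records; unparseable names are skipped."""
    out = []
    for name in names:
        m = DUMP_RE.match(name.strip())
        if m:
            out.append(Region(int(m["pid"]), int(m["idx"]),
                              int(m["start"], 16), int(m["end"], 16)))
    return out


def regions_by_size(regions: List[Region]) -> Dict[int, List[int]]:
    """size -> sorted distinct PIDs that had a dump of a region of that size.
    A PID dumped twice from the same region (772 above) is counted once."""
    groups = defaultdict(set)
    for r in regions:
        groups[r.size].add(r.pid)
    return {size: sorted(pids) for size, pids in groups.items()}


def shared_image_size(regions: List[Region]) -> int:
    """The region size seen in the most distinct processes (0x354000 here)."""
    groups = regions_by_size(regions)
    return max(groups, key=lambda s: len(groups[s]))


if __name__ == "__main__":
    regs = parse_dumps(DUMPS)
    for size, pids in sorted(regions_by_size(regs).items()):
        print(f"0x{size:X} ({size} bytes): {pids}")
```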

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-09 19:43

Reported

2024-06-09 19:46

Platform

win7-20240221-en

Max time kernel

131s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
(21 hits; no description, indicator, process or target recorded)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
(21 hits; no description, indicator, process or target recorded)

UPX dump on OEP (original entry point)

Description Indicator Process Target
(60 hits; no description, indicator, process or target recorded)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\kknBCOc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pNVqWmI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pWBPUpd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IgWHYqz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WvNvmpG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lzELTjg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nJlShWq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dqcirMf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bJWPQKs.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\wzhiQeD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ZkQQStn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PXXJVOr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BmVWpDs.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HLcSeXR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MGolwHM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\GCyMAeW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HjHvVKR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fnqwOIu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HoCLTDB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OOHMCdk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WuORgHm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1968 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\HLcSeXR.exe
PID 1968 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\HLcSeXR.exe
PID 1968 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\HLcSeXR.exe
PID 1968 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\MGolwHM.exe
PID 1968 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\MGolwHM.exe
PID 1968 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\MGolwHM.exe
PID 1968 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\bJWPQKs.exe
PID 1968 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\bJWPQKs.exe
PID 1968 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\bJWPQKs.exe
PID 1968 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\pWBPUpd.exe
PID 1968 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\pWBPUpd.exe
PID 1968 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\pWBPUpd.exe
PID 1968 wrote to memory of 832 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\IgWHYqz.exe
PID 1968 wrote to memory of 832 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\IgWHYqz.exe
PID 1968 wrote to memory of 832 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\IgWHYqz.exe
PID 1968 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\wzhiQeD.exe
PID 1968 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\wzhiQeD.exe
PID 1968 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\wzhiQeD.exe
PID 1968 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\HjHvVKR.exe
PID 1968 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\HjHvVKR.exe
PID 1968 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\HjHvVKR.exe
PID 1968 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZkQQStn.exe
PID 1968 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZkQQStn.exe
PID 1968 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\ZkQQStn.exe
PID 1968 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\fnqwOIu.exe
PID 1968 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\fnqwOIu.exe
PID 1968 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\fnqwOIu.exe
PID 1968 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\GCyMAeW.exe
PID 1968 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\GCyMAeW.exe
PID 1968 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\GCyMAeW.exe
PID 1968 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\HoCLTDB.exe
PID 1968 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\HoCLTDB.exe
PID 1968 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\HoCLTDB.exe
PID 1968 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\PXXJVOr.exe
PID 1968 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\PXXJVOr.exe
PID 1968 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\PXXJVOr.exe
PID 1968 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\WvNvmpG.exe
PID 1968 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\WvNvmpG.exe
PID 1968 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\WvNvmpG.exe
PID 1968 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\lzELTjg.exe
PID 1968 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\lzELTjg.exe
PID 1968 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\lzELTjg.exe
PID 1968 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\OOHMCdk.exe
PID 1968 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\OOHMCdk.exe
PID 1968 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\OOHMCdk.exe
PID 1968 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\BmVWpDs.exe
PID 1968 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\BmVWpDs.exe
PID 1968 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\BmVWpDs.exe
PID 1968 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\nJlShWq.exe
PID 1968 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\nJlShWq.exe
PID 1968 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\nJlShWq.exe
PID 1968 wrote to memory of 640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\dqcirMf.exe
PID 1968 wrote to memory of 640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\dqcirMf.exe
PID 1968 wrote to memory of 640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\dqcirMf.exe
PID 1968 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\WuORgHm.exe
PID 1968 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\WuORgHm.exe
PID 1968 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\WuORgHm.exe
PID 1968 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\kknBCOc.exe
PID 1968 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\kknBCOc.exe
PID 1968 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\kknBCOc.exe
PID 1968 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\pNVqWmI.exe
PID 1968 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\pNVqWmI.exe
PID 1968 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe C:\Windows\System\pNVqWmI.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-09_a4e4f585c35e0c790fccd72f38e99821_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\HLcSeXR.exe

C:\Windows\System\HLcSeXR.exe

C:\Windows\System\MGolwHM.exe

C:\Windows\System\MGolwHM.exe

C:\Windows\System\bJWPQKs.exe

C:\Windows\System\bJWPQKs.exe

C:\Windows\System\pWBPUpd.exe

C:\Windows\System\pWBPUpd.exe

C:\Windows\System\IgWHYqz.exe

C:\Windows\System\IgWHYqz.exe

C:\Windows\System\wzhiQeD.exe

C:\Windows\System\wzhiQeD.exe

C:\Windows\System\HjHvVKR.exe

C:\Windows\System\HjHvVKR.exe

C:\Windows\System\ZkQQStn.exe

C:\Windows\System\ZkQQStn.exe

C:\Windows\System\fnqwOIu.exe

C:\Windows\System\fnqwOIu.exe

C:\Windows\System\GCyMAeW.exe

C:\Windows\System\GCyMAeW.exe

C:\Windows\System\HoCLTDB.exe

C:\Windows\System\HoCLTDB.exe

C:\Windows\System\PXXJVOr.exe

C:\Windows\System\PXXJVOr.exe

C:\Windows\System\WvNvmpG.exe

C:\Windows\System\WvNvmpG.exe

C:\Windows\System\lzELTjg.exe

C:\Windows\System\lzELTjg.exe

C:\Windows\System\OOHMCdk.exe

C:\Windows\System\OOHMCdk.exe

C:\Windows\System\BmVWpDs.exe

C:\Windows\System\BmVWpDs.exe

C:\Windows\System\nJlShWq.exe

C:\Windows\System\nJlShWq.exe

C:\Windows\System\dqcirMf.exe

C:\Windows\System\dqcirMf.exe

C:\Windows\System\WuORgHm.exe

C:\Windows\System\WuORgHm.exe

C:\Windows\System\kknBCOc.exe

C:\Windows\System\kknBCOc.exe

C:\Windows\System\pNVqWmI.exe

C:\Windows\System\pNVqWmI.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/1968-0-0x000000013F570000-0x000000013F8C4000-memory.dmp

memory/1968-1-0x00000000000F0000-0x0000000000100000-memory.dmp

\Windows\system\HLcSeXR.exe

MD5 e6d39236c6c3bbad80aa4f4ac359e19a
SHA1 f560181e99cde99fa7630b5b5ee584d2a25593dd
SHA256 295751311ebc380d5240329953a5e6672d3d8e17f8d63c5d54872fe441b23ca0
SHA512 9b74bd36382fd9f6f08c1a5de4a61bcbfb25403cc64f1ad5f4002b1252729c9eb88b4109ac01e05e1dd585524e2f758c0f357cff4f23d1a09bb02c1f903db085

memory/2224-7-0x000000013FAF0000-0x000000013FE44000-memory.dmp

C:\Windows\system\MGolwHM.exe

MD5 dcb4dc41baeddab8623434d32d1e8966
SHA1 a74b6470d39da7b790e30ff95eb5dd67b6b855ce
SHA256 49f34f73cbc2be24b72104bcdfc0eccc786200acc2d933da374b0875d445bcdb
SHA512 7734b0dd4f3a103e36e2a44545ef0512c00c6c81683a1832d6a209e08258a2ae9dba4b5460a641c23be7b4b044e0ebca41433ba9daf26d493cba50732062eb8b

C:\Windows\system\bJWPQKs.exe

MD5 864a8441e26b3e8e957c9acf3e251837
SHA1 628417a4aae68144d6f2e37bd6c1c31ad1ca34f2
SHA256 f8b722ee35a2d61590b549ff3b7bdae9d83aadc1bc7206caa56060a9ad5d7f09
SHA512 08912f5bc8a9abe9cd9bac93e7ae0568d632653150ed5c597cda3e867a0779cc46a20dfba75f7352acd2bfc5acece29a06dced4effe4e5bd71da28cead87e0ad

C:\Windows\system\pWBPUpd.exe

MD5 ba6a0045f9ac30f7e006723089e30636
SHA1 c18e9e01b9a9fb8ff62be6ad5c672f0f9d949c45
SHA256 e8fc2702cc3bb24b2fe4c2099e5949f6178ae29aa55d0364996b5c171dbf41c4
SHA512 19abe864a6b79b0cbd40745dc9742dbbc5477220b71f5a1391540278da81303b9b6288d67abb27ae06fd3760bce11e5dc723c0632d4be795f7a4c8a432d3ddb7

memory/1968-17-0x000000013FD50000-0x00000001400A4000-memory.dmp

\Windows\system\IgWHYqz.exe

MD5 aa692ba1e3f8f6f79984cf16bb3f8f10
SHA1 3656b07fea502d042f289ee6be65c91303d1c9e6
SHA256 8e665cfbd5062b13fb715b04cef7e0151c5c4226c7fe8cb5879505fd9161b52e
SHA512 07c657c802f9360909707bab67b31c2f7259e16e2aabd9ebf8ea3d1828b8215ced3ad4cd7c0eb3118de5050f6fa558de3c4bc452f97061db3e6e86355a3d1205

memory/2252-29-0x000000013FD50000-0x00000001400A4000-memory.dmp

memory/2824-36-0x000000013F500000-0x000000013F854000-memory.dmp

memory/1968-35-0x0000000002310000-0x0000000002664000-memory.dmp

memory/832-34-0x000000013F5E0000-0x000000013F934000-memory.dmp

memory/1968-33-0x0000000002310000-0x0000000002664000-memory.dmp

memory/1676-32-0x000000013FD80000-0x00000001400D4000-memory.dmp

memory/1968-31-0x000000013FD80000-0x00000001400D4000-memory.dmp

C:\Windows\system\wzhiQeD.exe

MD5 021ff2193c050eb9cab075804dd31ada
SHA1 e843bf76404a535f6c40573007322c8713b2c72e
SHA256 4380d7a6439d495104a643ffe12da654d08e43f778cba0c814e4110688a351ed
SHA512 ded766b0b5c1680b6a8f7c602208c86f504065527f060d4265a7e6ff060d76a0122ae0e9a15de1a8b1a45fcd9b4ae8f06b635971f5b2b54fb20747c2234d94a4

memory/1968-40-0x0000000002310000-0x0000000002664000-memory.dmp

memory/1708-41-0x000000013F5C0000-0x000000013F914000-memory.dmp

memory/2508-54-0x000000013FD60000-0x00000001400B4000-memory.dmp

memory/2908-48-0x000000013FED0000-0x0000000140224000-memory.dmp

C:\Windows\system\GCyMAeW.exe

MD5 f42238fc519fba22e8d8af6993169ad8
SHA1 b7da6811b38bf063ba95d228dae84fba76627994
SHA256 27ce505099859f537364c20e85e8243dc8ba13977c99c9b525011ede660fbec5
SHA512 f32fa35c80e0fc94fb651c1e4269bffe8145ccb85cfa46cbe991ad9e8e7948c3744414efc7cacb679bb8876cf2c645be9e9782709f2128b1ddc0e12c977bd2b9

memory/2644-63-0x000000013F580000-0x000000013F8D4000-memory.dmp

memory/1968-62-0x000000013F570000-0x000000013F8C4000-memory.dmp

memory/2940-75-0x000000013FD30000-0x0000000140084000-memory.dmp

memory/2548-82-0x000000013F680000-0x000000013F9D4000-memory.dmp

memory/1968-81-0x0000000002310000-0x0000000002664000-memory.dmp

memory/1968-97-0x0000000002310000-0x0000000002664000-memory.dmp

C:\Windows\system\WuORgHm.exe

MD5 11663711f3127dd35213d3da4ac5b4f8
SHA1 b6f5188f7591f6c79751b8aabf5bcabf94d73038
SHA256 d845b2363cefbc0577cdbc2d586bfef05379d9054667e33f005e0f2c5f9e9045
SHA512 e83b48891eab195cbdd447e8ebe9e2b8ae868316fdb676f5955da8f96fc6cdf061ed3d33229190f91ef7d62787f43d6dec63febf937aa339a78884bbc6f092bf

\Windows\system\pNVqWmI.exe

MD5 080f30c9b61527c9d99beb302c7ef8b8
SHA1 fa049138ab3d0d8f1e076984b8729c56894486f9
SHA256 e994a76178906ae0460ce548457967945ace851c2c17bc6d22681253865ae203
SHA512 90e7fd1a5abb6213a0834fb3a52148b5f9c4d85e8d79d0bd4df5e71c63ba65fa73f6169e3cb1dd9ab0666489ffceb4aa3662b1bfe25a0a0a15e971e5dd499a66

C:\Windows\system\kknBCOc.exe

MD5 0756d6a392f3654873edccd325c37936
SHA1 4e1d25e5069fe97a08ffa0ad0782f10e582a51a0
SHA256 5cde3c263cc04550f5eeaf46e43d475d07fc5e174d348be04d1823f79261a717
SHA512 4fa5809375cc0ad5beabc604dec4e3b7f36ae1d8c820a2e8ae769c36d2e33fed684cf60d6523119c27744e8459e28ad22480a77cb92ea4dd19df5c300155153a

C:\Windows\system\dqcirMf.exe

MD5 4def16bdbff1067709642458c0acd8bb
SHA1 7ba7d5af8678574310012f770dccaa5ee738bb45
SHA256 8f941627b50a783f1e34df95c06c47b680ec77955de4ca9770830a1d141a493f
SHA512 79e3f8851664d74d0cde6cc1dc7335402dc8269a358f3473de687a8cb39071844c1a50055bab861df58bdbbd7f9a773aa7248d82e61e6d4b89ec28f97068b0f2

C:\Windows\system\nJlShWq.exe

MD5 f4d9af4ae05dff3e0604280a4a680d89
SHA1 7604e568abeb7ef098af0b50ad49fe9532c6930a
SHA256 77aead3eba4dd7bf7c841dd0532c48810d5b6a2c910771c833f8900f520754d4
SHA512 8a2bf66f251d60bfd8f75a886b1b91be20dd6739881872c442a268a26a58df46a9f7da2d86911215697439f16718a0a6cff810cf5110d26da5ba5e4a8dc42f7b

C:\Windows\system\OOHMCdk.exe

MD5 45962a74ce3b4d85c5b40ea5b957cfa7
SHA1 dd117a5be5c284c41b1af2c8222b4fca02a09a04
SHA256 05b77279bf4d50925c34283c919998166105d912aa5e74e029bf58893d48a433
SHA512 4abcf53e9d1b69a25df484d11ce0a170ddfc2fa8e1f68f44ccd7c92a7757eee2ebfe4903ce4ea6b7df0a7c83626a1fce9fd8781685f456d32cc270e3a8fa44e9

memory/1968-104-0x000000013FA90000-0x000000013FDE4000-memory.dmp

memory/2508-103-0x000000013FD60000-0x00000001400B4000-memory.dmp

C:\Windows\system\BmVWpDs.exe

MD5 5960f755c81f11472b91e97a504afcd5
SHA1 96a3528b480fa6b4483ab601866f795e77230013
SHA256 10eda63adeb1f688fdc9875e49da6bcfffed9732e2aee3ad77851aade97b7d78
SHA512 a77c7f489b6434bf32dd57af74adcedb4b292b8790dec40bf26b10a72cfcce2bbf66c66182ea8aa4225510fb521fc39937e1b8d63bfa37ce34690a4007365cd3

memory/1996-90-0x000000013F250000-0x000000013F5A4000-memory.dmp

memory/2632-137-0x000000013FB60000-0x000000013FEB4000-memory.dmp

C:\Windows\system\WvNvmpG.exe

MD5 68f891b9ae3b3402f6557024114b6ead
SHA1 2d58e3a15af14166121dc5afd327594e5d71520c
SHA256 018e49af179f53b7883630269627fc00e3dc50bac10fb02698f2c73dc8a1b194
SHA512 308e6eefe17f48c1603c5b31be075530ecf612821c5796650e5c83aca3ac9fae00cb1787c24cbcaf236d8627bf4677d0958570dcaf9c105f9953693c14a237a8

memory/1968-87-0x0000000002310000-0x0000000002664000-memory.dmp

memory/2372-98-0x000000013F750000-0x000000013FAA4000-memory.dmp

memory/2908-96-0x000000013FED0000-0x0000000140224000-memory.dmp

C:\Windows\system\lzELTjg.exe

MD5 7db5dd33889915f795f8add0b4bfb1b7
SHA1 34a1c7f950b9fca240dafdb23e3ecff1c9a89971
SHA256 dd500f381fde4bb83e116c20319634bd834e00157640761abfadfcb8bd66aacc
SHA512 88218398204a8b3b6c5f4e1368fb7a08d8356a0d6c13fdd9a25603cdb5a7c0b16985808bd0d398a67a50310c6bdcbbf9156e655ab04a51f04707f67541b0d0d6

memory/1708-86-0x000000013F5C0000-0x000000013F914000-memory.dmp

memory/1968-138-0x000000013FD30000-0x0000000140084000-memory.dmp

C:\Windows\system\HoCLTDB.exe

MD5 699347ad87f86e68690c0c5ccf173a37
SHA1 eb0ebf46eeae8a76b0dc33180fde0a6b3bee02d1
SHA256 bb87dfec6bf9a2a9fb376287a7a2f248e567d70ea869c2a988b3c1f489c2ff2c
SHA512 bce5f4e8960bb4b5e334a3a63af7fcc0b79ef8ef4ec8fc17de919a54852e6cd40c55a46bcdd4351542b6b06a7da855d37ef7b3450155a9595c00b3b5ccc99bd5

memory/1968-72-0x000000013FD50000-0x00000001400A4000-memory.dmp

memory/2940-139-0x000000013FD30000-0x0000000140084000-memory.dmp

memory/2224-71-0x000000013FAF0000-0x000000013FE44000-memory.dmp

C:\Windows\system\PXXJVOr.exe

MD5 1dbdf201ef480e3ae1416d4d1cb0f838
SHA1 1d91433a68fdc8e3058c3cebe837fd0801d3fcb5
SHA256 bf621fe86353c2f214ef3f046e89b053258c517226803d94b8d6d2a0dc6570f3
SHA512 6864a194722e1a955cd6857212cbd48d2cf9639497d1c7e69fbdf603e3869fcde909b086bc45dc97d9558ac8cf775b4b1f160092bf50d1e83f6fcb9f5dd6b464

C:\Windows\system\fnqwOIu.exe

MD5 76265dd26cccec1ced7c7b862079c86b
SHA1 4043e2e95d4e0fb534d06a27d2c129fd2a883049
SHA256 e68083e018a16f6dee7456cb0e4298b480c25d32d1e172053b1815e36bc11c18
SHA512 e1a062d4e8f533c66b541a80b7cbff4f942c3bd654493584acdfa77fa56568e745d01fb91d9c83564735ede704cd011b87db36f2db6550febe17d30dc402198f

memory/2632-67-0x000000013FB60000-0x000000013FEB4000-memory.dmp

C:\Windows\system\HjHvVKR.exe

MD5 59acd4f492353adc22107a80d1bccfc6
SHA1 ea1268a2c161ff12c7b5e524f01ad1a80d1359b0
SHA256 a0cc1a1f5328c511d00e839451107c47f62b331533d4cfdc3b0bf222b98ea576
SHA512 dfc5ea3d10acf17d614c160a0e2b62af193266cd60ad1566a7088a35eecfd34c410748df7ed65e978218066aac43ab7e68376e9b9c374db80d8ce187d313edc1

memory/2548-141-0x000000013F680000-0x000000013F9D4000-memory.dmp

memory/1968-140-0x0000000002310000-0x0000000002664000-memory.dmp

memory/1968-53-0x000000013FD60000-0x00000001400B4000-memory.dmp

C:\Windows\system\ZkQQStn.exe

MD5 58d7f55a7a0091b4458266e9c2ac82fe
SHA1 4c1a696f5ffaaa0dd698ab5a3f04f2c69cd30cef
SHA256 7376b2d63bfed299fb36c5283fea4577457efc723b53591d1727f19d0ee9e40d
SHA512 da0d06c4313662378060284ece6066d769bad94f6dcd38f889a518161c04dd656727be02b6cffaa1ba98c3364502bfa1bae094909a0a6385d64da626d9cc3c50

memory/1968-142-0x0000000002310000-0x0000000002664000-memory.dmp

memory/1996-143-0x000000013F250000-0x000000013F5A4000-memory.dmp

memory/1968-144-0x0000000002310000-0x0000000002664000-memory.dmp

memory/2372-145-0x000000013F750000-0x000000013FAA4000-memory.dmp

memory/1968-146-0x000000013FA90000-0x000000013FDE4000-memory.dmp

memory/2224-148-0x000000013FAF0000-0x000000013FE44000-memory.dmp

memory/2252-147-0x000000013FD50000-0x00000001400A4000-memory.dmp

memory/2824-149-0x000000013F500000-0x000000013F854000-memory.dmp

memory/1676-150-0x000000013FD80000-0x00000001400D4000-memory.dmp

memory/832-151-0x000000013F5E0000-0x000000013F934000-memory.dmp

memory/1708-152-0x000000013F5C0000-0x000000013F914000-memory.dmp

memory/2908-154-0x000000013FED0000-0x0000000140224000-memory.dmp

memory/2508-153-0x000000013FD60000-0x00000001400B4000-memory.dmp

memory/2644-155-0x000000013F580000-0x000000013F8D4000-memory.dmp

memory/2632-156-0x000000013FB60000-0x000000013FEB4000-memory.dmp

memory/2940-157-0x000000013FD30000-0x0000000140084000-memory.dmp

memory/2548-158-0x000000013F680000-0x000000013F9D4000-memory.dmp

memory/1996-159-0x000000013F250000-0x000000013F5A4000-memory.dmp

memory/2372-160-0x000000013F750000-0x000000013FAA4000-memory.dmp