Malware Analysis Report

2024-10-16 03:05

Sample ID 240610-b9dmesah99
Target 2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike
SHA256 cf4374e518a0a30da5dd3006b1ef578b2417edbc9df5c850534fef7c5c687b35
Tags
miner upx 0 xmrig cobaltstrike
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

cf4374e518a0a30da5dd3006b1ef578b2417edbc9df5c850534fef7c5c687b35

Threat Level: Known bad

The file 2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike

Cobalt Strike reflective loader

Xmrig family

Cobaltstrike family

Detects Reflective DLL injection artifacts

XMRig Miner payload

xmrig

UPX dump on OEP (original entry point)

XMRig Miner payload

UPX dump on OEP (original entry point)

Executes dropped EXE

UPX packed file

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-10 01:54

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-10 01:50

Reported

2024-06-10 02:40

Platform

win7-20240215-en

Max time kernel

132s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe"

Signatures

xmrig

miner xmrig

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\CLRjSeW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lBBVEhu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lWomlBE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ifrzfqU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UnFQRIP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QVneNrr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HHRJlYM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xMkzzVk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\YKyJsqg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yrGxqGb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pGLAkbi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jfnCqij.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OXGeGLI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zlXHABs.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uvOsWBF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yKysXIL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\aXJyFBW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jUWQTWC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QOvtIEM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IhTzvXU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oDxAgOw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1876 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\xMkzzVk.exe
PID 1876 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\xMkzzVk.exe
PID 1876 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\xMkzzVk.exe
PID 1876 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\ifrzfqU.exe
PID 1876 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\ifrzfqU.exe
PID 1876 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\ifrzfqU.exe
PID 1876 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\YKyJsqg.exe
PID 1876 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\YKyJsqg.exe
PID 1876 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\YKyJsqg.exe
PID 1876 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\pGLAkbi.exe
PID 1876 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\pGLAkbi.exe
PID 1876 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\pGLAkbi.exe
PID 1876 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\QOvtIEM.exe
PID 1876 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\QOvtIEM.exe
PID 1876 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\QOvtIEM.exe
PID 1876 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\UnFQRIP.exe
PID 1876 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\UnFQRIP.exe
PID 1876 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\UnFQRIP.exe
PID 1876 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\QVneNrr.exe
PID 1876 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\QVneNrr.exe
PID 1876 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\QVneNrr.exe
PID 1876 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\IhTzvXU.exe
PID 1876 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\IhTzvXU.exe
PID 1876 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\IhTzvXU.exe
PID 1876 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\jfnCqij.exe
PID 1876 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\jfnCqij.exe
PID 1876 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\jfnCqij.exe
PID 1876 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\CLRjSeW.exe
PID 1876 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\CLRjSeW.exe
PID 1876 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\CLRjSeW.exe
PID 1876 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\OXGeGLI.exe
PID 1876 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\OXGeGLI.exe
PID 1876 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\OXGeGLI.exe
PID 1876 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\oDxAgOw.exe
PID 1876 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\oDxAgOw.exe
PID 1876 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\oDxAgOw.exe
PID 1876 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\zlXHABs.exe
PID 1876 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\zlXHABs.exe
PID 1876 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\zlXHABs.exe
PID 1876 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\uvOsWBF.exe
PID 1876 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\uvOsWBF.exe
PID 1876 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\uvOsWBF.exe
PID 1876 wrote to memory of 636 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\yKysXIL.exe
PID 1876 wrote to memory of 636 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\yKysXIL.exe
PID 1876 wrote to memory of 636 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\yKysXIL.exe
PID 1876 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\yrGxqGb.exe
PID 1876 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\yrGxqGb.exe
PID 1876 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\yrGxqGb.exe
PID 1876 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\lBBVEhu.exe
PID 1876 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\lBBVEhu.exe
PID 1876 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\lBBVEhu.exe
PID 1876 wrote to memory of 280 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\aXJyFBW.exe
PID 1876 wrote to memory of 280 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\aXJyFBW.exe
PID 1876 wrote to memory of 280 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\aXJyFBW.exe
PID 1876 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\lWomlBE.exe
PID 1876 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\lWomlBE.exe
PID 1876 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\lWomlBE.exe
PID 1876 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\HHRJlYM.exe
PID 1876 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\HHRJlYM.exe
PID 1876 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\HHRJlYM.exe
PID 1876 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\jUWQTWC.exe
PID 1876 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\jUWQTWC.exe
PID 1876 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\jUWQTWC.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\xMkzzVk.exe

C:\Windows\System\xMkzzVk.exe

C:\Windows\System\ifrzfqU.exe

C:\Windows\System\ifrzfqU.exe

C:\Windows\System\YKyJsqg.exe

C:\Windows\System\YKyJsqg.exe

C:\Windows\System\pGLAkbi.exe

C:\Windows\System\pGLAkbi.exe

C:\Windows\System\QOvtIEM.exe

C:\Windows\System\QOvtIEM.exe

C:\Windows\System\UnFQRIP.exe

C:\Windows\System\UnFQRIP.exe

C:\Windows\System\QVneNrr.exe

C:\Windows\System\QVneNrr.exe

C:\Windows\System\IhTzvXU.exe

C:\Windows\System\IhTzvXU.exe

C:\Windows\System\jfnCqij.exe

C:\Windows\System\jfnCqij.exe

C:\Windows\System\CLRjSeW.exe

C:\Windows\System\CLRjSeW.exe

C:\Windows\System\OXGeGLI.exe

C:\Windows\System\OXGeGLI.exe

C:\Windows\System\oDxAgOw.exe

C:\Windows\System\oDxAgOw.exe

C:\Windows\System\zlXHABs.exe

C:\Windows\System\zlXHABs.exe

C:\Windows\System\uvOsWBF.exe

C:\Windows\System\uvOsWBF.exe

C:\Windows\System\yKysXIL.exe

C:\Windows\System\yKysXIL.exe

C:\Windows\System\yrGxqGb.exe

C:\Windows\System\yrGxqGb.exe

C:\Windows\System\lBBVEhu.exe

C:\Windows\System\lBBVEhu.exe

C:\Windows\System\aXJyFBW.exe

C:\Windows\System\aXJyFBW.exe

C:\Windows\System\lWomlBE.exe

C:\Windows\System\lWomlBE.exe

C:\Windows\System\HHRJlYM.exe

C:\Windows\System\HHRJlYM.exe

C:\Windows\System\jUWQTWC.exe

C:\Windows\System\jUWQTWC.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp

Files

memory/1876-1-0x00000000001F0000-0x0000000000200000-memory.dmp

C:\Windows\system\xMkzzVk.exe

MD5 4a486a2a371d8db348dc0ad03e9fd9f0
SHA1 edd912c5d606628022dc3216eaf2db7c93554ff7
SHA256 93ebf2ea35e05e71e9c9884bcb76799c1b9f2b81bf8decfe1ec83807b911916b
SHA512 deb1d7cb48c961fa18e748db8dfc9769c6fcedd4b7a26b044181e535fbdb31d7ead7b8ae69fab463473bcf0bbda0affdeecb9deffc51a89c74001f68a98bf60b

C:\Windows\system\QOvtIEM.exe

MD5 7ce4ba1725e83a50f64ba525f8815dcf
SHA1 b1714a2d23cfc42c18c37e1546ac0908d8252c04
SHA256 9f7e171000696500dfb6a966f2c3ddf12dc1a77b8276ef660f14f7b7188d2908
SHA512 2dff777f276295d96892e5749316e2e8892ba50f8398f9972ecc2f6e5378213e3cdd31c7c6ab8360d3490d1ec9e77be4e73ac137e108b2eddff2feaaf600be19

memory/1876-41-0x000000013F1A0000-0x000000013F4F4000-memory.dmp

C:\Windows\system\IhTzvXU.exe

MD5 7ca4c7d08ec840a69d3101c638d4b72f
SHA1 9a0bd3c709f755b63121fadc936f446aec1e7ee6
SHA256 ad375c6a067690acfdb9ba070a3a7e26450ca7423af526c703ce192d7173f7e7
SHA512 93ae69558c6397f1d10b68fc7e156b1c23dffe4348c43264d4d2484e88db3346ef1d13b6b607cc291558edc2cbc35a0667021d52c5cf7e17eeb41ed495e23c3b

\Windows\system\CLRjSeW.exe

MD5 fbb6a602f644dbf57142122f30692c9a
SHA1 8158aaa7168744874ea387599d6d2cead21e28a3
SHA256 3ededef3bd2586830b0a8597cb8ce36b4909b0421f6d3ed699083dfd6f8c0a7d
SHA512 594ad340712d040831c50ecaffbc2dabd957ed3d1d45fbdcb2c0a001df0ecad88502ea7ae79d922d80e7ca9a296427129145281a618e70a75857e869e5c45bfe

memory/2640-58-0x000000013FEA0000-0x00000001401F4000-memory.dmp

C:\Windows\system\yKysXIL.exe

MD5 2b325ba998218e1724cf0adeb30ee980
SHA1 91c91f972b93ca21c02dbae5cc375d4e1212c0a0
SHA256 3b509ef9edb2905d68e114a86a101a00bf7ea4fa51d16ade0566e14bca5a50a9
SHA512 d7398cce9bbdb945487f66d7ab2c5fc7624933379c2058d1b197daa7f380b66de5a2145bdf0033355e795b1072c67b0031b7045307d04119888457779d707df5

memory/1876-128-0x000000013F260000-0x000000013F5B4000-memory.dmp

memory/1876-130-0x0000000002440000-0x0000000002794000-memory.dmp

memory/1876-132-0x000000013F190000-0x000000013F4E4000-memory.dmp

memory/1876-131-0x000000013F370000-0x000000013F6C4000-memory.dmp

memory/1876-129-0x000000013F060000-0x000000013F3B4000-memory.dmp

memory/2632-127-0x000000013FC70000-0x000000013FFC4000-memory.dmp

memory/1656-122-0x000000013FAC0000-0x000000013FE14000-memory.dmp

memory/1468-118-0x000000013F370000-0x000000013F6C4000-memory.dmp

\Windows\system\HHRJlYM.exe

MD5 6b5887af4274a78686a788865765637c
SHA1 5afc15e6fcbc11377bbabbda47ff43f6ebedd369
SHA256 ecdfed9bc02368fefbebe0d02090e93826b7e5cc1043e339dd245299c8b23006
SHA512 4f563e539f8ec68bbc27d4cc59c42ea4897bb131085e08433f745cc558ab7a030701a601ddb711cda19dfa6cd9086b458fb74762092be15aaa4190c05134d077

memory/2300-113-0x000000013FB90000-0x000000013FEE4000-memory.dmp

memory/1876-108-0x0000000002440000-0x0000000002794000-memory.dmp

memory/2680-102-0x000000013F950000-0x000000013FCA4000-memory.dmp

\Windows\system\aXJyFBW.exe

MD5 0642442db4acbbfb6037e06789624264
SHA1 923aee440a6887c7a7a8a78085aa492b2cdcee65
SHA256 5d6249e3d37c32c515e6f20e0771180c7b51c791102dfffe39e4510d623eda85
SHA512 7fc8231c299b64743a966130c519362217b11d421c0ccc65ca7c97570221449b6e5bd90caefa97b416470db36fac07c3f48ea41836b395ab190e6121598e88a1

\Windows\system\lWomlBE.exe

MD5 ce95ecfd82cad989d07f01bb5a4e0e62
SHA1 9c404e62c6a147d88e2c4214a4a0c1206972e9c1
SHA256 593e7bd118d819d8e39ef2651ab132601260307c705634ada0a2db317b292576
SHA512 c2ff795a22229b7c15805b1e961a5dfe271dec3d9731c58be06511c88be95cff0caaac2a29a6db9c14604bb11c8d799f874a0f83a490e055a4995d26515db084

memory/2532-95-0x000000013F060000-0x000000013F3B4000-memory.dmp

memory/2432-87-0x000000013F260000-0x000000013F5B4000-memory.dmp

memory/1876-77-0x0000000002440000-0x0000000002794000-memory.dmp

memory/1876-81-0x0000000002440000-0x0000000002794000-memory.dmp

memory/2692-66-0x000000013F1A0000-0x000000013F4F4000-memory.dmp

memory/1876-70-0x000000013F580000-0x000000013F8D4000-memory.dmp

memory/2056-54-0x000000013FB60000-0x000000013FEB4000-memory.dmp

\Windows\system\IhTzvXU.exe

MD5 cefe7ebbcbdc6a5e5023e2ad8530b25b
SHA1 6e0d7ab1a6ddd7ee739d050791a70816c80e15a8
SHA256 6ab2207c199b9f50a07b7695194b47a621541e0d37d9b22f0438e67dcb93d475
SHA512 93f98af6631d01c751345fac9f47be26cfbc75dd9db0dd1fbd6fa2e5834aa5211f8d199ade4392a702dd45e08ec6d96b6b5fac0e6e70a1f9a03484c2b65fa844

memory/2876-44-0x000000013F800000-0x000000013FB54000-memory.dmp

memory/2704-43-0x000000013F580000-0x000000013F8D4000-memory.dmp

memory/2612-36-0x000000013F190000-0x000000013F4E4000-memory.dmp

memory/1876-25-0x000000013FEA0000-0x00000001401F4000-memory.dmp

memory/2960-18-0x000000013F810000-0x000000013FB64000-memory.dmp

\Windows\system\pGLAkbi.exe

MD5 9d367348bc2b0a338371873ab92b5ce0
SHA1 7f656575ff1e475fc391f43341a8d5f4ac819b19
SHA256 54a48f3a9df4f2d2df5308f04d9bbc5bfb754b7f4236b7d31d49f71134f2b309
SHA512 8ea158cb453b86b762270e2cebce91cbe9a0e8b60ddc4e0fb3c531068e04df9f568fe69f34e169c5bdf6255c4c79c801e5f4b3c040f45ef12c24211a5d1dd454

memory/1876-10-0x0000000002440000-0x0000000002794000-memory.dmp

memory/1876-0-0x000000013FAA0000-0x000000013FDF4000-memory.dmp

memory/1876-133-0x000000013FAA0000-0x000000013FDF4000-memory.dmp

memory/2960-134-0x000000013F810000-0x000000013FB64000-memory.dmp

memory/2692-138-0x000000013F1A0000-0x000000013F4F4000-memory.dmp

memory/2532-143-0x000000013F060000-0x000000013F3B4000-memory.dmp

memory/2680-145-0x000000013F950000-0x000000013FCA4000-memory.dmp

memory/1656-147-0x000000013FAC0000-0x000000013FE14000-memory.dmp

memory/1468-146-0x000000013F370000-0x000000013F6C4000-memory.dmp

memory/2300-144-0x000000013FB90000-0x000000013FEE4000-memory.dmp

memory/2432-142-0x000000013F260000-0x000000013F5B4000-memory.dmp

memory/2632-141-0x000000013FC70000-0x000000013FFC4000-memory.dmp

memory/2876-140-0x000000013F800000-0x000000013FB54000-memory.dmp

memory/2704-139-0x000000013F580000-0x000000013F8D4000-memory.dmp

memory/2640-137-0x000000013FEA0000-0x00000001401F4000-memory.dmp

memory/2612-136-0x000000013F190000-0x000000013F4E4000-memory.dmp

memory/2056-135-0x000000013FB60000-0x000000013FEB4000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-10 01:50

Reported

2024-06-10 02:40

Platform

win10v2004-20240508-en

Max time kernel

132s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe"

Signatures

xmrig

miner xmrig

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\GunTUGe.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HXuBFhe.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XFpTFDU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\aGkOFZt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\odsqMwm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WEjEfqb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\Wmiscjz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lrmvtGD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WwoycUW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BoFfKwc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bpEvAZq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lHmSWIl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WBUWkhc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\xjjqaOv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BCHEaCZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XToyNSb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WrznZdR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vOlzhRJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\HCioJAj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\gysodmH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uNenTZS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4476 wrote to memory of 516 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\BoFfKwc.exe
PID 4476 wrote to memory of 516 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\BoFfKwc.exe
PID 4476 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\vOlzhRJ.exe
PID 4476 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\vOlzhRJ.exe
PID 4476 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\HCioJAj.exe
PID 4476 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\HCioJAj.exe
PID 4476 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\XFpTFDU.exe
PID 4476 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\XFpTFDU.exe
PID 4476 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\gysodmH.exe
PID 4476 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\gysodmH.exe
PID 4476 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\WEjEfqb.exe
PID 4476 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\WEjEfqb.exe
PID 4476 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\aGkOFZt.exe
PID 4476 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\aGkOFZt.exe
PID 4476 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\bpEvAZq.exe
PID 4476 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\bpEvAZq.exe
PID 4476 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\lHmSWIl.exe
PID 4476 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\lHmSWIl.exe
PID 4476 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\Wmiscjz.exe
PID 4476 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\Wmiscjz.exe
PID 4476 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\lrmvtGD.exe
PID 4476 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\lrmvtGD.exe
PID 4476 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\odsqMwm.exe
PID 4476 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\odsqMwm.exe
PID 4476 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\GunTUGe.exe
PID 4476 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\GunTUGe.exe
PID 4476 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\WBUWkhc.exe
PID 4476 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\WBUWkhc.exe
PID 4476 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\xjjqaOv.exe
PID 4476 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\xjjqaOv.exe
PID 4476 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\HXuBFhe.exe
PID 4476 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\HXuBFhe.exe
PID 4476 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\BCHEaCZ.exe
PID 4476 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\BCHEaCZ.exe
PID 4476 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\XToyNSb.exe
PID 4476 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\XToyNSb.exe
PID 4476 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\WwoycUW.exe
PID 4476 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\WwoycUW.exe
PID 4476 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\WrznZdR.exe
PID 4476 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\WrznZdR.exe
PID 4476 wrote to memory of 4696 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\uNenTZS.exe
PID 4476 wrote to memory of 4696 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe C:\Windows\System\uNenTZS.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-10_c76d086ad3d2663063ff6d40b29a2354_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\BoFfKwc.exe

C:\Windows\System\BoFfKwc.exe

C:\Windows\System\vOlzhRJ.exe

C:\Windows\System\vOlzhRJ.exe

C:\Windows\System\HCioJAj.exe

C:\Windows\System\HCioJAj.exe

C:\Windows\System\XFpTFDU.exe

C:\Windows\System\XFpTFDU.exe

C:\Windows\System\gysodmH.exe

C:\Windows\System\gysodmH.exe

C:\Windows\System\WEjEfqb.exe

C:\Windows\System\WEjEfqb.exe

C:\Windows\System\aGkOFZt.exe

C:\Windows\System\aGkOFZt.exe

C:\Windows\System\bpEvAZq.exe

C:\Windows\System\bpEvAZq.exe

C:\Windows\System\lHmSWIl.exe

C:\Windows\System\lHmSWIl.exe

C:\Windows\System\Wmiscjz.exe

C:\Windows\System\Wmiscjz.exe

C:\Windows\System\lrmvtGD.exe

C:\Windows\System\lrmvtGD.exe

C:\Windows\System\odsqMwm.exe

C:\Windows\System\odsqMwm.exe

C:\Windows\System\GunTUGe.exe

C:\Windows\System\GunTUGe.exe

C:\Windows\System\WBUWkhc.exe

C:\Windows\System\WBUWkhc.exe

C:\Windows\System\xjjqaOv.exe

C:\Windows\System\xjjqaOv.exe

C:\Windows\System\HXuBFhe.exe

C:\Windows\System\HXuBFhe.exe

C:\Windows\System\BCHEaCZ.exe

C:\Windows\System\BCHEaCZ.exe

C:\Windows\System\XToyNSb.exe

C:\Windows\System\XToyNSb.exe

C:\Windows\System\WwoycUW.exe

C:\Windows\System\WwoycUW.exe

C:\Windows\System\WrznZdR.exe

C:\Windows\System\WrznZdR.exe

C:\Windows\System\uNenTZS.exe

C:\Windows\System\uNenTZS.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp

Files

C:\Windows\System\aGkOFZt.exe

MD5 2b325ba998218e1724cf0adeb30ee980
SHA1 91c91f972b93ca21c02dbae5cc375d4e1212c0a0
SHA256 3b509ef9edb2905d68e114a86a101a00bf7ea4fa51d16ade0566e14bca5a50a9
SHA512 d7398cce9bbdb945487f66d7ab2c5fc7624933379c2058d1b197daa7f380b66de5a2145bdf0033355e795b1072c67b0031b7045307d04119888457779d707df5

C:\Windows\System\aGkOFZt.exe

MD5 0642442db4acbbfb6037e06789624264
SHA1 923aee440a6887c7a7a8a78085aa492b2cdcee65
SHA256 5d6249e3d37c32c515e6f20e0771180c7b51c791102dfffe39e4510d623eda85
SHA512 7fc8231c299b64743a966130c519362217b11d421c0ccc65ca7c97570221449b6e5bd90caefa97b416470db36fac07c3f48ea41836b395ab190e6121598e88a1

C:\Windows\System\Wmiscjz.exe

MD5 3ee04f109da47a1ec064d84e674f1c93
SHA1 644e873cc5a86065097d9d560d0304443e10d64c
SHA256 47d2b26167d01487e92054b74706d3bb25cfa0aef4e9803e369f3581631dce9f
SHA512 9c1889d4f1db6f15c9ccdb0cc3595e9e8bef5c6661b045295c1ca732b72cf3d8471e82ed02a643342a0e821733243b7d4452a48031e235b596a8367158163fa4

C:\Windows\System\uNenTZS.exe

MD5 fbb6a602f644dbf57142122f30692c9a
SHA1 8158aaa7168744874ea387599d6d2cead21e28a3
SHA256 3ededef3bd2586830b0a8597cb8ce36b4909b0421f6d3ed699083dfd6f8c0a7d
SHA512 594ad340712d040831c50ecaffbc2dabd957ed3d1d45fbdcb2c0a001df0ecad88502ea7ae79d922d80e7ca9a296427129145281a618e70a75857e869e5c45bfe

C:\Windows\System\GunTUGe.exe

MD5 7ce4ba1725e83a50f64ba525f8815dcf
SHA1 b1714a2d23cfc42c18c37e1546ac0908d8252c04
SHA256 9f7e171000696500dfb6a966f2c3ddf12dc1a77b8276ef660f14f7b7188d2908
SHA512 2dff777f276295d96892e5749316e2e8892ba50f8398f9972ecc2f6e5378213e3cdd31c7c6ab8360d3490d1ec9e77be4e73ac137e108b2eddff2feaaf600be19

C:\Windows\System\XFpTFDU.exe

MD5 4a486a2a371d8db348dc0ad03e9fd9f0
SHA1 edd912c5d606628022dc3216eaf2db7c93554ff7
SHA256 93ebf2ea35e05e71e9c9884bcb76799c1b9f2b81bf8decfe1ec83807b911916b
SHA512 deb1d7cb48c961fa18e748db8dfc9769c6fcedd4b7a26b044181e535fbdb31d7ead7b8ae69fab463473bcf0bbda0affdeecb9deffc51a89c74001f68a98bf60b
