cobaltstrike | ac0fd3cfb2d109fe86e26b8278990027d09694dfd7cacfe15cb9c39e4cb4bfb8

Analysis

max time kernel
139s
max time network
149s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11-06-2024 11:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

31600f1a179eee87dba8252d3f259a40
SHA1

241d774cf0cf9484eab88d13604b824bd55b0cbd
SHA256

ac0fd3cfb2d109fe86e26b8278990027d09694dfd7cacfe15cb9c39e4cb4bfb8
SHA512

13417b4f44dfa681019b1ab9554107d15caeeb147ac71c2cadda7a4010b09fbe396d17c53c42659ca13de10fcff43dbec198468e42264c26c58c27df9ff4ea5d
SSDEEP

98304:oemTLkNdfE0pZrt56utgpPFotBER/mQ32lUL:T+856utgpPF8u/7L

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
\Windows\system\xxuwuRU.exe	cobalt_reflective_dll
C:\Windows\system\DXhWcUu.exe	cobalt_reflective_dll
C:\Windows\system\iCDvSkJ.exe	cobalt_reflective_dll
C:\Windows\system\ZZDAjJF.exe	cobalt_reflective_dll
C:\Windows\system\CnxcxoI.exe	cobalt_reflective_dll
C:\Windows\system\gVKmeIB.exe	cobalt_reflective_dll
C:\Windows\system\MgBgwuG.exe	cobalt_reflective_dll
C:\Windows\system\aUETXhF.exe	cobalt_reflective_dll
\Windows\system\UfJizcA.exe	cobalt_reflective_dll
C:\Windows\system\NAclPnn.exe	cobalt_reflective_dll
C:\Windows\system\SQpWJCT.exe	cobalt_reflective_dll
C:\Windows\system\UpxLhZi.exe	cobalt_reflective_dll
\Windows\system\zKLmSqu.exe	cobalt_reflective_dll
C:\Windows\system\UWxixaq.exe	cobalt_reflective_dll
C:\Windows\system\EtSEFum.exe	cobalt_reflective_dll
C:\Windows\system\WXHrfUf.exe	cobalt_reflective_dll
C:\Windows\system\CxUOtcJ.exe	cobalt_reflective_dll
C:\Windows\system\McimbTL.exe	cobalt_reflective_dll
C:\Windows\system\VLssnKC.exe	cobalt_reflective_dll
C:\Windows\system\NOhjGNx.exe	cobalt_reflective_dll
C:\Windows\system\KWHfLCn.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
\Windows\system\xxuwuRU.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\DXhWcUu.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\iCDvSkJ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\ZZDAjJF.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\CnxcxoI.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\gVKmeIB.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\MgBgwuG.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\aUETXhF.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\UfJizcA.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\NAclPnn.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\SQpWJCT.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\UpxLhZi.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\zKLmSqu.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\UWxixaq.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\EtSEFum.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\WXHrfUf.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\CxUOtcJ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\McimbTL.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\VLssnKC.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\NOhjGNx.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\KWHfLCn.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 59 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3068-0-0x000000013F4B0000-0x000000013F804000-memory.dmp	UPX
\Windows\system\xxuwuRU.exe	UPX
C:\Windows\system\DXhWcUu.exe	UPX
behavioral1/memory/2500-15-0x000000013F200000-0x000000013F554000-memory.dmp	UPX
behavioral1/memory/3020-12-0x000000013F650000-0x000000013F9A4000-memory.dmp	UPX
C:\Windows\system\iCDvSkJ.exe	UPX
C:\Windows\system\ZZDAjJF.exe	UPX
behavioral1/memory/2684-29-0x000000013FEE0000-0x0000000140234000-memory.dmp	UPX
C:\Windows\system\CnxcxoI.exe	UPX
behavioral1/memory/2568-40-0x000000013F020000-0x000000013F374000-memory.dmp	UPX
behavioral1/memory/2412-35-0x000000013FF40000-0x0000000140294000-memory.dmp	UPX
C:\Windows\system\gVKmeIB.exe	UPX
behavioral1/memory/2512-22-0x000000013F0E0000-0x000000013F434000-memory.dmp	UPX
C:\Windows\system\MgBgwuG.exe	UPX
behavioral1/memory/2364-55-0x000000013FC50000-0x000000013FFA4000-memory.dmp	UPX
C:\Windows\system\aUETXhF.exe	UPX
\Windows\system\UfJizcA.exe	UPX
behavioral1/memory/2452-70-0x000000013F140000-0x000000013F494000-memory.dmp	UPX
C:\Windows\system\NAclPnn.exe	UPX
C:\Windows\system\SQpWJCT.exe	UPX
C:\Windows\system\UpxLhZi.exe	UPX
\Windows\system\zKLmSqu.exe	UPX
C:\Windows\system\UWxixaq.exe	UPX
C:\Windows\system\EtSEFum.exe	UPX
C:\Windows\system\WXHrfUf.exe	UPX
C:\Windows\system\CxUOtcJ.exe	UPX
C:\Windows\system\McimbTL.exe	UPX
behavioral1/memory/2464-98-0x000000013FDF0000-0x0000000140144000-memory.dmp	UPX
behavioral1/memory/2568-96-0x000000013F020000-0x000000013F374000-memory.dmp	UPX
behavioral1/memory/2816-89-0x000000013FC40000-0x000000013FF94000-memory.dmp	UPX
behavioral1/memory/2412-87-0x000000013FF40000-0x0000000140294000-memory.dmp	UPX
C:\Windows\system\VLssnKC.exe	UPX
behavioral1/memory/2768-82-0x000000013F5F0000-0x000000013F944000-memory.dmp	UPX
behavioral1/memory/2772-75-0x000000013F170000-0x000000013F4C4000-memory.dmp	UPX
C:\Windows\system\NOhjGNx.exe	UPX
behavioral1/memory/3020-68-0x000000013F650000-0x000000013F9A4000-memory.dmp	UPX
behavioral1/memory/380-61-0x000000013FEA0000-0x00000001401F4000-memory.dmp	UPX
behavioral1/memory/3068-60-0x000000013F4B0000-0x000000013F804000-memory.dmp	UPX
behavioral1/memory/1504-48-0x000000013FEA0000-0x00000001401F4000-memory.dmp	UPX
C:\Windows\system\KWHfLCn.exe	UPX
behavioral1/memory/380-136-0x000000013FEA0000-0x00000001401F4000-memory.dmp	UPX
behavioral1/memory/2772-138-0x000000013F170000-0x000000013F4C4000-memory.dmp	UPX
behavioral1/memory/2768-139-0x000000013F5F0000-0x000000013F944000-memory.dmp	UPX
behavioral1/memory/2816-141-0x000000013FC40000-0x000000013FF94000-memory.dmp	UPX
behavioral1/memory/2464-143-0x000000013FDF0000-0x0000000140144000-memory.dmp	UPX
behavioral1/memory/2500-145-0x000000013F200000-0x000000013F554000-memory.dmp	UPX
behavioral1/memory/3020-146-0x000000013F650000-0x000000013F9A4000-memory.dmp	UPX
behavioral1/memory/2512-147-0x000000013F0E0000-0x000000013F434000-memory.dmp	UPX
behavioral1/memory/2684-148-0x000000013FEE0000-0x0000000140234000-memory.dmp	UPX
behavioral1/memory/2568-149-0x000000013F020000-0x000000013F374000-memory.dmp	UPX
behavioral1/memory/1504-150-0x000000013FEA0000-0x00000001401F4000-memory.dmp	UPX
behavioral1/memory/2364-151-0x000000013FC50000-0x000000013FFA4000-memory.dmp	UPX
behavioral1/memory/380-152-0x000000013FEA0000-0x00000001401F4000-memory.dmp	UPX
behavioral1/memory/2452-153-0x000000013F140000-0x000000013F494000-memory.dmp	UPX
behavioral1/memory/2772-154-0x000000013F170000-0x000000013F4C4000-memory.dmp	UPX
behavioral1/memory/2768-155-0x000000013F5F0000-0x000000013F944000-memory.dmp	UPX
behavioral1/memory/2816-156-0x000000013FC40000-0x000000013FF94000-memory.dmp	UPX
behavioral1/memory/2464-157-0x000000013FDF0000-0x0000000140144000-memory.dmp	UPX
behavioral1/memory/2412-158-0x000000013FF40000-0x0000000140294000-memory.dmp	UPX

XMRig Miner payload 59 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/3068-0-0x000000013F4B0000-0x000000013F804000-memory.dmp	xmrig
\Windows\system\xxuwuRU.exe	xmrig
C:\Windows\system\DXhWcUu.exe	xmrig
behavioral1/memory/2500-15-0x000000013F200000-0x000000013F554000-memory.dmp	xmrig
behavioral1/memory/3020-12-0x000000013F650000-0x000000013F9A4000-memory.dmp	xmrig
C:\Windows\system\iCDvSkJ.exe	xmrig
C:\Windows\system\ZZDAjJF.exe	xmrig
behavioral1/memory/2684-29-0x000000013FEE0000-0x0000000140234000-memory.dmp	xmrig
C:\Windows\system\CnxcxoI.exe	xmrig
behavioral1/memory/2568-40-0x000000013F020000-0x000000013F374000-memory.dmp	xmrig
behavioral1/memory/2412-35-0x000000013FF40000-0x0000000140294000-memory.dmp	xmrig
C:\Windows\system\gVKmeIB.exe	xmrig
behavioral1/memory/2512-22-0x000000013F0E0000-0x000000013F434000-memory.dmp	xmrig
C:\Windows\system\MgBgwuG.exe	xmrig
behavioral1/memory/2364-55-0x000000013FC50000-0x000000013FFA4000-memory.dmp	xmrig
C:\Windows\system\aUETXhF.exe	xmrig
\Windows\system\UfJizcA.exe	xmrig
behavioral1/memory/2452-70-0x000000013F140000-0x000000013F494000-memory.dmp	xmrig
C:\Windows\system\NAclPnn.exe	xmrig
C:\Windows\system\SQpWJCT.exe	xmrig
C:\Windows\system\UpxLhZi.exe	xmrig
\Windows\system\zKLmSqu.exe	xmrig
C:\Windows\system\UWxixaq.exe	xmrig
C:\Windows\system\EtSEFum.exe	xmrig
C:\Windows\system\WXHrfUf.exe	xmrig
C:\Windows\system\CxUOtcJ.exe	xmrig
C:\Windows\system\McimbTL.exe	xmrig
behavioral1/memory/2464-98-0x000000013FDF0000-0x0000000140144000-memory.dmp	xmrig
behavioral1/memory/2568-96-0x000000013F020000-0x000000013F374000-memory.dmp	xmrig
behavioral1/memory/2816-89-0x000000013FC40000-0x000000013FF94000-memory.dmp	xmrig
behavioral1/memory/2412-87-0x000000013FF40000-0x0000000140294000-memory.dmp	xmrig
C:\Windows\system\VLssnKC.exe	xmrig
behavioral1/memory/2768-82-0x000000013F5F0000-0x000000013F944000-memory.dmp	xmrig
behavioral1/memory/2772-75-0x000000013F170000-0x000000013F4C4000-memory.dmp	xmrig
C:\Windows\system\NOhjGNx.exe	xmrig
behavioral1/memory/3020-68-0x000000013F650000-0x000000013F9A4000-memory.dmp	xmrig
behavioral1/memory/380-61-0x000000013FEA0000-0x00000001401F4000-memory.dmp	xmrig
behavioral1/memory/3068-60-0x000000013F4B0000-0x000000013F804000-memory.dmp	xmrig
behavioral1/memory/1504-48-0x000000013FEA0000-0x00000001401F4000-memory.dmp	xmrig
C:\Windows\system\KWHfLCn.exe	xmrig
behavioral1/memory/380-136-0x000000013FEA0000-0x00000001401F4000-memory.dmp	xmrig
behavioral1/memory/2772-138-0x000000013F170000-0x000000013F4C4000-memory.dmp	xmrig
behavioral1/memory/2768-139-0x000000013F5F0000-0x000000013F944000-memory.dmp	xmrig
behavioral1/memory/2816-141-0x000000013FC40000-0x000000013FF94000-memory.dmp	xmrig
behavioral1/memory/2464-143-0x000000013FDF0000-0x0000000140144000-memory.dmp	xmrig
behavioral1/memory/2500-145-0x000000013F200000-0x000000013F554000-memory.dmp	xmrig
behavioral1/memory/3020-146-0x000000013F650000-0x000000013F9A4000-memory.dmp	xmrig
behavioral1/memory/2512-147-0x000000013F0E0000-0x000000013F434000-memory.dmp	xmrig
behavioral1/memory/2684-148-0x000000013FEE0000-0x0000000140234000-memory.dmp	xmrig
behavioral1/memory/2568-149-0x000000013F020000-0x000000013F374000-memory.dmp	xmrig
behavioral1/memory/1504-150-0x000000013FEA0000-0x00000001401F4000-memory.dmp	xmrig
behavioral1/memory/2364-151-0x000000013FC50000-0x000000013FFA4000-memory.dmp	xmrig
behavioral1/memory/380-152-0x000000013FEA0000-0x00000001401F4000-memory.dmp	xmrig
behavioral1/memory/2452-153-0x000000013F140000-0x000000013F494000-memory.dmp	xmrig
behavioral1/memory/2772-154-0x000000013F170000-0x000000013F4C4000-memory.dmp	xmrig
behavioral1/memory/2768-155-0x000000013F5F0000-0x000000013F944000-memory.dmp	xmrig
behavioral1/memory/2816-156-0x000000013FC40000-0x000000013FF94000-memory.dmp	xmrig
behavioral1/memory/2464-157-0x000000013FDF0000-0x0000000140144000-memory.dmp	xmrig
behavioral1/memory/2412-158-0x000000013FF40000-0x0000000140294000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

xxuwuRU.exeDXhWcUu.exeiCDvSkJ.exeZZDAjJF.exegVKmeIB.exeCnxcxoI.exeKWHfLCn.exeMgBgwuG.exeaUETXhF.exeUfJizcA.exeNAclPnn.exeNOhjGNx.exeSQpWJCT.exeVLssnKC.exeCxUOtcJ.exeMcimbTL.exeWXHrfUf.exeUpxLhZi.exeEtSEFum.exeUWxixaq.exezKLmSqu.exe

pid	process
3020	xxuwuRU.exe
2500	DXhWcUu.exe
2512	iCDvSkJ.exe
2684	ZZDAjJF.exe
2412	gVKmeIB.exe
2568	CnxcxoI.exe
1504	KWHfLCn.exe
2364	MgBgwuG.exe
380	aUETXhF.exe
2452	UfJizcA.exe
2772	NAclPnn.exe
2768	NOhjGNx.exe
2816	SQpWJCT.exe
2464	VLssnKC.exe
1224	CxUOtcJ.exe
1536	McimbTL.exe
1416	WXHrfUf.exe
2392	UpxLhZi.exe
2920	EtSEFum.exe
2632	UWxixaq.exe
1168	zKLmSqu.exe

Loads dropped DLL 21 IoCs

Processes:

2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe

pid	process
3068	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe
3068	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe
3068	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe
3068	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe
3068	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe
3068	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe
3068	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe
3068	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe
3068	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe
3068	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe
3068	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe
3068	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe
3068	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe
3068	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe
3068	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe
3068	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe
3068	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe
3068	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe
3068	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe
3068	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe
3068	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe

UPX packed file 59 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/3068-0-0x000000013F4B0000-0x000000013F804000-memory.dmp	upx
\Windows\system\xxuwuRU.exe	upx
C:\Windows\system\DXhWcUu.exe	upx
behavioral1/memory/2500-15-0x000000013F200000-0x000000013F554000-memory.dmp	upx
behavioral1/memory/3020-12-0x000000013F650000-0x000000013F9A4000-memory.dmp	upx
C:\Windows\system\iCDvSkJ.exe	upx
C:\Windows\system\ZZDAjJF.exe	upx
behavioral1/memory/2684-29-0x000000013FEE0000-0x0000000140234000-memory.dmp	upx
C:\Windows\system\CnxcxoI.exe	upx
behavioral1/memory/2568-40-0x000000013F020000-0x000000013F374000-memory.dmp	upx
behavioral1/memory/2412-35-0x000000013FF40000-0x0000000140294000-memory.dmp	upx
C:\Windows\system\gVKmeIB.exe	upx
behavioral1/memory/2512-22-0x000000013F0E0000-0x000000013F434000-memory.dmp	upx
C:\Windows\system\MgBgwuG.exe	upx
behavioral1/memory/2364-55-0x000000013FC50000-0x000000013FFA4000-memory.dmp	upx
C:\Windows\system\aUETXhF.exe	upx
\Windows\system\UfJizcA.exe	upx
behavioral1/memory/2452-70-0x000000013F140000-0x000000013F494000-memory.dmp	upx
C:\Windows\system\NAclPnn.exe	upx
C:\Windows\system\SQpWJCT.exe	upx
C:\Windows\system\UpxLhZi.exe	upx
\Windows\system\zKLmSqu.exe	upx
C:\Windows\system\UWxixaq.exe	upx
C:\Windows\system\EtSEFum.exe	upx
C:\Windows\system\WXHrfUf.exe	upx
C:\Windows\system\CxUOtcJ.exe	upx
C:\Windows\system\McimbTL.exe	upx
behavioral1/memory/2464-98-0x000000013FDF0000-0x0000000140144000-memory.dmp	upx
behavioral1/memory/2568-96-0x000000013F020000-0x000000013F374000-memory.dmp	upx
behavioral1/memory/2816-89-0x000000013FC40000-0x000000013FF94000-memory.dmp	upx
behavioral1/memory/2412-87-0x000000013FF40000-0x0000000140294000-memory.dmp	upx
C:\Windows\system\VLssnKC.exe	upx
behavioral1/memory/2768-82-0x000000013F5F0000-0x000000013F944000-memory.dmp	upx
behavioral1/memory/2772-75-0x000000013F170000-0x000000013F4C4000-memory.dmp	upx
C:\Windows\system\NOhjGNx.exe	upx
behavioral1/memory/3020-68-0x000000013F650000-0x000000013F9A4000-memory.dmp	upx
behavioral1/memory/380-61-0x000000013FEA0000-0x00000001401F4000-memory.dmp	upx
behavioral1/memory/3068-60-0x000000013F4B0000-0x000000013F804000-memory.dmp	upx
behavioral1/memory/1504-48-0x000000013FEA0000-0x00000001401F4000-memory.dmp	upx
C:\Windows\system\KWHfLCn.exe	upx
behavioral1/memory/380-136-0x000000013FEA0000-0x00000001401F4000-memory.dmp	upx
behavioral1/memory/2772-138-0x000000013F170000-0x000000013F4C4000-memory.dmp	upx
behavioral1/memory/2768-139-0x000000013F5F0000-0x000000013F944000-memory.dmp	upx
behavioral1/memory/2816-141-0x000000013FC40000-0x000000013FF94000-memory.dmp	upx
behavioral1/memory/2464-143-0x000000013FDF0000-0x0000000140144000-memory.dmp	upx
behavioral1/memory/2500-145-0x000000013F200000-0x000000013F554000-memory.dmp	upx
behavioral1/memory/3020-146-0x000000013F650000-0x000000013F9A4000-memory.dmp	upx
behavioral1/memory/2512-147-0x000000013F0E0000-0x000000013F434000-memory.dmp	upx
behavioral1/memory/2684-148-0x000000013FEE0000-0x0000000140234000-memory.dmp	upx
behavioral1/memory/2568-149-0x000000013F020000-0x000000013F374000-memory.dmp	upx
behavioral1/memory/1504-150-0x000000013FEA0000-0x00000001401F4000-memory.dmp	upx
behavioral1/memory/2364-151-0x000000013FC50000-0x000000013FFA4000-memory.dmp	upx
behavioral1/memory/380-152-0x000000013FEA0000-0x00000001401F4000-memory.dmp	upx
behavioral1/memory/2452-153-0x000000013F140000-0x000000013F494000-memory.dmp	upx
behavioral1/memory/2772-154-0x000000013F170000-0x000000013F4C4000-memory.dmp	upx
behavioral1/memory/2768-155-0x000000013F5F0000-0x000000013F944000-memory.dmp	upx
behavioral1/memory/2816-156-0x000000013FC40000-0x000000013FF94000-memory.dmp	upx
behavioral1/memory/2464-157-0x000000013FDF0000-0x0000000140144000-memory.dmp	upx
behavioral1/memory/2412-158-0x000000013FF40000-0x0000000140294000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\DXhWcUu.exe	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\gVKmeIB.exe	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\CnxcxoI.exe	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\aUETXhF.exe	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\UfJizcA.exe	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\SQpWJCT.exe	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\VLssnKC.exe	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\xxuwuRU.exe	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\zKLmSqu.exe	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\CxUOtcJ.exe	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\McimbTL.exe	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\WXHrfUf.exe	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\KWHfLCn.exe	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\NOhjGNx.exe	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ZZDAjJF.exe	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\MgBgwuG.exe	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\NAclPnn.exe	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\UpxLhZi.exe	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\EtSEFum.exe	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\UWxixaq.exe	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\iCDvSkJ.exe	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	3068	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	3068	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 3068 wrote to memory of 3020	3068	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	xxuwuRU.exe
PID 3068 wrote to memory of 3020	3068	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	xxuwuRU.exe
PID 3068 wrote to memory of 3020	3068	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	xxuwuRU.exe
PID 3068 wrote to memory of 2500	3068	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	DXhWcUu.exe
PID 3068 wrote to memory of 2500	3068	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	DXhWcUu.exe
PID 3068 wrote to memory of 2500	3068	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	DXhWcUu.exe
PID 3068 wrote to memory of 2512	3068	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	iCDvSkJ.exe
PID 3068 wrote to memory of 2512	3068	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	iCDvSkJ.exe
PID 3068 wrote to memory of 2512	3068	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	iCDvSkJ.exe
PID 3068 wrote to memory of 2684	3068	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	ZZDAjJF.exe
PID 3068 wrote to memory of 2684	3068	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	ZZDAjJF.exe
PID 3068 wrote to memory of 2684	3068	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	ZZDAjJF.exe
PID 3068 wrote to memory of 2412	3068	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	gVKmeIB.exe
PID 3068 wrote to memory of 2412	3068	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	gVKmeIB.exe
PID 3068 wrote to memory of 2412	3068	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	gVKmeIB.exe
PID 3068 wrote to memory of 2568	3068	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	CnxcxoI.exe
PID 3068 wrote to memory of 2568	3068	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	CnxcxoI.exe
PID 3068 wrote to memory of 2568	3068	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	CnxcxoI.exe
PID 3068 wrote to memory of 1504	3068	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	KWHfLCn.exe
PID 3068 wrote to memory of 1504	3068	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	KWHfLCn.exe
PID 3068 wrote to memory of 1504	3068	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	KWHfLCn.exe
PID 3068 wrote to memory of 2364	3068	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	MgBgwuG.exe
PID 3068 wrote to memory of 2364	3068	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	MgBgwuG.exe
PID 3068 wrote to memory of 2364	3068	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	MgBgwuG.exe
PID 3068 wrote to memory of 380	3068	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	aUETXhF.exe
PID 3068 wrote to memory of 380	3068	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	aUETXhF.exe
PID 3068 wrote to memory of 380	3068	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	aUETXhF.exe
PID 3068 wrote to memory of 2452	3068	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	UfJizcA.exe
PID 3068 wrote to memory of 2452	3068	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	UfJizcA.exe
PID 3068 wrote to memory of 2452	3068	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	UfJizcA.exe
PID 3068 wrote to memory of 2772	3068	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	NAclPnn.exe
PID 3068 wrote to memory of 2772	3068	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	NAclPnn.exe
PID 3068 wrote to memory of 2772	3068	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	NAclPnn.exe
PID 3068 wrote to memory of 2768	3068	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	NOhjGNx.exe
PID 3068 wrote to memory of 2768	3068	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	NOhjGNx.exe
PID 3068 wrote to memory of 2768	3068	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	NOhjGNx.exe
PID 3068 wrote to memory of 2816	3068	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	SQpWJCT.exe
PID 3068 wrote to memory of 2816	3068	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	SQpWJCT.exe
PID 3068 wrote to memory of 2816	3068	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	SQpWJCT.exe
PID 3068 wrote to memory of 2464	3068	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	VLssnKC.exe
PID 3068 wrote to memory of 2464	3068	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	VLssnKC.exe
PID 3068 wrote to memory of 2464	3068	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	VLssnKC.exe
PID 3068 wrote to memory of 1224	3068	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	CxUOtcJ.exe
PID 3068 wrote to memory of 1224	3068	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	CxUOtcJ.exe
PID 3068 wrote to memory of 1224	3068	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	CxUOtcJ.exe
PID 3068 wrote to memory of 1536	3068	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	McimbTL.exe
PID 3068 wrote to memory of 1536	3068	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	McimbTL.exe
PID 3068 wrote to memory of 1536	3068	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	McimbTL.exe
PID 3068 wrote to memory of 1416	3068	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	WXHrfUf.exe
PID 3068 wrote to memory of 1416	3068	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	WXHrfUf.exe
PID 3068 wrote to memory of 1416	3068	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	WXHrfUf.exe
PID 3068 wrote to memory of 2392	3068	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	UpxLhZi.exe
PID 3068 wrote to memory of 2392	3068	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	UpxLhZi.exe
PID 3068 wrote to memory of 2392	3068	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	UpxLhZi.exe
PID 3068 wrote to memory of 2920	3068	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	EtSEFum.exe
PID 3068 wrote to memory of 2920	3068	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	EtSEFum.exe
PID 3068 wrote to memory of 2920	3068	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	EtSEFum.exe
PID 3068 wrote to memory of 2632	3068	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	UWxixaq.exe
PID 3068 wrote to memory of 2632	3068	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	UWxixaq.exe
PID 3068 wrote to memory of 2632	3068	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	UWxixaq.exe
PID 3068 wrote to memory of 1168	3068	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	zKLmSqu.exe
PID 3068 wrote to memory of 1168	3068	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	zKLmSqu.exe
PID 3068 wrote to memory of 1168	3068	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	zKLmSqu.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3068

C:\Windows\System\xxuwuRU.exe
C:\Windows\System\xxuwuRU.exe
2⤵
- Executes dropped EXE
PID:3020

C:\Windows\System\DXhWcUu.exe
C:\Windows\System\DXhWcUu.exe
2⤵
- Executes dropped EXE
PID:2500

C:\Windows\System\iCDvSkJ.exe
C:\Windows\System\iCDvSkJ.exe
2⤵
- Executes dropped EXE
PID:2512

C:\Windows\System\ZZDAjJF.exe
C:\Windows\System\ZZDAjJF.exe
2⤵
- Executes dropped EXE
PID:2684

C:\Windows\System\gVKmeIB.exe
C:\Windows\System\gVKmeIB.exe
2⤵
- Executes dropped EXE
PID:2412

C:\Windows\System\CnxcxoI.exe
C:\Windows\System\CnxcxoI.exe
2⤵
- Executes dropped EXE
PID:2568

C:\Windows\System\KWHfLCn.exe
C:\Windows\System\KWHfLCn.exe
2⤵
- Executes dropped EXE
PID:1504

C:\Windows\System\MgBgwuG.exe
C:\Windows\System\MgBgwuG.exe
2⤵
- Executes dropped EXE
PID:2364

C:\Windows\System\aUETXhF.exe
C:\Windows\System\aUETXhF.exe
2⤵
- Executes dropped EXE
PID:380

C:\Windows\System\UfJizcA.exe
C:\Windows\System\UfJizcA.exe
2⤵
- Executes dropped EXE
PID:2452

C:\Windows\System\NAclPnn.exe
C:\Windows\System\NAclPnn.exe
2⤵
- Executes dropped EXE
PID:2772

C:\Windows\System\NOhjGNx.exe
C:\Windows\System\NOhjGNx.exe
2⤵
- Executes dropped EXE
PID:2768

C:\Windows\System\SQpWJCT.exe
C:\Windows\System\SQpWJCT.exe
2⤵
- Executes dropped EXE
PID:2816

C:\Windows\System\VLssnKC.exe
C:\Windows\System\VLssnKC.exe
2⤵
- Executes dropped EXE
PID:2464

C:\Windows\System\CxUOtcJ.exe
C:\Windows\System\CxUOtcJ.exe
2⤵
- Executes dropped EXE
PID:1224

C:\Windows\System\McimbTL.exe
C:\Windows\System\McimbTL.exe
2⤵
- Executes dropped EXE
PID:1536

C:\Windows\System\WXHrfUf.exe
C:\Windows\System\WXHrfUf.exe
2⤵
- Executes dropped EXE
PID:1416

C:\Windows\System\UpxLhZi.exe
C:\Windows\System\UpxLhZi.exe
2⤵
- Executes dropped EXE
PID:2392

C:\Windows\System\EtSEFum.exe
C:\Windows\System\EtSEFum.exe
2⤵
- Executes dropped EXE
PID:2920

C:\Windows\System\UWxixaq.exe
C:\Windows\System\UWxixaq.exe
2⤵
- Executes dropped EXE
PID:2632

C:\Windows\System\zKLmSqu.exe
C:\Windows\System\zKLmSqu.exe
2⤵
- Executes dropped EXE
PID:1168

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\CnxcxoI.exe
Filesize
5.9MB

MD5
1dbb2134c6a100fdfbe64d876f975ae7

SHA1
3ec50fb1d39f284d311f763c4ef13a10722fff4c

SHA256
aaef1ebb49d568e91524386ba8f0952cb98e086b96bb2deaf5cb632c2cf4c6a8

SHA512
9671f3075a43214176a882195ba44b17f28a1acb6c30daf6298217d8fb41429e769b6cba2a548c771293f6d2bd94feec48ba110c8e9bee2468e17796d0f4fc15

Download Submit
C:\Windows\system\CxUOtcJ.exe
Filesize
5.9MB

MD5
082221b97d86e6fabe5f9154c530caba

SHA1
ba757c8c47ff7700f26307f29cebfe8b7ab024a7

SHA256
5778b24f8a9aaa0e19d9b142efa928677d49f8c6111cbe076a74cd23661047b0

SHA512
e64499f738a3466bc68093eea5c51b8d881b5883f3956e0e483e50932f8137a43ca698f615858e6e6f262bef3bcb9a04263567ab0c9da1e80e02a3abde18e1dd

Download Submit
C:\Windows\system\DXhWcUu.exe
Filesize
5.9MB

MD5
0b543d7e77bdb9e7c31e53877c5f61f5

SHA1
a0d40ef3b442d6c3a6add3c7b8765bb45344312b

SHA256
dda099f0fc6b042bb5a782703522d3e99a54109dd2035bb70a78dec8b7d8ad61

SHA512
beeb20d9d59f53d5c54c9c0d88d28db98c499eaca7909b9a5ec5ffa0eb72fb56998f4ba449fab634793f1972c42ca7ec8664ec68c51bb1cc5507ca47e4e42d7c

Download Submit
C:\Windows\system\EtSEFum.exe
Filesize
5.9MB

MD5
b5304f6fd51b0b48dbae2b1c8e538e15

SHA1
0751e8ec4829823739df4c8df55521f33f545d0e

SHA256
ca23281777306918e4a1bba4d3481756b413be1859540a61f170a233892da7ab

SHA512
0d62c9a80c716bd8022c1085f8289f65e9349cfd3309f5e3f55d65b76d788054a1c7767000da9642f01d74800312fb39937ec46a7e462dd9789258a46b9cd3a7

Download Submit
C:\Windows\system\KWHfLCn.exe
Filesize
5.9MB

MD5
90eab85d124ae2413d56163bb84a85bc

SHA1
dd2970a8fd042d61271a0ea725c55487e8315d72

SHA256
8f566be213ffa46bc3d43039ff47b3320954a3923dca01da073e55d6cb509a94

SHA512
411c37e0fe664bf9d9d6a282a7e89c105f7decbfd59d300e4bdaafa0ea98c070702c516e4235b8237a3bb7071ab871fbba94275558dec445fc9a8d26a0cbe5f3

Download Submit
C:\Windows\system\McimbTL.exe
Filesize
5.9MB

MD5
8d023437f9c167c91a736b75ae6bf8f4

SHA1
efb432afd314bdf258229dadc8b61265858b3179

SHA256
d15a9b297a856181f28174377c1d1a42c05c4d3cacf0a191409d31e9c331513f

SHA512
869105aea731e3f023c6d25ce2d6f494ae06cf058488aa1d6dce886f814dfd8be154060a505ca1f788f7a945a1b8fee336f53b1c762e775019a8b812e5f08bed

Download Submit
C:\Windows\system\MgBgwuG.exe
Filesize
5.9MB

MD5
e003f2f57b871cad7d3d7274bad12dde

SHA1
9d10ed7bcb62a282fdc7a2c7ef0df50c46e8b6a6

SHA256
4bfb3e537c5d69eb28cfced3c9b4ec7c6f9aa6db682c4b03e545f765673ac12e

SHA512
f4809938a5a19c7619dc0bf56ac7c7bd2282439b3b82345129817714033afb7f61d1d706184e648fa3879cae182794aed357b4bb749d86d20cd3c13c1d16ab1f

Download Submit
C:\Windows\system\NAclPnn.exe
Filesize
5.9MB

MD5
f45ad7a36f6b4d0f3670a407bdee7be7

SHA1
0bef34dc9f83436d491d921d608e4f3d1f7bceeb

SHA256
7e8ba3ef67d94f91f4119a50a36806101c36037841ad59a0557002a62439759c

SHA512
dc0defcbe305eaf37945cca4612f23f248d359251cd5f4e78d584f5144258bdb6fbc6ab7a7c149b17aecb34010ac1de7a880343fffff5191575e1bb5dc045271

Download Submit
C:\Windows\system\NOhjGNx.exe
Filesize
5.9MB

MD5
3568dd784a026e96c3a2cac344c2420b

SHA1
4373577574fa081dcb5a31088291e079bf175d4b

SHA256
dd5e3655e9ace65bdce8819fdc55f1e6d30519e1808548e536b522e1586a776b

SHA512
7d9e06f1795470716d9e3c32376856796f05d5e03c076ef05d81494c226d702705a9a59456b11faee3089756f903aa911849f6b9696d12eff02bfc67c5726b43

Download Submit
C:\Windows\system\SQpWJCT.exe
Filesize
5.9MB

MD5
0df113c56ddfbb89f16b057e2691880f

SHA1
f4d2d0a362311111fe1cd9607d5a23214bf6d40e

SHA256
aca03e3a24d1a3175d17347a33f7eaf695ffe4af405bed8b80011c57ad8b0b7f

SHA512
242c9a42f602f85795af185e45c6bceea562e7ecda38c206c375c3d088327ce370bf647095238e525f3ed922ff4666f191f140007fe610718a0fc1569b3eb646

Download Submit
C:\Windows\system\UWxixaq.exe
Filesize
5.9MB

MD5
7f9cf1c2267064530d192b9fbc7f3889

SHA1
33c87b210c8dcf3279b69fa31afdba2cf99d3876

SHA256
773b628577a198176274f0d4b80ffd6b3d2c33711970e8f6a716bb930ecad7ee

SHA512
b6ea972a3fa6d7cb1f2f984092bac0be8978f63c446f09f4df13b00de27e39b905dfefa89d368a329fdc7ef4e8ff3d8330089ee295844bb932e2259ec331bb6b

Download Submit
C:\Windows\system\UpxLhZi.exe
Filesize
5.9MB

MD5
183e3dc97062dd327482f6c89514a1e6

SHA1
4c5e91e2cb1fc29d888ceb2d1e0aefcea8484a7c

SHA256
407b0ba7352cd1fcc09ef2000982f87c05865b2741aa9f59718d88cbbb88bf96

SHA512
fda4e206351b1c7e135c6d82b005cce965ac53e7dc712d9e0f8bddc2ae7fb4fab26d4f0f9d8db104bc48f9d00c02825e769816a631305eb14a6aa93aae66b7a4

Download Submit
C:\Windows\system\VLssnKC.exe
Filesize
5.9MB

MD5
a9d9e6d7eebc6ae34b1051b2f71e9e86

SHA1
aabb7187bf0286acf39f5ac49f493555dbb4f06f

SHA256
1795aa9dd70fc63543471f1767e620ed7591ddceafb1468388c8da5e812fe862

SHA512
2c3ecb3b994c98c46bca4716d6dcb8297f0ccfd8ab186feccaf6e2c1f91d9a8d39fd683158eaf7f883a95ed6dc56158dc9dda95098454bc8db462ccb0a45c060

Download Submit
C:\Windows\system\WXHrfUf.exe
Filesize
5.9MB

MD5
dd02fbe8615250b8e6bc5e3f77ae9979

SHA1
6eed8b67e62952f42ea5347e773ee534a52a2c88

SHA256
f297cc9e46d4f1598578095478d865daa621ab2261800c3ebfa2fdb1812fd6bc

SHA512
18e1208cff925d207bbb4a3000a6cbb361ec83a007038d1998e253966d2afd8e056844716676ed519c80d532d357f82c7a19e9cf8dcec337b269830f60665ad0

Download Submit
C:\Windows\system\ZZDAjJF.exe
Filesize
5.9MB

MD5
a8cad41f327ade97e5f21b22cdf3b2bb

SHA1
e817f94d4ae6002ed98b736f4008088210874581

SHA256
ad663d764bae06d8944169045b6499af139097b0b08f1cd35d5e33daab5a28c4

SHA512
7622b81d039e5d5d89b70653e90b838926ddd6a0d05bda9d68591667c210fa81779078cb2d11299d5e0a8e90767cd1bd93263be75f4dbefe74ef78759580bebb

Download Submit
C:\Windows\system\aUETXhF.exe
Filesize
5.9MB

MD5
f75b7b9094e810a51575c29bbfb19ebb

SHA1
d3f8338613173a6a41503db21f51c83781337046

SHA256
69dfba597b644e8a0557cb6780e260f66574d08a54f9a753adde8d1c6cf4d49d

SHA512
34d059402658e847950cb88559904478255de9e30a621fa45a5150398b674bc25e567adac0ec8e3c82e6e88d0c9de183289bfd15d521eae1952f98accaaf1d76

Download Submit
C:\Windows\system\gVKmeIB.exe
Filesize
5.9MB

MD5
522ce300f8b1d46df762fe8ee5177cfc

SHA1
7af34431582010333cff5f1d7b299199277e0771

SHA256
f96a62d5f2274f750784d40c6fc88966050a7e169d78b9c68f4e8b0c4ef64e87

SHA512
9dba85dfde0fd979cf120f3c993a3c4aec5d0dcfde23849e35e3cd9130f13fd2465f307607dbe43b9c865621391734d6c60b22a9d6ad52dda7d84fbef85a111d

Download Submit
C:\Windows\system\iCDvSkJ.exe
Filesize
5.9MB

MD5
dab575d6e2c4e3cf44cb89c20144f3b8

SHA1
b0548777fc6de584c13956f383432880ba362db7

SHA256
b4cb7ce43dbd04e9346ca1ea26ce788174e81001bf330afd5526955e48ed712f

SHA512
e1b7297f9c4a38e9b2e4fd391fc8f8fae343e3902aecfbe47fa6cebc3314d287044df268ac2155d0c51adf5a55ad213b3af389df14bf7d2eefdd060eac5ba8ba

Download Submit
\Windows\system\UfJizcA.exe
Filesize
5.9MB

MD5
e1742ec7685a1413cff90036a2611a3b

SHA1
14ef5338ff598e5ebbcb6c73629239c9d215757f

SHA256
bdb67d58a300496385feb73a5460f44af63fabbf760ba58c265efb1475291eda

SHA512
a674047082195653241507e88c00fe6b5779af260b9659e9adc4ab54489ba813f0e804bb809fc3a0df2bcfcda17fb4f7cfd08ab478a87901127af522e53933ce

Download Submit
\Windows\system\xxuwuRU.exe
Filesize
5.9MB

MD5
2dd6d8299ff304862a4cbe348d3ae9cd

SHA1
6c41dec3b3ea19f654b31ddf5edb833569a626c6

SHA256
ccf7935464ddfc0d12098fae4120ce2bdc2b28986377e56c66f2d50db0e0e12d

SHA512
7f0ae4dc59262738ff3fc9f406aa4f64bad9f1559f54068b4eaee0065c487561db4bcf313197472dd822692f05baf137b981280910d28cee456b903187e26a0e

Download Submit
\Windows\system\zKLmSqu.exe
Filesize
5.9MB

MD5
2ef37d1833f2c68017551a035fbc0c76

SHA1
4ebd717fef82fc2721c92151f2a23975e146bb75

SHA256
f94bdfe13e2f8920dc7424aa5d66645ccf6900eacc867810ccb06d36a503bd52

SHA512
3054e45df88b02b00373003e3a685c568ffd9a848564d69dc8b089e7cd3995727d34f1e23e399cef821071575946391d210d8bc874f9624e195c20600b78f91e

Download Submit
memory/380-61-0x000000013FEA0000-0x00000001401F4000-memory.dmp

Filesize
3.3MB

Download
memory/380-152-0x000000013FEA0000-0x00000001401F4000-memory.dmp

Filesize
3.3MB

Download
memory/380-136-0x000000013FEA0000-0x00000001401F4000-memory.dmp

Filesize
3.3MB

Download
memory/1504-48-0x000000013FEA0000-0x00000001401F4000-memory.dmp

Filesize
3.3MB

Download
memory/1504-150-0x000000013FEA0000-0x00000001401F4000-memory.dmp

Filesize
3.3MB

Download
memory/2364-151-0x000000013FC50000-0x000000013FFA4000-memory.dmp

Filesize
3.3MB

Download
memory/2364-55-0x000000013FC50000-0x000000013FFA4000-memory.dmp

Filesize
3.3MB

Download
memory/2412-35-0x000000013FF40000-0x0000000140294000-memory.dmp

Filesize
3.3MB

Download
memory/2412-87-0x000000013FF40000-0x0000000140294000-memory.dmp

Filesize
3.3MB

Download
memory/2412-158-0x000000013FF40000-0x0000000140294000-memory.dmp

Filesize
3.3MB

Download
memory/2452-153-0x000000013F140000-0x000000013F494000-memory.dmp

Filesize
3.3MB

Download
memory/2452-70-0x000000013F140000-0x000000013F494000-memory.dmp

Filesize
3.3MB

Download
memory/2464-157-0x000000013FDF0000-0x0000000140144000-memory.dmp

Filesize
3.3MB

Download
memory/2464-143-0x000000013FDF0000-0x0000000140144000-memory.dmp

Filesize
3.3MB

Download
memory/2464-98-0x000000013FDF0000-0x0000000140144000-memory.dmp

Filesize
3.3MB

Download
memory/2500-15-0x000000013F200000-0x000000013F554000-memory.dmp

Filesize
3.3MB

Download
memory/2500-145-0x000000013F200000-0x000000013F554000-memory.dmp

Filesize
3.3MB

Download
memory/2512-22-0x000000013F0E0000-0x000000013F434000-memory.dmp

Filesize
3.3MB

Download
memory/2512-147-0x000000013F0E0000-0x000000013F434000-memory.dmp

Filesize
3.3MB

Download
memory/2568-96-0x000000013F020000-0x000000013F374000-memory.dmp

Filesize
3.3MB

Download
memory/2568-40-0x000000013F020000-0x000000013F374000-memory.dmp

Filesize
3.3MB

Download
memory/2568-149-0x000000013F020000-0x000000013F374000-memory.dmp

Filesize
3.3MB

Download
memory/2684-29-0x000000013FEE0000-0x0000000140234000-memory.dmp

Filesize
3.3MB

Download
memory/2684-148-0x000000013FEE0000-0x0000000140234000-memory.dmp

Filesize
3.3MB

Download
memory/2768-155-0x000000013F5F0000-0x000000013F944000-memory.dmp

Filesize
3.3MB

Download
memory/2768-82-0x000000013F5F0000-0x000000013F944000-memory.dmp

Filesize
3.3MB

Download
memory/2768-139-0x000000013F5F0000-0x000000013F944000-memory.dmp

Filesize
3.3MB

Download
memory/2772-138-0x000000013F170000-0x000000013F4C4000-memory.dmp

Filesize
3.3MB

Download
memory/2772-154-0x000000013F170000-0x000000013F4C4000-memory.dmp

Filesize
3.3MB

Download
memory/2772-75-0x000000013F170000-0x000000013F4C4000-memory.dmp

Filesize
3.3MB

Download
memory/2816-141-0x000000013FC40000-0x000000013FF94000-memory.dmp

Filesize
3.3MB

Download
memory/2816-89-0x000000013FC40000-0x000000013FF94000-memory.dmp

Filesize
3.3MB

Download
memory/2816-156-0x000000013FC40000-0x000000013FF94000-memory.dmp

Filesize
3.3MB

Download
memory/3020-146-0x000000013F650000-0x000000013F9A4000-memory.dmp

Filesize
3.3MB

Download
memory/3020-68-0x000000013F650000-0x000000013F9A4000-memory.dmp

Filesize
3.3MB

Download
memory/3020-12-0x000000013F650000-0x000000013F9A4000-memory.dmp

Filesize
3.3MB

Download
memory/3068-144-0x000000013FC80000-0x000000013FFD4000-memory.dmp

Filesize
3.3MB

Download
memory/3068-104-0x000000013FC80000-0x000000013FFD4000-memory.dmp

Filesize
3.3MB

Download
memory/3068-39-0x000000013F020000-0x000000013F374000-memory.dmp

Filesize
3.3MB

Download
memory/3068-54-0x000000013FC50000-0x000000013FFA4000-memory.dmp

Filesize
3.3MB

Download
memory/3068-34-0x000000013FF40000-0x0000000140294000-memory.dmp

Filesize
3.3MB

Download
memory/3068-0-0x000000013F4B0000-0x000000013F804000-memory.dmp

Filesize
3.3MB

Download
memory/3068-60-0x000000013F4B0000-0x000000013F804000-memory.dmp

Filesize
3.3MB

Download
memory/3068-69-0x0000000002210000-0x0000000002564000-memory.dmp

Filesize
3.3MB

Download
memory/3068-21-0x000000013F0E0000-0x000000013F434000-memory.dmp

Filesize
3.3MB

Download
memory/3068-142-0x000000013FDF0000-0x0000000140144000-memory.dmp

Filesize
3.3MB

Download
memory/3068-81-0x0000000002210000-0x0000000002564000-memory.dmp

Filesize
3.3MB

Download
memory/3068-28-0x000000013FEE0000-0x0000000140234000-memory.dmp

Filesize
3.3MB

Download
memory/3068-140-0x000000013FC40000-0x000000013FF94000-memory.dmp

Filesize
3.3MB

Download
memory/3068-97-0x000000013FDF0000-0x0000000140144000-memory.dmp

Filesize
3.3MB

Download
memory/3068-88-0x000000013FC40000-0x000000013FF94000-memory.dmp

Filesize
3.3MB

Download
memory/3068-137-0x0000000002210000-0x0000000002564000-memory.dmp

Filesize
3.3MB

Download
memory/3068-14-0x0000000002210000-0x0000000002564000-memory.dmp

Filesize
3.3MB

Download
memory/3068-1-0x0000000000180000-0x0000000000190000-memory.dmp

Filesize
64KB

Download