cobaltstrike | 12c0ac6bdb93eeb72f99fb6422728326bf1aaef955c141e88018dd50fd7f70c6

Analysis

max time kernel
139s
max time network
149s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11-06-2024 12:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

0ce520b34f80bab5324dc0f4cee84f9c
SHA1

9b5a7e11774483f355615ace756c5929f445bba1
SHA256

12c0ac6bdb93eeb72f99fb6422728326bf1aaef955c141e88018dd50fd7f70c6
SHA512

939153b1ff08bb76b9e38d1418c906bdcbce9dfe910ea6277f6aebdfed741adea46e99c6776a1a662d483c61f3bd248283d572e59a4f59e7dac861782c836885
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUw:Q+856utgpPF8u/7w

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\system\srganOc.exe	cobalt_reflective_dll
\Windows\system\VVjfJtD.exe	cobalt_reflective_dll
C:\Windows\system\rbDtaVI.exe	cobalt_reflective_dll
C:\Windows\system\afqtyQf.exe	cobalt_reflective_dll
C:\Windows\system\ivysrkH.exe	cobalt_reflective_dll
C:\Windows\system\wNcTuKC.exe	cobalt_reflective_dll
\Windows\system\QUhxwYT.exe	cobalt_reflective_dll
\Windows\system\ITScoqs.exe	cobalt_reflective_dll
C:\Windows\system\cKEKutv.exe	cobalt_reflective_dll
C:\Windows\system\SjJxzQE.exe	cobalt_reflective_dll
\Windows\system\EqKhLHi.exe	cobalt_reflective_dll
\Windows\system\jPkMGmZ.exe	cobalt_reflective_dll
C:\Windows\system\EgJlgFs.exe	cobalt_reflective_dll
C:\Windows\system\TgmwUBi.exe	cobalt_reflective_dll
C:\Windows\system\cqSiMLk.exe	cobalt_reflective_dll
C:\Windows\system\aytMGwr.exe	cobalt_reflective_dll
C:\Windows\system\VnlciFd.exe	cobalt_reflective_dll
C:\Windows\system\dJEbCZT.exe	cobalt_reflective_dll
C:\Windows\system\DuvQRCl.exe	cobalt_reflective_dll
C:\Windows\system\JtyebIS.exe	cobalt_reflective_dll
C:\Windows\system\UjMaCbB.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\system\srganOc.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\VVjfJtD.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\rbDtaVI.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\afqtyQf.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\ivysrkH.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\wNcTuKC.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\QUhxwYT.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\ITScoqs.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\cKEKutv.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\SjJxzQE.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\EqKhLHi.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\jPkMGmZ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\EgJlgFs.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\TgmwUBi.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\cqSiMLk.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\aytMGwr.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\VnlciFd.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\dJEbCZT.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\DuvQRCl.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\JtyebIS.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\UjMaCbB.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 58 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1964-1-0x000000013FA20000-0x000000013FD74000-memory.dmp	UPX
C:\Windows\system\srganOc.exe	UPX
behavioral1/memory/1208-9-0x000000013F1C0000-0x000000013F514000-memory.dmp	UPX
\Windows\system\VVjfJtD.exe	UPX
behavioral1/memory/2692-17-0x000000013F280000-0x000000013F5D4000-memory.dmp	UPX
C:\Windows\system\rbDtaVI.exe	UPX
behavioral1/memory/2540-28-0x000000013F1C0000-0x000000013F514000-memory.dmp	UPX
behavioral1/memory/2620-27-0x000000013FDA0000-0x00000001400F4000-memory.dmp	UPX
C:\Windows\system\afqtyQf.exe	UPX
C:\Windows\system\ivysrkH.exe	UPX
behavioral1/memory/2568-34-0x000000013FC60000-0x000000013FFB4000-memory.dmp	UPX
C:\Windows\system\wNcTuKC.exe	UPX
behavioral1/memory/2444-41-0x000000013F7A0000-0x000000013FAF4000-memory.dmp	UPX
behavioral1/memory/1964-40-0x000000013FA20000-0x000000013FD74000-memory.dmp	UPX
\Windows\system\QUhxwYT.exe	UPX
behavioral1/memory/2860-48-0x000000013FE50000-0x00000001401A4000-memory.dmp	UPX
behavioral1/memory/2660-53-0x000000013F590000-0x000000013F8E4000-memory.dmp	UPX
\Windows\system\ITScoqs.exe	UPX
C:\Windows\system\cKEKutv.exe	UPX
behavioral1/memory/1656-69-0x000000013FC10000-0x000000013FF64000-memory.dmp	UPX
behavioral1/memory/2424-61-0x000000013FA30000-0x000000013FD84000-memory.dmp	UPX
behavioral1/memory/2692-59-0x000000013F280000-0x000000013F5D4000-memory.dmp	UPX
C:\Windows\system\SjJxzQE.exe	UPX
\Windows\system\EqKhLHi.exe	UPX
\Windows\system\jPkMGmZ.exe	UPX
behavioral1/memory/1464-98-0x000000013F5B0000-0x000000013F904000-memory.dmp	UPX
behavioral1/memory/2568-96-0x000000013FC60000-0x000000013FFB4000-memory.dmp	UPX
C:\Windows\system\EgJlgFs.exe	UPX
C:\Windows\system\TgmwUBi.exe	UPX
C:\Windows\system\cqSiMLk.exe	UPX
C:\Windows\system\aytMGwr.exe	UPX
C:\Windows\system\VnlciFd.exe	UPX
C:\Windows\system\dJEbCZT.exe	UPX
C:\Windows\system\DuvQRCl.exe	UPX
behavioral1/memory/1488-89-0x000000013F590000-0x000000013F8E4000-memory.dmp	UPX
behavioral1/memory/2272-75-0x000000013FD40000-0x0000000140094000-memory.dmp	UPX
behavioral1/memory/1576-81-0x000000013F8D0000-0x000000013FC24000-memory.dmp	UPX
C:\Windows\system\JtyebIS.exe	UPX
C:\Windows\system\UjMaCbB.exe	UPX
behavioral1/memory/2660-133-0x000000013F590000-0x000000013F8E4000-memory.dmp	UPX
behavioral1/memory/2424-135-0x000000013FA30000-0x000000013FD84000-memory.dmp	UPX
behavioral1/memory/2272-137-0x000000013FD40000-0x0000000140094000-memory.dmp	UPX
behavioral1/memory/1576-138-0x000000013F8D0000-0x000000013FC24000-memory.dmp	UPX
behavioral1/memory/1488-140-0x000000013F590000-0x000000013F8E4000-memory.dmp	UPX
behavioral1/memory/1208-141-0x000000013F1C0000-0x000000013F514000-memory.dmp	UPX
behavioral1/memory/2692-142-0x000000013F280000-0x000000013F5D4000-memory.dmp	UPX
behavioral1/memory/2620-143-0x000000013FDA0000-0x00000001400F4000-memory.dmp	UPX
behavioral1/memory/2540-144-0x000000013F1C0000-0x000000013F514000-memory.dmp	UPX
behavioral1/memory/2568-145-0x000000013FC60000-0x000000013FFB4000-memory.dmp	UPX
behavioral1/memory/2444-146-0x000000013F7A0000-0x000000013FAF4000-memory.dmp	UPX
behavioral1/memory/2860-147-0x000000013FE50000-0x00000001401A4000-memory.dmp	UPX
behavioral1/memory/2660-148-0x000000013F590000-0x000000013F8E4000-memory.dmp	UPX
behavioral1/memory/2424-149-0x000000013FA30000-0x000000013FD84000-memory.dmp	UPX
behavioral1/memory/1656-150-0x000000013FC10000-0x000000013FF64000-memory.dmp	UPX
behavioral1/memory/1576-151-0x000000013F8D0000-0x000000013FC24000-memory.dmp	UPX
behavioral1/memory/1464-153-0x000000013F5B0000-0x000000013F904000-memory.dmp	UPX
behavioral1/memory/2272-152-0x000000013FD40000-0x0000000140094000-memory.dmp	UPX
behavioral1/memory/1488-154-0x000000013F590000-0x000000013F8E4000-memory.dmp	UPX

XMRig Miner payload 60 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/1964-1-0x000000013FA20000-0x000000013FD74000-memory.dmp	xmrig
C:\Windows\system\srganOc.exe	xmrig
behavioral1/memory/1208-9-0x000000013F1C0000-0x000000013F514000-memory.dmp	xmrig
\Windows\system\VVjfJtD.exe	xmrig
behavioral1/memory/2692-17-0x000000013F280000-0x000000013F5D4000-memory.dmp	xmrig
C:\Windows\system\rbDtaVI.exe	xmrig
behavioral1/memory/2540-28-0x000000013F1C0000-0x000000013F514000-memory.dmp	xmrig
behavioral1/memory/2620-27-0x000000013FDA0000-0x00000001400F4000-memory.dmp	xmrig
C:\Windows\system\afqtyQf.exe	xmrig
C:\Windows\system\ivysrkH.exe	xmrig
behavioral1/memory/2568-34-0x000000013FC60000-0x000000013FFB4000-memory.dmp	xmrig
C:\Windows\system\wNcTuKC.exe	xmrig
behavioral1/memory/2444-41-0x000000013F7A0000-0x000000013FAF4000-memory.dmp	xmrig
behavioral1/memory/1964-40-0x000000013FA20000-0x000000013FD74000-memory.dmp	xmrig
\Windows\system\QUhxwYT.exe	xmrig
behavioral1/memory/2860-48-0x000000013FE50000-0x00000001401A4000-memory.dmp	xmrig
behavioral1/memory/2660-53-0x000000013F590000-0x000000013F8E4000-memory.dmp	xmrig
\Windows\system\ITScoqs.exe	xmrig
C:\Windows\system\cKEKutv.exe	xmrig
behavioral1/memory/1656-69-0x000000013FC10000-0x000000013FF64000-memory.dmp	xmrig
behavioral1/memory/2424-61-0x000000013FA30000-0x000000013FD84000-memory.dmp	xmrig
behavioral1/memory/1964-60-0x0000000002230000-0x0000000002584000-memory.dmp	xmrig
behavioral1/memory/2692-59-0x000000013F280000-0x000000013F5D4000-memory.dmp	xmrig
C:\Windows\system\SjJxzQE.exe	xmrig
\Windows\system\EqKhLHi.exe	xmrig
\Windows\system\jPkMGmZ.exe	xmrig
behavioral1/memory/1464-98-0x000000013F5B0000-0x000000013F904000-memory.dmp	xmrig
behavioral1/memory/2568-96-0x000000013FC60000-0x000000013FFB4000-memory.dmp	xmrig
C:\Windows\system\EgJlgFs.exe	xmrig
C:\Windows\system\TgmwUBi.exe	xmrig
C:\Windows\system\cqSiMLk.exe	xmrig
C:\Windows\system\aytMGwr.exe	xmrig
C:\Windows\system\VnlciFd.exe	xmrig
C:\Windows\system\dJEbCZT.exe	xmrig
C:\Windows\system\DuvQRCl.exe	xmrig
behavioral1/memory/1964-85-0x000000013F590000-0x000000013F8E4000-memory.dmp	xmrig
behavioral1/memory/1488-89-0x000000013F590000-0x000000013F8E4000-memory.dmp	xmrig
behavioral1/memory/2272-75-0x000000013FD40000-0x0000000140094000-memory.dmp	xmrig
behavioral1/memory/1576-81-0x000000013F8D0000-0x000000013FC24000-memory.dmp	xmrig
C:\Windows\system\JtyebIS.exe	xmrig
C:\Windows\system\UjMaCbB.exe	xmrig
behavioral1/memory/2660-133-0x000000013F590000-0x000000013F8E4000-memory.dmp	xmrig
behavioral1/memory/2424-135-0x000000013FA30000-0x000000013FD84000-memory.dmp	xmrig
behavioral1/memory/2272-137-0x000000013FD40000-0x0000000140094000-memory.dmp	xmrig
behavioral1/memory/1576-138-0x000000013F8D0000-0x000000013FC24000-memory.dmp	xmrig
behavioral1/memory/1488-140-0x000000013F590000-0x000000013F8E4000-memory.dmp	xmrig
behavioral1/memory/1208-141-0x000000013F1C0000-0x000000013F514000-memory.dmp	xmrig
behavioral1/memory/2692-142-0x000000013F280000-0x000000013F5D4000-memory.dmp	xmrig
behavioral1/memory/2620-143-0x000000013FDA0000-0x00000001400F4000-memory.dmp	xmrig
behavioral1/memory/2540-144-0x000000013F1C0000-0x000000013F514000-memory.dmp	xmrig
behavioral1/memory/2568-145-0x000000013FC60000-0x000000013FFB4000-memory.dmp	xmrig
behavioral1/memory/2444-146-0x000000013F7A0000-0x000000013FAF4000-memory.dmp	xmrig
behavioral1/memory/2860-147-0x000000013FE50000-0x00000001401A4000-memory.dmp	xmrig
behavioral1/memory/2660-148-0x000000013F590000-0x000000013F8E4000-memory.dmp	xmrig
behavioral1/memory/2424-149-0x000000013FA30000-0x000000013FD84000-memory.dmp	xmrig
behavioral1/memory/1656-150-0x000000013FC10000-0x000000013FF64000-memory.dmp	xmrig
behavioral1/memory/1576-151-0x000000013F8D0000-0x000000013FC24000-memory.dmp	xmrig
behavioral1/memory/1464-153-0x000000013F5B0000-0x000000013F904000-memory.dmp	xmrig
behavioral1/memory/2272-152-0x000000013FD40000-0x0000000140094000-memory.dmp	xmrig
behavioral1/memory/1488-154-0x000000013F590000-0x000000013F8E4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

srganOc.exeVVjfJtD.exerbDtaVI.exeafqtyQf.exeivysrkH.exewNcTuKC.exeQUhxwYT.exeUjMaCbB.exeITScoqs.execKEKutv.exeJtyebIS.exeSjJxzQE.exejPkMGmZ.exeEqKhLHi.exeDuvQRCl.exedJEbCZT.exeVnlciFd.exeaytMGwr.execqSiMLk.exeTgmwUBi.exeEgJlgFs.exe

pid	process
1208	srganOc.exe
2692	VVjfJtD.exe
2540	rbDtaVI.exe
2620	afqtyQf.exe
2568	ivysrkH.exe
2444	wNcTuKC.exe
2860	QUhxwYT.exe
2660	UjMaCbB.exe
2424	ITScoqs.exe
1656	cKEKutv.exe
2272	JtyebIS.exe
1576	SjJxzQE.exe
1488	jPkMGmZ.exe
1464	EqKhLHi.exe
1040	DuvQRCl.exe
768	dJEbCZT.exe
2164	VnlciFd.exe
296	aytMGwr.exe
1924	cqSiMLk.exe
2244	TgmwUBi.exe
2700	EgJlgFs.exe

Loads dropped DLL 21 IoCs

Processes:

2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe

pid	process
1964	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe
1964	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe
1964	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe
1964	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe
1964	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe
1964	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe
1964	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe
1964	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe
1964	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe
1964	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe
1964	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe
1964	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe
1964	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe
1964	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe
1964	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe
1964	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe
1964	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe
1964	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe
1964	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe
1964	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe
1964	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe

UPX packed file 58 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1964-1-0x000000013FA20000-0x000000013FD74000-memory.dmp	upx
C:\Windows\system\srganOc.exe	upx
behavioral1/memory/1208-9-0x000000013F1C0000-0x000000013F514000-memory.dmp	upx
\Windows\system\VVjfJtD.exe	upx
behavioral1/memory/2692-17-0x000000013F280000-0x000000013F5D4000-memory.dmp	upx
C:\Windows\system\rbDtaVI.exe	upx
behavioral1/memory/2540-28-0x000000013F1C0000-0x000000013F514000-memory.dmp	upx
behavioral1/memory/2620-27-0x000000013FDA0000-0x00000001400F4000-memory.dmp	upx
C:\Windows\system\afqtyQf.exe	upx
C:\Windows\system\ivysrkH.exe	upx
behavioral1/memory/2568-34-0x000000013FC60000-0x000000013FFB4000-memory.dmp	upx
C:\Windows\system\wNcTuKC.exe	upx
behavioral1/memory/2444-41-0x000000013F7A0000-0x000000013FAF4000-memory.dmp	upx
behavioral1/memory/1964-40-0x000000013FA20000-0x000000013FD74000-memory.dmp	upx
\Windows\system\QUhxwYT.exe	upx
behavioral1/memory/2860-48-0x000000013FE50000-0x00000001401A4000-memory.dmp	upx
behavioral1/memory/2660-53-0x000000013F590000-0x000000013F8E4000-memory.dmp	upx
\Windows\system\ITScoqs.exe	upx
C:\Windows\system\cKEKutv.exe	upx
behavioral1/memory/1656-69-0x000000013FC10000-0x000000013FF64000-memory.dmp	upx
behavioral1/memory/2424-61-0x000000013FA30000-0x000000013FD84000-memory.dmp	upx
behavioral1/memory/2692-59-0x000000013F280000-0x000000013F5D4000-memory.dmp	upx
C:\Windows\system\SjJxzQE.exe	upx
\Windows\system\EqKhLHi.exe	upx
\Windows\system\jPkMGmZ.exe	upx
behavioral1/memory/1464-98-0x000000013F5B0000-0x000000013F904000-memory.dmp	upx
behavioral1/memory/2568-96-0x000000013FC60000-0x000000013FFB4000-memory.dmp	upx
C:\Windows\system\EgJlgFs.exe	upx
C:\Windows\system\TgmwUBi.exe	upx
C:\Windows\system\cqSiMLk.exe	upx
C:\Windows\system\aytMGwr.exe	upx
C:\Windows\system\VnlciFd.exe	upx
C:\Windows\system\dJEbCZT.exe	upx
C:\Windows\system\DuvQRCl.exe	upx
behavioral1/memory/1488-89-0x000000013F590000-0x000000013F8E4000-memory.dmp	upx
behavioral1/memory/2272-75-0x000000013FD40000-0x0000000140094000-memory.dmp	upx
behavioral1/memory/1576-81-0x000000013F8D0000-0x000000013FC24000-memory.dmp	upx
C:\Windows\system\JtyebIS.exe	upx
C:\Windows\system\UjMaCbB.exe	upx
behavioral1/memory/2660-133-0x000000013F590000-0x000000013F8E4000-memory.dmp	upx
behavioral1/memory/2424-135-0x000000013FA30000-0x000000013FD84000-memory.dmp	upx
behavioral1/memory/2272-137-0x000000013FD40000-0x0000000140094000-memory.dmp	upx
behavioral1/memory/1576-138-0x000000013F8D0000-0x000000013FC24000-memory.dmp	upx
behavioral1/memory/1488-140-0x000000013F590000-0x000000013F8E4000-memory.dmp	upx
behavioral1/memory/1208-141-0x000000013F1C0000-0x000000013F514000-memory.dmp	upx
behavioral1/memory/2692-142-0x000000013F280000-0x000000013F5D4000-memory.dmp	upx
behavioral1/memory/2620-143-0x000000013FDA0000-0x00000001400F4000-memory.dmp	upx
behavioral1/memory/2540-144-0x000000013F1C0000-0x000000013F514000-memory.dmp	upx
behavioral1/memory/2568-145-0x000000013FC60000-0x000000013FFB4000-memory.dmp	upx
behavioral1/memory/2444-146-0x000000013F7A0000-0x000000013FAF4000-memory.dmp	upx
behavioral1/memory/2860-147-0x000000013FE50000-0x00000001401A4000-memory.dmp	upx
behavioral1/memory/2660-148-0x000000013F590000-0x000000013F8E4000-memory.dmp	upx
behavioral1/memory/2424-149-0x000000013FA30000-0x000000013FD84000-memory.dmp	upx
behavioral1/memory/1656-150-0x000000013FC10000-0x000000013FF64000-memory.dmp	upx
behavioral1/memory/1576-151-0x000000013F8D0000-0x000000013FC24000-memory.dmp	upx
behavioral1/memory/1464-153-0x000000013F5B0000-0x000000013F904000-memory.dmp	upx
behavioral1/memory/2272-152-0x000000013FD40000-0x0000000140094000-memory.dmp	upx
behavioral1/memory/1488-154-0x000000013F590000-0x000000013F8E4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\VnlciFd.exe	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\aytMGwr.exe	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\cKEKutv.exe	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\jPkMGmZ.exe	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\DuvQRCl.exe	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\QUhxwYT.exe	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ITScoqs.exe	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\dJEbCZT.exe	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\cqSiMLk.exe	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\srganOc.exe	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\rbDtaVI.exe	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\afqtyQf.exe	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\TgmwUBi.exe	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\VVjfJtD.exe	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\SjJxzQE.exe	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\EqKhLHi.exe	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\JtyebIS.exe	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\EgJlgFs.exe	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ivysrkH.exe	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\wNcTuKC.exe	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\UjMaCbB.exe	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	1964	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	1964	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 1964 wrote to memory of 1208	1964	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	srganOc.exe
PID 1964 wrote to memory of 1208	1964	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	srganOc.exe
PID 1964 wrote to memory of 1208	1964	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	srganOc.exe
PID 1964 wrote to memory of 2692	1964	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	VVjfJtD.exe
PID 1964 wrote to memory of 2692	1964	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	VVjfJtD.exe
PID 1964 wrote to memory of 2692	1964	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	VVjfJtD.exe
PID 1964 wrote to memory of 2540	1964	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	rbDtaVI.exe
PID 1964 wrote to memory of 2540	1964	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	rbDtaVI.exe
PID 1964 wrote to memory of 2540	1964	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	rbDtaVI.exe
PID 1964 wrote to memory of 2620	1964	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	afqtyQf.exe
PID 1964 wrote to memory of 2620	1964	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	afqtyQf.exe
PID 1964 wrote to memory of 2620	1964	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	afqtyQf.exe
PID 1964 wrote to memory of 2568	1964	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	ivysrkH.exe
PID 1964 wrote to memory of 2568	1964	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	ivysrkH.exe
PID 1964 wrote to memory of 2568	1964	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	ivysrkH.exe
PID 1964 wrote to memory of 2444	1964	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	wNcTuKC.exe
PID 1964 wrote to memory of 2444	1964	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	wNcTuKC.exe
PID 1964 wrote to memory of 2444	1964	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	wNcTuKC.exe
PID 1964 wrote to memory of 2860	1964	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	QUhxwYT.exe
PID 1964 wrote to memory of 2860	1964	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	QUhxwYT.exe
PID 1964 wrote to memory of 2860	1964	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	QUhxwYT.exe
PID 1964 wrote to memory of 2660	1964	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	UjMaCbB.exe
PID 1964 wrote to memory of 2660	1964	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	UjMaCbB.exe
PID 1964 wrote to memory of 2660	1964	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	UjMaCbB.exe
PID 1964 wrote to memory of 2424	1964	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	ITScoqs.exe
PID 1964 wrote to memory of 2424	1964	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	ITScoqs.exe
PID 1964 wrote to memory of 2424	1964	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	ITScoqs.exe
PID 1964 wrote to memory of 1656	1964	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	cKEKutv.exe
PID 1964 wrote to memory of 1656	1964	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	cKEKutv.exe
PID 1964 wrote to memory of 1656	1964	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	cKEKutv.exe
PID 1964 wrote to memory of 2272	1964	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	JtyebIS.exe
PID 1964 wrote to memory of 2272	1964	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	JtyebIS.exe
PID 1964 wrote to memory of 2272	1964	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	JtyebIS.exe
PID 1964 wrote to memory of 1576	1964	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	SjJxzQE.exe
PID 1964 wrote to memory of 1576	1964	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	SjJxzQE.exe
PID 1964 wrote to memory of 1576	1964	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	SjJxzQE.exe
PID 1964 wrote to memory of 1488	1964	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	jPkMGmZ.exe
PID 1964 wrote to memory of 1488	1964	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	jPkMGmZ.exe
PID 1964 wrote to memory of 1488	1964	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	jPkMGmZ.exe
PID 1964 wrote to memory of 1464	1964	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	EqKhLHi.exe
PID 1964 wrote to memory of 1464	1964	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	EqKhLHi.exe
PID 1964 wrote to memory of 1464	1964	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	EqKhLHi.exe
PID 1964 wrote to memory of 1040	1964	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	DuvQRCl.exe
PID 1964 wrote to memory of 1040	1964	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	DuvQRCl.exe
PID 1964 wrote to memory of 1040	1964	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	DuvQRCl.exe
PID 1964 wrote to memory of 768	1964	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	dJEbCZT.exe
PID 1964 wrote to memory of 768	1964	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	dJEbCZT.exe
PID 1964 wrote to memory of 768	1964	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	dJEbCZT.exe
PID 1964 wrote to memory of 2164	1964	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	VnlciFd.exe
PID 1964 wrote to memory of 2164	1964	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	VnlciFd.exe
PID 1964 wrote to memory of 2164	1964	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	VnlciFd.exe
PID 1964 wrote to memory of 296	1964	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	aytMGwr.exe
PID 1964 wrote to memory of 296	1964	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	aytMGwr.exe
PID 1964 wrote to memory of 296	1964	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	aytMGwr.exe
PID 1964 wrote to memory of 1924	1964	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	cqSiMLk.exe
PID 1964 wrote to memory of 1924	1964	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	cqSiMLk.exe
PID 1964 wrote to memory of 1924	1964	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	cqSiMLk.exe
PID 1964 wrote to memory of 2244	1964	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	TgmwUBi.exe
PID 1964 wrote to memory of 2244	1964	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	TgmwUBi.exe
PID 1964 wrote to memory of 2244	1964	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	TgmwUBi.exe
PID 1964 wrote to memory of 2700	1964	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	EgJlgFs.exe
PID 1964 wrote to memory of 2700	1964	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	EgJlgFs.exe
PID 1964 wrote to memory of 2700	1964	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	EgJlgFs.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\System\srganOc.exe
C:\Windows\System\srganOc.exe
2⤵
- Executes dropped EXE
PID:1208

C:\Windows\System\VVjfJtD.exe
C:\Windows\System\VVjfJtD.exe
2⤵
- Executes dropped EXE
PID:2692

C:\Windows\System\rbDtaVI.exe
C:\Windows\System\rbDtaVI.exe
2⤵
- Executes dropped EXE
PID:2540

C:\Windows\System\afqtyQf.exe
C:\Windows\System\afqtyQf.exe
2⤵
- Executes dropped EXE
PID:2620

C:\Windows\System\ivysrkH.exe
C:\Windows\System\ivysrkH.exe
2⤵
- Executes dropped EXE
PID:2568

C:\Windows\System\wNcTuKC.exe
C:\Windows\System\wNcTuKC.exe
2⤵
- Executes dropped EXE
PID:2444

C:\Windows\System\QUhxwYT.exe
C:\Windows\System\QUhxwYT.exe
2⤵
- Executes dropped EXE
PID:2860

C:\Windows\System\UjMaCbB.exe
C:\Windows\System\UjMaCbB.exe
2⤵
- Executes dropped EXE
PID:2660

C:\Windows\System\ITScoqs.exe
C:\Windows\System\ITScoqs.exe
2⤵
- Executes dropped EXE
PID:2424

C:\Windows\System\cKEKutv.exe
C:\Windows\System\cKEKutv.exe
2⤵
- Executes dropped EXE
PID:1656

C:\Windows\System\JtyebIS.exe
C:\Windows\System\JtyebIS.exe
2⤵
- Executes dropped EXE
PID:2272

C:\Windows\System\SjJxzQE.exe
C:\Windows\System\SjJxzQE.exe
2⤵
- Executes dropped EXE
PID:1576

C:\Windows\System\jPkMGmZ.exe
C:\Windows\System\jPkMGmZ.exe
2⤵
- Executes dropped EXE
PID:1488

C:\Windows\System\EqKhLHi.exe
C:\Windows\System\EqKhLHi.exe
2⤵
- Executes dropped EXE
PID:1464

C:\Windows\System\DuvQRCl.exe
C:\Windows\System\DuvQRCl.exe
2⤵
- Executes dropped EXE
PID:1040

C:\Windows\System\dJEbCZT.exe
C:\Windows\System\dJEbCZT.exe
2⤵
- Executes dropped EXE
PID:768

C:\Windows\System\VnlciFd.exe
C:\Windows\System\VnlciFd.exe
2⤵
- Executes dropped EXE
PID:2164

C:\Windows\System\aytMGwr.exe
C:\Windows\System\aytMGwr.exe
2⤵
- Executes dropped EXE
PID:296

C:\Windows\System\cqSiMLk.exe
C:\Windows\System\cqSiMLk.exe
2⤵
- Executes dropped EXE
PID:1924

C:\Windows\System\TgmwUBi.exe
C:\Windows\System\TgmwUBi.exe
2⤵
- Executes dropped EXE
PID:2244

C:\Windows\System\EgJlgFs.exe
C:\Windows\System\EgJlgFs.exe
2⤵
- Executes dropped EXE
PID:2700

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\DuvQRCl.exe
Filesize
5.9MB

MD5
c7819c9bc12f73983aa1c3bc225e705e

SHA1
5b1c820ce57615b8c4ea2dc196337ecd620025a1

SHA256
2c7f43bc0f2412747a9ad90e760a17e317023d1c9d732401c8ecbedfa6044a97

SHA512
e32454f3d5e87b50d5ed6c817f3e4feaba4d66b63bcbfc2141d7d2bb8e0d54ebff216fd88ef8a2f56e6b87afe74fb50a8baf185cc035f716e6be71701707d7f9

Download Submit
C:\Windows\system\EgJlgFs.exe
Filesize
5.9MB

MD5
12e0e079e79baf0316598766177380c9

SHA1
e69bd328be9fc7697710fe0dce396173f3ffb441

SHA256
0e2d0a38b3ba1e1bb4c891dd3342dbbc6982b3d1adf170220a23e1ea5c7102ce

SHA512
e5a04569aebd71c456b5e3a36c15e0a1b066944ca1083620d1ea6421e91891c2f775c940d5026cba560fa80525d05fdd82ed848d0effe275346e58e44919752e

Download Submit
C:\Windows\system\JtyebIS.exe
Filesize
5.9MB

MD5
731c977c8ed9574bd7421eb65f20f556

SHA1
eec0d5ce1e9dc1b898e80cff7d62c9052cdc40a9

SHA256
250c13590dafcdebe625be6241b8840760167aaf96e26489d343dbd299e3ba23

SHA512
64b70ae481259e18316baf57197e1372581ac6ab01fb2ca7c19ac43bcad0df78fd05c64ae8d0f0d9ffdf7d326bf743b38b6d44aaccc533ffecb9c911ba8e0863

Download Submit
C:\Windows\system\SjJxzQE.exe
Filesize
5.9MB

MD5
c73be2511eef0d59d52432251cc34632

SHA1
a712e48535049f1aefe199161e7640c598d4ea2d

SHA256
4f60ba1136d203a97cbfb9e999448e64a113b49a2165db8c51f81723e3491b68

SHA512
c9d721bf90ca43bcf41ed371e4e5d122763259dccf3b1cc328e946021fa9d966ee590ea908d51895de7e4fcbd2f0753ae5f24dac652484b6f7b0df262420e534

Download Submit
C:\Windows\system\TgmwUBi.exe
Filesize
5.9MB

MD5
5648baa143995dbf30f3f1db37a5ead4

SHA1
793bd1c0a240b74cc1bfc028f588781586368a0a

SHA256
470ca6be5f8f8aa9cd072bfeb4de3508ad2d63cef1f827f49841bd68c70ea981

SHA512
1e97df5a510170fd59f91e0286c41d9ae502dd293708bb68a914032368d1f1e22c0c8b61387fc31d095d7cfcfde987d813b7f5691910027b9beb18f74f2348dc

Download Submit
C:\Windows\system\UjMaCbB.exe
Filesize
5.9MB

MD5
157b486c85e3a97b23355e192ae8a431

SHA1
267355182adcdbe8e6e368261642703b1372140b

SHA256
9f23b995c13224d6fe6ba73095049db634780f201dd4ac9acc495f47baf4d5f3

SHA512
7aad7ac5695b9885e52671f03853cfbee817e6cb6092bfbaed2a2c69098536653865c15b6faacb6007a438fb703ff260323cfd8b75762f0696e904073f12d351

Download Submit
C:\Windows\system\VnlciFd.exe
Filesize
5.9MB

MD5
e8402c12857b11c4696e43685d0bbfb8

SHA1
1d8e688ac58f04c2d6a8b8fb99ea543582f057c6

SHA256
702556fdc57db5f306c687c96bbcdb5dee8066409025759361b6e51b37500f19

SHA512
f6d7de3368dbf2fee87f56c03c59ec8535100fe0794d3adde5f38eeb83beaa31ce6bbc750068f5e60a48f5cc5e2975620bb10d15f271b47e707adb2e2b6c0204

Download Submit
C:\Windows\system\afqtyQf.exe
Filesize
5.9MB

MD5
8aa0489eaf2b2801e635f5d990faee5a

SHA1
04c7933b14d7bce775963f54fee2dbeff05edb6c

SHA256
250bf55e42f40dd4d2292e24bed143d3afbe32e96d3111a9cae8ad7b1af85784

SHA512
88498ee668d322d725176b2b4ac3a9bd730a52e337d7025545a6473f7c58de9d25180e758888245fc791b375d8abc1e7b53f8b8137b39927a6b6f72129f8d466

Download Submit
C:\Windows\system\aytMGwr.exe
Filesize
5.9MB

MD5
87da63e98df8286963c895e5565fbcf7

SHA1
590fa9f7349dae81baaa0fe7cffc0f8f232bea6f

SHA256
3d3e7f8a9a0ccea904d923c4d9d17df51e2d9990997a8c783caf39ddc35ab093

SHA512
01c9b94b114dddc49031cc950220f0b50b8b02b19b30a7a361dc187ecad5370f7f4d6fa4ea4dfbadec3a309cc0c5d399be0e837243fda51e6339eb6763a7aa7d

Download Submit
C:\Windows\system\cKEKutv.exe
Filesize
5.9MB

MD5
a8f2ad0392b8b5059d5c2811fc465785

SHA1
ef9589ab5a60ee19d0452965ee07383331175dac

SHA256
e37d8c7a88926f94a3bc779406f0807eb5f16d009e3f700aa187c239b7724af1

SHA512
16188700261254a91575a46c783a2576fa7f357358fb09e0ae62c3d395d1148c4e05549cbd969df98b2746a3025c6e6d3e0ce9fa034c6c05bcf7c5c9909065a8

Download Submit
C:\Windows\system\cqSiMLk.exe
Filesize
5.9MB

MD5
190913fa2f8da4038d088b0d98e106aa

SHA1
5433534535efd68c5e7b44ab9e24307b0ffbd07b

SHA256
1bda427b3a540cf711efd4137df55d93d4f48d2ac07cfeb9e2c7b82a830e3be9

SHA512
be0cc9c3bc16f33cdf5c641fb617c27e677628390dfd2c4e849e8ab3d98ff9f964a22271844636180218640611c07585617126ef7221386fae52bade35740a3e

Download Submit
C:\Windows\system\dJEbCZT.exe
Filesize
5.9MB

MD5
01ca9b7bf57400b9102adb8f2bb5541d

SHA1
822e07470d8d51a6b4ef1957b355a8db223544c1

SHA256
9e1eff739b0e2c486b314c268f7b16fff1d5d128b8dade4e6508db95201a44f3

SHA512
48143c2bfbfe26d65e5cd3a6c8cf9d2efc0779d71366ce8b069b8f0c22b709696ed892443568574c434225819b01d8382cf49cda1da81d4e994c26bf6c54113d

Download Submit
C:\Windows\system\ivysrkH.exe
Filesize
5.9MB

MD5
9789e929e5683ef7df7cba0810df1f43

SHA1
124e9e6d267104d227b341c8ac9a9d54e64ebb3e

SHA256
211242102fa25d3f0ecabc68d67aaa7c60b07c787e04f25b2ebe635c4cbf57d4

SHA512
21e4f3d2fa507c21d632b29c991752eb4d629249fe66dc7c9e97b24788bc0e1420c6e441e675e9b206c593760da401b3d911154465a4fe0977290ebf5b7f611e

Download Submit
C:\Windows\system\rbDtaVI.exe
Filesize
5.9MB

MD5
beb91594675200147799ddd2bf6b6f19

SHA1
cff8e6c41895eb20b8b40a5830dc364505b0ad9a

SHA256
bdf7e05b335b823d3eea185153a673a6bd9be152a85c727ac7b94554738b863b

SHA512
50aa852f1644c51a6445cc78a1ea534e8e0d09866bde7486a082f09c3a82de792773aa13844d3993ddfe25639f1d9e2c94323c08bd9a0b2e651258711ff336f7

Download Submit
C:\Windows\system\srganOc.exe
Filesize
5.9MB

MD5
8a7d5c8953c8ddbe106dab1a5061173f

SHA1
164ac1e588213ea8489ffe60ddc07adfb03dc9a2

SHA256
0565fb40214117d6fbe5157fb2bf95d182c00d0f2fa7798d32da6e1f02bff9e7

SHA512
bc7017e0ae8897dad754832bb8eda07a9eaf3c819350c52cd66ab7c6ade483bf2c58eae7a563f16bff58cd8212a65584442d2ab160a16f906c827671921cebc4

Download Submit
C:\Windows\system\wNcTuKC.exe
Filesize
5.9MB

MD5
10d2a8724aa2717effbc51e5c53aed23

SHA1
ad0a1ae3a9a365d126097457d602940aaf8533fb

SHA256
b524f3363b5c3e994eb9602ab7c18ff3245fee91bcb4775246ca07bd7c69fdb6

SHA512
5bbe48566468e1ee1f085a8aa91ea0da7622f464c0e2b926e68036e0e73aa356aa7a3ee7068855683e430a5e8f8702db1dd88734829f5ac8abd2a0a19e187713

Download Submit
\Windows\system\EqKhLHi.exe
Filesize
5.9MB

MD5
f99f66dcb5fb3f98e7cdbe6908a9d38c

SHA1
6674aee8955142f8ce4a409dc4866505c1230087

SHA256
51ee64e80b16e18d599398089f48e73872e258c6d277eb72ad442a8f9e5d9269

SHA512
3f360848dee998cd8f7241ea9dd82c78c68206465b17ecf0b92988d4f19236e366000c0e4abec85b5e6de2144d34a8dca9546ef62438528dc9073eb45e911fe1

Download Submit
\Windows\system\ITScoqs.exe
Filesize
5.9MB

MD5
1c288fdb000b8f79a481d3ec6e81e8fc

SHA1
6261ae4b3c5d7956d5470dac698957e2c1649eb2

SHA256
372a7baf6437d87a98198e1231d72470c7aeac860cdeea2b6d6c31108081220d

SHA512
f5bb192ccc34461727d23e36502064e5ae756379f04720580d49b7182f0fbb9201b0d2677383750a77f81d68ab628b5cc5d4b4086685e4e98a033084fadbb7d1

Download Submit
\Windows\system\QUhxwYT.exe
Filesize
5.9MB

MD5
60303537569407be2b95f1a10a17c55d

SHA1
dd0023195ec7a1a471486020b6c49a7bbb650282

SHA256
1aff7422ca868bea773869cdd63d9934a339b684df3b1caca3dccaaf2051d3b4

SHA512
1d6d9ef26dbd2c4606ea480847abc91bce4b48966bdf0f9cb205cdd29e550bc5b2a08229240bd0355f3c95a4b8714f4b8ba3627c10eafc1f3926fc9b9159c073

Download Submit
\Windows\system\VVjfJtD.exe
Filesize
5.9MB

MD5
223d1eb5060ae1ec8d6b0cb01a254a58

SHA1
d7e6a5b0a1557e8749d9ea94556e3ef38b62439f

SHA256
abbf5169a4e7b2f807e6f3550fe3f7553f1da9320a2a27363cbe17ad1a820d22

SHA512
b64a3c5b05d21b1b12323b90cbd5b28d1cb5ba032bc86ff9b3611974a29aeecd1524593077fbf707cf00bbdafe59fa8c2f16c981691318d98add71c9c7d6f287

Download Submit
\Windows\system\jPkMGmZ.exe
Filesize
5.9MB

MD5
c476d7a7d9dbd2fa3e65777e9fe64aaf

SHA1
38bb358c44e206c55f7da418ddf45fc181798577

SHA256
3b3b2948125abbfa00b0116afda520a49e4c2062d2b9f1fe92db302c0670aba1

SHA512
e4020bdac54fb642a753028d8075dd90c39b0343dca4825350a553792b307db46dd0e18908656b868a095b5e17e89eb9d4518f0ab3484d46c953656b0694c1f7

Download Submit
memory/1208-9-0x000000013F1C0000-0x000000013F514000-memory.dmp

Filesize
3.3MB

Download
memory/1208-141-0x000000013F1C0000-0x000000013F514000-memory.dmp

Filesize
3.3MB

Download
memory/1464-98-0x000000013F5B0000-0x000000013F904000-memory.dmp

Filesize
3.3MB

Download
memory/1464-153-0x000000013F5B0000-0x000000013F904000-memory.dmp

Filesize
3.3MB

Download
memory/1488-89-0x000000013F590000-0x000000013F8E4000-memory.dmp

Filesize
3.3MB

Download
memory/1488-140-0x000000013F590000-0x000000013F8E4000-memory.dmp

Filesize
3.3MB

Download
memory/1488-154-0x000000013F590000-0x000000013F8E4000-memory.dmp

Filesize
3.3MB

Download
memory/1576-151-0x000000013F8D0000-0x000000013FC24000-memory.dmp

Filesize
3.3MB

Download
memory/1576-81-0x000000013F8D0000-0x000000013FC24000-memory.dmp

Filesize
3.3MB

Download
memory/1576-138-0x000000013F8D0000-0x000000013FC24000-memory.dmp

Filesize
3.3MB

Download
memory/1656-69-0x000000013FC10000-0x000000013FF64000-memory.dmp

Filesize
3.3MB

Download
memory/1656-150-0x000000013FC10000-0x000000013FF64000-memory.dmp

Filesize
3.3MB

Download
memory/1964-40-0x000000013FA20000-0x000000013FD74000-memory.dmp

Filesize
3.3MB

Download
memory/1964-136-0x0000000002230000-0x0000000002584000-memory.dmp

Filesize
3.3MB

Download
memory/1964-90-0x000000013F5B0000-0x000000013F904000-memory.dmp

Filesize
3.3MB

Download
memory/1964-80-0x0000000002230000-0x0000000002584000-memory.dmp

Filesize
3.3MB

Download
memory/1964-68-0x0000000002230000-0x0000000002584000-memory.dmp

Filesize
3.3MB

Download
memory/1964-0-0x0000000000080000-0x0000000000090000-memory.dmp

Filesize
64KB

Download
memory/1964-60-0x0000000002230000-0x0000000002584000-memory.dmp

Filesize
3.3MB

Download
memory/1964-14-0x000000013F280000-0x000000013F5D4000-memory.dmp

Filesize
3.3MB

Download
memory/1964-47-0x000000013FE50000-0x00000001401A4000-memory.dmp

Filesize
3.3MB

Download
memory/1964-85-0x000000013F590000-0x000000013F8E4000-memory.dmp

Filesize
3.3MB

Download
memory/1964-139-0x000000013F590000-0x000000013F8E4000-memory.dmp

Filesize
3.3MB

Download
memory/1964-134-0x0000000002230000-0x0000000002584000-memory.dmp

Filesize
3.3MB

Download
memory/1964-74-0x0000000002230000-0x0000000002584000-memory.dmp

Filesize
3.3MB

Download
memory/1964-8-0x000000013F1C0000-0x000000013F514000-memory.dmp

Filesize
3.3MB

Download
memory/1964-1-0x000000013FA20000-0x000000013FD74000-memory.dmp

Filesize
3.3MB

Download
memory/2272-75-0x000000013FD40000-0x0000000140094000-memory.dmp

Filesize
3.3MB

Download
memory/2272-137-0x000000013FD40000-0x0000000140094000-memory.dmp

Filesize
3.3MB

Download
memory/2272-152-0x000000013FD40000-0x0000000140094000-memory.dmp

Filesize
3.3MB

Download
memory/2424-135-0x000000013FA30000-0x000000013FD84000-memory.dmp

Filesize
3.3MB

Download
memory/2424-149-0x000000013FA30000-0x000000013FD84000-memory.dmp

Filesize
3.3MB

Download
memory/2424-61-0x000000013FA30000-0x000000013FD84000-memory.dmp

Filesize
3.3MB

Download
memory/2444-41-0x000000013F7A0000-0x000000013FAF4000-memory.dmp

Filesize
3.3MB

Download
memory/2444-146-0x000000013F7A0000-0x000000013FAF4000-memory.dmp

Filesize
3.3MB

Download
memory/2540-28-0x000000013F1C0000-0x000000013F514000-memory.dmp

Filesize
3.3MB

Download
memory/2540-144-0x000000013F1C0000-0x000000013F514000-memory.dmp

Filesize
3.3MB

Download
memory/2568-145-0x000000013FC60000-0x000000013FFB4000-memory.dmp

Filesize
3.3MB

Download
memory/2568-96-0x000000013FC60000-0x000000013FFB4000-memory.dmp

Filesize
3.3MB

Download
memory/2568-34-0x000000013FC60000-0x000000013FFB4000-memory.dmp

Filesize
3.3MB

Download
memory/2620-143-0x000000013FDA0000-0x00000001400F4000-memory.dmp

Filesize
3.3MB

Download
memory/2620-27-0x000000013FDA0000-0x00000001400F4000-memory.dmp

Filesize
3.3MB

Download
memory/2660-148-0x000000013F590000-0x000000013F8E4000-memory.dmp

Filesize
3.3MB

Download
memory/2660-133-0x000000013F590000-0x000000013F8E4000-memory.dmp

Filesize
3.3MB

Download
memory/2660-53-0x000000013F590000-0x000000013F8E4000-memory.dmp

Filesize
3.3MB

Download
memory/2692-142-0x000000013F280000-0x000000013F5D4000-memory.dmp

Filesize
3.3MB

Download
memory/2692-17-0x000000013F280000-0x000000013F5D4000-memory.dmp

Filesize
3.3MB

Download
memory/2692-59-0x000000013F280000-0x000000013F5D4000-memory.dmp

Filesize
3.3MB

Download
memory/2860-147-0x000000013FE50000-0x00000001401A4000-memory.dmp

Filesize
3.3MB

Download
memory/2860-48-0x000000013FE50000-0x00000001401A4000-memory.dmp

Filesize
3.3MB

Download