Analysis
-
max time kernel
120s
-
max time network
104s
-
platform
windows7_x64
-
resource
win7-20240903-en
-
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
-
submitted
10/11/2024, 13:56
Behavioral task
behavioral1
Sample
9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe
Resource
win7-20240903-en
General
-
Target
9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe
-
Size
5.2MB
-
MD5
a62aadd95b5c7b7dc274d81dd746fde0
-
SHA1
43c9838be06d26639a799ff84dd81091680307d2
-
SHA256
9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8c
-
SHA512
c0388964ec9800a8aa06e526d46ab4b6bbea9e08bd6552c56b39e8cf1688820598fcdaa82df5f5c4765a53e36810b4df88b189f3ef3870389a955926333cf24d
-
SSDEEP
49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6ls:RWWBibd56utgpPFotBER/mQ32lUg
Malware Config
Extracted
cobaltstrike
0
http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
-
access_type
512
-
beacon_type
256
-
create_remote_thread
768
-
crypto_scheme
256
-
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
-
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
-
http_method1
GET
-
http_method2
POST
-
maxdns
255
-
pipe_name
\\%s\pipe\msagent_%x
-
polling_time
5000
-
port_number
443
-
sc_process32
%windir%\syswow64\rundll32.exe
-
sc_process64
%windir%\sysnative\rundll32.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
4096
-
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/N4215/adj/amzn.us.sr.aps
-
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
-
watermark
0
Signatures
-
Cobalt Strike reflective loader 21 IoCs
Detects the reflective loader used by Cobalt Strike.
resource yara_rule
behavioral1/files/0x0007000000012117-3.dat cobalt_reflective_dll
behavioral1/files/0x0008000000016115-11.dat cobalt_reflective_dll
behavioral1/files/0x00080000000162b2-12.dat cobalt_reflective_dll
behavioral1/files/0x000800000001642d-16.dat cobalt_reflective_dll
behavioral1/files/0x0008000000016d29-53.dat cobalt_reflective_dll
behavioral1/files/0x0006000000016d68-74.dat cobalt_reflective_dll
behavioral1/files/0x0006000000017079-105.dat cobalt_reflective_dll
behavioral1/files/0x00060000000173a9-121.dat cobalt_reflective_dll
behavioral1/files/0x00060000000174cc-136.dat cobalt_reflective_dll
behavioral1/files/0x0006000000017492-132.dat cobalt_reflective_dll
behavioral1/files/0x0006000000017488-127.dat cobalt_reflective_dll
behavioral1/files/0x00060000000171a8-120.dat cobalt_reflective_dll
behavioral1/files/0x00060000000173a7-116.dat cobalt_reflective_dll
behavioral1/files/0x0006000000016fdf-97.dat cobalt_reflective_dll
behavioral1/files/0x0006000000016d89-89.dat cobalt_reflective_dll
behavioral1/files/0x0006000000016d6d-81.dat cobalt_reflective_dll
behavioral1/files/0x0006000000016d64-67.dat cobalt_reflective_dll
behavioral1/files/0x0007000000016d5e-60.dat cobalt_reflective_dll
behavioral1/files/0x0007000000016814-29.dat cobalt_reflective_dll
behavioral1/files/0x0007000000016a66-38.dat cobalt_reflective_dll
behavioral1/files/0x00070000000165c2-25.dat cobalt_reflective_dll
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Cobaltstrike family
-
Xmrig family
-
XMRig Miner payload 41 IoCs
resource yara_rule
behavioral1/memory/2508-68-0x000000013FA00000-0x000000013FD51000-memory.dmp xmrig
behavioral1/memory/2056-78-0x000000013FDC0000-0x0000000140111000-memory.dmp xmrig
behavioral1/memory/1944-94-0x000000013F640000-0x000000013F991000-memory.dmp xmrig
behavioral1/memory/2508-111-0x000000013F140000-0x000000013F491000-memory.dmp xmrig
behavioral1/memory/2772-107-0x000000013F180000-0x000000013F4D1000-memory.dmp xmrig
behavioral1/memory/2972-98-0x000000013FBA0000-0x000000013FEF1000-memory.dmp xmrig
behavioral1/memory/2648-141-0x000000013FD80000-0x00000001400D1000-memory.dmp xmrig
behavioral1/memory/2508-83-0x000000013FD80000-0x00000001400D1000-memory.dmp xmrig
behavioral1/memory/2704-82-0x000000013F500000-0x000000013F851000-memory.dmp xmrig
behavioral1/memory/2952-144-0x000000013F530000-0x000000013F881000-memory.dmp xmrig
behavioral1/memory/3012-57-0x000000013FE20000-0x0000000140171000-memory.dmp xmrig
behavioral1/memory/2508-145-0x000000013FA00000-0x000000013FD51000-memory.dmp xmrig
behavioral1/memory/2328-48-0x000000013F6A0000-0x000000013F9F1000-memory.dmp xmrig
behavioral1/memory/1812-30-0x000000013F120000-0x000000013F471000-memory.dmp xmrig
behavioral1/memory/2860-44-0x000000013FD90000-0x00000001400E1000-memory.dmp xmrig
behavioral1/memory/1176-166-0x000000013F310000-0x000000013F661000-memory.dmp xmrig
behavioral1/memory/268-165-0x000000013F2F0000-0x000000013F641000-memory.dmp xmrig
behavioral1/memory/1096-164-0x000000013F1A0000-0x000000013F4F1000-memory.dmp xmrig
behavioral1/memory/1304-163-0x000000013F350000-0x000000013F6A1000-memory.dmp xmrig
behavioral1/memory/2968-162-0x000000013F5F0000-0x000000013F941000-memory.dmp xmrig
behavioral1/memory/2836-161-0x000000013FB30000-0x000000013FE81000-memory.dmp xmrig
behavioral1/memory/1580-160-0x000000013F140000-0x000000013F491000-memory.dmp xmrig
behavioral1/memory/2508-39-0x000000013F1A0000-0x000000013F4F1000-memory.dmp xmrig
behavioral1/memory/1832-37-0x000000013FB70000-0x000000013FEC1000-memory.dmp xmrig
behavioral1/memory/1736-27-0x000000013F1A0000-0x000000013F4F1000-memory.dmp xmrig
behavioral1/memory/2096-24-0x000000013F070000-0x000000013F3C1000-memory.dmp xmrig
behavioral1/memory/2508-167-0x000000013FA00000-0x000000013FD51000-memory.dmp xmrig
behavioral1/memory/2096-220-0x000000013F070000-0x000000013F3C1000-memory.dmp xmrig
behavioral1/memory/1812-222-0x000000013F120000-0x000000013F471000-memory.dmp xmrig
behavioral1/memory/1736-224-0x000000013F1A0000-0x000000013F4F1000-memory.dmp xmrig
behavioral1/memory/1832-226-0x000000013FB70000-0x000000013FEC1000-memory.dmp xmrig
behavioral1/memory/2860-228-0x000000013FD90000-0x00000001400E1000-memory.dmp xmrig
behavioral1/memory/2328-237-0x000000013F6A0000-0x000000013F9F1000-memory.dmp xmrig
behavioral1/memory/3012-239-0x000000013FE20000-0x0000000140171000-memory.dmp xmrig
behavioral1/memory/2704-241-0x000000013F500000-0x000000013F851000-memory.dmp xmrig
behavioral1/memory/2972-243-0x000000013FBA0000-0x000000013FEF1000-memory.dmp xmrig
behavioral1/memory/2772-245-0x000000013F180000-0x000000013F4D1000-memory.dmp xmrig
behavioral1/memory/2056-247-0x000000013FDC0000-0x0000000140111000-memory.dmp xmrig
behavioral1/memory/2648-249-0x000000013FD80000-0x00000001400D1000-memory.dmp xmrig
behavioral1/memory/1944-251-0x000000013F640000-0x000000013F991000-memory.dmp xmrig
behavioral1/memory/2952-260-0x000000013F530000-0x000000013F881000-memory.dmp xmrig
-
Executes dropped EXE 21 IoCs
pid Process
2096 rnlDFHl.exe
1736 oxLfYpC.exe
1812 vGKaJQF.exe
1832 dsmKYdO.exe
2860 KFPoFWg.exe
2328 riqvWkP.exe
2704 CbjxYLB.exe
3012 ZFlLtOP.exe
2972 MBayiyI.exe
2772 jsxZAxv.exe
2056 YBKPqup.exe
2648 fNkaaGg.exe
1944 PouiAeA.exe
2952 CMmyUfV.exe
1580 VyxUwaG.exe
2968 uqzhUhm.exe
2836 ftrPwmC.exe
1304 zxfVcpp.exe
1096 upIrkor.exe
268 qzHlpFZ.exe
1176 CvhcTiv.exe
-
Loads dropped DLL 21 IoCs
pid Process
2508 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe
2508 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe
2508 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe
2508 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe
2508 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe
2508 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe
2508 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe
2508 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe
2508 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe
2508 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe
2508 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe
2508 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe
2508 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe
2508 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe
2508 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe
2508 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe
2508 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe
2508 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe
2508 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe
2508 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe
2508 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe
-
resource yara_rule
behavioral1/memory/2508-0-0x000000013FA00000-0x000000013FD51000-memory.dmp upx
behavioral1/files/0x0007000000012117-3.dat upx
behavioral1/files/0x0008000000016115-11.dat upx
behavioral1/files/0x00080000000162b2-12.dat upx
behavioral1/files/0x000800000001642d-16.dat upx
behavioral1/memory/2704-49-0x000000013F500000-0x000000013F851000-memory.dmp upx
behavioral1/files/0x0008000000016d29-53.dat upx
behavioral1/memory/2972-63-0x000000013FBA0000-0x000000013FEF1000-memory.dmp upx
behavioral1/memory/2508-68-0x000000013FA00000-0x000000013FD51000-memory.dmp upx
behavioral1/files/0x0006000000016d68-74.dat upx
behavioral1/memory/2056-78-0x000000013FDC0000-0x0000000140111000-memory.dmp upx
behavioral1/memory/2648-84-0x000000013FD80000-0x00000001400D1000-memory.dmp upx
behavioral1/memory/1944-94-0x000000013F640000-0x000000013F991000-memory.dmp upx
behavioral1/files/0x0006000000017079-105.dat upx
behavioral1/files/0x00060000000173a9-121.dat upx
behavioral1/files/0x00060000000174cc-136.dat upx
behavioral1/files/0x0006000000017492-132.dat upx
behavioral1/files/0x0006000000017488-127.dat upx
behavioral1/files/0x00060000000171a8-120.dat upx
behavioral1/files/0x00060000000173a7-116.dat upx
behavioral1/memory/2772-107-0x000000013F180000-0x000000013F4D1000-memory.dmp upx
behavioral1/memory/2952-100-0x000000013F530000-0x000000013F881000-memory.dmp upx
behavioral1/memory/2972-98-0x000000013FBA0000-0x000000013FEF1000-memory.dmp upx
behavioral1/files/0x0006000000016fdf-97.dat upx
behavioral1/memory/2648-141-0x000000013FD80000-0x00000001400D1000-memory.dmp upx
behavioral1/files/0x0006000000016d89-89.dat upx
behavioral1/memory/2704-82-0x000000013F500000-0x000000013F851000-memory.dmp upx
behavioral1/files/0x0006000000016d6d-81.dat upx
behavioral1/memory/2772-69-0x000000013F180000-0x000000013F4D1000-memory.dmp upx
behavioral1/files/0x0006000000016d64-67.dat upx
behavioral1/memory/2952-144-0x000000013F530000-0x000000013F881000-memory.dmp upx
behavioral1/files/0x0007000000016d5e-60.dat upx
behavioral1/memory/3012-57-0x000000013FE20000-0x0000000140171000-memory.dmp upx
behavioral1/memory/2508-145-0x000000013FA00000-0x000000013FD51000-memory.dmp upx
behavioral1/memory/2328-48-0x000000013F6A0000-0x000000013F9F1000-memory.dmp upx
behavioral1/memory/1812-30-0x000000013F120000-0x000000013F471000-memory.dmp upx
behavioral1/files/0x0007000000016814-29.dat upx
behavioral1/memory/2860-44-0x000000013FD90000-0x00000001400E1000-memory.dmp upx
behavioral1/memory/1176-166-0x000000013F310000-0x000000013F661000-memory.dmp upx
behavioral1/memory/268-165-0x000000013F2F0000-0x000000013F641000-memory.dmp upx
behavioral1/memory/1096-164-0x000000013F1A0000-0x000000013F4F1000-memory.dmp upx
behavioral1/memory/1304-163-0x000000013F350000-0x000000013F6A1000-memory.dmp upx
behavioral1/memory/2968-162-0x000000013F5F0000-0x000000013F941000-memory.dmp upx
behavioral1/memory/2836-161-0x000000013FB30000-0x000000013FE81000-memory.dmp upx
behavioral1/memory/1580-160-0x000000013F140000-0x000000013F491000-memory.dmp upx
behavioral1/files/0x0007000000016a66-38.dat upx
behavioral1/memory/1832-37-0x000000013FB70000-0x000000013FEC1000-memory.dmp upx
behavioral1/memory/1736-27-0x000000013F1A0000-0x000000013F4F1000-memory.dmp upx
behavioral1/files/0x00070000000165c2-25.dat upx
behavioral1/memory/2096-24-0x000000013F070000-0x000000013F3C1000-memory.dmp upx
behavioral1/memory/2508-167-0x000000013FA00000-0x000000013FD51000-memory.dmp upx
behavioral1/memory/2096-220-0x000000013F070000-0x000000013F3C1000-memory.dmp upx
behavioral1/memory/1812-222-0x000000013F120000-0x000000013F471000-memory.dmp upx
behavioral1/memory/1736-224-0x000000013F1A0000-0x000000013F4F1000-memory.dmp upx
behavioral1/memory/1832-226-0x000000013FB70000-0x000000013FEC1000-memory.dmp upx
behavioral1/memory/2860-228-0x000000013FD90000-0x00000001400E1000-memory.dmp upx
behavioral1/memory/2328-237-0x000000013F6A0000-0x000000013F9F1000-memory.dmp upx
behavioral1/memory/3012-239-0x000000013FE20000-0x0000000140171000-memory.dmp upx
behavioral1/memory/2704-241-0x000000013F500000-0x000000013F851000-memory.dmp upx
behavioral1/memory/2972-243-0x000000013FBA0000-0x000000013FEF1000-memory.dmp upx
behavioral1/memory/2772-245-0x000000013F180000-0x000000013F4D1000-memory.dmp upx
behavioral1/memory/2056-247-0x000000013FDC0000-0x0000000140111000-memory.dmp upx
behavioral1/memory/2648-249-0x000000013FD80000-0x00000001400D1000-memory.dmp upx
behavioral1/memory/1944-251-0x000000013F640000-0x000000013F991000-memory.dmp upx
-
Drops file in Windows directory 21 IoCs
description ioc Process
File created C:\Windows\System\rnlDFHl.exe 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe
File created C:\Windows\System\uqzhUhm.exe 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe
File created C:\Windows\System\CvhcTiv.exe 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe
File created C:\Windows\System\dsmKYdO.exe 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe
File created C:\Windows\System\YBKPqup.exe 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe
File created C:\Windows\System\PouiAeA.exe 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe
File created C:\Windows\System\zxfVcpp.exe 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe
File created C:\Windows\System\MBayiyI.exe 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe
File created C:\Windows\System\CMmyUfV.exe 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe
File created C:\Windows\System\VyxUwaG.exe 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe
File created C:\Windows\System\qzHlpFZ.exe 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe
File created C:\Windows\System\vGKaJQF.exe 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe
File created C:\Windows\System\riqvWkP.exe 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe
File created C:\Windows\System\CbjxYLB.exe 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe
File created C:\Windows\System\KFPoFWg.exe 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe
File created C:\Windows\System\ftrPwmC.exe 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe
File created C:\Windows\System\upIrkor.exe 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe
File created C:\Windows\System\oxLfYpC.exe 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe
File created C:\Windows\System\ZFlLtOP.exe 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe
File created C:\Windows\System\jsxZAxv.exe 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe
File created C:\Windows\System\fNkaaGg.exe 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process
Token: SeLockMemoryPrivilege 2508 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe
Token: SeLockMemoryPrivilege 2508 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe
-
Suspicious use of WriteProcessMemory 63 IoCs
description pid Process procid_target
PID 2508 wrote to memory of 2096 2508 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe 31
PID 2508 wrote to memory of 2096 2508 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe 31
PID 2508 wrote to memory of 2096 2508 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe 31
PID 2508 wrote to memory of 1736 2508 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe 32
PID 2508 wrote to memory of 1736 2508 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe 32
PID 2508 wrote to memory of 1736 2508 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe 32
PID 2508 wrote to memory of 1812 2508 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe 33
PID 2508 wrote to memory of 1812 2508 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe 33
PID 2508 wrote to memory of 1812 2508 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe 33
PID 2508 wrote to memory of 2328 2508 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe 34
PID 2508 wrote to memory of 2328 2508 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe 34
PID 2508 wrote to memory of 2328 2508 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe 34
PID 2508 wrote to memory of 1832 2508 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe 35
PID 2508 wrote to memory of 1832 2508 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe 35
PID 2508 wrote to memory of 1832 2508 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe 35
PID 2508 wrote to memory of 2704 2508 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe 36
PID 2508 wrote to memory of 2704 2508 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe 36
PID 2508 wrote to memory of 2704 2508 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe 36
PID 2508 wrote to memory of 2860 2508 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe 37
PID 2508 wrote to memory of 2860 2508 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe 37
PID 2508 wrote to memory of 2860 2508 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe 37
PID 2508 wrote to memory of 3012 2508 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe 38
PID 2508 wrote to memory of 3012 2508 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe 38
PID 2508 wrote to memory of 3012 2508 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe 38
PID 2508 wrote to memory of 2972 2508 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe 39
PID 2508 wrote to memory of 2972 2508 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe 39
PID 2508 wrote to memory of 2972 2508 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe 39
PID 2508 wrote to memory of 2772 2508 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe 40
PID 2508 wrote to memory of 2772 2508 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe 40
PID 2508 wrote to memory of 2772 2508 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe 40
PID 2508 wrote to memory of 2056 2508 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe 41
PID 2508 wrote to memory of 2056 2508 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe 41
PID 2508 wrote to memory of 2056 2508 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe 41
PID 2508 wrote to memory of 2648 2508 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe 42
PID 2508 wrote to memory of 2648 2508 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe 42
PID 2508 wrote to memory of 2648 2508 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe 42
PID 2508 wrote to memory of 1944 2508 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe 43
PID 2508 wrote to memory of 1944 2508 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe 43
PID 2508 wrote to memory of 1944 2508 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe 43
PID 2508 wrote to memory of 2952 2508 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe 44
PID 2508 wrote to memory of 2952 2508 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe 44
PID 2508 wrote to memory of 2952 2508 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe 44
PID 2508 wrote to memory of 1580 2508 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe 45
PID 2508 wrote to memory of 1580 2508 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe 45
PID 2508 wrote to memory of 1580 2508 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe 45
PID 2508 wrote to memory of 2836 2508 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe 46
PID 2508 wrote to memory of 2836 2508 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe 46
PID 2508 wrote to memory of 2836 2508 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe 46
PID 2508 wrote to memory of 2968 2508 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe 47
PID 2508 wrote to memory of 2968 2508 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe 47
PID 2508 wrote to memory of 2968 2508 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe 47
PID 2508 wrote to memory of 1304 2508 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe 48
PID 2508 wrote to memory of 1304 2508 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe 48
PID 2508 wrote to memory of 1304 2508 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe 48
PID 2508 wrote to memory of 1096 2508 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe 49
PID 2508 wrote to memory of 1096 2508 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe 49
PID 2508 wrote to memory of 1096 2508 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe 49
PID 2508 wrote to memory of 268 2508 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe 50
PID 2508 wrote to memory of 268 2508 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe 50
PID 2508 wrote to memory of 268 2508 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe 50
PID 2508 wrote to memory of 1176 2508 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe 51
PID 2508 wrote to memory of 1176 2508 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe 51
PID 2508 wrote to memory of 1176 2508 9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe 51
Processes
-
C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe
"C:\Users\Admin\AppData\Local\Temp\9f7889898ba750f81e116a98575018d85618de7e5cb79cca5d4da6fe85027a8cN.exe"
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2508
-
  C:\Windows\System\rnlDFHl.exe
  C:\Windows\System\rnlDFHl.exe
  - Executes dropped EXE
  PID:2096
-
  C:\Windows\System\oxLfYpC.exe
  C:\Windows\System\oxLfYpC.exe
  - Executes dropped EXE
  PID:1736
-
  C:\Windows\System\vGKaJQF.exe
  C:\Windows\System\vGKaJQF.exe
  - Executes dropped EXE
  PID:1812
-
  C:\Windows\System\riqvWkP.exe
  C:\Windows\System\riqvWkP.exe
  - Executes dropped EXE
  PID:2328
-
  C:\Windows\System\dsmKYdO.exe
  C:\Windows\System\dsmKYdO.exe
  - Executes dropped EXE
  PID:1832
-
  C:\Windows\System\CbjxYLB.exe
  C:\Windows\System\CbjxYLB.exe
  - Executes dropped EXE
  PID:2704
-
  C:\Windows\System\KFPoFWg.exe
  C:\Windows\System\KFPoFWg.exe
  - Executes dropped EXE
  PID:2860
-
  C:\Windows\System\ZFlLtOP.exe
  C:\Windows\System\ZFlLtOP.exe
  - Executes dropped EXE
  PID:3012
-
  C:\Windows\System\MBayiyI.exe
  C:\Windows\System\MBayiyI.exe
  - Executes dropped EXE
  PID:2972
-
  C:\Windows\System\jsxZAxv.exe
  C:\Windows\System\jsxZAxv.exe
  - Executes dropped EXE
  PID:2772
-
  C:\Windows\System\YBKPqup.exe
  C:\Windows\System\YBKPqup.exe
  - Executes dropped EXE
  PID:2056
-
  C:\Windows\System\fNkaaGg.exe
  C:\Windows\System\fNkaaGg.exe
  - Executes dropped EXE
  PID:2648
-
  C:\Windows\System\PouiAeA.exe
  C:\Windows\System\PouiAeA.exe
  - Executes dropped EXE
  PID:1944
-
  C:\Windows\System\CMmyUfV.exe
  C:\Windows\System\CMmyUfV.exe
  - Executes dropped EXE
  PID:2952
-
  C:\Windows\System\VyxUwaG.exe
  C:\Windows\System\VyxUwaG.exe
  - Executes dropped EXE
  PID:1580
-
  C:\Windows\System\ftrPwmC.exe
  C:\Windows\System\ftrPwmC.exe
  - Executes dropped EXE
  PID:2836
-
  C:\Windows\System\uqzhUhm.exe
  C:\Windows\System\uqzhUhm.exe
  - Executes dropped EXE
  PID:2968
-
  C:\Windows\System\zxfVcpp.exe
  C:\Windows\System\zxfVcpp.exe
  - Executes dropped EXE
  PID:1304
-
  C:\Windows\System\upIrkor.exe
  C:\Windows\System\upIrkor.exe
  - Executes dropped EXE
  PID:1096
-
  C:\Windows\System\qzHlpFZ.exe
  C:\Windows\System\qzHlpFZ.exe
  - Executes dropped EXE
  PID:268
-
  C:\Windows\System\CvhcTiv.exe
  C:\Windows\System\CvhcTiv.exe
  - Executes dropped EXE
  PID:1176
Downloads
-
Filesize
5.2MB
MD5
7f7855bb32d61379bd313dc9612a3ab3
SHA1
f725c4b0acf47e5f0ad4ecb02e48157d3c01b6f2
SHA256
d11b6926d9942dba366752f3a4e525b746c3cc15bf94e37d9e981e84a0df5001
SHA512
89f375045f079c67516da36a4714f651c74620b373be1c518397f2c2f58ed66b093540b4c69c2c765359b335a5a0ed0d4bf9fdf0c8eae807524acaa84f2c263c
-
Filesize
5.2MB
MD5
528487bd22d8aaedbcb34cd30ed0d454
SHA1
17c3f4654ec0bebde4e0952e29a111d5bd6c022b
SHA256
b8cfb92a5246823c7a06d0d2555ecee91232162a48c590236d4866c18c4fe1d2
SHA512
b10745187e93f120ecd0d724a86893f7d2936cf3103451b60bccf0bdb9d7b47c0e99ee82c672217eacefe91982e2b96dacba33ef7d5c0b281014e31e7fb74d11
-
Filesize
5.2MB
MD5
c01aaf976b3f1805161be1295ad47ffb
SHA1
bcf3fc7cbcd470b5f1b9332e55e4c5c06653d644
SHA256
f756b6e68bc9393c232cc60844113369119bef2e680a8c7d4c5e2a83f6f98eff
SHA512
f4ce638b817d7f9bb3206e63f6b8c76ace2fca28affbe2717c94fd167f399f2e1bd38ef4752883aeb5a971269d1a513b93d0b42fea7a351467ba83107be76909
-
Filesize
5.2MB
MD5
17cecb58005483958d285fca1d8dcf66
SHA1
463183e162e3e4d42ac5474d06f8e6a008721e1a
SHA256
d93fe5ac33c1908c5745e1832ac19965a6f012c316b6da5c6e3bb5a59f356d31
SHA512
fa9a964df0b15ec8da12b67496bf26d9188af45e2912800d2e5b68203ba611606f01a576fc6e59b7b123dbbb2700c5fa2ab338847729ba6d63e70d910fbcd602
-
Filesize
5.2MB
MD5
5ebe9a875dc9d9ebae02aaef0658befd
SHA1
033bb5fd05d098bf97792d3969fc1ccb34e8d350
SHA256
38a5fba0b035ff74637603f649c0f2ac8b62247df104b7d9781bbc75c68c6032
SHA512
2edd3c5dcee63ea7d28799f23742b4085dc03db9966e4b7633776dd38588af8932e1222fd978d6dcda854865a9884788bff037823537b0e41a9932dd277e1c68
-
Filesize
5.2MB
MD5
cc1b255b321c7f17406a619a52da0ce3
SHA1
6fb4e401a42597a7e73dfee8654c34a5420ce9c6
SHA256
7a93e43201eb785cac09f75b570b96280b111f434f41d55a9ae977a414360594
SHA512
880b0f1caff1e53ccac3f83e698005cad107372f5234e0124181799cf731cf2f158e40a67c17330a662a2de44874b60e6b8acf54d76d5a388693332dd69368aa
-
Filesize
5.2MB
MD5
22f0e5e3c1a5efccbb317fc372a743b9
SHA1
09777b0fa21602af72398850459366e6da654e86
SHA256
33ac40a98b5bc9d9991317321328094e811732313d3f1ea5d772ea5f78b76e85
SHA512
fe013b44888857fb4635801830423c1f7fe5aae2289d548ba89bb1f160202d3fe5432f06909c4842d00641ec1fc0b09e4c9925c4e8dec2ca23f7fd173065c5d0
-
Filesize
5.2MB
MD5
f1e611a4c7a6ba6486fdb2337c35625a
SHA1
705edba064c998608ca96e05b4cdd95e7f7edbdc
SHA256
f38d392dff2352a277016b799102225bd30234019b933485aa5dd8fc5fec83e2
SHA512
167cd6dac92a9750219e25f54879dc98af662db7cdacdd9c16167ca2ad85703850cf6271f83eac51a481d4622987e10f4fa2914c64f01bc6863c41f0c3302cb3
-
Filesize
5.2MB
MD5
c499ce736a196384754de67cfb405e77
SHA1
fcbffaa6827c1b176aae8e07c847d9c4282a8cc7
SHA256
8048171c61a46d15cff34662e6e3b5c953f1a20e3059a60cef770fb7f9deb920
SHA512
63202aff1c95db66a3b6e7e6e5c9a81d1f690f2219b9d645fedf758baa2d1386f3574343e6059d72d2af5eaaa0a5e0ff0de262efb5b5178603295c13abed9cee
-
Filesize
5.2MB
MD5
cd283d70a182800c582a284c808093e1
SHA1
414b0423fd53b1f4b7c32ad7d5b03b1e4fb4ff33
SHA256
f45c8ae56971622b8c4300c4dcd7d1801cec56b881ae9bc0f2ceffddc3c4f72a
SHA512
e146bbdd4388e222ec4b1f4a1ba52d44ca56cbbd6d63c0aa5e106a9ab1fd5909b35562fe02d04c5714628325d51b1e04c866a208e7a944d6e2292bc502f1916c
-
Filesize
5.2MB
MD5
8d42319951dd7caa560087b49dd5e137
SHA1
d64434ce2ad9fd600f270a7f1a8fa1fa540b972f
SHA256
69efd87b0d0a91aad982d6698c5a976aaf28d696c6fcfe7d8d940ed6a25feeff
SHA512
e2d4bca91bf7dfc542d99857744e709d41544a236dc480936fb7e67465e5c844b8f9aa813f015e93270d852305ce269b98221fcc3932405ef45f756eaf7ff98e
-
Filesize
5.2MB
MD5
f1c8c4dc179781ec9a0127dc289a9f18
SHA1
c748f23880914dccf8802ae8ab9436a93e58b46c
SHA256
250ba2a844e61d9470e643a79bc4565504b141b644bbecc23ec94301af4894a7
SHA512
7d9687c7ef7b898c6456265553a3123004c3ffab1714ba389e32c798af9d55877e263e83f2f3253d3ed94c49eca9a3a26ddeb3187a7e0c979a98a1688618def6
-
Filesize
5.2MB
MD5
2c59c4f96f9e32d318c3161176c695a9
SHA1
fc0bb3971240a721a368f9d21c9656529d601a1a
SHA256
d36183c2ca4a1ab264569c03483d09de821d1ed70c13a3b63cd49713a7d76aa0
SHA512
c20b85f6e35ba6fa33c686b2a460a9c656cbcb8202bfcbe97fc2954960c77a222611afc136fb897b029b539e8489d6d7d6f9faf0f541089e9829cf0183a32c19
-
Filesize
5.2MB
MD5
d54db5238803216dc6d1c1b79e1c6c8e
SHA1
7b2101ab4610d6e989fa46d1a72d1041a9546178
SHA256
e1bb77389269b10e8c0bfa55370a05a8ea0569f9edb072223736bd3d82ca2366
SHA512
b061ce3d166e44cc486d6422cf13998195506ccc56d1392ceaa046a19d0df50a0387bbfc12f25fa65251f15c1a0ae797764093c525522b4d3a22fe90f985f5dd
-
Filesize
5.2MB
MD5
f94de6e51ca3277c3b1342d09991780e
SHA1
3506866840492f90308baf9b5a442d4dd654ee58
SHA256
85c800e3550b83011c069d39e67a7b6a92caa331166047376dc099986afe0e2a
SHA512
20d7e902a6d3c0b5967800d0bfaae60690bfc09d02da90a0c793ca9d7292afe0ebef8a65739809c65414e49e43ce8f7ffa94dbbbd9b57d835483d494b060ebe9
-
Filesize
5.2MB
MD5
e9818cf3a5d53bae721bea34d02c3c13
SHA1
50f6d19528c09dd112c9bdb02a49e065711bcc1e
SHA256
a3911bdbebe51cfd1fc19d59f4318d95be78a64482d0f2ba7e8265f762246317
SHA512
31d1504e19531182ae82a586712ada0f247172108ff232f1f36aa3f4ad7eaf16c4d027dd5169eabf59e08b3b3419091d44af679bc9ed1d2cc076db002421a0af
-
Filesize
5.2MB
MD5
4d465948e271b78accfa6d0a58f7bdae
SHA1
eba3a3406722c67af98db3f5fa36a20e4b57f9fe
SHA256
59062140e201b40e4efa14aa6475864793c69be96f9e140d736328626c1203c1
SHA512
c9ca736219c72b781841fd9036d23ce9c6647e4c69dca90dfb866291a66492acad9e4a4a13c7c3886bd8e8ae261f2abece29c0e35bdc7e50907e40f4b9c50c91
-
Filesize
5.2MB
MD5
f5784d5054be473e75c4e6d5cb912f3b
SHA1
5873574d31298a86c6c8a888adf35de9808f83b4
SHA256
23b5f4d23e287e8bfa3ef850c58dc371b9cd22beb9b7f20fa91acd58ecf1fcba
SHA512
098eab8d43897dacec213ebd343515d558b639041ff09f7aa3a1aff2e8a8f16cff5d0a6c077cdea880fc2890d231c66d2898a40740d4ada75f3e788562a0a841
-
Filesize
5.2MB
MD5
40277bc9b9b3460f75c8c03824a63736
SHA1
d5cfeae0e7d193b0fac02bb3ae1a466e18751ab5
SHA256
a6d147bfbf511042ea346954b775a793eb3b8a6d1b0d6ffb8ff2b87d7b09ff63
SHA512
f2c53d8684a5d03aa78041ecf4791c9b327de28199aec3bd3b18f08ae4a054abe906c40cc71b4a65b23b05faa091c401b8e96e3d0f50d5b684f2607490780fca
-
Filesize
5.2MB
MD5
c0ff4510fd451d832fdb2c3d9ea5d679
SHA1
d104c8c59290f936151222217b3bcbbad6ecf09b
SHA256
b0a4da9a34000a280bd0debf109e10bf63890c6beef36657fabd5fe9c1d0319c
SHA512
0b058848a06a9a350879112da4651f0901bb4d01c857d980cf288ed0a824712eb14d296e0b789cc5d45f0b09dcb9f7187fc5be3473753796e3b6b346f8e2b328
-
Filesize
5.2MB
MD5
40554e4d69e8e24338e0159ecaa59938
SHA1
9f09f9cb5285c668f1427412f83d870a3b63dc4f
SHA256
16b5a403311aed0d73f1db1142f44e0b9fb208433a0b275743d4784ee6f1c825
SHA512
5800944f37b0ea837ce3ea06118d084afb9c2ac2db237224a59aeebd6046dc5156187f9c90d264fb6172e465a701e6d720a3518544d0547030b8078f3021feed