Analysis Overview
SHA256
7a0bdbd07c96cb478518ff4ab48bbe5c5d7564ad2b795120f5fbf19266a2eb90
Threat Level: Known bad
The file 20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike
Cobalt Strike reflective loader
xmrig
Xmrig family
XMRig Miner payload
Cobaltstrike family
XMRig Miner payload
Loads dropped DLL
UPX packed file
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-22 19:19
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-22 19:19
Reported
2024-05-22 19:22
Platform
win7-20240221-en
Max time kernel
136s
Max time network
152s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\TbRTbhM.exe | N/A |
| N/A | N/A | C:\Windows\System\gulQWmr.exe | N/A |
| N/A | N/A | C:\Windows\System\PrzUfgd.exe | N/A |
| N/A | N/A | C:\Windows\System\vxdkRxt.exe | N/A |
| N/A | N/A | C:\Windows\System\LgMlkMs.exe | N/A |
| N/A | N/A | C:\Windows\System\aKhYtMc.exe | N/A |
| N/A | N/A | C:\Windows\System\hrEvlaN.exe | N/A |
| N/A | N/A | C:\Windows\System\cSUDiPV.exe | N/A |
| N/A | N/A | C:\Windows\System\QtShKSX.exe | N/A |
| N/A | N/A | C:\Windows\System\dWNcrqt.exe | N/A |
| N/A | N/A | C:\Windows\System\krHzldi.exe | N/A |
| N/A | N/A | C:\Windows\System\iXhnjZz.exe | N/A |
| N/A | N/A | C:\Windows\System\MjsSCuN.exe | N/A |
| N/A | N/A | C:\Windows\System\tZtMgCi.exe | N/A |
| N/A | N/A | C:\Windows\System\ikOPwFw.exe | N/A |
| N/A | N/A | C:\Windows\System\LAovnHZ.exe | N/A |
| N/A | N/A | C:\Windows\System\pmynMrf.exe | N/A |
| N/A | N/A | C:\Windows\System\MyXCkwD.exe | N/A |
| N/A | N/A | C:\Windows\System\PpoqiQP.exe | N/A |
| N/A | N/A | C:\Windows\System\PMbmMuE.exe | N/A |
| N/A | N/A | C:\Windows\System\AksQFIo.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe"
C:\Windows\System\TbRTbhM.exe
C:\Windows\System\TbRTbhM.exe
C:\Windows\System\PrzUfgd.exe
C:\Windows\System\PrzUfgd.exe
C:\Windows\System\gulQWmr.exe
C:\Windows\System\gulQWmr.exe
C:\Windows\System\vxdkRxt.exe
C:\Windows\System\vxdkRxt.exe
C:\Windows\System\LgMlkMs.exe
C:\Windows\System\LgMlkMs.exe
C:\Windows\System\hrEvlaN.exe
C:\Windows\System\hrEvlaN.exe
C:\Windows\System\aKhYtMc.exe
C:\Windows\System\aKhYtMc.exe
C:\Windows\System\ikOPwFw.exe
C:\Windows\System\ikOPwFw.exe
C:\Windows\System\cSUDiPV.exe
C:\Windows\System\cSUDiPV.exe
C:\Windows\System\LAovnHZ.exe
C:\Windows\System\LAovnHZ.exe
C:\Windows\System\QtShKSX.exe
C:\Windows\System\QtShKSX.exe
C:\Windows\System\pmynMrf.exe
C:\Windows\System\pmynMrf.exe
C:\Windows\System\dWNcrqt.exe
C:\Windows\System\dWNcrqt.exe
C:\Windows\System\MyXCkwD.exe
C:\Windows\System\MyXCkwD.exe
C:\Windows\System\krHzldi.exe
C:\Windows\System\krHzldi.exe
C:\Windows\System\PpoqiQP.exe
C:\Windows\System\PpoqiQP.exe
C:\Windows\System\iXhnjZz.exe
C:\Windows\System\iXhnjZz.exe
C:\Windows\System\PMbmMuE.exe
C:\Windows\System\PMbmMuE.exe
C:\Windows\System\MjsSCuN.exe
C:\Windows\System\MjsSCuN.exe
C:\Windows\System\AksQFIo.exe
C:\Windows\System\AksQFIo.exe
C:\Windows\System\tZtMgCi.exe
C:\Windows\System\tZtMgCi.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2292-0-0x000000013F370000-0x000000013F6C4000-memory.dmp
memory/2292-1-0x00000000002F0000-0x0000000000300000-memory.dmp
C:\Windows\system\TbRTbhM.exe
| MD5 | ef7181f7d55b40e895a202c2b4b48695 |
| SHA1 | 853928a819a87637d4d29858fa2841a6e4ca2f70 |
| SHA256 | 9bd4332323fbbdb23e06a01bbb73f4bdc4c28229f89fb657eafda3b653751cfa |
| SHA512 | 202ae66f301e9ffbe62c7a278c5d49d3313fb2e5c10e2693948e5afaeb5033210ddd5e9d221d2273772bd49b84765ce89b8b42a28f520460a83e170a39574558 |
memory/1064-11-0x000000013FB90000-0x000000013FEE4000-memory.dmp
memory/2292-19-0x000000013FD30000-0x0000000140084000-memory.dmp
C:\Windows\system\aKhYtMc.exe
| MD5 | 6614bfd83aa83877fdc6d703f645ebf7 |
| SHA1 | ee08434bf1613a40528a5d49a996f6918ec65673 |
| SHA256 | fd090cc1ba521dd12c3c20637ce6788d9ea88cec0273bb69056cc2e3d1ce72c1 |
| SHA512 | e41e42980c31cca09ed77c9bf3c4d962c93f2043321cb37bd00c5091fbdb993640835c133d7df3e0159aa17d408e457fe8f373c85db9abe155ffa9325d8cf926 |
memory/2292-115-0x00000000023C0000-0x0000000002714000-memory.dmp
\Windows\system\ikOPwFw.exe
| MD5 | 3caf99e2895a9e7093e8551bacb73cad |
| SHA1 | 81051988b4d8747115679dd987a2663855971496 |
| SHA256 | af5ee75e7dad87be440c5b536c4bb36545b2e369975323bae2654dd23d246608 |
| SHA512 | ee3b00dbc455fbd5fcff2990dfd82658c9414764f04a8f2f07bcfd155f802b936f659b7bebe1f2c7bf0ddaa20bd815d390fe390e5ce042372dc7491e5099c032 |
C:\Windows\system\MjsSCuN.exe
| MD5 | 8c61f7b6e8679c2dfc281a7eb27219b2 |
| SHA1 | 8e27e31e54e1a64a2e9f593ea9184f8bf9d26401 |
| SHA256 | 9c9b4a5d9a832c7acb8b94d5b1ce3ea44155c5a32a6e2678b9f81a7c23484db4 |
| SHA512 | 2ff11a6c439439626a33c72f0b6b379aa102e61a0fc460e2da1a58802126884a33c3bf4b3d15d49431a6656617ccc8bf1bc26fc707cb7718531f5e063c6e1dc4 |
\Windows\system\AksQFIo.exe
| MD5 | f340027590e0060a1b4dad9a9b63f10a |
| SHA1 | 134743e05942e86f636fff53db242b9028087b08 |
| SHA256 | ba362b3028dfd3fd10e1cff733653a7665bbb60151e4e522e922da8213e645a3 |
| SHA512 | 1e43065f8a5c5e1ee76e1515338a88c096638e59ef0e9242c6e444f16a89911bfa12c65ce2bd2b6412944a18a8252e498a3d3513fb10592b2f0b27cb8f3e0585 |
\Windows\system\PMbmMuE.exe
| MD5 | 77352144316c18144deb15a83ad228c1 |
| SHA1 | 685a9de040743315659521ed45611bbe25995b3c |
| SHA256 | 1b25ab627648fcd0d7744700e3d31b768cba334a0eb1aeb66fe3827ea545bf80 |
| SHA512 | a84599bccdb1e650e04b2297f0b679d17666ebd95e03a38822684b73f07b20ee2f28ec2da2afd6a04921735042ce1cc1594b2eeb0746b75ea0884f10a7763dff |
memory/2292-82-0x00000000023C0000-0x0000000002714000-memory.dmp
\Windows\system\PpoqiQP.exe
| MD5 | 2ccf3f006a4a7e4e235993329887a3ca |
| SHA1 | f620a413f18793a7828d9e92f52d8faf606fa249 |
| SHA256 | ca6f65aeb8c0feec41c9f696619b03ab294eda3b365ba3b7eacf1252ebba6c87 |
| SHA512 | 50b505dd0c962a5a53a48b7f5b87e13a19fc99a4891906c5f5bfa9d9a9a2a3dc18d6995a8bcb1a31054ac5499306c4ff0326f1bfac7cdd577f3b3b765a362e5b |
memory/2656-71-0x000000013FE30000-0x0000000140184000-memory.dmp
\Windows\system\MyXCkwD.exe
| MD5 | 3dbeb18afc2ba6b7c960d67b53e576cb |
| SHA1 | a81134432c49154d88d6897167a9c2b7b0a71add |
| SHA256 | af474e667a2ab901c3edf50c1a6e3c11c27f9c49055500186479d43d2e10ca43 |
| SHA512 | f0a0577d92d55723dc90526114756db7fa63e8957034412df9234b95d61987e03586f0b7900c40e359927a228262d3498fe661b79942a8fbd8340b551a2d83e7 |
memory/2292-62-0x000000013FE30000-0x0000000140184000-memory.dmp
\Windows\system\pmynMrf.exe
| MD5 | 84d162dded4ccaa77eb59d92b60feb90 |
| SHA1 | 25fffa56f348cf4cb93b81c32faed61712c0dda3 |
| SHA256 | 39e1f001839327435ecee15600e43ec5ef92df856a968f35b06db3e678751203 |
| SHA512 | 3b1caf28a1513cc0899a27b5edfec14eeacd91696a8ba9c1163de44896c9cb44a3dd33646f755144f1955a4930c7e2263bb4781bb18e792227511c99395cd3cd |
\Windows\system\LAovnHZ.exe
| MD5 | 6e9fe282c38e1ee630d117d3716ef046 |
| SHA1 | efd5d35027f0f7adfb164b4f14b3538c47d6e97c |
| SHA256 | 0eec04c4ca5cdbf7b6e486c02127a9ae8c24365321cd5bb745c814450482b314 |
| SHA512 | 63e7cbabc27bac4a4c9ad4f159bcfadebaecdb31fd8dd21507e59f7193db9bce1d1ef5f1acb22ac47631ec123791e3ef8bb84c0409c87c491b3055d2ca2c803f |
C:\Windows\system\tZtMgCi.exe
| MD5 | 9e923cb509c0b52bc66bc590522b402f |
| SHA1 | 7858877cae47f7c25100ab8963a82ad8fd9e9341 |
| SHA256 | 61d1df8a1934239e8923b22aa03cb3e5599d45498fe79bf253bc86f47153c6c1 |
| SHA512 | 6158c126da62bbf54f21f9fcdc75f4c3d0fea569d1e1e12edfe0b738a0dab6da3dd88461e5c354d23079b379b776a552fe2d0210c4cceb47324b8107f34d3d24 |
memory/2528-103-0x000000013F4E0000-0x000000013F834000-memory.dmp
memory/2292-96-0x00000000023C0000-0x0000000002714000-memory.dmp
C:\Windows\system\iXhnjZz.exe
| MD5 | b31b2cd89dd7dafb6cf8fab677245b27 |
| SHA1 | 8214d650dec8eed0caad22efc507e8feeeae124b |
| SHA256 | 7a3cb7161e87394b63e67b45b8eddccf2247e0d86bcb203fae842dcb31dee73c |
| SHA512 | 5027327ff7336e17ac57165f217d3a5efcee308c2e3731f81aee53f3dc752b121ddb1266f64182670db8f6bcb3c2446ad69b706ddb6656c4b6cb090641ccdd08 |
memory/2148-85-0x000000013F170000-0x000000013F4C4000-memory.dmp
memory/2292-133-0x000000013F370000-0x000000013F6C4000-memory.dmp
memory/2388-78-0x000000013F660000-0x000000013F9B4000-memory.dmp
memory/2292-77-0x00000000023C0000-0x0000000002714000-memory.dmp
C:\Windows\system\krHzldi.exe
| MD5 | b87faa7f837ef6f0d75c4b13427aec32 |
| SHA1 | ff47d57c3db6f8f08de909d6d8abe62e89aa56a4 |
| SHA256 | 3351a68505a3816c95e4c8a339a95c4f7c4ac3d70b8e09cd1626d8d1ef654fc3 |
| SHA512 | d420a36a5fed57fa202bf5347a9e3cef743e6d06e33afa7462a64fb0112899d3d72a3381647ea02c598ab70816fee0ae0052b1955ee1c22193e6d2be3dfd0444 |
C:\Windows\system\dWNcrqt.exe
| MD5 | 7758254974566bc5f555cac965d9aa02 |
| SHA1 | 74fb5319b4c2378e1eda91ee4b200e31cacf3362 |
| SHA256 | c1c16e5e7dfb610f763fc83fdf2332659e9d9377d43de2687d958709b8d39729 |
| SHA512 | 4d9eab1a8c0df6de4bd02f8a3901d777e2315680dbad20c072e9c86b3c1c9b671b00a875e8d8598b8fbfd0449ad7e71c2cf3ae95176a9b81b35c49aff9f64799 |
C:\Windows\system\QtShKSX.exe
| MD5 | 7b7403b6d9fa2205835f4391dde1aea4 |
| SHA1 | c1b8b030d6f7ac5d98debe3495baee33b0e6186e |
| SHA256 | e9b2579f1672824c69352bae10d0dabb711eae9dafb5abb4a27c3fac69dcb996 |
| SHA512 | 197b3e8ce610334153158b7435659c482ee2df9b555e4ecfcc4077a569cfc34cd1718967e633873c5563855890960035442ca30432f68084d123b27be8caa05e |
C:\Windows\system\cSUDiPV.exe
| MD5 | b5c8e737e59dcc9d91e21cdbed8aeb67 |
| SHA1 | 53d2b205245aae4458d68549b9ee5b00617eb951 |
| SHA256 | 8b7e9c2e971afc841d4439b648e2e0ba291cd19e22a67dd89aa3884641934e77 |
| SHA512 | 0868625f154e2fa3cf95417311797ff6fb366ac27ae80e3705431c105ed959d66d7df9a60bbf926ef53a8b9e9eac0e30d1e8fb51dc5721932ae9e962235882db |
memory/2632-27-0x000000013F9B0000-0x000000013FD04000-memory.dmp
C:\Windows\system\hrEvlaN.exe
| MD5 | a9e2d89ad139b75b677062441ba125f1 |
| SHA1 | b9a25c20b1118070fa95ad4a857c719ff44657e8 |
| SHA256 | 6253b9749055a98f169528816f015baf4a4f2b112979e51e47b29ecbb7ab2434 |
| SHA512 | 5fd12d9215c470464a4fe2e9ddcee2b975f2596e4606573b5b0bff860d8c1a12d3dc0c5956829d93f85ab25f5cd1cf61f9b30f4bd5d180e30a749e79c69dc5e8 |
C:\Windows\system\vxdkRxt.exe
| MD5 | 3f6f345a242ad6185019431ef2735769 |
| SHA1 | 051c77c3218d87fd823afe7546b82d7366d19697 |
| SHA256 | 0e945f905ad4c37f5ca4d4e04d46cf9f8a75f3a3e567f265a9f459d0e51add4b |
| SHA512 | cf0741410d569ea58b174f191c097af90133192871d23df1f83b5120992fae4a7df25c8dcae686d70c7bfd2c69bbed454b078d8e0fa080d5408d067c388617ef |
memory/2292-25-0x000000013F7B0000-0x000000013FB04000-memory.dmp
memory/2744-24-0x000000013F7B0000-0x000000013FB04000-memory.dmp
memory/2924-23-0x000000013FD30000-0x0000000140084000-memory.dmp
C:\Windows\system\LgMlkMs.exe
| MD5 | 9171af05c46c8a2177375984b179f9fb |
| SHA1 | 17b8d3dda461a201b52e18a221bcb77f85333fde |
| SHA256 | 61af6724fe63b5631ce288dd42e424e0bc27ad1f4b1b105111d7e7be80701fdb |
| SHA512 | 3cc7feb0f97f81045cc37fd557f941bee515e1eebdcce78637f164d593868a120453692a1ef10733853450d306f7a7f59252fbbee19d7aed9213ff70c49ffe01 |
C:\Windows\system\PrzUfgd.exe
| MD5 | 3357873d24f64dfbbc5930c02c71cbdb |
| SHA1 | f470b4a26b1f6ba10ed3286b38194614c9eea3c9 |
| SHA256 | 5fdfff051325e23f05ba927ea097f75b7480291b4837021fc6e7bb73276eb99c |
| SHA512 | 659210249938c7ff5ef79b2306ab299c3d0b969a709337424d0a069463c2369ddd2ab360cdd7dd58942a207147802d0196e446fd9f27f6bf844e8b29be123835 |
C:\Windows\system\gulQWmr.exe
| MD5 | 7b302306f41f4633702d784d9d2b6888 |
| SHA1 | 749b5980ea5b7472cd19ad728511f6130a481c42 |
| SHA256 | ad957921916dfe2e9965ec82a5fa1b5a4c0972b47748a7cc1cca094d1f155fc3 |
| SHA512 | b180895be2d928048fb2c39cc36dc98305a5e13f0522a12f04822023071674401dea722ca0fec8c25908e330ab07a8f44209f75a544504ef1982329fcb12b852 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-22 19:19
Reported
2024-05-22 19:21
Platform
win10v2004-20240508-en
Max time kernel
131s
Max time network
124s
Command Line
Signatures
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\20240521a22a2fe878952d00322a58d3e0681f08cobaltstrikecobaltstrike.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 216.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.155:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 155.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 52.111.227.14:443 | | tcp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
memory/4544-0-0x00007FF7AF1D0000-0x00007FF7AF524000-memory.dmp