Analysis Overview
SHA256
88e8aa0784c4ff0e4cffbb05c7219c76ef267078318735dfeb550ec9a4fc0b07
Threat Level: Known bad
The file 2024-05-29_8fb137261c0707c09092c062a3a3701d_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Xmrig family
Cobalt Strike reflective loader
xmrig
XMRig Miner payload
UPX dump on OEP (original entry point)
Cobaltstrike
Detects Reflective DLL injection artifacts
Cobaltstrike family
UPX packed file
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-29 21:34
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-29 21:34
Reported
2024-05-29 21:36
Platform
win7-20240221-en
Max time kernel
136s
Max time network
146s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\mnooJAQ.exe | N/A |
| N/A | N/A | C:\Windows\System\GMAsezb.exe | N/A |
| N/A | N/A | C:\Windows\System\mlMWSYl.exe | N/A |
| N/A | N/A | C:\Windows\System\UiMvxdx.exe | N/A |
| N/A | N/A | C:\Windows\System\yhNShVE.exe | N/A |
| N/A | N/A | C:\Windows\System\fmPVewo.exe | N/A |
| N/A | N/A | C:\Windows\System\dKpYWAB.exe | N/A |
| N/A | N/A | C:\Windows\System\CjGpWur.exe | N/A |
| N/A | N/A | C:\Windows\System\asfillR.exe | N/A |
| N/A | N/A | C:\Windows\System\tPoAFHC.exe | N/A |
| N/A | N/A | C:\Windows\System\PLwYOFg.exe | N/A |
| N/A | N/A | C:\Windows\System\SmWwLcR.exe | N/A |
| N/A | N/A | C:\Windows\System\UFuuAyb.exe | N/A |
| N/A | N/A | C:\Windows\System\QVmpzvd.exe | N/A |
| N/A | N/A | C:\Windows\System\hXFLpZy.exe | N/A |
| N/A | N/A | C:\Windows\System\OFBteLg.exe | N/A |
| N/A | N/A | C:\Windows\System\ZWusgLz.exe | N/A |
| N/A | N/A | C:\Windows\System\lHfNpGv.exe | N/A |
| N/A | N/A | C:\Windows\System\nPfxEfR.exe | N/A |
| N/A | N/A | C:\Windows\System\ZEjmvGz.exe | N/A |
| N/A | N/A | C:\Windows\System\eLevLAu.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_8fb137261c0707c09092c062a3a3701d_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_8fb137261c0707c09092c062a3a3701d_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-29_8fb137261c0707c09092c062a3a3701d_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-29_8fb137261c0707c09092c062a3a3701d_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\mnooJAQ.exe
C:\Windows\System\GMAsezb.exe
C:\Windows\System\mlMWSYl.exe
C:\Windows\System\UiMvxdx.exe
C:\Windows\System\yhNShVE.exe
C:\Windows\System\fmPVewo.exe
C:\Windows\System\dKpYWAB.exe
C:\Windows\System\CjGpWur.exe
C:\Windows\System\asfillR.exe
C:\Windows\System\PLwYOFg.exe
C:\Windows\System\tPoAFHC.exe
C:\Windows\System\SmWwLcR.exe
C:\Windows\System\UFuuAyb.exe
C:\Windows\System\QVmpzvd.exe
C:\Windows\System\hXFLpZy.exe
C:\Windows\System\OFBteLg.exe
C:\Windows\System\ZWusgLz.exe
C:\Windows\System\lHfNpGv.exe
C:\Windows\System\nPfxEfR.exe
C:\Windows\System\ZEjmvGz.exe
C:\Windows\System\eLevLAu.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-29 21:34
Reported
2024-05-29 21:36
Platform
win10v2004-20240508-en
Max time kernel
95s
Max time network
97s
Command Line
Signatures
xmrig
UPX dump on OEP (original entry point)
XMRig Miner payload
UPX packed file
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-29_8fb137261c0707c09092c062a3a3701d_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-29_8fb137261c0707c09092c062a3a3701d_cobalt-strike_cobaltstrike.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 36.56.20.217.in-addr.arpa | udp |
Files
memory/212-0-0x00007FF794540000-0x00007FF794894000-memory.dmp