Analysis Overview
SHA256
a7c8008564bb4286f520a565d952d41a349b5ff3f39adac472d45e38c470960d
Threat Level: Known bad
The file 2024-05-29_0996a57566f58de0a621e6f615273317_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike family
Xmrig family
Cobalt Strike reflective loader
Cobaltstrike
XMRig Miner payload
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
xmrig
Executes dropped EXE
UPX packed file
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-29 23:41
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-29 23:41
Reported
2024-05-29 23:44
Platform
win7-20240221-en
Max time kernel
145s
Max time network
154s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System\NRUkWSQ.exe | N/A |
| N/A | N/A | C:\Windows\System\CWpwCVp.exe | N/A |
| N/A | N/A | C:\Windows\System\PPacOcK.exe | N/A |
| N/A | N/A | C:\Windows\System\xrPTFuI.exe | N/A |
| N/A | N/A | C:\Windows\System\IAMduhO.exe | N/A |
| N/A | N/A | C:\Windows\System\WyReCqB.exe | N/A |
| N/A | N/A | C:\Windows\System\KOsURqk.exe | N/A |
| N/A | N/A | C:\Windows\System\fyqnKTN.exe | N/A |
| N/A | N/A | C:\Windows\System\IXMwGSX.exe | N/A |
| N/A | N/A | C:\Windows\System\GxUFVvx.exe | N/A |
| N/A | N/A | C:\Windows\System\bopxnLf.exe | N/A |
| N/A | N/A | C:\Windows\System\rgznPxV.exe | N/A |
| N/A | N/A | C:\Windows\System\XHMGPJM.exe | N/A |
| N/A | N/A | C:\Windows\System\fFjFSsA.exe | N/A |
| N/A | N/A | C:\Windows\System\ccszpOj.exe | N/A |
| N/A | N/A | C:\Windows\System\qsarLDS.exe | N/A |
| N/A | N/A | C:\Windows\System\VpCZPyD.exe | N/A |
| N/A | N/A | C:\Windows\System\WEgYIkP.exe | N/A |
| N/A | N/A | C:\Windows\System\dxWiOgi.exe | N/A |
| N/A | N/A | C:\Windows\System\ZREhdTH.exe | N/A |
| N/A | N/A | C:\Windows\System\ckGlFgi.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_0996a57566f58de0a621e6f615273317_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-29_0996a57566f58de0a621e6f615273317_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-29_0996a57566f58de0a621e6f615273317_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\NRUkWSQ.exe
C:\Windows\System\NRUkWSQ.exe
C:\Windows\System\CWpwCVp.exe
C:\Windows\System\CWpwCVp.exe
C:\Windows\System\PPacOcK.exe
C:\Windows\System\PPacOcK.exe
C:\Windows\System\xrPTFuI.exe
C:\Windows\System\xrPTFuI.exe
C:\Windows\System\IAMduhO.exe
C:\Windows\System\IAMduhO.exe
C:\Windows\System\WyReCqB.exe
C:\Windows\System\WyReCqB.exe
C:\Windows\System\KOsURqk.exe
C:\Windows\System\KOsURqk.exe
C:\Windows\System\GxUFVvx.exe
C:\Windows\System\GxUFVvx.exe
C:\Windows\System\fyqnKTN.exe
C:\Windows\System\fyqnKTN.exe
C:\Windows\System\bopxnLf.exe
C:\Windows\System\bopxnLf.exe
C:\Windows\System\IXMwGSX.exe
C:\Windows\System\IXMwGSX.exe
C:\Windows\System\VpCZPyD.exe
C:\Windows\System\VpCZPyD.exe
C:\Windows\System\rgznPxV.exe
C:\Windows\System\rgznPxV.exe
C:\Windows\System\WEgYIkP.exe
C:\Windows\System\WEgYIkP.exe
C:\Windows\System\XHMGPJM.exe
C:\Windows\System\XHMGPJM.exe
C:\Windows\System\dxWiOgi.exe
C:\Windows\System\dxWiOgi.exe
C:\Windows\System\fFjFSsA.exe
C:\Windows\System\fFjFSsA.exe
C:\Windows\System\ZREhdTH.exe
C:\Windows\System\ZREhdTH.exe
C:\Windows\System\ccszpOj.exe
C:\Windows\System\ccszpOj.exe
C:\Windows\System\ckGlFgi.exe
C:\Windows\System\ckGlFgi.exe
C:\Windows\System\qsarLDS.exe
C:\Windows\System\qsarLDS.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2248-0-0x000000013FEA0000-0x00000001401F4000-memory.dmp
memory/2248-1-0x00000000000F0000-0x0000000000100000-memory.dmp
\Windows\system\NRUkWSQ.exe
| MD5 | 42d4947a564ba3e1f9aee024574933bd |
| SHA1 | 96ac4bd0956e50eeaec98d41dec6e19f9b8bbe9a |
| SHA256 | 70bbd6f0bb7559f61d42c262058d95bacbfdfba40da5c557207bfa7ae8a5d4a2 |
| SHA512 | d975b8c257d8ab7c14d7459872038e363e71685805a14cb9962369802b3f275de8723f4829fecb0539ca326aa402ddca99d9094962a2540b0d604e7887992b85 |
\Windows\system\CWpwCVp.exe
| MD5 | e1c4778b6da9accb86d0bb9f64575df7 |
| SHA1 | 99787bf8d56841200eb9a56d3717fbd89659f171 |
| SHA256 | f5d2066d586a3f559dbc0c7f290709dd6854ee98c825a8d2ddd4e72b5cf3acf9 |
| SHA512 | 6f6407e18e617f4db96e178bac1f39add932c752eae3fe5efa8880f4d15dcf20ffe974acdb00e46cbce55526686f7c273cd172d53a8f948908df6651b86feca2 |
memory/2248-8-0x000000013F0E0000-0x000000013F434000-memory.dmp
memory/2588-12-0x000000013F0E0000-0x000000013F434000-memory.dmp
memory/2248-14-0x000000013FAB0000-0x000000013FE04000-memory.dmp
C:\Windows\system\PPacOcK.exe
| MD5 | f6723f917b0074566fa027f020d18018 |
| SHA1 | f932edc872ab6881a3487a062ac3f54d5497da34 |
| SHA256 | 64e22a9e2baeccca4c113ffa3128aab37203fcab25a4523ab75c56b2bdc62c1d |
| SHA512 | 579290869c34dc5d41d0c79f49751cf281216747f90e11f2bbc1d077cc5d44b4fbcd6ec96a67d790d9ec041fe1bcec40b0bd63930a2ac6ebdc5d4c1c03c09ddd |
memory/2248-22-0x000000013F5E0000-0x000000013F934000-memory.dmp
memory/2748-30-0x000000013F1C0000-0x000000013F514000-memory.dmp
\Windows\system\bopxnLf.exe
| MD5 | d1cef47701d002decd9cf599130489d0 |
| SHA1 | d5e72275ea9410530ee4b42192a4665f2737273f |
| SHA256 | a96792828cc187a6d7f011af80424dcc646d9b0e3bd311097f66958c537cb8a6 |
| SHA512 | c2c353ab6b63a65aa877d00ac8da8334833e539bb4febc79203e7e40733a7b148dfdbd2ab6caac969eb68c66a34d6f12daf11a87c91bf79ceda1312a924b3b2d |
memory/2248-127-0x000000013FA20000-0x000000013FD74000-memory.dmp
C:\Windows\system\rgznPxV.exe
| MD5 | 8cdcef3a576f06f6fb41325787589771 |
| SHA1 | 54ac587bafe55d99ec0d7e30db976f7f5dfabe5c |
| SHA256 | c0178dbf9827621172fd5c1faf3c8754035987648339901149cb4326ba11cccc |
| SHA512 | 2025dae13e492996baffcf45d4c5a54fa9761428238cd5cee14019ead04bf891d33a4626272b423ccfd80e7af8da7df9dad7438fef3fb34c6057de1c6188b335 |
C:\Windows\system\ccszpOj.exe
| MD5 | 53f98f71e894a0eca962be0732011265 |
| SHA1 | a636e5dcbb7458098cc799fdb4ca761745c8f937 |
| SHA256 | 73577874dcac8bcdba9d8a40ecf3e05ed2bf2c0e1355b3252e19aa0fd22f911d |
| SHA512 | bd09bec9af5619392b3a0a0ccdde5a4694296492b4501d82d87dbf788b6c17550332a31bf63dca6c83491949c97ff1ce74246eba3d82bb174757d52f80999f72 |
C:\Windows\system\fFjFSsA.exe
| MD5 | 5ac47eca39656b2b5f7d888317945451 |
| SHA1 | 7184313ff2d5c740dd19fadbf380e84d9016f590 |
| SHA256 | 3143e779ee11cd3c69defdcd7fe69924dd759cca209f2329e2945c6663a7106f |
| SHA512 | 4c0f92c9fbdad66aef7719b4e0065a11768062727345a57ea9dd76f42d83bdb1cf9b4dc5a3a7f787cb6b464315fd9e5f594f461ed7e9322b3e60150e12356cc9 |
memory/2248-101-0x000000013F800000-0x000000013FB54000-memory.dmp
\Windows\system\ckGlFgi.exe
| MD5 | 471f21caa5f8efc675f006412309f265 |
| SHA1 | fa599a586b16dcdd92afcb7fdf106fa7fb3d3df0 |
| SHA256 | af11696308682a452d436ed29521cfa510e91f3fe8ba86cf89c8ad648ae74bd1 |
| SHA512 | 0667cd2e05c466426dfa87d33b7abd7418d15dc7de24dde611ca823e1fb79dd5653555c78c246571121f434a6d953b004fc7fc203befba85475e4534687c243f |
\Windows\system\ZREhdTH.exe
| MD5 | 8a267198bbafb96b3e168d4577b32874 |
| SHA1 | 4ed4dc4f74923cf3f0c08a10c46f1c0430bb1431 |
| SHA256 | 09e5ad09519ed466d8574a8835d386d9b684c9deab732872e3ac1025c03e3478 |
| SHA512 | 301972a074227d091a4c1815394adcfd93dfa62b3de988798a580ee47cb5aad066694f7b4bffe30e5d133b60e3ec1ed748c9689840234af25be046bcc5de978b |
memory/2248-87-0x000000013F190000-0x000000013F4E4000-memory.dmp
C:\Windows\system\XHMGPJM.exe
| MD5 | 525313a39cbc8d3a8087b4bd629760dd |
| SHA1 | 9de23c3de55c3fbeda7c071fccf2a37be7c72bea |
| SHA256 | e14fc0f0f1723eae8b754f9eed7ac03d70bf8535f96e00a0a3e6fe54ce667063 |
| SHA512 | 22664704a1890bf8ae9a116d11b6d80d8e1a00e0b2caecd0bc9ffd14bbdadd98ca515c6a65fc4f0b7d5d320db791dbd9887cccbf44215568549a0fe358087c85 |
\Windows\system\dxWiOgi.exe
| MD5 | 1a14d98d85ebd98c56574201134a0f40 |
| SHA1 | 1aa2b2a753d50b7dbed1f7fd6552eb57786b84e0 |
| SHA256 | 342a459c8562e63d1d25484712f6b13c3e812564c16f0275883f8d15d45c0458 |
| SHA512 | 49375694ac041374ec1267676bf877944e060f629d856546b24960a7a9173c98e5af61503cfdd59788ca555062bb45a84b97224952cd9480260f7d2194b9635d |
memory/2248-76-0x000000013F600000-0x000000013F954000-memory.dmp
\Windows\system\WEgYIkP.exe
| MD5 | 6e7d35b364f1319a56f54790bece7e5a |
| SHA1 | 2899f9873521991d8479668810e7ccdb1c00846d |
| SHA256 | 135a46cce1aebe159d74978f24332a4e448d24408c5f193e2e7da4052230eead |
| SHA512 | ddded9a78521e71796873e32aa558ae3c9ea3378407a4d92a1ca4cc3d3b0c44f7540fa81958d3311e76efd0f20e300eed0117f01298695d6667a3ad0647b320d |
C:\Windows\system\IXMwGSX.exe
| MD5 | 0fdee688fb3de7031ed889b3ddc7585f |
| SHA1 | cfc0b09c68a80be93a09dd3be2492a932b771b9e |
| SHA256 | f4c57253db8e812781cb7ac1be712599d77acf1be358e0f556cb08989b28e257 |
| SHA512 | 6d297ca34af83a35427b2b8ffcf7a634f80d3d83414ed5f0879fd6ac616982324ec5dbeab0fd57cb01386e09574fd0f86366518714034a48de4bf2a6b7c375de |
memory/836-126-0x000000013FF50000-0x00000001402A4000-memory.dmp
memory/2248-125-0x000000013F960000-0x000000013FCB4000-memory.dmp
memory/2248-124-0x000000013F410000-0x000000013F764000-memory.dmp
memory/2156-123-0x000000013F810000-0x000000013FB64000-memory.dmp
memory/1636-122-0x000000013F5B0000-0x000000013F904000-memory.dmp
memory/2248-121-0x000000013F5B0000-0x000000013F904000-memory.dmp
memory/2248-120-0x000000013F230000-0x000000013F584000-memory.dmp
memory/2392-119-0x000000013F800000-0x000000013FB54000-memory.dmp
memory/2420-118-0x000000013F090000-0x000000013F3E4000-memory.dmp
memory/2248-117-0x00000000024F0000-0x0000000002844000-memory.dmp
memory/2940-132-0x000000013FAB0000-0x000000013FE04000-memory.dmp
memory/1712-116-0x000000013F960000-0x000000013FCB4000-memory.dmp
memory/2248-115-0x000000013F2E0000-0x000000013F634000-memory.dmp
memory/1724-114-0x000000013F190000-0x000000013F4E4000-memory.dmp
C:\Windows\system\VpCZPyD.exe
| MD5 | 0f41fd8f5f3c20f6871e76615e7ee64a |
| SHA1 | 4f617a2fc9492973efd9d75ecffaf642a47a1aac |
| SHA256 | 23abdcccb4517432d57f8fbb12e4e9903978f09827b784a33c7620b0704c368a |
| SHA512 | 73c1574094b2bc8fe98ddd6d4a426b8de68b3c59de69a6186f8c16aad3061d6dadc0afbde8a631648ae3c75780b3471ba8f566988e22e33513408e3c5a882695 |
memory/2484-110-0x000000013F410000-0x000000013F764000-memory.dmp
C:\Windows\system\qsarLDS.exe
| MD5 | 32f48e96c7b4eda0f73a6d50063f081e |
| SHA1 | 9f623b5690e3750c45785c12e734f1fc0124593b |
| SHA256 | 68cbcc0ff548e8b074fb33b54ba9bcfd7f3a762d9e1ab1ee98fd857bef507e19 |
| SHA512 | 3b8650ec0fcc77a397a82debda8c0b3ab403623a379cf69ba30672f5fe7decd7c3689c87d43cf3644b42b297e44d9597a4ff943d262a00d5cd0bc4252ffbdaff |
memory/2604-108-0x000000013F600000-0x000000013F954000-memory.dmp
memory/2248-56-0x000000013FEA0000-0x00000001401F4000-memory.dmp
C:\Windows\system\GxUFVvx.exe
| MD5 | 5ab4899127bf72f25886c832ba63ce37 |
| SHA1 | 6e39866f7a59dc33cc4e9c0ad90f889315a5f67a |
| SHA256 | 59f3b97a006b1e80b709c1778a13a9bcf7a615bdf3e15f4294d5e9f593dca7a7 |
| SHA512 | ec7beb7d3b11de9af7845fc93b02096176665d373cf6bb463a4cc649a9000b1d8fec80df3d27965ef82a39c82e63ead14a6b680e447e054ec78cba56f427995a |
C:\Windows\system\fyqnKTN.exe
| MD5 | 4b4ad39a03e4d795ed7a9836ad3b9032 |
| SHA1 | 5f19014623061bc6ad4229efe5f543f6336ae64c |
| SHA256 | 7893aa121a0c9aac22803bdcd9d5593f2f20c233a556a7bed3af3fa1ce4a129d |
| SHA512 | 4b8f5ded45e853e74a5a207c29f929f3e93a801f98ab3f3ebe3e845fb7e3e37cb51df8bc6d187d1671982a1dfdf20a00f56bddd80113af90c7ec0d3e8b661c14 |
C:\Windows\system\KOsURqk.exe
| MD5 | 13f6c687bfe96f23b9a954ee9b23a0bc |
| SHA1 | 3e533973c306bb6f5d978fb3a265de8b494517ab |
| SHA256 | 47243ae985b9fd47d1dde5b3a737ee684aedbb7f056f8dfcb077ecc77a7c561a |
| SHA512 | 6ed7aafcad12f2fb60869b2b8e29a3e0c990e7c92f224f616852292744616c335fb65d3c66e79c97cde9f48a257ee6c8eabd7a38da90292c4e02719deb9fb3aa |
C:\Windows\system\WyReCqB.exe
| MD5 | 61ce43e3431058c919f7d3034f22d7d6 |
| SHA1 | c5338737111dffc7be51059652b03b5c8dbbcede |
| SHA256 | a1cfdb2d626cc6f765769949d14f3f40ef948da407ace77cf96ed53c63b38b12 |
| SHA512 | d855ce8920664848a78b376b697aa9a16ab839b166f035136435663bda3f63bd5b56ad8937fb849a6af312994057ebe549eb37e016d4a782f148c91f54e8254a |
\Windows\system\GxUFVvx.exe
| MD5 | 245025aee6dd8e352f1947871977f66b |
| SHA1 | 294fa3a83b0bb00c918d7a0b5d8ca7bed3c24948 |
| SHA256 | 41b3ac7143fe9071702417c2703d358d82cccfd59484f32c5606654d4e089c2c |
| SHA512 | 454aeb023a977c01ecafa3cf1eae31d52298f30cf26c751fccfc0d16e8e23bebb2cb8ba7f7a589d68ebf5711558f4e8eaf940e6fb6e0aa1511821aef9391db44 |
C:\Windows\system\IAMduhO.exe
| MD5 | 21c8b8727e5a564bc6d4759abee5fa36 |
| SHA1 | d51139a03e5af66ef3a5459e71b10de3b4c62366 |
| SHA256 | d51397c1547faf53277f4ca24337a80c8b139859aa0cd22769ae4f379eaf3ef1 |
| SHA512 | da6bff63afe8c1d458389dad34c4a1ca5c8a326cdf7e56013cf72af9fbc968e8ddfd68d299d354f80125183178d67a04ff053d8e03ecdec994f5f7d37e984f96 |
memory/2248-36-0x000000013F810000-0x000000013FB64000-memory.dmp
\Windows\system\WyReCqB.exe
| MD5 | b3b377556cd207ff64bff468421fdbfb |
| SHA1 | 50fff6f8821c91e2669e2ae7cfa25cc22802fa6b |
| SHA256 | 5246fb7502c3ad62b55c19be7d20e4dc8167ae36f0e9e5b293c4f81310d95efe |
| SHA512 | 0c5b578eff6c4edd06795a44064c542b41f6101d468b709743be8a5e80c80c8a12a781cfdd8acc8a56747bf12e727c4eda4009db65c9bfaa0c5ae40ca84ea8a6 |
C:\Windows\system\xrPTFuI.exe
| MD5 | 8ef060d20912971e1ca2a64098f2a477 |
| SHA1 | 07d78539d89f98e4c566a6651da1c6facba3a477 |
| SHA256 | 05d08e6205b23f5e2cb594cdba47c1014e2ada67ff02efa3259035020b586997 |
| SHA512 | d432c4528e5f2216abd4a7bde411ebd134fdedff3d02e5e42ee5584d7046f06b630a98bc614116fdacdce5ad238ad2c30bb1271ad55ec17085a8aa00dbbf417d |
memory/2248-27-0x000000013F1C0000-0x000000013F514000-memory.dmp
memory/2540-26-0x000000013F5E0000-0x000000013F934000-memory.dmp
memory/2940-19-0x000000013FAB0000-0x000000013FE04000-memory.dmp
memory/2248-137-0x000000013F090000-0x000000013F3E4000-memory.dmp
memory/2588-138-0x000000013F0E0000-0x000000013F434000-memory.dmp
memory/2940-140-0x000000013FAB0000-0x000000013FE04000-memory.dmp
memory/2540-139-0x000000013F5E0000-0x000000013F934000-memory.dmp
memory/2748-141-0x000000013F1C0000-0x000000013F514000-memory.dmp
memory/2156-142-0x000000013F810000-0x000000013FB64000-memory.dmp
memory/1724-144-0x000000013F190000-0x000000013F4E4000-memory.dmp
memory/1712-146-0x000000013F960000-0x000000013FCB4000-memory.dmp
memory/2420-147-0x000000013F090000-0x000000013F3E4000-memory.dmp
memory/2484-145-0x000000013F410000-0x000000013F764000-memory.dmp
memory/2604-143-0x000000013F600000-0x000000013F954000-memory.dmp
memory/836-150-0x000000013FF50000-0x00000001402A4000-memory.dmp
memory/1636-149-0x000000013F5B0000-0x000000013F904000-memory.dmp
memory/2392-148-0x000000013F800000-0x000000013FB54000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-29 23:41
Reported
2024-05-29 23:44
Platform
win10v2004-20240226-en
Max time kernel
142s
Max time network
149s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-29_0996a57566f58de0a621e6f615273317_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-29_0996a57566f58de0a621e6f615273317_cobalt-strike_cobaltstrike.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4036 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 13.107.246.64:443 | | tcp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 123.10.44.20.in-addr.arpa | udp |
Files
memory/3352-0-0x00007FF7B4970000-0x00007FF7B4CC4000-memory.dmp
memory/3352-1-0x00007FF7B4970000-0x00007FF7B4CC4000-memory.dmp