Analysis Overview
SHA256
4c6bac6bb293ae4cf30ff726c3c6e4dab7d03424556aea3b55299366a97a5b50
Threat Level: Known bad
The file 2024-05-30_438aa3501acba3f61aa4a250a2a5a9aa_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
Cobaltstrike
Xmrig family
Cobalt Strike reflective loader
xmrig
XMRig Miner payload
Detects Reflective DLL injection artifacts
XMRig Miner payload
UPX dump on OEP (original entry point)
UPX packed file
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-30 00:49
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-30 00:49
Reported
2024-05-30 00:51
Platform
win7-20240221-en
Max time kernel
137s
Max time network
151s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\qNgswbG.exe | N/A |
| N/A | N/A | C:\Windows\System\HFYRpZT.exe | N/A |
| N/A | N/A | C:\Windows\System\bOvgRNW.exe | N/A |
| N/A | N/A | C:\Windows\System\dMPrlEu.exe | N/A |
| N/A | N/A | C:\Windows\System\WbzKfhz.exe | N/A |
| N/A | N/A | C:\Windows\System\QzzbOEn.exe | N/A |
| N/A | N/A | C:\Windows\System\AnzCByP.exe | N/A |
| N/A | N/A | C:\Windows\System\kwEmQuS.exe | N/A |
| N/A | N/A | C:\Windows\System\qXgaWfv.exe | N/A |
| N/A | N/A | C:\Windows\System\YmKsrcB.exe | N/A |
| N/A | N/A | C:\Windows\System\OVRNFMd.exe | N/A |
| N/A | N/A | C:\Windows\System\iaGMgcG.exe | N/A |
| N/A | N/A | C:\Windows\System\TTQDuQA.exe | N/A |
| N/A | N/A | C:\Windows\System\wNRZBZh.exe | N/A |
| N/A | N/A | C:\Windows\System\dIzaTEC.exe | N/A |
| N/A | N/A | C:\Windows\System\Nixmvke.exe | N/A |
| N/A | N/A | C:\Windows\System\ivkOVAO.exe | N/A |
| N/A | N/A | C:\Windows\System\YRlNbqE.exe | N/A |
| N/A | N/A | C:\Windows\System\GLCNcei.exe | N/A |
| N/A | N/A | C:\Windows\System\JYBbjDk.exe | N/A |
| N/A | N/A | C:\Windows\System\DaSJiGi.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_438aa3501acba3f61aa4a250a2a5a9aa_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_438aa3501acba3f61aa4a250a2a5a9aa_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-30_438aa3501acba3f61aa4a250a2a5a9aa_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-30_438aa3501acba3f61aa4a250a2a5a9aa_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\qNgswbG.exe
C:\Windows\System\qNgswbG.exe
C:\Windows\System\HFYRpZT.exe
C:\Windows\System\HFYRpZT.exe
C:\Windows\System\bOvgRNW.exe
C:\Windows\System\bOvgRNW.exe
C:\Windows\System\dMPrlEu.exe
C:\Windows\System\dMPrlEu.exe
C:\Windows\System\QzzbOEn.exe
C:\Windows\System\QzzbOEn.exe
C:\Windows\System\WbzKfhz.exe
C:\Windows\System\WbzKfhz.exe
C:\Windows\System\AnzCByP.exe
C:\Windows\System\AnzCByP.exe
C:\Windows\System\kwEmQuS.exe
C:\Windows\System\kwEmQuS.exe
C:\Windows\System\qXgaWfv.exe
C:\Windows\System\qXgaWfv.exe
C:\Windows\System\YmKsrcB.exe
C:\Windows\System\YmKsrcB.exe
C:\Windows\System\OVRNFMd.exe
C:\Windows\System\OVRNFMd.exe
C:\Windows\System\iaGMgcG.exe
C:\Windows\System\iaGMgcG.exe
C:\Windows\System\wNRZBZh.exe
C:\Windows\System\wNRZBZh.exe
C:\Windows\System\TTQDuQA.exe
C:\Windows\System\TTQDuQA.exe
C:\Windows\System\dIzaTEC.exe
C:\Windows\System\dIzaTEC.exe
C:\Windows\System\Nixmvke.exe
C:\Windows\System\Nixmvke.exe
C:\Windows\System\ivkOVAO.exe
C:\Windows\System\ivkOVAO.exe
C:\Windows\System\YRlNbqE.exe
C:\Windows\System\YRlNbqE.exe
C:\Windows\System\GLCNcei.exe
C:\Windows\System\GLCNcei.exe
C:\Windows\System\JYBbjDk.exe
C:\Windows\System\JYBbjDk.exe
C:\Windows\System\DaSJiGi.exe
C:\Windows\System\DaSJiGi.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
Files
memory/2096-2-0x000000013F070000-0x000000013F3C4000-memory.dmp
memory/2096-0-0x00000000000F0000-0x0000000000100000-memory.dmp
\Windows\system\qNgswbG.exe
| MD5 | 0ea7ed819f8f569e8dff0f9868f8db92 |
| SHA1 | e6aa595c3eca863e3bf6012a8ff433b48bcee29e |
| SHA256 | 24e6c2c48256c0a0c12c083b6172d3ed1f4c361a3164c1e58fa45078fae0c360 |
| SHA512 | 9ce75bc6dd0616bba8cc748b98dbdaf635a95e11c75dee8667359cdb3275435d118aecd67e029d98e9318522a6fba693a1dcafa2f376443d5d9da9677ab69404 |
memory/2096-8-0x000000013FB60000-0x000000013FEB4000-memory.dmp
memory/1996-9-0x000000013FB60000-0x000000013FEB4000-memory.dmp
\Windows\system\HFYRpZT.exe
| MD5 | b576a7ff96af6f2963587e905d23525d |
| SHA1 | 5aafca226ab565aea22f7d4f4d9f6a89f13bc86a |
| SHA256 | 4f2989b72ee0559c2b30f87bc8188c214b27f1b1be4e51cb30c3a63db7cae177 |
| SHA512 | ac5fe415122073bbe449b9f2de3bc3d4341ebd5054a8dc78df312ff97287bac50643a66bcd9bf4296d3f419d130152d842a468672d5c8bf41b27e91bee64b4fb |
memory/2840-14-0x000000013FB30000-0x000000013FE84000-memory.dmp
C:\Windows\system\bOvgRNW.exe
| MD5 | 1ae6ae36b250ddde96af149512f40c00 |
| SHA1 | be02366723e7fede67570c244b9096c1c64d5cd0 |
| SHA256 | f313c9a4a513a2210c612f2c193e1e3f03a6750f44243bf95a4b8e2dc9067c71 |
| SHA512 | 0e4e7027a45851e03b261a5467ddc966f4332f1270a6cbb95e5fa7f63967ea9f34fdcfd7b084572b36daddc17bb9b491a2a924fb0b387e2e6891b7899c376e8c |
C:\Windows\system\dMPrlEu.exe
| MD5 | 76152dc939edb2822ec9cec3c31d06a6 |
| SHA1 | 97f04a5de15616f31b8e60ccce87420e2d8a8546 |
| SHA256 | af1c21e5e1cf628f16843ccb015b4fd549d00e9121fd150ab1863d6000fd37b5 |
| SHA512 | 48b719b6f8f58e5963765c3af6c6b8b6f6e44a038853fed91657d1b0030116cc9ec50aa7089a14edef90d4a61ff49de2f5cdbc98657713e1b3a885aef3f4fcc0 |
memory/2096-27-0x000000013FED0000-0x0000000140224000-memory.dmp
memory/2644-30-0x000000013FED0000-0x0000000140224000-memory.dmp
C:\Windows\system\QzzbOEn.exe
| MD5 | 7b329e0d34139d8c055bc1b5d90271a6 |
| SHA1 | 756dcaa110dcb7bae804451063ebde031ee481b0 |
| SHA256 | b02b8f33b3481e76bb9eadb69e9863de172a4a82889d1614754727a7c755f20d |
| SHA512 | ab99ee03aeef2a309ee0df5920a787d9e901443d22af80a68eb73ba1555c629e97192b7513faa0cf35851df46ec10f1ee84a74bdc1024c4ef54b01fa353f7735 |
memory/2568-41-0x000000013F8D0000-0x000000013FC24000-memory.dmp
memory/2592-42-0x000000013F800000-0x000000013FB54000-memory.dmp
memory/2096-39-0x000000013FB60000-0x000000013FEB4000-memory.dmp
memory/2096-36-0x000000013F070000-0x000000013F3C4000-memory.dmp
C:\Windows\system\WbzKfhz.exe
| MD5 | 380c2970f75f86fabe4c4a7f608ccca4 |
| SHA1 | c470b5aebc1b0e35e7558f87e25a3fc5db49e7e0 |
| SHA256 | 0745d353eefcb341ca41300b7b8fafd921112f7a38e4e56acb056a49088a9165 |
| SHA512 | b9f236c4afc503b82eca17fc2bcef0caab6ca4036857747175a57c4d661edccce0b524d39f1a4c18e92d6ab880a2dc0699b4e65233807fb94f9ea64185bcfb77 |
memory/2576-21-0x000000013F830000-0x000000013FB84000-memory.dmp
\Windows\system\AnzCByP.exe
| MD5 | b27b1e4c1e761060085a65158749c71c |
| SHA1 | 81842fb1ccc15b55928ac1b12d54d4ea6ed2fd34 |
| SHA256 | 98eac336d78c8c702c8dacbd3b7ee0bfdac5b6ac16f92d4972d376245178509b |
| SHA512 | f5752e85f487deecb1914cbf552f4f629e13a5037b8453d23d9cb1eb36d644b170e8b1acc10d4b7b414df50909b2b1a4a0c8cd86870eaa301ae2e2be19d65121 |
memory/2096-48-0x000000013FB30000-0x000000013FE84000-memory.dmp
memory/2664-49-0x000000013F9A0000-0x000000013FCF4000-memory.dmp
C:\Windows\system\kwEmQuS.exe
| MD5 | d8e352269bd8504fa1e9e2499ad5cd94 |
| SHA1 | 4e5baf10b3eb621ea7f6676387d39c2d272fe956 |
| SHA256 | bb36956a61b595423efc22f826bb5182ec87baeb3821c80aceda82120412e3d5 |
| SHA512 | 1af3ee1c857e586a5631207716c097a753df3aa251bf47356c539390b4562ab35892fbd104d4d4d88a172f6e8ed56ba07f5e7b521d538fa427bbaaad29fbcd83 |
memory/2004-56-0x000000013F0A0000-0x000000013F3F4000-memory.dmp
C:\Windows\system\qXgaWfv.exe
| MD5 | 357538f1da3de5cb205d3e82ee9b78cf |
| SHA1 | 1bd3732c47eb8d0c875ef02d1add879a6bcf8341 |
| SHA256 | 599df4e324207bfebc823f5eac09da02386a4a5648ada89593bdd85d837cd616 |
| SHA512 | a1379328f3c39288fb542251b1d4da390d0cb1cc8f9c9d1c5ca641e10146788f1b5feb0a11dafe23c14dff820942784d2d81115a93fe3574e8d2c3bc60ff7be0 |
memory/2096-54-0x00000000023E0000-0x0000000002734000-memory.dmp
memory/2480-64-0x000000013FCC0000-0x0000000140014000-memory.dmp
memory/2096-63-0x000000013FCC0000-0x0000000140014000-memory.dmp
memory/2840-61-0x000000013FB30000-0x000000013FE84000-memory.dmp
C:\Windows\system\YmKsrcB.exe
| MD5 | 0948a464b1c1ac91d5028a527a7b3c88 |
| SHA1 | bb3b8f3a39730697643bfda75037114fb9f77ae4 |
| SHA256 | 768792eacf42166f89866f4cc3f49bdeac096b8fd761501800ec29611e4ec86a |
| SHA512 | 50312ec48a2ff399de678320b124f7a4ce8703a701f4da9adaebe43a4e07afa9fa2993d6279356f9dbd19c0a0140dc1c3acfd7ef0b01e8fc3b2f91865abc6091 |
\Windows\system\OVRNFMd.exe
| MD5 | 31989ebf7c293da2d5c3b3b1fafee545 |
| SHA1 | 42e70fc7fd018f01348f466e9902bbcaa4d5a484 |
| SHA256 | 3bc2ffc2895b07a8123aba64f02a501f6d9b78dbb53d1294f6c0101dde6338cb |
| SHA512 | 59b0e4573eadfb70ca0abd08fb43ff863883fb63d4b1f008e767fe69247072144cc2a56eb63302b581e3879bfbddb512dc497be153f7d5aeab20a73b9b095fcb |
memory/2096-74-0x000000013F830000-0x000000013FB84000-memory.dmp
memory/2096-75-0x000000013FED0000-0x0000000140224000-memory.dmp
\Windows\system\dIzaTEC.exe
| MD5 | df82d072503647e6eaac915df1ea7377 |
| SHA1 | de44ef8dd0f72ed02a50d06fa1f8123d45b4baa7 |
| SHA256 | 6c610e6ebaad5a974cb0849ee48cdb7a7fccea34dc46b14c25b7b6dd98165621 |
| SHA512 | fdf04ba3c42b1d915f91c193767731475d21068340c1196fbd5a972cc0e18d395713fd68063c73fb89e055a063e17675f0cbd87e80d235324983b6ce7edd9ff5 |
memory/2096-106-0x00000000023E0000-0x0000000002734000-memory.dmp
C:\Windows\system\GLCNcei.exe
| MD5 | aaa633cfb776fd4f7bf9c8bdbb1e397b |
| SHA1 | d85f237e15e684442499e640c4419f55176d40a4 |
| SHA256 | 800a80d75c50f03ef0971766ec42d826ad6a4e9b94ccc28fad77d3cf789ebf6a |
| SHA512 | d5d8ebc7090686f73f761d33621c32203070d47ad8760abc27ddf4dcc201a20eaa912e34af1df6eabf9da6b68abe794c5e63b7b5e7d91354d52bb1ff6c15cf1a |
\Windows\system\DaSJiGi.exe
| MD5 | 8126c88f32e76c68a1b17acbed48a829 |
| SHA1 | 35155393514391c0f0ecb883348afdb0b1e6a878 |
| SHA256 | 7a674d664a92e931bb1a4cb586da999d5e8f4ec050779973ed6347703713171a |
| SHA512 | 89317dc0c00cc368bd75d95eaa3d5b4b1ed1cbf9b696b8d4940530b862629169266791551d0a281f7769c19fc8f9635e13d217218b0613b001b3e5105c0dfd8a |
C:\Windows\system\JYBbjDk.exe
| MD5 | 33552f9a703b30195d0213b713da5789 |
| SHA1 | 0b01cfdd0c1f40d6192b991065f5eaa793266b72 |
| SHA256 | cee027604232f52212e2e8742a65319fe2d27021437504ebf1e3f6d1bede0461 |
| SHA512 | e96338b3adae526fce81cf7f9c00ed04da6ce5da031de0acc8e0f098d15e3cbfdd49b215b5d2bf443296c1e8fdc3ff901474e55556220b240a5ebbf3bb65ba3a |
C:\Windows\system\YRlNbqE.exe
| MD5 | fec76f86a17483810f2ac9c4bc1ef72d |
| SHA1 | 46cdcb5f7ec72a3654c628c1844d7a6480dfe294 |
| SHA256 | a8c3664b12d73b54093dfc1cf2ef3b0a038f35f496cff47c8c8e3ee2c05b6f7f |
| SHA512 | e5d93010b56653e038be4cf8049f6f0f8fa28403230598175995d7a22fbbdca166f96edd5a10331abfe7c5a13235a97cde0945bfab1a3a6de63c8e9a0b9d28b1 |
C:\Windows\system\ivkOVAO.exe
| MD5 | 7103476f4216c4a92b772971abbd13a8 |
| SHA1 | cc3d8c5ad5843da266c7056160ffd83d0a8dfabd |
| SHA256 | 8e57b2b18e4ad07300e94700503e5c3d84e370e7d3efe8a596fa0cdc5e7e74f4 |
| SHA512 | cb0ab18f12bf1219ca9eba488170c8dce10da04c7b2c49ea59b2bfd35b95929c78c3d6b9e8e08b0a475ac5b80e46bc03ac94ef1134c9f51ae0fd52f721f58b61 |
memory/2096-111-0x000000013FC80000-0x000000013FFD4000-memory.dmp
C:\Windows\system\Nixmvke.exe
| MD5 | 888db3e10b13790ab52ed236bd7ae1df |
| SHA1 | ac08413763f9de64b09354e0df15f94ce1ce2493 |
| SHA256 | 8c4bbdc1311fabf98211832f4f80e949918a0cc5baa2afc0d3a0a23f37bc8d5a |
| SHA512 | b653b95845897fa5c39d0b4fea6242da2926dfc1c36443ff12d8267679fbd292561251db34c1458ed221b59531bd58750edc129ca9d4fbfb78c7421af324abec |
C:\Windows\system\wNRZBZh.exe
| MD5 | 6cbb35d151e0f17a00537ff30a495cbe |
| SHA1 | 67cfa3e30dae6826e6c65f072b9498ff776d597f |
| SHA256 | 31eceb6b7e21bc24cb5a7c96d0a504da0a904224cc071611c6dfdd03c3913d4a |
| SHA512 | d2215fdec164affe99d1d145c1cd0070693b4f4a4c2785e4a5c2d445065ce222fb7b6bcb63eda2cb01c4393de35261ff3c17b9c431651f5d0bb2ef3e29c73ab2 |
memory/2740-101-0x000000013FAE0000-0x000000013FE34000-memory.dmp
memory/2096-98-0x000000013FAE0000-0x000000013FE34000-memory.dmp
memory/2096-95-0x00000000023E0000-0x0000000002734000-memory.dmp
memory/1632-93-0x000000013F490000-0x000000013F7E4000-memory.dmp
memory/2096-92-0x000000013F490000-0x000000013F7E4000-memory.dmp
C:\Windows\system\TTQDuQA.exe
| MD5 | c1020988c2c31a753048abebb7bcb615 |
| SHA1 | 11516fe64174b1c35d4280988f3ede9429e88fc3 |
| SHA256 | 2b38b9d6b4d9d54671abdf2879317b52275e5c7f075f1833974367a11c4ee14c |
| SHA512 | ab9eb6bd9f8ae270bdb40b8f7ef7b1ad4e18f50628ba5971bcf3060381e2f81da4747b9a307179221cbd60bc7e2cd3d4f1bbedbd5707d2315658dd630438e750 |
memory/1300-84-0x000000013F9D0000-0x000000013FD24000-memory.dmp
memory/2608-83-0x000000013F210000-0x000000013F564000-memory.dmp
memory/2096-80-0x00000000023E0000-0x0000000002734000-memory.dmp
C:\Windows\system\iaGMgcG.exe
| MD5 | e7c8270c2b1bb8e02341029514741812 |
| SHA1 | 6d9f3b51605b1540a51e2b1920357819e551b48b |
| SHA256 | 6c4a94737be2067366872faadc626e062031f5d942dcc4b675c8af2deaf67523 |
| SHA512 | 9fe091bff62de88e835e4a7e74e70fed6579fa9d6e084a1ab954619286437886d84f1721cd1d1b49eac6a9b3729bba9a61629b07994452c5691fb8b499e63db4 |
memory/2004-137-0x000000013F0A0000-0x000000013F3F4000-memory.dmp
memory/2096-136-0x00000000023E0000-0x0000000002734000-memory.dmp
memory/2096-138-0x000000013FCC0000-0x0000000140014000-memory.dmp
memory/2096-139-0x000000013F490000-0x000000013F7E4000-memory.dmp
memory/2096-140-0x000000013FAE0000-0x000000013FE34000-memory.dmp
memory/1996-141-0x000000013FB60000-0x000000013FEB4000-memory.dmp
memory/2840-142-0x000000013FB30000-0x000000013FE84000-memory.dmp
memory/2576-143-0x000000013F830000-0x000000013FB84000-memory.dmp
memory/2644-144-0x000000013FED0000-0x0000000140224000-memory.dmp
memory/2568-146-0x000000013F8D0000-0x000000013FC24000-memory.dmp
memory/2592-145-0x000000013F800000-0x000000013FB54000-memory.dmp
memory/2664-147-0x000000013F9A0000-0x000000013FCF4000-memory.dmp
memory/2004-148-0x000000013F0A0000-0x000000013F3F4000-memory.dmp
memory/2480-149-0x000000013FCC0000-0x0000000140014000-memory.dmp
memory/2608-150-0x000000013F210000-0x000000013F564000-memory.dmp
memory/1632-152-0x000000013F490000-0x000000013F7E4000-memory.dmp
memory/1300-151-0x000000013F9D0000-0x000000013FD24000-memory.dmp
memory/2740-153-0x000000013FAE0000-0x000000013FE34000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-30 00:49
Reported
2024-05-30 00:51
Platform
win10v2004-20240508-en
Max time kernel
133s
Max time network
153s
Command Line
Signatures
xmrig
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-30_438aa3501acba3f61aa4a250a2a5a9aa_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-30_438aa3501acba3f61aa4a250a2a5a9aa_cobalt-strike_cobaltstrike.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 2.17.107.105:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| BE | 2.17.107.105:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
memory/3012-0-0x00007FF7FD1E0000-0x00007FF7FD534000-memory.dmp