Analysis Overview
SHA256
6f9e38ff507e0b72d1c6c856e5c3779801ea0ba1bf183a3a6192b7c09d530816
Threat Level: Known bad
The file 2024-05-30_7862873bedd0879be7a2b74969495d1f_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
XMRig Miner payload
Xmrig family
xmrig
Cobaltstrike
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
Cobalt Strike reflective loader
Cobaltstrike family
UPX dump on OEP (original entry point)
Detects Reflective DLL injection artifacts
XMRig Miner payload
Loads dropped DLL
UPX packed file
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-30 00:54
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-30 00:54
Reported
2024-05-30 00:57
Platform
win7-20240419-en
Max time kernel
145s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System\YzIaXZe.exe | N/A |
| N/A | N/A | C:\Windows\System\NotGqIn.exe | N/A |
| N/A | N/A | C:\Windows\System\lHBOqgw.exe | N/A |
| N/A | N/A | C:\Windows\System\nTsAvpS.exe | N/A |
| N/A | N/A | C:\Windows\System\UzOTJny.exe | N/A |
| N/A | N/A | C:\Windows\System\qLnSXOp.exe | N/A |
| N/A | N/A | C:\Windows\System\WYQgCmh.exe | N/A |
| N/A | N/A | C:\Windows\System\jooFTRE.exe | N/A |
| N/A | N/A | C:\Windows\System\VloiCoR.exe | N/A |
| N/A | N/A | C:\Windows\System\fYpBsNj.exe | N/A |
| N/A | N/A | C:\Windows\System\kYakmIb.exe | N/A |
| N/A | N/A | C:\Windows\System\avpLwgc.exe | N/A |
| N/A | N/A | C:\Windows\System\ucZTSFm.exe | N/A |
| N/A | N/A | C:\Windows\System\hwwmfvg.exe | N/A |
| N/A | N/A | C:\Windows\System\ZtZENVv.exe | N/A |
| N/A | N/A | C:\Windows\System\ZtOZPWQ.exe | N/A |
| N/A | N/A | C:\Windows\System\VJgXaZl.exe | N/A |
| N/A | N/A | C:\Windows\System\VCKDmBQ.exe | N/A |
| N/A | N/A | C:\Windows\System\ddISbeK.exe | N/A |
| N/A | N/A | C:\Windows\System\HAQfUhT.exe | N/A |
| N/A | N/A | C:\Windows\System\lVARDNu.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_7862873bedd0879be7a2b74969495d1f_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_7862873bedd0879be7a2b74969495d1f_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-30_7862873bedd0879be7a2b74969495d1f_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-30_7862873bedd0879be7a2b74969495d1f_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\YzIaXZe.exe
C:\Windows\System\YzIaXZe.exe
C:\Windows\System\NotGqIn.exe
C:\Windows\System\NotGqIn.exe
C:\Windows\System\lHBOqgw.exe
C:\Windows\System\lHBOqgw.exe
C:\Windows\System\nTsAvpS.exe
C:\Windows\System\nTsAvpS.exe
C:\Windows\System\UzOTJny.exe
C:\Windows\System\UzOTJny.exe
C:\Windows\System\qLnSXOp.exe
C:\Windows\System\qLnSXOp.exe
C:\Windows\System\WYQgCmh.exe
C:\Windows\System\WYQgCmh.exe
C:\Windows\System\jooFTRE.exe
C:\Windows\System\jooFTRE.exe
C:\Windows\System\VloiCoR.exe
C:\Windows\System\VloiCoR.exe
C:\Windows\System\fYpBsNj.exe
C:\Windows\System\fYpBsNj.exe
C:\Windows\System\kYakmIb.exe
C:\Windows\System\kYakmIb.exe
C:\Windows\System\avpLwgc.exe
C:\Windows\System\avpLwgc.exe
C:\Windows\System\ucZTSFm.exe
C:\Windows\System\ucZTSFm.exe
C:\Windows\System\hwwmfvg.exe
C:\Windows\System\hwwmfvg.exe
C:\Windows\System\ZtZENVv.exe
C:\Windows\System\ZtZENVv.exe
C:\Windows\System\ZtOZPWQ.exe
C:\Windows\System\ZtOZPWQ.exe
C:\Windows\System\VJgXaZl.exe
C:\Windows\System\VJgXaZl.exe
C:\Windows\System\VCKDmBQ.exe
C:\Windows\System\VCKDmBQ.exe
C:\Windows\System\ddISbeK.exe
C:\Windows\System\ddISbeK.exe
C:\Windows\System\HAQfUhT.exe
C:\Windows\System\HAQfUhT.exe
C:\Windows\System\lVARDNu.exe
C:\Windows\System\lVARDNu.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1200-0-0x000000013F080000-0x000000013F3D4000-memory.dmp
memory/1200-1-0x00000000001F0000-0x0000000000200000-memory.dmp
\Windows\system\YzIaXZe.exe
| MD5 | 899cc3c72b117b85063c723bdd871be1 |
| SHA1 | 1eff1755f40cfb9c7e11a4eb94e91ff8f266f8b5 |
| SHA256 | 7a501210873c5a23fbdee6aa76f7c9ee8aa90277be52e335b6962a8f61e39f57 |
| SHA512 | 6a07042573c06ad9c0029ae5d4de12290c6d0ce92985ec4984ba9eb690449c5f163d378982409a84f61d49f538babaceba7068d32980c2933de486f2c7fdede6 |
C:\Windows\system\NotGqIn.exe
| MD5 | e8c8bb607d84f3f06500f6cbdaba20fa |
| SHA1 | c7b289461be7b6956842697dd579f2384de23d83 |
| SHA256 | 5cb615973bb940076b9255d364c31206ae0f542b0aa62e271af85291ba9a18de |
| SHA512 | e61eac8c45c8d7b9a4aad146cde41fc53dcaf5986579e73acc8006814d6234d7a80f3bad3b01285c3c061061206c107e5e05e4bb2efd4473a94f980c361baeaa |
memory/2320-16-0x000000013F5F0000-0x000000013F944000-memory.dmp
memory/2876-14-0x000000013FBF0000-0x000000013FF44000-memory.dmp
memory/1200-12-0x000000013F5F0000-0x000000013F944000-memory.dmp
memory/1200-10-0x000000013FBF0000-0x000000013FF44000-memory.dmp
C:\Windows\system\lHBOqgw.exe
| MD5 | a560239f4733b58294839d09a10b0458 |
| SHA1 | 2c7400dc2045374aa170c0e3c6f0732756d72238 |
| SHA256 | bb54c151d4ea2aad2f1802789b76bda05154f4e733eca2c36294017b7331eaa1 |
| SHA512 | 125ab6a81414ab71a8f40f0cba81db3d50c71033093358b6c5b3759a7816a47b50ad3aaf33331d457e46b1ef9944758a8bacc22e3d2394c6a2c05c47eefcf5ff |
memory/2616-23-0x000000013FF20000-0x0000000140274000-memory.dmp
memory/1200-22-0x000000013FF20000-0x0000000140274000-memory.dmp
C:\Windows\system\nTsAvpS.exe
| MD5 | 2a339bdaa87483a58cdebd625b9320b5 |
| SHA1 | 487316b12a52cc73fe11eac30e9fe727147539ff |
| SHA256 | 0516f0cd73fc4a02928d42f3c7689589994345657e4bff797c6d3716619f9981 |
| SHA512 | e082e31c4d43b50a37e121eeb0ef1248aae193cc4ee8a4f8f599d3d1249a0072c7e7e0655ceb98e444044f5e8f222204a4491c05302271373f8eb1d72fba6a0f |
memory/2696-30-0x000000013FE20000-0x0000000140174000-memory.dmp
memory/1200-29-0x000000013FE20000-0x0000000140174000-memory.dmp
\Windows\system\qLnSXOp.exe
| MD5 | f2f80de2b31aa4fab1fe7323e2dd2f25 |
| SHA1 | 6b0fe497a9d48e8766e227d3e87a312983e5f6b3 |
| SHA256 | e5db836553393ebb094d70375e281aac94f46b00c1c1ea254bb3f355e1da4254 |
| SHA512 | 4cb6b6006d69a92c886a98890670ea91fd4d1253e3db707b8f2bdebd8a8067e036b885b2451aa568da10136bdb3214ee35d0b10639e023cdc8a051d771eb75c4 |
memory/2756-36-0x000000013F5D0000-0x000000013F924000-memory.dmp
memory/2604-43-0x000000013F760000-0x000000013FAB4000-memory.dmp
memory/1200-39-0x000000013F760000-0x000000013FAB4000-memory.dmp
\Windows\system\WYQgCmh.exe
| MD5 | a35ceb1115458648a50af03c7ecf02ea |
| SHA1 | 12e623c35d058829edf5680b94d1f259b547ec1d |
| SHA256 | ca6073863ee29a5a66ca8a5cf2f0e0847c8f965f09a63ade2028954598488ea2 |
| SHA512 | 5c96e0c5da4b71e50a06cfec382a56e86a0c874bf74f4e04ffe3d1e8a79094ea96ac343396cf1507c393a408cb59e8884a4e77a6d36c062d8c53b10105fe80b8 |
C:\Windows\system\UzOTJny.exe
| MD5 | 8e2f246caa5abfeaede6b78ae78ba5e8 |
| SHA1 | e4044e43853d967ddf521681ae05bb16654fd8a2 |
| SHA256 | d14fbfa041fcdee57a882aad4320db8d5cf4191e4a92750cb486e109be04458f |
| SHA512 | a6d4aa6b7277653dfdf301f681fe20d04898eb7eb2ccb7f3aa4087df9d07eeec18ecfd16bdae7b76bbc1082eef6c18e7eb393ed549338927e957dc451615cbc3 |
memory/1200-32-0x000000013F5D0000-0x000000013F924000-memory.dmp
memory/2512-52-0x000000013FBA0000-0x000000013FEF4000-memory.dmp
memory/1200-51-0x000000013F080000-0x000000013F3D4000-memory.dmp
memory/1200-46-0x000000013FBA0000-0x000000013FEF4000-memory.dmp
\Windows\system\jooFTRE.exe
| MD5 | 9aee22fcaf3ef964a5109a1574aa7b81 |
| SHA1 | 9ca3d07098d4b72757090cb9500ab70246073abf |
| SHA256 | dfa721095e946882960a5cb2bdacb4da97e6570f2fdfa2d1d0c111ba4e8ce1cd |
| SHA512 | 5a80d5fc125d7e90f9edb1531df8ca233f08c3d458db191309a4881d8f2281ff442403c891096a76847b070d9c09cf4a268959c7d93238f03f119606fee1c4b3 |
memory/2740-58-0x000000013F950000-0x000000013FCA4000-memory.dmp
memory/1200-57-0x000000013F950000-0x000000013FCA4000-memory.dmp
C:\Windows\system\VloiCoR.exe
| MD5 | 52023709900bc5668764fbf74ede6259 |
| SHA1 | 4000f860c23d5f12779c6f2a5e8249341f9a6917 |
| SHA256 | 5d3faa0953864a1e015c3ce4e0b92d487aa4a61f84ddee6f7e15929f0dc6c1c3 |
| SHA512 | 25f661bdc549b88a314b0c756335c308afb2f221e3bc96517edc75617f8c35cc846801a6fe7efe7d827655d4a7da381075acdfc538b6d0a5e9a6f71c6086ef26 |
memory/2504-65-0x000000013FB50000-0x000000013FEA4000-memory.dmp
memory/1200-62-0x000000013FB50000-0x000000013FEA4000-memory.dmp
memory/2320-61-0x000000013F5F0000-0x000000013F944000-memory.dmp
\Windows\system\fYpBsNj.exe
| MD5 | fe25d3fd2bf2413edeca9c690e5b3f30 |
| SHA1 | 16d08686ba8cf4578957c24e7cf0c6ac8060b737 |
| SHA256 | b5a4073bd25d344ca58c13fe082a66aef16bdae5ac96ae687cf641085cf6c686 |
| SHA512 | 64273e7ecc36058f7496e13f9876e73d69634efd4279328f21b25472b91d058be3a6119287635d92a13d61582ab25b4e64917e44d5a2504efaf928c0d1e90ac3 |
memory/2952-75-0x000000013F4B0000-0x000000013F804000-memory.dmp
memory/2756-73-0x000000013F5D0000-0x000000013F924000-memory.dmp
C:\Windows\system\kYakmIb.exe
| MD5 | 3559aa235e3b003406446e44bac810cf |
| SHA1 | ceb693f14bf0ad31ac35d0779da7ad51ee8309c2 |
| SHA256 | eb686e1da69a3354ded5cadab965f8404bf41f118ebc6c05156f38ba650697ef |
| SHA512 | 4d91edc0ca9085859f23accc3eb421b94d78cd81fb6529e205c53b73ee3efebc8caaa4d760081000662b65b8d90d365f8ad996634e3ac15b06ae2e4a0cc37479 |
\Windows\system\avpLwgc.exe
| MD5 | ecaf99640a881914f26777b78a2c2cd2 |
| SHA1 | ccbf1f859ca040525905d77d7508fc5536750b56 |
| SHA256 | 420e08d01c8261c7188dc1f9b0f065bb9ceb6de40c5f62b9ed86c74fc2658154 |
| SHA512 | 85f43f0fbb7749247897fe940b8399a725bab1de162eef56319ebb4ceed38727b8e3b7169c273bf55aaddd342f16459550b13919e60d3c2cb0cae102e7e1da3d |
memory/1200-84-0x000000013F3F0000-0x000000013F744000-memory.dmp
memory/2556-89-0x000000013F3F0000-0x000000013F744000-memory.dmp
memory/1200-99-0x000000013FB50000-0x000000013FEA4000-memory.dmp
\Windows\system\lVARDNu.exe
| MD5 | 437f84f7cf88fbfb78dc5ea9e895271f |
| SHA1 | b4e08db6c474d60b67138cd1d23a2ee2bbccad04 |
| SHA256 | 5fe901d81de6c9e107ccfacb94b523e91db000cee0b1b37104fd599a10eb1bce |
| SHA512 | 01d2d41b75ec21786398d4d770569ab5bfcfc3560d269879282ef7f4866eda6771728aaf6b9b1626d9fab1cfe837cf739f8637d73cd18de4a580aa8512b9a6d0 |
C:\Windows\system\HAQfUhT.exe
| MD5 | 61bf658173667bcae0217641d6911a44 |
| SHA1 | 5f003f74e216486e7b5eacf7eed7f0636f6e7f37 |
| SHA256 | 7c14a4198f8df95ccd3c3bf3f7f650107e0e76d2cc0d26e1d44c6cb4fd01fc30 |
| SHA512 | c957d4d2d3fc62b7109c3d81d9d008d8c56997a3ba384c9fe18f47b07ad8b57b3719b1f5ed01d2920619c37a091b94fde2cbc2a75f4ccc1514bc4abc4af323f0 |
C:\Windows\system\ddISbeK.exe
| MD5 | 0a35defa83e8b14effeca5820747d0a4 |
| SHA1 | 4fd98db910203ac1b98ba7daaea9c8b183db5556 |
| SHA256 | 532adf6400aecf4ef0fa47e0edfd68ee9371e3c26e0b3577bc6628362ca7e35f |
| SHA512 | d60a5fcc0bb3a05976dd0c8256b3b49d521bc9d60c97f91a2eb3e14750cc69c459d1a30b145a844b963ecdbab340fe0b16e0e35ad34648b39d4ba6a518a6a214 |
C:\Windows\system\VCKDmBQ.exe
| MD5 | ccd28baf2aac388800798a5f109b1d9f |
| SHA1 | 09a874b749e1b5d9ac705c218906e69b9783d992 |
| SHA256 | b0f4453d610e8edc6e5bb64a0fc477bed4efca82d0edb5d9180b11862c2c0cf7 |
| SHA512 | c24ebfe4e68b3f6ba278e5133f4b1e30dafdd168ff76f3b5eb032005232a4a168ea921eb9c8c19daeca6636c718395bb59cdd714b2fee3e54de5dd87efaffb10 |
C:\Windows\system\VJgXaZl.exe
| MD5 | c8e431723ee5b6870199a37f9ffc2706 |
| SHA1 | 871dc6d88e756e5848984a795e6637234007b655 |
| SHA256 | cfdcb2ff7cb4062d5a764261881bb15d84463b56e10450b5ef5bb558ba21c776 |
| SHA512 | 11e054346d06ef941a9d09468f6f92878b3e4e963aea7ad19edd2807f9cffce48774de8a900af4fd32e606a74d408fe81622e186b0e43963b34528809e29e115 |
C:\Windows\system\ZtOZPWQ.exe
| MD5 | 104217ba146342d9b00b2978f3d72c2f |
| SHA1 | 4f6a91fb7ecf6c0d12ba8861c2d86942a9be5acc |
| SHA256 | 40667ee20dc96c0b4258a5625db26575821c00f060d9ed2c06e6b7ba8a5bded3 |
| SHA512 | b038e920cf7140e8d25abe75ac37fd85d5f5c5d3d49a4271a2c87ee8b71c57ad76b74a60e8a160667cdcc3d4d500886c82b648443a37e40dae7342d583fa7ca6 |
C:\Windows\system\ZtZENVv.exe
| MD5 | e579c6c893ff47b7f6ec822365882616 |
| SHA1 | 4ddcf9179c8ef302a14b63c5b4843fd145ea3dc9 |
| SHA256 | 4d2a4394a138f62b806f99219d5bfa20e0ad690c6981e0d6e023516b4e46fa53 |
| SHA512 | 661a6b64299bd5f8c2d6b3b7c5da6c7324deb0f8c626e81418fd90a661dfd4208f44a5a75a693133783a18780dfa804423147a3a7fbffc3d0ea4b08c6c2572f6 |
memory/1200-108-0x000000013F4B0000-0x000000013F804000-memory.dmp
memory/2852-106-0x000000013F410000-0x000000013F764000-memory.dmp
memory/2504-105-0x000000013FB50000-0x000000013FEA4000-memory.dmp
C:\Windows\system\hwwmfvg.exe
| MD5 | a5700a144a111952c03b5a9808ce36d0 |
| SHA1 | 876919ad10754b75bd063cd6c80411fb4a5aa047 |
| SHA256 | d2f09392a08a395a1c5a3bd12e723ddcd63d561113743e31385366fcfbd9c72c |
| SHA512 | 4c1f1a29cc407cd685f7678df913cebdb1ba5742d58aa631b61340e94eafaaffa4ddf283395a58c93b64735f973a9ae8a908278acde2612cc97ab080f9ff4fe2 |
memory/1200-100-0x000000013F410000-0x000000013F764000-memory.dmp
memory/2812-95-0x000000013FBA0000-0x000000013FEF4000-memory.dmp
memory/2740-94-0x000000013F950000-0x000000013FCA4000-memory.dmp
memory/1200-93-0x000000013F950000-0x000000013FCA4000-memory.dmp
C:\Windows\system\ucZTSFm.exe
| MD5 | cc2e115dca38b004db07c6b116bed242 |
| SHA1 | 9805afd9ee2f1bfe0b27270596a17a080a066411 |
| SHA256 | 69d12501059a70143ad30b6870eed6bc789516da1921fab795e3734bb1922957 |
| SHA512 | cad48bd0511cad703951e582283014898e3b3a21a1085af77efdf99c4fa593667c5d9b290ee5faf4f03f46b68afb1bc1673e0b01d66abe0fe949bf1b0d7711c6 |
memory/2604-83-0x000000013F760000-0x000000013FAB4000-memory.dmp
memory/1896-81-0x000000013F170000-0x000000013F4C4000-memory.dmp
memory/1200-80-0x0000000002340000-0x0000000002694000-memory.dmp
memory/1200-71-0x000000013F4B0000-0x000000013F804000-memory.dmp
memory/2952-142-0x000000013F4B0000-0x000000013F804000-memory.dmp
memory/1200-143-0x0000000002340000-0x0000000002694000-memory.dmp
memory/1200-145-0x000000013F3F0000-0x000000013F744000-memory.dmp
memory/2812-146-0x000000013FBA0000-0x000000013FEF4000-memory.dmp
memory/1200-147-0x000000013F410000-0x000000013F764000-memory.dmp
memory/1200-148-0x0000000002340000-0x0000000002694000-memory.dmp
memory/2876-149-0x000000013FBF0000-0x000000013FF44000-memory.dmp
memory/2320-150-0x000000013F5F0000-0x000000013F944000-memory.dmp
memory/2616-151-0x000000013FF20000-0x0000000140274000-memory.dmp
memory/2696-152-0x000000013FE20000-0x0000000140174000-memory.dmp
memory/2756-153-0x000000013F5D0000-0x000000013F924000-memory.dmp
memory/2604-154-0x000000013F760000-0x000000013FAB4000-memory.dmp
memory/2512-155-0x000000013FBA0000-0x000000013FEF4000-memory.dmp
memory/2740-156-0x000000013F950000-0x000000013FCA4000-memory.dmp
memory/2504-157-0x000000013FB50000-0x000000013FEA4000-memory.dmp
memory/2952-158-0x000000013F4B0000-0x000000013F804000-memory.dmp
memory/2556-159-0x000000013F3F0000-0x000000013F744000-memory.dmp
memory/2812-160-0x000000013FBA0000-0x000000013FEF4000-memory.dmp
memory/2852-161-0x000000013F410000-0x000000013F764000-memory.dmp
memory/1896-162-0x000000013F170000-0x000000013F4C4000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-30 00:54
Reported
2024-05-30 00:57
Platform
win10v2004-20240508-en
Max time kernel
133s
Max time network
102s
Command Line
Signatures
xmrig
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-30_7862873bedd0879be7a2b74969495d1f_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-30_7862873bedd0879be7a2b74969495d1f_cobalt-strike_cobaltstrike.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
memory/2700-0-0x00007FF74D030000-0x00007FF74D384000-memory.dmp