Analysis Overview
SHA256
88d46dc0a05fd53639f0364ade97a26eaa60b76903d356ef502d04eeb7e45f33
Threat Level: Known bad
The file 2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
xmrig
Cobaltstrike family
Xmrig family
Detects Reflective DLL injection artifacts
XMRig Miner payload
UPX dump on OEP (original entry point)
Cobalt Strike reflective loader
Cobaltstrike
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-01 02:14
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 02:14
Reported
2024-06-01 02:17
Platform
win7-20240221-en
Max time kernel
141s
Max time network
146s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\gvjnVbh.exe | N/A |
| N/A | N/A | C:\Windows\System\APqvtHG.exe | N/A |
| N/A | N/A | C:\Windows\System\ZWhMfep.exe | N/A |
| N/A | N/A | C:\Windows\System\dkRQjWb.exe | N/A |
| N/A | N/A | C:\Windows\System\cGjKaNs.exe | N/A |
| N/A | N/A | C:\Windows\System\eLhmdlp.exe | N/A |
| N/A | N/A | C:\Windows\System\lcwOkXn.exe | N/A |
| N/A | N/A | C:\Windows\System\rqPoiOY.exe | N/A |
| N/A | N/A | C:\Windows\System\MfHZcwh.exe | N/A |
| N/A | N/A | C:\Windows\System\BtqvMmS.exe | N/A |
| N/A | N/A | C:\Windows\System\EqZgjeT.exe | N/A |
| N/A | N/A | C:\Windows\System\Dtdxano.exe | N/A |
| N/A | N/A | C:\Windows\System\RNohDUU.exe | N/A |
| N/A | N/A | C:\Windows\System\zzVklUU.exe | N/A |
| N/A | N/A | C:\Windows\System\skzrASG.exe | N/A |
| N/A | N/A | C:\Windows\System\UbPdmsr.exe | N/A |
| N/A | N/A | C:\Windows\System\wbfFIxV.exe | N/A |
| N/A | N/A | C:\Windows\System\qJbwtlw.exe | N/A |
| N/A | N/A | C:\Windows\System\Abotbqm.exe | N/A |
| N/A | N/A | C:\Windows\System\mggiSjD.exe | N/A |
| N/A | N/A | C:\Windows\System\xtqqwkX.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\gvjnVbh.exe
C:\Windows\System\gvjnVbh.exe
C:\Windows\System\APqvtHG.exe
C:\Windows\System\APqvtHG.exe
C:\Windows\System\ZWhMfep.exe
C:\Windows\System\ZWhMfep.exe
C:\Windows\System\dkRQjWb.exe
C:\Windows\System\dkRQjWb.exe
C:\Windows\System\cGjKaNs.exe
C:\Windows\System\cGjKaNs.exe
C:\Windows\System\eLhmdlp.exe
C:\Windows\System\eLhmdlp.exe
C:\Windows\System\lcwOkXn.exe
C:\Windows\System\lcwOkXn.exe
C:\Windows\System\rqPoiOY.exe
C:\Windows\System\rqPoiOY.exe
C:\Windows\System\MfHZcwh.exe
C:\Windows\System\MfHZcwh.exe
C:\Windows\System\BtqvMmS.exe
C:\Windows\System\BtqvMmS.exe
C:\Windows\System\EqZgjeT.exe
C:\Windows\System\EqZgjeT.exe
C:\Windows\System\Dtdxano.exe
C:\Windows\System\Dtdxano.exe
C:\Windows\System\RNohDUU.exe
C:\Windows\System\RNohDUU.exe
C:\Windows\System\zzVklUU.exe
C:\Windows\System\zzVklUU.exe
C:\Windows\System\skzrASG.exe
C:\Windows\System\skzrASG.exe
C:\Windows\System\UbPdmsr.exe
C:\Windows\System\UbPdmsr.exe
C:\Windows\System\wbfFIxV.exe
C:\Windows\System\wbfFIxV.exe
C:\Windows\System\qJbwtlw.exe
C:\Windows\System\qJbwtlw.exe
C:\Windows\System\Abotbqm.exe
C:\Windows\System\Abotbqm.exe
C:\Windows\System\mggiSjD.exe
C:\Windows\System\mggiSjD.exe
C:\Windows\System\xtqqwkX.exe
C:\Windows\System\xtqqwkX.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 02:14
Reported
2024-06-01 02:17
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
155s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\DZsGfGg.exe | N/A |
| N/A | N/A | C:\Windows\System\XIxTJeh.exe | N/A |
| N/A | N/A | C:\Windows\System\mIndfIL.exe | N/A |
| N/A | N/A | C:\Windows\System\UAiBRQC.exe | N/A |
| N/A | N/A | C:\Windows\System\tTGaUQX.exe | N/A |
| N/A | N/A | C:\Windows\System\CFnNnEW.exe | N/A |
| N/A | N/A | C:\Windows\System\DDUAZfj.exe | N/A |
| N/A | N/A | C:\Windows\System\ZFgUeJq.exe | N/A |
| N/A | N/A | C:\Windows\System\KKRrBqn.exe | N/A |
| N/A | N/A | C:\Windows\System\EnrLQXM.exe | N/A |
| N/A | N/A | C:\Windows\System\MupaMXk.exe | N/A |
| N/A | N/A | C:\Windows\System\uMzKODm.exe | N/A |
| N/A | N/A | C:\Windows\System\CMNLDPp.exe | N/A |
| N/A | N/A | C:\Windows\System\hAPjkWo.exe | N/A |
| N/A | N/A | C:\Windows\System\VdgKqAZ.exe | N/A |
| N/A | N/A | C:\Windows\System\nIWOJQm.exe | N/A |
| N/A | N/A | C:\Windows\System\BwrOVyo.exe | N/A |
| N/A | N/A | C:\Windows\System\nkSDGuA.exe | N/A |
| N/A | N/A | C:\Windows\System\QeZelYS.exe | N/A |
| N/A | N/A | C:\Windows\System\gqRjdSV.exe | N/A |
| N/A | N/A | C:\Windows\System\ZAkXitB.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-01_fda155143673621098f40cfd8d422f73_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\DZsGfGg.exe | C:\Windows\System\DZsGfGg.exe |
| C:\Windows\System\XIxTJeh.exe | C:\Windows\System\XIxTJeh.exe |
| C:\Windows\System\mIndfIL.exe | C:\Windows\System\mIndfIL.exe |
| C:\Windows\System\UAiBRQC.exe | C:\Windows\System\UAiBRQC.exe |
| C:\Windows\System\tTGaUQX.exe | C:\Windows\System\tTGaUQX.exe |
| C:\Windows\System\CFnNnEW.exe | C:\Windows\System\CFnNnEW.exe |
| C:\Windows\System\DDUAZfj.exe | C:\Windows\System\DDUAZfj.exe |
| C:\Windows\System\ZFgUeJq.exe | C:\Windows\System\ZFgUeJq.exe |
| C:\Windows\System\KKRrBqn.exe | C:\Windows\System\KKRrBqn.exe |
| C:\Windows\System\EnrLQXM.exe | C:\Windows\System\EnrLQXM.exe |
| C:\Windows\System\MupaMXk.exe | C:\Windows\System\MupaMXk.exe |
| C:\Windows\System\uMzKODm.exe | C:\Windows\System\uMzKODm.exe |
| C:\Windows\System\CMNLDPp.exe | C:\Windows\System\CMNLDPp.exe |
| C:\Windows\System\hAPjkWo.exe | C:\Windows\System\hAPjkWo.exe |
| C:\Windows\System\VdgKqAZ.exe | C:\Windows\System\VdgKqAZ.exe |
| C:\Windows\System\nIWOJQm.exe | C:\Windows\System\nIWOJQm.exe |
| C:\Windows\System\BwrOVyo.exe | C:\Windows\System\BwrOVyo.exe |
| C:\Windows\System\nkSDGuA.exe | C:\Windows\System\nkSDGuA.exe |
| C:\Windows\System\QeZelYS.exe | C:\Windows\System\QeZelYS.exe |
| C:\Windows\System\gqRjdSV.exe | C:\Windows\System\gqRjdSV.exe |
| C:\Windows\System\ZAkXitB.exe | C:\Windows\System\ZAkXitB.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 100.58.20.217.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 45.19.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files