Analysis Overview
SHA256
b00ea1c099fc08e40f2aad6b11d5222dfdea5b3313f4cf93525285fd45a6fea7
Threat Level: Known bad
The file 2024-06-01_fa94904e4e4856ed24dcea6e2147d242_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike
Xmrig family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
Cobaltstrike family
xmrig
XMRig Miner payload
Cobalt Strike reflective loader
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-01 15:53
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 15:53
Reported
2024-06-01 15:55
Platform
win10v2004-20240508-en
Max time kernel
146s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Process |
| C:\Windows\System\GesCPzL.exe |
| C:\Windows\System\IBAddnp.exe |
| C:\Windows\System\cWCvWmF.exe |
| C:\Windows\System\swImJBL.exe |
| C:\Windows\System\vtCmlql.exe |
| C:\Windows\System\GgKfWBx.exe |
| C:\Windows\System\qOmQxFA.exe |
| C:\Windows\System\sLsFBdu.exe |
| C:\Windows\System\uJRWgec.exe |
| C:\Windows\System\PPrNtwm.exe |
| C:\Windows\System\fJmWLfL.exe |
| C:\Windows\System\rNgHJRk.exe |
| C:\Windows\System\zLUFDmy.exe |
| C:\Windows\System\wOaoLNn.exe |
| C:\Windows\System\KFYTaWP.exe |
| C:\Windows\System\vrPXPfm.exe |
| C:\Windows\System\kCyrYpC.exe |
| C:\Windows\System\AwdbhWV.exe |
| C:\Windows\System\cGhydnw.exe |
| C:\Windows\System\bBgUoqs.exe |
| C:\Windows\System\PBepbFw.exe |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_fa94904e4e4856ed24dcea6e2147d242_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_fa94904e4e4856ed24dcea6e2147d242_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-01_fa94904e4e4856ed24dcea6e2147d242_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-01_fa94904e4e4856ed24dcea6e2147d242_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\GesCPzL.exe | C:\Windows\System\GesCPzL.exe |
| C:\Windows\System\IBAddnp.exe | C:\Windows\System\IBAddnp.exe |
| C:\Windows\System\cWCvWmF.exe | C:\Windows\System\cWCvWmF.exe |
| C:\Windows\System\swImJBL.exe | C:\Windows\System\swImJBL.exe |
| C:\Windows\System\vtCmlql.exe | C:\Windows\System\vtCmlql.exe |
| C:\Windows\System\GgKfWBx.exe | C:\Windows\System\GgKfWBx.exe |
| C:\Windows\System\qOmQxFA.exe | C:\Windows\System\qOmQxFA.exe |
| C:\Windows\System\sLsFBdu.exe | C:\Windows\System\sLsFBdu.exe |
| C:\Windows\System\uJRWgec.exe | C:\Windows\System\uJRWgec.exe |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3148,i,1697479186275492802,18058102846092193784,262144 --variations-seed-version --mojo-platform-channel-handle=4408 /prefetch:8 |
| C:\Windows\System\PPrNtwm.exe | C:\Windows\System\PPrNtwm.exe |
| C:\Windows\System\fJmWLfL.exe | C:\Windows\System\fJmWLfL.exe |
| C:\Windows\System\rNgHJRk.exe | C:\Windows\System\rNgHJRk.exe |
| C:\Windows\System\zLUFDmy.exe | C:\Windows\System\zLUFDmy.exe |
| C:\Windows\System\wOaoLNn.exe | C:\Windows\System\wOaoLNn.exe |
| C:\Windows\System\KFYTaWP.exe | C:\Windows\System\KFYTaWP.exe |
| C:\Windows\System\vrPXPfm.exe | C:\Windows\System\vrPXPfm.exe |
| C:\Windows\System\kCyrYpC.exe | C:\Windows\System\kCyrYpC.exe |
| C:\Windows\System\AwdbhWV.exe | C:\Windows\System\AwdbhWV.exe |
| C:\Windows\System\cGhydnw.exe | C:\Windows\System\cGhydnw.exe |
| C:\Windows\System\bBgUoqs.exe | C:\Windows\System\bBgUoqs.exe |
| C:\Windows\System\PBepbFw.exe | C:\Windows\System\PBepbFw.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.83.221.88.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 10.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.179.89.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
C:\Windows\System\GesCPzL.exe
| MD5 | cd48719a05025c25dcea65642e95148b |
| SHA1 | dbf8d369ce0f22c7202144bbca99e200938c0282 |
| SHA256 | 4bd9d894d724efaf212adcc10241f72915f4f98cc98da96156599fa2bb4441fd |
| SHA512 | b98718b2398b981a7e76d8c51f4a4ac96dcaf8aca36a5b7a6a1e5be2ff30e857e6c30db3e3dbc81104a937a6eb2ac8b230f52ab700e6f7ec1ae5dc508a0b15dc |
C:\Windows\System\cWCvWmF.exe
| MD5 | 549b5801ce8517b75dd9133c87f7b823 |
| SHA1 | c06d355de9df8f93534b7ee9cb24a27ec88e4164 |
| SHA256 | 80c631b8bb432a707c13eb6b39ba769999e5aeb85d225cfd9f925f04774ab90d |
| SHA512 | 502e3caeb7bf3191dc37bc0d0981e6f7b659fddbdd3a417b4ec602db3f32da63de6bc64af0ed329ac086a33a3f1a20f9b4c3c4262f3efcb41fa75c00aa549d6c |
C:\Windows\System\IBAddnp.exe
| MD5 | 4a69bf0dfd87839bbb24c378cac096b3 |
| SHA1 | c655c371b21f3fbf8dd38e0022652ecf26eb6bb5 |
| SHA256 | 8266c122b40387bb873661d244b4fd8d9da7062b6499f4bec7f2a5baf370726c |
| SHA512 | 5d783ca8f89ab262e6576eac31be3ae9491ef7a29bbcf42527ee60b9b419afb50c642115dbd7bcc73596b8ae0f332df0df5979b2b71fb161554dcd744490564a |
C:\Windows\System\swImJBL.exe
| MD5 | 3dd530bca16079bbaf67dca31e2d4667 |
| SHA1 | d4023e58a601bdb3e6e4e17b9331e66b53e527cd |
| SHA256 | b46757f4256bb2c6b8f161b05de4dff60817e3f8e46c934eed7008ea12d6bfbc |
| SHA512 | 52022dd0dfc1af2feda9e1e20c2853e32c632e4ced0bf382867216c5961517ff514cc53bad7872b9f9d11de283633cf5a1c96057a6f41a5be62b467e7d6b4484 |
C:\Windows\System\vtCmlql.exe
| MD5 | 2449bc3a3ff1f07617199e9f3d6f4be0 |
| SHA1 | c75933a687f84fd13a8015ab15fbe7990f34480c |
| SHA256 | 66ddee453a58cd9c82962b147cee432c9ac6ee8cca816dcdd76bd0076521c49f |
| SHA512 | 6eb6f6dc3df05f139c4b0e1a6543ff93c87bae84bb2bedbf4c30121b17a65f5f93c6621c5c0f9dee515ba93bca5ba3317d3ae4700c0457585427fcbe92db8aa5 |
C:\Windows\System\GgKfWBx.exe
| MD5 | 6ac8a79808d410eacdd942059e43deb4 |
| SHA1 | e6debecf148630d3af6b4ce3a2df667a6f17f1bc |
| SHA256 | 7d4e3db6286eef4635d7fb5ba8d582da977898ddc717e0113a9e1a0063100cdb |
| SHA512 | b092b32a59b689efd31fa0fb206b73c5a02f6a3f7afda521b75787a74105b0c302cc7f145d6c5d1f0fcb258fee92b2f5f284cbad26d050a5cf986559df236d17 |
C:\Windows\System\qOmQxFA.exe
| MD5 | 98f625b09aefc4a58707c51eee36f9ba |
| SHA1 | 4c33d10cbdb29c486148dd79b578c87dbf4e2f98 |
| SHA256 | aee6646eda39ffb61f94cfd0cca4b4a7c09d8337a2b3ffeba4434655561ec9b5 |
| SHA512 | 2dbc007d74de142eba6a656f5d86b96616f4d876327641b45d1b59f6797354b254a84cbec8accc68bc2264eeedcd98d943485a5acb2fed0f2c94699c29350b14 |
C:\Windows\System\sLsFBdu.exe
| MD5 | 88d40b0b9e16f4b3ab58a13294850fe4 |
| SHA1 | c5b9cf49e61f8fbf3313362637bde63cf8c1f3ed |
| SHA256 | d7a06a6d1bae2b984c6acea32a208e0a32fd6a598154d5913dcd2962025116be |
| SHA512 | 543e39cd92f0de09d118638ac30c1582d03b7f68d20fa331406e8d2bac3fb1b1489adbd205ff323fdbaf34e9828ab55c38250a3c77a6b178f05987e0a98b766b |
C:\Windows\System\uJRWgec.exe
| MD5 | f80075af6c13f9524b975a6c71a00167 |
| SHA1 | 17036a65039836554c7bbb64059d0b4ae945c349 |
| SHA256 | 61d53f0706123595d01784bfc260fc8a63d2e5705fa7696287a62c583f45b6ce |
| SHA512 | d08da73e63c8800ea400dcb3fa2dbe1e947eaeae152b7bebec9a6048f2a81f09dc47d44b5a80ff5356c87e03eddb0cf00c120101bce4db91cd63b1b6197beb9e |
C:\Windows\System\PPrNtwm.exe
| MD5 | d03f02153c2497aeecf23724db668c6c |
| SHA1 | 436461eb67144211aa011752406a7b5a0b60bb14 |
| SHA256 | d03c21053797f81ff7d15081f49c40153cff4b1a8e6841569d34f9a1b0ffcd47 |
| SHA512 | b5bef196de95423eb3596b0e5e68979b50af8989d9572cced60b44066f97e9c360a2f2d08ee1b352d519be4c6c00e3f4ca78206e5895414014baf1d6c6325dd5 |
C:\Windows\System\fJmWLfL.exe
| MD5 | 75cb8237aaaf99ee60f0bfa7dd317f95 |
| SHA1 | aa46ba5a7f5b3bb5aa3426afafb8479fa9005b20 |
| SHA256 | d136a2c5781c43d3c251dcf83a402fae5ae709c446e9ffb91cbdb2c7d5dbfe23 |
| SHA512 | 4d4663892052476d3245d53da4df24a76179a1374c8b62ede646f67ae3b529a9e9fe301ee33d1dc877728d8a655ebed7e37146e90c034fd3833d022d97aef455 |
C:\Windows\System\rNgHJRk.exe
| MD5 | 07d7b03f6c74630d66814341a783b1d7 |
| SHA1 | 57a79a8335240974ebe2f43681f0eee9b53b5132 |
| SHA256 | 9759db29e12778112b3b4f238493f93410ad89aa6feb159fdefd64c7dcd4fb98 |
| SHA512 | d25662cc75c794bfc23477705eb4ed711830da4db920959ae601a20268f3bb8fb6d0ed44861e5a4f9cd018df31fc1ffcf316d65c25892136cac42b83a8857a75 |
C:\Windows\System\zLUFDmy.exe
| MD5 | 13ee58b5e5c4371e5c720c464cb6f9d9 |
| SHA1 | e841b50c0a8ecc8a12cad4176de67b8d27067267 |
| SHA256 | 5300920055720d1cc5af43c0596af168cf77cfafd1f9ecd57e66547945ab3935 |
| SHA512 | 01be21837281e0210155af5f31f4c7c8966b88d7bf8153a0de774259b32dd886359b9bdfc3e8b20ada7dee3f3632b83eef63a34690939cc2a83e4f75f3daa6d3 |
C:\Windows\System\wOaoLNn.exe
| MD5 | d4dee654f41dd9faafcc63625d7e1c28 |
| SHA1 | 81fad5fb3f12ed132ebbbc47caeaf02919e40cd5 |
| SHA256 | b04bbcc6e2e1596dfe62177c571e13df0b24ec3794ad8eb028d22aed5dcfba5e |
| SHA512 | 698b517c57fe48dfee7d7d1235414350db441cdf57fee4ffadb9c123a76b34e7cc5d72fa8296d7a816f24134752fc5355f9f86e3addf22873808be7c1ee85a45 |
C:\Windows\System\KFYTaWP.exe
| MD5 | 8bc2368b860641529784eacbe96efd33 |
| SHA1 | 695ddc891d0163df9f35d135eccf6f4f8180fe9f |
| SHA256 | d8767e2ffc81d6b84b9766866dadbb1a166f1d4f3c0c12479b37cc8c95a9d5fc |
| SHA512 | bfe234bb563834836764ff828be93c01651950c9fe42614db9e6ae91ef4345eeed8d3e09bf26d227c54bfc3173ce3d9f7339ed3718a240f6293e6d1b41f6f845 |
C:\Windows\System\vrPXPfm.exe
| MD5 | eebe415c0bdf39f6cc92ca977fdd1de8 |
| SHA1 | a9e928b5b5fddcc63a1327c0b5e3267875c2b0b0 |
| SHA256 | f675f02af019641576acc82b122771b067d103dd083417cd89762c73cc2ff4ca |
| SHA512 | fa1adcf5f04f4ee6bd5ff8b90132572b185ddd7ba4c0914eecc2e44fe853fab2ec357cc99b1c99cbe2b745429b59bf8980f7767d01130119f6a3529614ba3803 |
C:\Windows\System\AwdbhWV.exe
| MD5 | 9ff0763cb6111aa6ce9826830803ad83 |
| SHA1 | 32fc7563c12eceabb709bc6153b1ba9f8e7106f4 |
| SHA256 | 7bb8d41766804dfd7b959f904b391de55eea44d2c4924f09189b21c11d5ffe7c |
| SHA512 | fab15f418730bba2bcde37917401b3b7909f72274cecbbd409e1ed7277858b07a3b594d177846f59871dbaa122f625e7ef764896784be6e31493e82dfe86bcfa |
C:\Windows\System\kCyrYpC.exe
| MD5 | 23d8c5f67c3ab282bd7d88aa49289f7d |
| SHA1 | 5449ec0a2e62d02f91bb6e1808333a642679b4e3 |
| SHA256 | 5b01808b854909bf3ae327c3fda6971201f9c1c8c138c54a19cde40ed0d252ce |
| SHA512 | c499fbaf0c0c65492d320ca9e2722b00d706a589bf5ab3f704a69ce89f83863df65bfca7f4391d910c11943a1484a3c8b248ac46e42b5a2fdff64ac59f4988c1 |
C:\Windows\System\cGhydnw.exe
| MD5 | 8280d8ef7575a506112b5b11b4d1ca20 |
| SHA1 | 889679a47a9577d81a1c267947607be369e360a3 |
| SHA256 | b615478fa3db5fc98914177c5d66ba678dec62d45d59ac5b41f8e503398783c8 |
| SHA512 | 209e8de18c4dc08eb3eee596c0fb61d2c593d876fc5d76317deabfd451e9678c928dd6db5513e71041dfbcf6428d1da64aadf1ff497f96e2c864047704ee7ade |
C:\Windows\System\PBepbFw.exe
| MD5 | 36ef2c789219509fbdb1be4f551ddad5 |
| SHA1 | 895d889cc68efdfe8cffadb539ee206485d7e1f2 |
| SHA256 | 7eee2d662e85b07deb6c0dc8ace5faeb2a803f8e623f0d67f5a4b3b8d10e4947 |
| SHA512 | a055432ecb9a4bebcee2a3b15f05a3099d5fca2e5ba9fa5ffcca05ee78539f5a72790941e54484cc4235af014edb7cb31851c405e24178e0a2e68d29b14b1cf8 |
C:\Windows\System\bBgUoqs.exe
| MD5 | 62a00451cf4342c929d5fa5e9ea400ba |
| SHA1 | 8d2fb8e708b4ac37a5e8af0ebac8a5cba3abbeb0 |
| SHA256 | 9a9504f1ea24987ab7823ea08715e0544108aa60ddc9d9382aa3706ee1081353 |
| SHA512 | 804f5db1c1ed779efb0c5dd1cf8c0374f101bdda1ea28cd9e222ed89c25c9a469fe66fe521985856bd72581f44780bddd33eacae728352309f0a585e4586c53c |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 15:53
Reported
2024-06-01 15:55
Platform
win7-20240508-en
Max time kernel
145s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Process |
| C:\Windows\System\DBQXwZT.exe |
| C:\Windows\System\wSHdbEA.exe |
| C:\Windows\System\BeTQFbB.exe |
| C:\Windows\System\SwWboZZ.exe |
| C:\Windows\System\fKNrYRr.exe |
| C:\Windows\System\EWfsIUl.exe |
| C:\Windows\System\glpoFPr.exe |
| C:\Windows\System\ZwHBEbZ.exe |
| C:\Windows\System\AhSHsMa.exe |
| C:\Windows\System\vhawksR.exe |
| C:\Windows\System\JpGxYsQ.exe |
| C:\Windows\System\rnlRdrB.exe |
| C:\Windows\System\tDEtjgE.exe |
| C:\Windows\System\UIUJxiR.exe |
| C:\Windows\System\LhnVfHg.exe |
| C:\Windows\System\mMbSIwr.exe |
| C:\Windows\System\TBsACUW.exe |
| C:\Windows\System\DzycYxP.exe |
| C:\Windows\System\rghlnUf.exe |
| C:\Windows\System\TIyqrtn.exe |
| C:\Windows\System\EHeSUuf.exe |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_fa94904e4e4856ed24dcea6e2147d242_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_fa94904e4e4856ed24dcea6e2147d242_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-01_fa94904e4e4856ed24dcea6e2147d242_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-01_fa94904e4e4856ed24dcea6e2147d242_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\DBQXwZT.exe | C:\Windows\System\DBQXwZT.exe |
| C:\Windows\System\wSHdbEA.exe | C:\Windows\System\wSHdbEA.exe |
| C:\Windows\System\BeTQFbB.exe | C:\Windows\System\BeTQFbB.exe |
| C:\Windows\System\SwWboZZ.exe | C:\Windows\System\SwWboZZ.exe |
| C:\Windows\System\fKNrYRr.exe | C:\Windows\System\fKNrYRr.exe |
| C:\Windows\System\EWfsIUl.exe | C:\Windows\System\EWfsIUl.exe |
| C:\Windows\System\glpoFPr.exe | C:\Windows\System\glpoFPr.exe |
| C:\Windows\System\ZwHBEbZ.exe | C:\Windows\System\ZwHBEbZ.exe |
| C:\Windows\System\AhSHsMa.exe | C:\Windows\System\AhSHsMa.exe |
| C:\Windows\System\vhawksR.exe | C:\Windows\System\vhawksR.exe |
| C:\Windows\System\JpGxYsQ.exe | C:\Windows\System\JpGxYsQ.exe |
| C:\Windows\System\rnlRdrB.exe | C:\Windows\System\rnlRdrB.exe |
| C:\Windows\System\tDEtjgE.exe | C:\Windows\System\tDEtjgE.exe |
| C:\Windows\System\UIUJxiR.exe | C:\Windows\System\UIUJxiR.exe |
| C:\Windows\System\LhnVfHg.exe | C:\Windows\System\LhnVfHg.exe |
| C:\Windows\System\mMbSIwr.exe | C:\Windows\System\mMbSIwr.exe |
| C:\Windows\System\TBsACUW.exe | C:\Windows\System\TBsACUW.exe |
| C:\Windows\System\DzycYxP.exe | C:\Windows\System\DzycYxP.exe |
| C:\Windows\System\rghlnUf.exe | C:\Windows\System\rghlnUf.exe |
| C:\Windows\System\TIyqrtn.exe | C:\Windows\System\TIyqrtn.exe |
| C:\Windows\System\EHeSUuf.exe | C:\Windows\System\EHeSUuf.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2212-0-0x000000013F990000-0x000000013FCE4000-memory.dmp
memory/2212-1-0x00000000000F0000-0x0000000000100000-memory.dmp
\Windows\system\DBQXwZT.exe
| MD5 | ba8dcd3611aaae5d2a55dfdad04ecdb0 |
| SHA1 | 0ca9248bc60a0ec57034c2ea7318af0780f15cb1 |
| SHA256 | 217051d5df7be4382e10138b8c4d7c81f8be701345900bedcc33492b504c2139 |
| SHA512 | 28655358fb9830678ab61b9c99c333afff50ae4405ae595c30d69dec0f7d64d60be447ca5218da5d7cf21706b1b898b3ad06c15d44e8dec84667f7d3ee3d2361 |
memory/3044-8-0x000000013F0B0000-0x000000013F404000-memory.dmp
\Windows\system\wSHdbEA.exe
| MD5 | a8b53d62c0c2b228d91fe6b09f0c8ccf |
| SHA1 | 5ac646cd881f99fbece52b4504519221762e12ee |
| SHA256 | 878e8d48a39e36421c19074560f979a45ea4c898acbf39173934397aa613f1dd |
| SHA512 | 53324e20f47712b6aabcb9b89fde38482888992056588626d2218d3b2eb92a6d53c6c0058f76e3c23dd2574cfb461fc8155516be37376eabac3ce44787ef270b |
memory/3052-14-0x000000013F7A0000-0x000000013FAF4000-memory.dmp
\Windows\system\BeTQFbB.exe
| MD5 | c6754836b4d060a51d481a1487e0011f |
| SHA1 | 0d70b954946c02468432e58a113085312c6bf178 |
| SHA256 | 0d1e82192d2d2b29f60ff5d51542100d194026547678ac9ef0320f4f7000cb05 |
| SHA512 | 90550f833acd9d5f0eec4c05976b5740c93f8266819c998f1aa6268d6904c75f27dd545799da2f0f47a61de495d5cc1947aefc99b938f1c37f5f6e566498712c |
memory/2172-21-0x000000013FD50000-0x00000001400A4000-memory.dmp
memory/2212-19-0x000000013FD50000-0x00000001400A4000-memory.dmp
memory/2212-13-0x00000000022F0000-0x0000000002644000-memory.dmp
C:\Windows\system\SwWboZZ.exe
| MD5 | ef5377e7333e9f737de67a6ef385d874 |
| SHA1 | a758db44b0e6eab65eb776268075cdcb0f6f07db |
| SHA256 | a01fdbdc21bb3cf28a490925033ac967155e15912b6ad8730b36e1aedc835db4 |
| SHA512 | 1492419d170dcb28b4070280c12716c5a4d03b745f126c2abad512cd0b27dfb40e59fce1de4123d7148eab7fbc6f45568b2a65e3f2f2fda5ac4a1a59a89e5f07 |
memory/2652-27-0x000000013F570000-0x000000013F8C4000-memory.dmp
memory/2212-26-0x000000013F570000-0x000000013F8C4000-memory.dmp
\Windows\system\fKNrYRr.exe
| MD5 | c3a500b05a0a9173e71e7ccfd31a3fb1 |
| SHA1 | fab72d96bbd77cedb19caecfe1c7867ab16998a1 |
| SHA256 | 5c76ddd210b4f1c39711a7df119cd5020c6ecd6d627f3843af01a2640d23df8c |
| SHA512 | 58779081f34fbe78810198d00df2a30b23fb6f104ab9c0760061fd0be75cd66944e0fb28006c1f141f465516bca28826a6e4a954251cb813135adfc7ecb11df5 |
C:\Windows\system\EWfsIUl.exe
| MD5 | 065f944580fe798534c15e7a43ee315a |
| SHA1 | 9a9533d1facb510322b3570ad39ef7360c127aed |
| SHA256 | 1f7e2da8e794b8b298a08965f5fc2fdef702ea35ef79c4ef9f1fe31eef9a08b4 |
| SHA512 | 5996d58838e7a1bfe61bc8b07dafb679114cf8b2aba5f77e75b9351115061dd8911427dc5c4088d3500f354c6b329c0dab4c82202e2b274e81bed8d4de16773e |
memory/2212-39-0x000000013F030000-0x000000013F384000-memory.dmp
memory/2628-40-0x000000013F030000-0x000000013F384000-memory.dmp
memory/2212-55-0x000000013F470000-0x000000013F7C4000-memory.dmp
memory/2884-56-0x000000013F470000-0x000000013F7C4000-memory.dmp
memory/2212-70-0x000000013FFA0000-0x00000001402F4000-memory.dmp
memory/2652-84-0x000000013F570000-0x000000013F8C4000-memory.dmp
C:\Windows\system\UIUJxiR.exe
| MD5 | 08425a5a6b9147e7c5450d9c5d94fdd8 |
| SHA1 | c0e50c74c88c7163e9a6c76c95ff626e1a36c526 |
| SHA256 | 8b19d398b13ea66ca49432fc6e22253a829b33ffe88e93af7d5502cec72df4cc |
| SHA512 | df9f83cb0326979cc86ed15f9c9a8743acf5302730f2b2ba67527b9d9f8a0b4f4c55a48203cd1701b8fc03312d318df63eb5c7f91cd0f9ba823a44f1b2794f81 |
C:\Windows\system\DzycYxP.exe
| MD5 | 0b07bb20c62baf67ac9d00571933263b |
| SHA1 | dd5c22cbf7f774bb9aff9e071c47d7082523e79e |
| SHA256 | 63501ed8cb5f76737b9806d5f62602eac5dbbf9b33329ee53eb86e671db2e7d1 |
| SHA512 | db59ed76f5adaae8e1787e8e29d94c5cd5a1015bf668dfafb2bb95bef2c290c0ed1b2205a3afc7f3cba538c6cfe45756271bce3722e63339d667fc54289e8740 |
\Windows\system\EHeSUuf.exe
| MD5 | 564e86612360f29446435b4007e48140 |
| SHA1 | 1ca39e545b58886f1c9c245d13c77b7345324c18 |
| SHA256 | e626263aeac1dcc9cb10508c40e35aee13e43d38335c4000855516c78909f586 |
| SHA512 | 89918d1156dcb242c0f6a694cc912a9854067ba7b6d71626a856b9f365b13e1e0ad262f40bfd3db55061f2c6a3be2e78934ee3a732fc7c1d7f5393fdf8bb9012 |
C:\Windows\system\rghlnUf.exe
| MD5 | 438519bfc23637ef8f96cb4eaa0dd638 |
| SHA1 | 4dc33944dda3407c67dfa1f9e65fecbe64dab63d |
| SHA256 | 1927acc805521ab3d99d8edb96ac4136dd2587d8eec8d7764a70635bee66fc2a |
| SHA512 | e4ef35d80610584538c2a11325e1bc31be6336e23954e1be52fbaee97cd1b0f79a1d1fd8469cf623551e6dc1fe7761b4bf2c9fd6d3536785b19089d59a393567 |
C:\Windows\system\TBsACUW.exe
| MD5 | ddb7fc66b23dd5a2701f44c64c6e5bef |
| SHA1 | 56255a016646590233f186babfd3ed494d505c08 |
| SHA256 | 26b3e93a25d3e2e088916812be449c958718e36b487cec93fdbc9830478c0e40 |
| SHA512 | 0aaf86fc750969d352e36c2a83f99be49205e2e5dc0a10d819149fe40caec542953c2cc74919958c52f34de371de7cf63394a90db58d1718edfd1fe700c0e8d2 |
C:\Windows\system\TIyqrtn.exe
| MD5 | ec2c2c4bc65bae0840a40d55e535a405 |
| SHA1 | c2d0634f783c4b0574c4d8fe69ccc022be6ce14a |
| SHA256 | 6fa86e3a88dc121ea8624ed41158e5c85961fce5cce1e3b39290031d39b3c4a9 |
| SHA512 | 8962414ea40354383ff159ae778d9a6c6b9e4e0ff18b55a816b8e0ced709b850de1185e131de896a6ff3a26f230c8f02757710a62c9181579f22e9a491f2543b |
C:\Windows\system\mMbSIwr.exe
| MD5 | 0dbdefc213c561370edaa76a45c14ec1 |
| SHA1 | 1129bbccd2dd1ac86070b3f4585ab5edadd42632 |
| SHA256 | f39c7fc9b9acf77d2ee8072affb3da39c3cadf89d451a4ecdf44d0cd253bfcd3 |
| SHA512 | d68c0fd32e4a8fd5fce8a15424a442fafd1018abb4df3b6956e022f9bc743c4c162e488595fcade197649065aa73c2345f92cd50fa64ac7e701c75a41c6e5fc4 |
memory/2212-108-0x000000013FE60000-0x00000001401B4000-memory.dmp
memory/2628-107-0x000000013F030000-0x000000013F384000-memory.dmp
C:\Windows\system\LhnVfHg.exe
| MD5 | b27d0a2daac3bf570a81e18c48cbd17d |
| SHA1 | 76ba4aa9682c193df9f79c62fd1a9094c582efda |
| SHA256 | de8b9f23df7355c3dee7f257884cfa5616b84b5afbb569d2a133ad6dc50c2f1d |
| SHA512 | e03e8da2c6e87d89510ecc26a168a04cdfa1579fdcf7f7740d5f80f97a054619c72152ddef0408ef84c51fb377266011e3a23f6dadc011791fbaf1899dc21366 |
memory/2856-101-0x000000013F590000-0x000000013F8E4000-memory.dmp
memory/2212-100-0x000000013F590000-0x000000013F8E4000-memory.dmp
memory/2836-94-0x000000013F2B0000-0x000000013F604000-memory.dmp
memory/2212-93-0x000000013F2B0000-0x000000013F604000-memory.dmp
C:\Windows\system\tDEtjgE.exe
| MD5 | 8fcf864e3c1dbd4b7d35fccd7151b92d |
| SHA1 | cb073ab7592781480568575c4ce0ae10c5661f0e |
| SHA256 | 9c4744ecde8b28f9712297a0af359544f8e692e033ddc3574b23498ffbc446de |
| SHA512 | 25c8ec722ea6236507289dc103b6d2b48ab70e2fe80490dd4339d5ec0e9137848f7174ace2130931108e826887ed600ccd1659ab2f4d54635fe4f8dbc8616031 |
memory/2772-139-0x000000013FE70000-0x00000001401C4000-memory.dmp
memory/3064-86-0x000000013FEE0000-0x0000000140234000-memory.dmp
memory/2212-85-0x000000013FEE0000-0x0000000140234000-memory.dmp
memory/3024-80-0x000000013F810000-0x000000013FB64000-memory.dmp
memory/2212-79-0x00000000022F0000-0x0000000002644000-memory.dmp
memory/2172-78-0x000000013FD50000-0x00000001400A4000-memory.dmp
C:\Windows\system\JpGxYsQ.exe
| MD5 | 9813f7738c66a77240a41aa15a3b1a92 |
| SHA1 | aa72e4814cbedaefc1e4fc464793ff33250585db |
| SHA256 | 539b7a47eb50ec58d291c89869fbdd5e1015a873f5dd768adbe7f5eeeb2a9af9 |
| SHA512 | 603b2dd7104ec450281105ec30050b14b6b5b232dc66260f412c9ab5964e5f1be06c906a4e25f5b8bb46c7abe5bed5a4a793bfb37b473e15c071c2596a0d87ce |
C:\Windows\system\rnlRdrB.exe
| MD5 | a680fe19a682317bf146da1d40c88d08 |
| SHA1 | 2fea7751e48100b44e619b5d0f157dc3a81828cb |
| SHA256 | ff8e1196ab7856ae07f4a28b08eeb222686869632fdd16203554d5748b618563 |
| SHA512 | 8ac53d33242d8cdc3c712c5899ce73a2ecc418678aad0427c6187567faff841e231779e21a412385b5e67dba367dc630156186c6c8c3478111fce49d70aaa759 |
memory/2552-71-0x000000013FFA0000-0x00000001402F4000-memory.dmp
memory/2636-63-0x000000013F9E0000-0x000000013FD34000-memory.dmp
C:\Windows\system\vhawksR.exe
| MD5 | 3306e3d87e72ac7f2a94f31b957accba |
| SHA1 | f4c8c7d1c8a6caa1bee37ea539c935e46391a8a4 |
| SHA256 | 1839f87915db5bc4bec4fee02c013ee1e31318f46a7edf57c013332f3ac86bae |
| SHA512 | 0b0dac7f67d4a93d89f73d25cf65344b19e17793e0a7f3d3462260309db93fccebebd6e596347076aba7455211ac926b6a9162978afc23ef24f6a12c964e6276 |
memory/2212-62-0x00000000022F0000-0x0000000002644000-memory.dmp
memory/3052-61-0x000000013F7A0000-0x000000013FAF4000-memory.dmp
memory/2212-60-0x00000000022F0000-0x0000000002644000-memory.dmp
C:\Windows\system\AhSHsMa.exe
| MD5 | 9a7bc33ad9401c8ab17a0e7a54ee6d0f |
| SHA1 | 8a8aab1e6758502a6f5f8ba82d69efcf91c1b04d |
| SHA256 | bc999a89b31e714ce0b116cb7d5c820fa62473e5414eb959950071197bf7e698 |
| SHA512 | 8a56f807ba0d145d82e072dbc349c8485d3ac98ab00e3dde45fe205e1c25ff5cc1c3fe6989b39cfac2e9adf56ad8304325a2d48061b3e9c212850c945aee6e70 |
memory/3044-54-0x000000013F0B0000-0x000000013F404000-memory.dmp
memory/2772-47-0x000000013FE70000-0x00000001401C4000-memory.dmp
C:\Windows\system\glpoFPr.exe
| MD5 | d2f40191f9453c0db3f22803499679aa |
| SHA1 | 6771228f5495d57f540a4501fd9d867a8a9c55d8 |
| SHA256 | 3411fd3a03760f0a28001be19b377f5af7bdc671d4f7738bc2651acd5e9cbfed |
| SHA512 | ad51be07ad5c4155047a659acd70983f4b90cb69fdb08030840d2eb68a4f87c6f643ba7e9b3d1b48d27534aef9ca2ea880ac643ca5908d9826bef5f5d54eeec2 |
memory/2212-43-0x000000013F990000-0x000000013FCE4000-memory.dmp
C:\Windows\system\ZwHBEbZ.exe
| MD5 | a0ccc78f2ba3505a37dca02bfd0a2340 |
| SHA1 | 1ed231a703f841e715788b8933327c8af0a6444e |
| SHA256 | 184cd84f9ac87962c1bc34066a9cd690c6eb3b622222c9666eee5f17b14e8639 |
| SHA512 | 5feca028c564248dadd3a2524192d3f34f447cce94a0de64fb885f84053a4dcc173ae25674653733075505fe72267fcdf99b9fb11767333a0f84ef3688fd05e5 |
memory/2748-34-0x000000013F610000-0x000000013F964000-memory.dmp
memory/2636-142-0x000000013F9E0000-0x000000013FD34000-memory.dmp
memory/2212-141-0x00000000022F0000-0x0000000002644000-memory.dmp
memory/2212-143-0x000000013FFA0000-0x00000001402F4000-memory.dmp
memory/2552-144-0x000000013FFA0000-0x00000001402F4000-memory.dmp
memory/2212-145-0x00000000022F0000-0x0000000002644000-memory.dmp
memory/2212-146-0x000000013FEE0000-0x0000000140234000-memory.dmp
memory/3064-147-0x000000013FEE0000-0x0000000140234000-memory.dmp
memory/2212-148-0x000000013F2B0000-0x000000013F604000-memory.dmp
memory/2836-149-0x000000013F2B0000-0x000000013F604000-memory.dmp
memory/2212-150-0x000000013F590000-0x000000013F8E4000-memory.dmp
memory/2856-151-0x000000013F590000-0x000000013F8E4000-memory.dmp
memory/2212-152-0x000000013FE60000-0x00000001401B4000-memory.dmp
memory/3044-153-0x000000013F0B0000-0x000000013F404000-memory.dmp
memory/3052-154-0x000000013F7A0000-0x000000013FAF4000-memory.dmp
memory/2652-155-0x000000013F570000-0x000000013F8C4000-memory.dmp
memory/2172-156-0x000000013FD50000-0x00000001400A4000-memory.dmp
memory/2628-157-0x000000013F030000-0x000000013F384000-memory.dmp
memory/2772-158-0x000000013FE70000-0x00000001401C4000-memory.dmp
memory/2884-159-0x000000013F470000-0x000000013F7C4000-memory.dmp
memory/2636-160-0x000000013F9E0000-0x000000013FD34000-memory.dmp
memory/2552-161-0x000000013FFA0000-0x00000001402F4000-memory.dmp
memory/3024-162-0x000000013F810000-0x000000013FB64000-memory.dmp
memory/3064-163-0x000000013FEE0000-0x0000000140234000-memory.dmp
memory/2836-164-0x000000013F2B0000-0x000000013F604000-memory.dmp
memory/2856-165-0x000000013F590000-0x000000013F8E4000-memory.dmp
memory/2748-166-0x000000013F610000-0x000000013F964000-memory.dmp