Analysis Overview
SHA256
9d9bebef53e23af5dbd251c31a53e7a5beda04d4baec31bb1c5d81dab29985c8
Threat Level: Known bad
The file 2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike
Xmrig family
Cobalt Strike reflective loader
xmrig
XMRig Miner payload
UPX dump on OEP (original entry point)
Cobaltstrike family
Detects Reflective DLL injection artifacts
Executes dropped EXE
UPX packed file
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-07 00:47
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-07 00:47
Reported
2024-06-07 00:50
Platform
win10v2004-20240508-en
Max time kernel
141s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\OsqGpgj.exe | N/A |
| N/A | N/A | C:\Windows\System\SXsqyCu.exe | N/A |
| N/A | N/A | C:\Windows\System\HsVIZVO.exe | N/A |
| N/A | N/A | C:\Windows\System\yPtBYWc.exe | N/A |
| N/A | N/A | C:\Windows\System\rEIhKod.exe | N/A |
| N/A | N/A | C:\Windows\System\KofWoVZ.exe | N/A |
| N/A | N/A | C:\Windows\System\JYLpnqS.exe | N/A |
| N/A | N/A | C:\Windows\System\nyKEpQc.exe | N/A |
| N/A | N/A | C:\Windows\System\PSetYrP.exe | N/A |
| N/A | N/A | C:\Windows\System\QNyYuEj.exe | N/A |
| N/A | N/A | C:\Windows\System\yVflcIX.exe | N/A |
| N/A | N/A | C:\Windows\System\MuvEfYm.exe | N/A |
| N/A | N/A | C:\Windows\System\HBFRtvj.exe | N/A |
| N/A | N/A | C:\Windows\System\bLFGMfL.exe | N/A |
| N/A | N/A | C:\Windows\System\SXgMiCv.exe | N/A |
| N/A | N/A | C:\Windows\System\jAgzgIX.exe | N/A |
| N/A | N/A | C:\Windows\System\LUxanxe.exe | N/A |
| N/A | N/A | C:\Windows\System\eUIahGc.exe | N/A |
| N/A | N/A | C:\Windows\System\umtEkgm.exe | N/A |
| N/A | N/A | C:\Windows\System\vFwSNPy.exe | N/A |
| N/A | N/A | C:\Windows\System\jzsWxpF.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\OsqGpgj.exe | C:\Windows\System\OsqGpgj.exe |
| C:\Windows\System\SXsqyCu.exe | C:\Windows\System\SXsqyCu.exe |
| C:\Windows\System\HsVIZVO.exe | C:\Windows\System\HsVIZVO.exe |
| C:\Windows\System\yPtBYWc.exe | C:\Windows\System\yPtBYWc.exe |
| C:\Windows\System\rEIhKod.exe | C:\Windows\System\rEIhKod.exe |
| C:\Windows\System\KofWoVZ.exe | C:\Windows\System\KofWoVZ.exe |
| C:\Windows\System\JYLpnqS.exe | C:\Windows\System\JYLpnqS.exe |
| C:\Windows\System\nyKEpQc.exe | C:\Windows\System\nyKEpQc.exe |
| C:\Windows\System\PSetYrP.exe | C:\Windows\System\PSetYrP.exe |
| C:\Windows\System\QNyYuEj.exe | C:\Windows\System\QNyYuEj.exe |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3804,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=4624 /prefetch:8 |
| C:\Windows\System\yVflcIX.exe | C:\Windows\System\yVflcIX.exe |
| C:\Windows\System\MuvEfYm.exe | C:\Windows\System\MuvEfYm.exe |
| C:\Windows\System\HBFRtvj.exe | C:\Windows\System\HBFRtvj.exe |
| C:\Windows\System\bLFGMfL.exe | C:\Windows\System\bLFGMfL.exe |
| C:\Windows\System\SXgMiCv.exe | C:\Windows\System\SXgMiCv.exe |
| C:\Windows\System\jAgzgIX.exe | C:\Windows\System\jAgzgIX.exe |
| C:\Windows\System\LUxanxe.exe | C:\Windows\System\LUxanxe.exe |
| C:\Windows\System\eUIahGc.exe | C:\Windows\System\eUIahGc.exe |
| C:\Windows\System\umtEkgm.exe | C:\Windows\System\umtEkgm.exe |
| C:\Windows\System\vFwSNPy.exe | C:\Windows\System\vFwSNPy.exe |
| C:\Windows\System\jzsWxpF.exe | C:\Windows\System\jzsWxpF.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| BE | 2.17.196.177:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 177.196.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 25.73.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-07 00:47
Reported
2024-06-07 00:50
Platform
win7-20240221-en
Max time kernel
146s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\yozivTF.exe | N/A |
| N/A | N/A | C:\Windows\System\LIOaWFr.exe | N/A |
| N/A | N/A | C:\Windows\System\gBudILL.exe | N/A |
| N/A | N/A | C:\Windows\System\YIHqDur.exe | N/A |
| N/A | N/A | C:\Windows\System\bdTmpHj.exe | N/A |
| N/A | N/A | C:\Windows\System\AfAjanN.exe | N/A |
| N/A | N/A | C:\Windows\System\znOEvIJ.exe | N/A |
| N/A | N/A | C:\Windows\System\UjRIsOH.exe | N/A |
| N/A | N/A | C:\Windows\System\NindsaN.exe | N/A |
| N/A | N/A | C:\Windows\System\EmgQtAG.exe | N/A |
| N/A | N/A | C:\Windows\System\cBzMpVc.exe | N/A |
| N/A | N/A | C:\Windows\System\MUzOzqD.exe | N/A |
| N/A | N/A | C:\Windows\System\BthFRqy.exe | N/A |
| N/A | N/A | C:\Windows\System\yGAcGAx.exe | N/A |
| N/A | N/A | C:\Windows\System\bzwOfwL.exe | N/A |
| N/A | N/A | C:\Windows\System\aUAvRZU.exe | N/A |
| N/A | N/A | C:\Windows\System\uUrrRcq.exe | N/A |
| N/A | N/A | C:\Windows\System\hXlbZhW.exe | N/A |
| N/A | N/A | C:\Windows\System\BFtzmFV.exe | N/A |
| N/A | N/A | C:\Windows\System\fUOoQTt.exe | N/A |
| N/A | N/A | C:\Windows\System\YGkzpep.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-07_03ae526cd0c361b166c0d3cf36b24cee_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\LIOaWFr.exe | C:\Windows\System\LIOaWFr.exe |
| C:\Windows\System\yozivTF.exe | C:\Windows\System\yozivTF.exe |
| C:\Windows\System\gBudILL.exe | C:\Windows\System\gBudILL.exe |
| C:\Windows\System\YIHqDur.exe | C:\Windows\System\YIHqDur.exe |
| C:\Windows\System\bdTmpHj.exe | C:\Windows\System\bdTmpHj.exe |
| C:\Windows\System\AfAjanN.exe | C:\Windows\System\AfAjanN.exe |
| C:\Windows\System\znOEvIJ.exe | C:\Windows\System\znOEvIJ.exe |
| C:\Windows\System\UjRIsOH.exe | C:\Windows\System\UjRIsOH.exe |
| C:\Windows\System\NindsaN.exe | C:\Windows\System\NindsaN.exe |
| C:\Windows\System\EmgQtAG.exe | C:\Windows\System\EmgQtAG.exe |
| C:\Windows\System\cBzMpVc.exe | C:\Windows\System\cBzMpVc.exe |
| C:\Windows\System\MUzOzqD.exe | C:\Windows\System\MUzOzqD.exe |
| C:\Windows\System\BthFRqy.exe | C:\Windows\System\BthFRqy.exe |
| C:\Windows\System\yGAcGAx.exe | C:\Windows\System\yGAcGAx.exe |
| C:\Windows\System\bzwOfwL.exe | C:\Windows\System\bzwOfwL.exe |
| C:\Windows\System\aUAvRZU.exe | C:\Windows\System\aUAvRZU.exe |
| C:\Windows\System\uUrrRcq.exe | C:\Windows\System\uUrrRcq.exe |
| C:\Windows\System\hXlbZhW.exe | C:\Windows\System\hXlbZhW.exe |
| C:\Windows\System\BFtzmFV.exe | C:\Windows\System\BFtzmFV.exe |
| C:\Windows\System\fUOoQTt.exe | C:\Windows\System\fUOoQTt.exe |
| C:\Windows\System\YGkzpep.exe | C:\Windows\System\YGkzpep.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2664-0-0x000000013F6D0000-0x000000013FA24000-memory.dmp
memory/2664-1-0x00000000000F0000-0x0000000000100000-memory.dmp
\Windows\system\LIOaWFr.exe
| MD5 | 36668e21035d512493ba1b5197dd15f6 |
| SHA1 | 9bb07ad67858dab228efa9d30d379ae0f3e554e7 |
| SHA256 | 03f9c144d63628e5e3fbf386a8bd83f2a423faf922c175ac5028b5c6ba5958aa |
| SHA512 | e4c2f7fc6c48907ab38cd3626d2a8de15bb7b5ce577535c59541ae300d0699c2a6eaaa5f28b0837bc2c8d63393914f447748d9f0d2cd481e05a9bd17bbcea481 |
memory/2664-6-0x0000000002390000-0x00000000026E4000-memory.dmp
C:\Windows\system\yozivTF.exe
| MD5 | 77c527d10feb863a3286c471e864c573 |
| SHA1 | 39c2e2350df474f1bc8879daa939ef5cd68514b4 |
| SHA256 | 582805e84c60c55f81af52b417e94f551ac4f19853382957839c03676c5aa69c |
| SHA512 | 8c88718b31534a46f3e6198393063fecc03533cce1eb6deb83e37009ebe2ffe35a8f229bb9322cf099d776ad010d5b68bad79552543f833df9c010b4cabf5ea3 |
memory/2924-14-0x000000013F710000-0x000000013FA64000-memory.dmp
memory/2444-11-0x000000013FD10000-0x0000000140064000-memory.dmp
memory/2556-21-0x000000013FF80000-0x00000001402D4000-memory.dmp
\Windows\system\YIHqDur.exe
| MD5 | 620fa4c5fb93aa32d18bbf01838dd5a1 |
| SHA1 | 99f3d221324a344edd4621e40531ae7a7620ab48 |
| SHA256 | 6b33d3210f768b24d714cb3cddb4f7b8e2cc939ad98fc5ef089def799ea671ed |
| SHA512 | 563191e766be08e73c8d5753e03d5dcfeb6e5f0d5e5a176737856136bf8c3149f5103ded97cb6dbd0a98257c0b944f2ece75751c8a85afe4a1ec946bf5f4c5c1 |
memory/2664-24-0x000000013F320000-0x000000013F674000-memory.dmp
memory/2664-20-0x000000013FF80000-0x00000001402D4000-memory.dmp
C:\Windows\system\gBudILL.exe
| MD5 | 22e36bfb89d46e2fee30b484a34d92a4 |
| SHA1 | ec22863b8745c5013064cf6ca59c776572676681 |
| SHA256 | af7540acfafa922791a0781dc5e067426cec180344ecfb6b7101102b62fcbec7 |
| SHA512 | 336d962a9cdead20854ac0aa26b5f36b1c8a1695989eb5a5236fdbe34bd2d5b09d118eedb5a8ba3723886f69517a3ab4099a1bcbbcfe542adeec5a55c92abb8c |
memory/2752-138-0x000000013FB40000-0x000000013FE94000-memory.dmp
memory/2664-137-0x000000013FB40000-0x000000013FE94000-memory.dmp
memory/2384-136-0x000000013F870000-0x000000013FBC4000-memory.dmp
memory/2664-139-0x000000013F310000-0x000000013F664000-memory.dmp
memory/2336-135-0x000000013F630000-0x000000013F984000-memory.dmp
C:\Windows\system\YGkzpep.exe
| MD5 | f30803b70b4005cb249cec1406257ef4 |
| SHA1 | 71246859cf78769a1df1d1f1c324ebb4978963df |
| SHA256 | f6549543f5cb1311b8588d97cf7c19c5688e561232fe9a684224400b3b442517 |
| SHA512 | d4482bb783756bdf985506d6d56ec8a51c1d06968358a61c6b61f6e8ea794275e758da10c6d8f2a0314bb6472969f6dbc152249be1b873bf1bb8c75a267561fd |
C:\Windows\system\fUOoQTt.exe
| MD5 | 8ae9edbe977de8b85c0f59061d363e16 |
| SHA1 | 9f41db2cb8a69ea261e922dd7640b93bc6309013 |
| SHA256 | f1f496fbb1d5153f3211aed26fafa9fa8ab004e21e7bb7044dd43107e03c1943 |
| SHA512 | ea9cafe22ea31988383a0a91789779d8a24788af8c12fc89358947c8aeecc5c253a5d0e092526fc78bcfc339819a21f8b1eb7f8ae5f9108a589853598fa29937 |
C:\Windows\system\BFtzmFV.exe
| MD5 | 1597aaf72a42a8f833525a6dc8e6c94e |
| SHA1 | 31ac0b11f3b46e3e1a27eac7503c4a06470c3b79 |
| SHA256 | fc789decc84f0f454112b3824dee96f7e9067be6a0594f6e4287e6bdec32c90a |
| SHA512 | 8b1fb1b6453bb45696474eb4a1491c6fb72ef27ab33e8b928bca226566958f30e5ab0ff593222ede7794d476a920fc5b046e5ce3cb59cedd2289f51def1e7cc4 |
C:\Windows\system\hXlbZhW.exe
| MD5 | 93a14013a6d462785738488fb457b34b |
| SHA1 | 66c3c6d9caf8e26c0746577920ca903fffdb0fef |
| SHA256 | 02aa51fb80e1ab143aa0161a418dd7d244bf324b842b5e385b4583565a124c25 |
| SHA512 | 4eff9a28fa435e369b61ab421ba63e975b154cd62f31bd1abef133a47ec73d6286f873353867b40c04dee288f739b173080cb94b5e773be55c51fa4cfe29f42d |
C:\Windows\system\uUrrRcq.exe
| MD5 | 3e3be67c96f735ed154acd84291611d9 |
| SHA1 | 0a41da1b4119b9946b1753c82c8e666290fb007a |
| SHA256 | 66df8155b157a332fa01d30ff73409996db4431ec6fcd58da10294713a4ab7a8 |
| SHA512 | afedbf266dc95f3aba30f3e16462958aba65a7aae7df34e58190b707db73e8c3f16f52ac8af54cbb0b57edd4aec465ccaf54f574f8e0a50f10a704cc6a42d86e |
C:\Windows\system\aUAvRZU.exe
| MD5 | 52def6e6a5d3d0af8d2aff84549beba3 |
| SHA1 | 42a6c4a51e12667468d23c4fd0d61e3be160939f |
| SHA256 | 63f0e2d8bc4ed07a420f4aa8ae1e90ffefa2b38d53132923ce0d8c4a065e4f6d |
| SHA512 | 41ba5cfffeac26a0157ddb6a83d790469cc579c5a60cf24d51eb8e838b362c7813cfb9ddc34c9ec91a6d9f788f73ea9dabdd3e17cf7fefdaded1436a1eb66daa |
memory/2340-88-0x000000013F320000-0x000000013F674000-memory.dmp
C:\Windows\system\bzwOfwL.exe
| MD5 | aa57e6da36b3b9a95b1dcc91ad55aeb0 |
| SHA1 | 3332d8c9835a1a85686ceb8f6267bcb6181b05e0 |
| SHA256 | e725ea549193d9f98eb98648be05c109532ca7f2a1d8c65957b551476f4038f6 |
| SHA512 | 8529bfb0466f9280b775165a3efced6512eb329d849d2cc690b4b954cbff847e3da186a326ab5dd2acb73f7a70729acdc6250e44d9e6360c48346db6bd8e3672 |
memory/2664-91-0x000000013FF10000-0x0000000140264000-memory.dmp
memory/2068-90-0x000000013FCB0000-0x0000000140004000-memory.dmp
C:\Windows\system\yGAcGAx.exe
| MD5 | 87d37f6f049691dca3dc911b98610d62 |
| SHA1 | 5c821a553b6ee4c86ac6d10c365469034f36f70a |
| SHA256 | 74eab57e77efa046db844d994091d3ec9a6fc0f526be921ae923a7184a02f8c1 |
| SHA512 | b8f2fc105c96442033faef2f66f9785bec4a659f63e1f2e0787184e67314e01abfd8e29e1fa618886249730eeba1b7161105840402bb12c9077678929093a16e |
C:\Windows\system\BthFRqy.exe
| MD5 | e3af737c690ef0ec84e02e814f3fb6c9 |
| SHA1 | 5c064d82068623f40eb2cadeae30a603989038d2 |
| SHA256 | 2a3bf1b96564873a98e8a4cad89e74b101ad97265015c5c842ce8e6936ebf8e7 |
| SHA512 | 535808e7054089ba06d8af3c290287e43209088e8d04fc6e1c4691194775c0fd0713fb51bdf7e2012c9ee62cc1565ffe5e1761df28a1254b616d13f508a98d36 |
memory/1964-79-0x000000013F950000-0x000000013FCA4000-memory.dmp
memory/2664-78-0x0000000002390000-0x00000000026E4000-memory.dmp
memory/2556-77-0x000000013FF80000-0x00000001402D4000-memory.dmp
C:\Windows\system\MUzOzqD.exe
| MD5 | e5ba3b287db9aec1cbbc9cac4a817a35 |
| SHA1 | 1ed5f51cffa32f437e2cfb7450f959b9302ce843 |
| SHA256 | d23e53c7c00226fa6e973b9b7c499f6fc783e85f877cf0c71a4219610873be03 |
| SHA512 | 20017a3ed973acf2b791cb972455ae8556ae37269d5e10abcebff46bbbe3815ce55097bce66bdf652e273a980da04b9946d91a2ff15e1eae2ac698da4fd42d1a |
memory/2756-72-0x000000013F310000-0x000000013F664000-memory.dmp
memory/2664-71-0x000000013F310000-0x000000013F664000-memory.dmp
memory/2924-70-0x000000013F710000-0x000000013FA64000-memory.dmp
C:\Windows\system\cBzMpVc.exe
| MD5 | 2aef90561fa2ffa2a31d9fef5a5bd87c |
| SHA1 | 9761c0035821b7d2c9cb08471e195f8bb6738559 |
| SHA256 | 663c650e2920c80ba978d9863957e4c5f6ba4207fe375b8002cc049f38e5eab2 |
| SHA512 | b3cd7db0b909572586840d8412c16ca4b8fb737ea5bc60e427dd4faf6de0559fbc1a41d70cb425595baccf7c4e4646f57b400c7b9cb6fe77ba6ddfd6214a4097 |
memory/2752-65-0x000000013FB40000-0x000000013FE94000-memory.dmp
memory/2664-64-0x000000013FB40000-0x000000013FE94000-memory.dmp
memory/2444-63-0x000000013FD10000-0x0000000140064000-memory.dmp
C:\Windows\system\EmgQtAG.exe
| MD5 | 7f779bfbc949cc455ae96a3106aa26f5 |
| SHA1 | a4c20aaa7e9786e63b5d4eaacd75ee3a6d7f51f9 |
| SHA256 | 78cfdeee936a48a334325966ed4b8cb5d19d7d10e8bb440e4833d6e49d421691 |
| SHA512 | c013059e740211b5c70d8b78cd2870bbb77aeeb9a0b1628012726beebf12a495555acac6bc1c875604751c7af9585afefa78ff90866be0292e6fabe409e8da41 |
memory/2384-58-0x000000013F870000-0x000000013FBC4000-memory.dmp
memory/2664-57-0x0000000002390000-0x00000000026E4000-memory.dmp
C:\Windows\system\NindsaN.exe
| MD5 | dc1d1c99d917c5f36dd450970fb8c1ba |
| SHA1 | ac1c30d949938bbc01dee1f041042124d91ce71c |
| SHA256 | 9323720a43dcb2aec5ea0ad8dac0bf1375f44a54ad670cc9b55241b709e0552b |
| SHA512 | 4c4a3001add3dbb7f288f14da3c416cd00c2208e98ed37e87d3ef1d851a7e9887c3f705f22de98d4d4e74ea2af4811a02043f3b2d52e1f3ede3b0d4413400d11 |
memory/2336-52-0x000000013F630000-0x000000013F984000-memory.dmp
C:\Windows\system\UjRIsOH.exe
| MD5 | 73a595c52915abbf0eba9b47da0ad520 |
| SHA1 | 033e3c46bf74f5fe4e848fc7927433acba102e5e |
| SHA256 | fe924948d2e3c37dc1f3702814443c2b212ee19d0ac15e98c2876ca85bf3dd3a |
| SHA512 | 5ae174447911d5d2994258dc8d490e44d86dfae1cdce195a85d2e3ead2d5474ffbdd103c4605c0224244f293907632c774d37ed34621665bc9422c5b32860fd5 |
memory/2568-47-0x000000013F770000-0x000000013FAC4000-memory.dmp
memory/2664-46-0x000000013F6D0000-0x000000013FA24000-memory.dmp
C:\Windows\system\znOEvIJ.exe
| MD5 | 702c206e7a1559435cfc7a184c20256b |
| SHA1 | 8b8ec06404590607d328cfa1195ea4f6ba11ecf9 |
| SHA256 | 305dcf5470a18cfaf2622f5f8e64da7421665311b34c36af9702c2aaad07b8b5 |
| SHA512 | a53ce0eaefc8735b0709662e4f23f1136cfbef44553e47fd11a52a045eb394e1e7baa63670e0b2f750b5c6acc56a1915103105198cc74889aba69166d131c53e |
memory/2356-40-0x000000013FF00000-0x0000000140254000-memory.dmp
memory/2664-39-0x000000013FF00000-0x0000000140254000-memory.dmp
C:\Windows\system\AfAjanN.exe
| MD5 | 276048a23a47edaa9c6c65268b9b3b6f |
| SHA1 | 588a4d80e9e23affc8c084d852fba162e39069a7 |
| SHA256 | 2ed764bdbe53a2ad4470ce29665df4df9f4f6d1394a2ea3eab01cbc897074e25 |
| SHA512 | e0b001f1d92b0211d9f313f2a657eecfb7aba2bc88cf6dd49fdb57d2a7ac1c2dcc9942c469f1d787fc92c7c0c65862c701ba0e8693b31aab6d37c17cd2db8355 |
memory/2608-35-0x000000013FE10000-0x0000000140164000-memory.dmp
memory/2664-34-0x000000013FE10000-0x0000000140164000-memory.dmp
memory/2340-28-0x000000013F320000-0x000000013F674000-memory.dmp
C:\Windows\system\bdTmpHj.exe
| MD5 | 1e3ebab2909eb3594f84be7a817c684c |
| SHA1 | de4555322f30bd45042484b82970d34e39bf4bef |
| SHA256 | 87c4275c9372494646242cee8c3c68a9051d9b4c16888f4aa0149667f4cb6763 |
| SHA512 | f873518b192c47cf1e2629d70320b1264fcf7ea17775695b1b54129d1fb5a1ecdfa67319c01b7405a593eccf74cb5490272874545a4eb5fb964390d5e0fb0a5c |
memory/2756-140-0x000000013F310000-0x000000013F664000-memory.dmp
memory/2664-141-0x0000000002390000-0x00000000026E4000-memory.dmp
memory/1964-142-0x000000013F950000-0x000000013FCA4000-memory.dmp
memory/2664-143-0x000000013FB40000-0x000000013FE94000-memory.dmp
memory/1524-144-0x000000013FB40000-0x000000013FE94000-memory.dmp
memory/2664-145-0x000000013FCB0000-0x0000000140004000-memory.dmp
memory/2068-146-0x000000013FCB0000-0x0000000140004000-memory.dmp
memory/2664-147-0x000000013FF10000-0x0000000140264000-memory.dmp
memory/2444-148-0x000000013FD10000-0x0000000140064000-memory.dmp
memory/2924-149-0x000000013F710000-0x000000013FA64000-memory.dmp
memory/2556-150-0x000000013FF80000-0x00000001402D4000-memory.dmp
memory/2608-151-0x000000013FE10000-0x0000000140164000-memory.dmp
memory/1524-155-0x000000013FB40000-0x000000013FE94000-memory.dmp
memory/2568-154-0x000000013F770000-0x000000013FAC4000-memory.dmp
memory/2756-153-0x000000013F310000-0x000000013F664000-memory.dmp
memory/2384-152-0x000000013F870000-0x000000013FBC4000-memory.dmp
memory/2336-160-0x000000013F630000-0x000000013F984000-memory.dmp
memory/2356-161-0x000000013FF00000-0x0000000140254000-memory.dmp
memory/2752-159-0x000000013FB40000-0x000000013FE94000-memory.dmp
memory/1964-158-0x000000013F950000-0x000000013FCA4000-memory.dmp
memory/2068-157-0x000000013FCB0000-0x0000000140004000-memory.dmp
memory/2340-156-0x000000013F320000-0x000000013F674000-memory.dmp