Analysis Overview
SHA256
1807a5b482b0d9f38e591ed7c12b6200a0324766c99f35049fa36ce025fcaf63
Threat Level: Known bad
The file 2024-06-08_84b66d5b104f15fe69ee5ed32396e6fe_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike family
Detects Reflective DLL injection artifacts
xmrig
XMRig Miner payload
Cobalt Strike reflective loader
Xmrig family
UPX dump on OEP (original entry point)
Cobaltstrike
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Analysis: static1
Detonation Overview
Reported
2024-06-08 19:20
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-08 19:20
Reported
2024-06-08 19:23
Platform
win7-20240508-en
Max time kernel
145s
Max time network
149s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\ewjiPbR.exe | N/A |
| N/A | N/A | C:\Windows\System\IKROUgc.exe | N/A |
| N/A | N/A | C:\Windows\System\DNOllnH.exe | N/A |
| N/A | N/A | C:\Windows\System\CZQsbhd.exe | N/A |
| N/A | N/A | C:\Windows\System\rPmGtud.exe | N/A |
| N/A | N/A | C:\Windows\System\KFWEEfk.exe | N/A |
| N/A | N/A | C:\Windows\System\rvZnFXH.exe | N/A |
| N/A | N/A | C:\Windows\System\KYdEvZf.exe | N/A |
| N/A | N/A | C:\Windows\System\lnZLnyR.exe | N/A |
| N/A | N/A | C:\Windows\System\FLhQiSE.exe | N/A |
| N/A | N/A | C:\Windows\System\cOJDfJh.exe | N/A |
| N/A | N/A | C:\Windows\System\qwYHqnI.exe | N/A |
| N/A | N/A | C:\Windows\System\PMRlcpm.exe | N/A |
| N/A | N/A | C:\Windows\System\mptIbyU.exe | N/A |
| N/A | N/A | C:\Windows\System\BslAqIE.exe | N/A |
| N/A | N/A | C:\Windows\System\NgAXjtq.exe | N/A |
| N/A | N/A | C:\Windows\System\lEEDTRh.exe | N/A |
| N/A | N/A | C:\Windows\System\sXlgERb.exe | N/A |
| N/A | N/A | C:\Windows\System\XbFjUIr.exe | N/A |
| N/A | N/A | C:\Windows\System\yvESrlk.exe | N/A |
| N/A | N/A | C:\Windows\System\OUUFMCy.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_84b66d5b104f15fe69ee5ed32396e6fe_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_84b66d5b104f15fe69ee5ed32396e6fe_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-08_84b66d5b104f15fe69ee5ed32396e6fe_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_84b66d5b104f15fe69ee5ed32396e6fe_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\ewjiPbR.exe
C:\Windows\System\ewjiPbR.exe
C:\Windows\System\IKROUgc.exe
C:\Windows\System\IKROUgc.exe
C:\Windows\System\DNOllnH.exe
C:\Windows\System\DNOllnH.exe
C:\Windows\System\CZQsbhd.exe
C:\Windows\System\CZQsbhd.exe
C:\Windows\System\rPmGtud.exe
C:\Windows\System\rPmGtud.exe
C:\Windows\System\KFWEEfk.exe
C:\Windows\System\KFWEEfk.exe
C:\Windows\System\rvZnFXH.exe
C:\Windows\System\rvZnFXH.exe
C:\Windows\System\KYdEvZf.exe
C:\Windows\System\KYdEvZf.exe
C:\Windows\System\lnZLnyR.exe
C:\Windows\System\lnZLnyR.exe
C:\Windows\System\FLhQiSE.exe
C:\Windows\System\FLhQiSE.exe
C:\Windows\System\cOJDfJh.exe
C:\Windows\System\cOJDfJh.exe
C:\Windows\System\qwYHqnI.exe
C:\Windows\System\qwYHqnI.exe
C:\Windows\System\PMRlcpm.exe
C:\Windows\System\PMRlcpm.exe
C:\Windows\System\mptIbyU.exe
C:\Windows\System\mptIbyU.exe
C:\Windows\System\BslAqIE.exe
C:\Windows\System\BslAqIE.exe
C:\Windows\System\NgAXjtq.exe
C:\Windows\System\NgAXjtq.exe
C:\Windows\System\lEEDTRh.exe
C:\Windows\System\lEEDTRh.exe
C:\Windows\System\sXlgERb.exe
C:\Windows\System\sXlgERb.exe
C:\Windows\System\XbFjUIr.exe
C:\Windows\System\XbFjUIr.exe
C:\Windows\System\yvESrlk.exe
C:\Windows\System\yvESrlk.exe
C:\Windows\System\OUUFMCy.exe
C:\Windows\System\OUUFMCy.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-08 19:20
Reported
2024-06-08 19:23
Platform
win10v2004-20240426-en
Max time kernel
93s
Max time network
101s
Signatures
xmrig
UPX dump on OEP (original entry point)
XMRig Miner payload
UPX packed file
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-08_84b66d5b104f15fe69ee5ed32396e6fe_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_84b66d5b104f15fe69ee5ed32396e6fe_cobalt-strike_cobaltstrike.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 52.111.227.11:443 | | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
memory/2872-0-0x00007FF76C940000-0x00007FF76CC94000-memory.dmp