Malware Analysis Report

2024-10-16 03:09

Sample ID 240608-x2eemsfg83
Target 2024-06-08_84b66d5b104f15fe69ee5ed32396e6fe_cobalt-strike_cobaltstrike
SHA256 1807a5b482b0d9f38e591ed7c12b6200a0324766c99f35049fa36ce025fcaf63
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Analysis Overview

score
10/10

SHA256

1807a5b482b0d9f38e591ed7c12b6200a0324766c99f35049fa36ce025fcaf63

Threat Level: Known bad

The file 2024-06-08_84b66d5b104f15fe69ee5ed32396e6fe_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Cobaltstrike family

Detects Reflective DLL injection artifacts

xmrig

XMRig Miner payload

Cobalt Strike reflective loader

Xmrig family

UPX dump on OEP (original entry point)

Cobaltstrike

XMRig Miner payload

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-08 19:20

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-08 19:20

Reported

2024-06-08 19:23

Platform

win7-20240508-en

Max time kernel

145s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_84b66d5b104f15fe69ee5ed32396e6fe_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_84b66d5b104f15fe69ee5ed32396e6fe_cobalt-strike_cobaltstrike.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\lnZLnyR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_84b66d5b104f15fe69ee5ed32396e6fe_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\qwYHqnI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_84b66d5b104f15fe69ee5ed32396e6fe_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\lEEDTRh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_84b66d5b104f15fe69ee5ed32396e6fe_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ewjiPbR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_84b66d5b104f15fe69ee5ed32396e6fe_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KYdEvZf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_84b66d5b104f15fe69ee5ed32396e6fe_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rPmGtud.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_84b66d5b104f15fe69ee5ed32396e6fe_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rvZnFXH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_84b66d5b104f15fe69ee5ed32396e6fe_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\NgAXjtq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_84b66d5b104f15fe69ee5ed32396e6fe_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XbFjUIr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_84b66d5b104f15fe69ee5ed32396e6fe_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IKROUgc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_84b66d5b104f15fe69ee5ed32396e6fe_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CZQsbhd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_84b66d5b104f15fe69ee5ed32396e6fe_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FLhQiSE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_84b66d5b104f15fe69ee5ed32396e6fe_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\mptIbyU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_84b66d5b104f15fe69ee5ed32396e6fe_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BslAqIE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_84b66d5b104f15fe69ee5ed32396e6fe_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sXlgERb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_84b66d5b104f15fe69ee5ed32396e6fe_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\OUUFMCy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_84b66d5b104f15fe69ee5ed32396e6fe_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\DNOllnH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_84b66d5b104f15fe69ee5ed32396e6fe_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\KFWEEfk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_84b66d5b104f15fe69ee5ed32396e6fe_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yvESrlk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_84b66d5b104f15fe69ee5ed32396e6fe_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\cOJDfJh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_84b66d5b104f15fe69ee5ed32396e6fe_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PMRlcpm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_84b66d5b104f15fe69ee5ed32396e6fe_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_84b66d5b104f15fe69ee5ed32396e6fe_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_84b66d5b104f15fe69ee5ed32396e6fe_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2208 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_84b66d5b104f15fe69ee5ed32396e6fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\ewjiPbR.exe
PID 2208 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_84b66d5b104f15fe69ee5ed32396e6fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\ewjiPbR.exe
PID 2208 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_84b66d5b104f15fe69ee5ed32396e6fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\ewjiPbR.exe
PID 2208 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_84b66d5b104f15fe69ee5ed32396e6fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\IKROUgc.exe
PID 2208 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_84b66d5b104f15fe69ee5ed32396e6fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\IKROUgc.exe
PID 2208 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_84b66d5b104f15fe69ee5ed32396e6fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\IKROUgc.exe
PID 2208 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_84b66d5b104f15fe69ee5ed32396e6fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\DNOllnH.exe
PID 2208 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_84b66d5b104f15fe69ee5ed32396e6fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\DNOllnH.exe
PID 2208 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_84b66d5b104f15fe69ee5ed32396e6fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\DNOllnH.exe
PID 2208 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_84b66d5b104f15fe69ee5ed32396e6fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\CZQsbhd.exe
PID 2208 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_84b66d5b104f15fe69ee5ed32396e6fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\CZQsbhd.exe
PID 2208 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_84b66d5b104f15fe69ee5ed32396e6fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\CZQsbhd.exe
PID 2208 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_84b66d5b104f15fe69ee5ed32396e6fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\rPmGtud.exe
PID 2208 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_84b66d5b104f15fe69ee5ed32396e6fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\rPmGtud.exe
PID 2208 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_84b66d5b104f15fe69ee5ed32396e6fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\rPmGtud.exe
PID 2208 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_84b66d5b104f15fe69ee5ed32396e6fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\KFWEEfk.exe
PID 2208 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_84b66d5b104f15fe69ee5ed32396e6fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\KFWEEfk.exe
PID 2208 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_84b66d5b104f15fe69ee5ed32396e6fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\KFWEEfk.exe
PID 2208 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_84b66d5b104f15fe69ee5ed32396e6fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\rvZnFXH.exe
PID 2208 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_84b66d5b104f15fe69ee5ed32396e6fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\rvZnFXH.exe
PID 2208 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_84b66d5b104f15fe69ee5ed32396e6fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\rvZnFXH.exe
PID 2208 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_84b66d5b104f15fe69ee5ed32396e6fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\KYdEvZf.exe
PID 2208 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_84b66d5b104f15fe69ee5ed32396e6fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\KYdEvZf.exe
PID 2208 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_84b66d5b104f15fe69ee5ed32396e6fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\KYdEvZf.exe
PID 2208 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_84b66d5b104f15fe69ee5ed32396e6fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\lnZLnyR.exe
PID 2208 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_84b66d5b104f15fe69ee5ed32396e6fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\lnZLnyR.exe
PID 2208 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_84b66d5b104f15fe69ee5ed32396e6fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\lnZLnyR.exe
PID 2208 wrote to memory of 660 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_84b66d5b104f15fe69ee5ed32396e6fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\FLhQiSE.exe
PID 2208 wrote to memory of 660 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_84b66d5b104f15fe69ee5ed32396e6fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\FLhQiSE.exe
PID 2208 wrote to memory of 660 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_84b66d5b104f15fe69ee5ed32396e6fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\FLhQiSE.exe
PID 2208 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_84b66d5b104f15fe69ee5ed32396e6fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\cOJDfJh.exe
PID 2208 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_84b66d5b104f15fe69ee5ed32396e6fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\cOJDfJh.exe
PID 2208 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_84b66d5b104f15fe69ee5ed32396e6fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\cOJDfJh.exe
PID 2208 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_84b66d5b104f15fe69ee5ed32396e6fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\qwYHqnI.exe
PID 2208 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_84b66d5b104f15fe69ee5ed32396e6fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\qwYHqnI.exe
PID 2208 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_84b66d5b104f15fe69ee5ed32396e6fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\qwYHqnI.exe
PID 2208 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_84b66d5b104f15fe69ee5ed32396e6fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\PMRlcpm.exe
PID 2208 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_84b66d5b104f15fe69ee5ed32396e6fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\PMRlcpm.exe
PID 2208 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_84b66d5b104f15fe69ee5ed32396e6fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\PMRlcpm.exe
PID 2208 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_84b66d5b104f15fe69ee5ed32396e6fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\mptIbyU.exe
PID 2208 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_84b66d5b104f15fe69ee5ed32396e6fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\mptIbyU.exe
PID 2208 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_84b66d5b104f15fe69ee5ed32396e6fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\mptIbyU.exe
PID 2208 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_84b66d5b104f15fe69ee5ed32396e6fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\BslAqIE.exe
PID 2208 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_84b66d5b104f15fe69ee5ed32396e6fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\BslAqIE.exe
PID 2208 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_84b66d5b104f15fe69ee5ed32396e6fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\BslAqIE.exe
PID 2208 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_84b66d5b104f15fe69ee5ed32396e6fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\NgAXjtq.exe
PID 2208 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_84b66d5b104f15fe69ee5ed32396e6fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\NgAXjtq.exe
PID 2208 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_84b66d5b104f15fe69ee5ed32396e6fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\NgAXjtq.exe
PID 2208 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_84b66d5b104f15fe69ee5ed32396e6fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\lEEDTRh.exe
PID 2208 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_84b66d5b104f15fe69ee5ed32396e6fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\lEEDTRh.exe
PID 2208 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_84b66d5b104f15fe69ee5ed32396e6fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\lEEDTRh.exe
PID 2208 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_84b66d5b104f15fe69ee5ed32396e6fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\sXlgERb.exe
PID 2208 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_84b66d5b104f15fe69ee5ed32396e6fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\sXlgERb.exe
PID 2208 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_84b66d5b104f15fe69ee5ed32396e6fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\sXlgERb.exe
PID 2208 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_84b66d5b104f15fe69ee5ed32396e6fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\XbFjUIr.exe
PID 2208 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_84b66d5b104f15fe69ee5ed32396e6fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\XbFjUIr.exe
PID 2208 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_84b66d5b104f15fe69ee5ed32396e6fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\XbFjUIr.exe
PID 2208 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_84b66d5b104f15fe69ee5ed32396e6fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\yvESrlk.exe
PID 2208 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_84b66d5b104f15fe69ee5ed32396e6fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\yvESrlk.exe
PID 2208 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_84b66d5b104f15fe69ee5ed32396e6fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\yvESrlk.exe
PID 2208 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_84b66d5b104f15fe69ee5ed32396e6fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\OUUFMCy.exe
PID 2208 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_84b66d5b104f15fe69ee5ed32396e6fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\OUUFMCy.exe
PID 2208 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_84b66d5b104f15fe69ee5ed32396e6fe_cobalt-strike_cobaltstrike.exe C:\Windows\System\OUUFMCy.exe

Processes

Process Command Line
C:\Users\Admin\AppData\Local\Temp\2024-06-08_84b66d5b104f15fe69ee5ed32396e6fe_cobalt-strike_cobaltstrike.exe "C:\Users\Admin\AppData\Local\Temp\2024-06-08_84b66d5b104f15fe69ee5ed32396e6fe_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\ewjiPbR.exe C:\Windows\System\ewjiPbR.exe
C:\Windows\System\IKROUgc.exe C:\Windows\System\IKROUgc.exe
C:\Windows\System\DNOllnH.exe C:\Windows\System\DNOllnH.exe
C:\Windows\System\CZQsbhd.exe C:\Windows\System\CZQsbhd.exe
C:\Windows\System\rPmGtud.exe C:\Windows\System\rPmGtud.exe
C:\Windows\System\KFWEEfk.exe C:\Windows\System\KFWEEfk.exe
C:\Windows\System\rvZnFXH.exe C:\Windows\System\rvZnFXH.exe
C:\Windows\System\KYdEvZf.exe C:\Windows\System\KYdEvZf.exe
C:\Windows\System\lnZLnyR.exe C:\Windows\System\lnZLnyR.exe
C:\Windows\System\FLhQiSE.exe C:\Windows\System\FLhQiSE.exe
C:\Windows\System\cOJDfJh.exe C:\Windows\System\cOJDfJh.exe
C:\Windows\System\qwYHqnI.exe C:\Windows\System\qwYHqnI.exe
C:\Windows\System\PMRlcpm.exe C:\Windows\System\PMRlcpm.exe
C:\Windows\System\mptIbyU.exe C:\Windows\System\mptIbyU.exe
C:\Windows\System\BslAqIE.exe C:\Windows\System\BslAqIE.exe
C:\Windows\System\NgAXjtq.exe C:\Windows\System\NgAXjtq.exe
C:\Windows\System\lEEDTRh.exe C:\Windows\System\lEEDTRh.exe
C:\Windows\System\sXlgERb.exe C:\Windows\System\sXlgERb.exe
C:\Windows\System\XbFjUIr.exe C:\Windows\System\XbFjUIr.exe
C:\Windows\System\yvESrlk.exe C:\Windows\System\yvESrlk.exe
C:\Windows\System\OUUFMCy.exe C:\Windows\System\OUUFMCy.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files

memory/2208-0-0x00000000001F0000-0x0000000000200000-memory.dmp

memory/2208-1-0x000000013F080000-0x000000013F3D4000-memory.dmp

C:\Windows\system\ewjiPbR.exe

MD5 fb06cb649eeec75e5952fafb52919137
SHA1 44c3e375ea1217230b03e985f4251ed8bf1b48ca
SHA256 f149dc589cc6e4375deca4c92d760a478e0de2421064ed5888a4e324ad250019
SHA512 e47f00e26353c10dc4f9b5aca4e48a6da1b7c395e00d9847ad96d6c5aacc58ee5681930871eedbc53dd6576b6d5ea526b0c88c20b00a15f0862348c3c0f18af3

memory/2208-7-0x00000000023A0000-0x00000000026F4000-memory.dmp

C:\Windows\system\IKROUgc.exe

MD5 953899462ca1359c37d085f83168233c
SHA1 5a853b4945c7fd923bc4265075c313035373662d
SHA256 92bbdf3947761cfa7a400c19bcb6255dc6b57d65d51104b03696c0057f747e6c
SHA512 2899f99ca01495b693b2364fa23a64586a8838221f23c29966883fdf5fc9fb256acb3d9eea8376c39d2d6a9092c8cca29abdfb16134c25ee3c0ef8f871f89074

memory/2208-13-0x000000013F5A0000-0x000000013F8F4000-memory.dmp

memory/2556-15-0x000000013F5A0000-0x000000013F8F4000-memory.dmp

memory/2244-11-0x000000013F1E0000-0x000000013F534000-memory.dmp

\Windows\system\DNOllnH.exe

MD5 ba78906b51955520a98739b356feaac6
SHA1 4cc90c9624d0a58456f9c9b2c4e245d89345494a
SHA256 7e8241956ea557e4d38596ed667400a00c093832e393ec7b81cc404e600f3ce3
SHA512 9302baf48d71b4b447badd65714340ee4023c1ee4aa115645960bea3d397586d03e456b551b72001af5aea8bae37baa6d3558d3bea16e2a865b9add92db7c0df

memory/2604-22-0x000000013F750000-0x000000013FAA4000-memory.dmp

C:\Windows\system\CZQsbhd.exe

MD5 90a237ad046123d65e4f3f03066eed72
SHA1 587daaed7bb3c158453deabab23319c45c8cf359
SHA256 ffaaa77cb6dbb4864265b1fabbafc8f0d8c59dc9d7c8eb4e9fabf0484a47414e
SHA512 76d16c22de3cb98a1271a2d8d15b141f8f79e16e5170d6b504ab1348db7421492921d8c483fb117907c2d1c31c36001314c9c6b78c973840b427560ef5a1e6e4

memory/2208-29-0x000000013FEA0000-0x00000001401F4000-memory.dmp

memory/2688-30-0x000000013FEA0000-0x00000001401F4000-memory.dmp

\Windows\system\KFWEEfk.exe

MD5 a64fb58f2a5e6515dbb3c4a6d8751692
SHA1 a6bd5ca7321ef14d1640561f1107fbc26d20f4ff
SHA256 b6be3ada2a93097549f850d3b1fabbaa14403027c1c917b92f55486d953c8230
SHA512 fa597dddd3dbdecce6efb5656fb2fabd3cab1f72a215b2236721362c23cd652f9e222a9b532ef08e99a7fafec401d0a774845aa1cc5b2ada9a69f0f327169fdc

memory/2708-44-0x000000013FD70000-0x00000001400C4000-memory.dmp

C:\Windows\system\rvZnFXH.exe

MD5 2eace92f59662af995ba1de563a324b8
SHA1 4ddb5cd7cc9438988c4fbb7816d92f20cb645fc8
SHA256 a4e7b187ae2c5e9a87777f583a018699b2fd31134525eaee97edffb6767c6096
SHA512 e070c797da19e0e242d2b40de0138e80c05892d27239ba125377d15374d0f41e4c09076a15c780fd554aabd15f40557fd9b5bdb6332c76eafaf965f617337814

memory/2208-59-0x00000000023A0000-0x00000000026F4000-memory.dmp

C:\Windows\system\FLhQiSE.exe

MD5 9bc41f56d44b0165b796a513e8bc3a00
SHA1 132c685752e2d49aa91c9ec3b5b5d24c421813db
SHA256 2c5785b4e6e4d73eca06a9852278a09b7a75e0dab4b6eb2bfc2bd8ab26170178
SHA512 e44ae97a7cab72528a765730d22d122fc58ebaf79d5c900a57aede435d6b582a9e4fda01e535889e789259d2a55da688fedf0126156fbb4f188b48af44e932ae

C:\Windows\system\qwYHqnI.exe

MD5 cd1b6639491c9689b5ef24d45155a319
SHA1 e04bad3ab30592f48c3a40fab9ebb68a2197cd9a
SHA256 598d8f29c13cdd8d5a889828a685105e110e837a0e0e237c2597768d46da2650
SHA512 aa7adcca80467768fe68e0d6fa69d1a3929f627b2dc62b39d38075e4d33f0c338d9394da562dce9afef9c0efe9b06aff09b118bbc1bedb69c06aef47f49facff

memory/1532-90-0x000000013FBE0000-0x000000013FF34000-memory.dmp

C:\Windows\system\PMRlcpm.exe

MD5 89b3647bb8c6198e5e653f02d5d0e168
SHA1 5df0c940e81bef5fb7d92786540e88ba424dc1b4
SHA256 bdc09560d3f611b22617f8913a2f5775723f113c13562a04e7a2f3bbd18d4b9d
SHA512 a322b0dd68c8cdc131b0037be6227f56db03ec1a3ec00aa70d93edda1d238a99a27be0633a76fd9651ae1eebfc092bcbf2b8750b3cafb1ca71f988c929cc20dc

C:\Windows\system\NgAXjtq.exe

MD5 9e4a18611490df9b8fa9a52b16ccb88f
SHA1 d445e7a1ea8d9241723511ecbe45432cc582091f
SHA256 0a9047e014e6a04b257799d3e8bf70f97e8c61968f6cf6e3b4d14c90ff1596e2
SHA512 168ee594ea5d83010a52de6fdbdbc19789fed234f33945b6a1f81465de213eeb78f70f3604d302dac1246ea49319c16db3d073b4afa1a13a4d2a3ee420b1438f

C:\Windows\system\sXlgERb.exe

MD5 5b67504fbf577bdc5ae7b17e04febf36
SHA1 ba1fb86bb182e1f42f0b6718b568248d1f5b1162
SHA256 687ca8acc89540e615aaa6762f3a50f39b1bfbafdffd910ba43232611dc35edd
SHA512 51c97cf1ce7bb7e49333b8a088f74aac0b2417ceedb407acd9039bef47b2c46c68fa579cd546ecf328029a8f651d611dafeb0fccd98c819907e03e5baf44ac20

C:\Windows\system\yvESrlk.exe

MD5 ae7418ed49cf36ac3148cf04b7852ac5
SHA1 9f1952ff7126ca7446de2ae87e995093123220a7
SHA256 343962e1eca6db632d277f6061b9fb50ae563524afeefacf5adfe6ade4be1d81
SHA512 3977aee415bb514a490c6340926cbae40152ed485cd9f8367edc02d25665d78fb2cd6a3391e0197b26be289d4f19234012a0d78a3af95f34ffd7dc12d488f5ab

\Windows\system\OUUFMCy.exe

MD5 d39772f37059e6aa2dde5bb4a3d81ae0
SHA1 882e8d0d0149a92a3166be131ee613e29f47ba0d
SHA256 e719c2532e2ea7ef7c00d9a5c162fed820f24b5a5bcc892164f5e1f129aa4fb2
SHA512 2b3a455047bb04d884bb53f95e414487348ec5740235725c85aa14a23606c56950594f4668dc5a688f5fcfec47caa8f269a058d28787bf8af7c01416710709af

C:\Windows\system\XbFjUIr.exe

MD5 45e6f0202fb7cf5380bce276eb4c1f61
SHA1 6dfe3793069b2433e6937a97883c603a11021a58
SHA256 b178e9a9036a570027e8bb4041f7af46d8614c2b9641ceb0a1204abe04e53030
SHA512 9e0a9c5d0dd700c035948adafb74e5ef2d4bbb508bd91ee7bf1332bd5dd2b96743d1d4a35dae1c7bddba911241344f2b1e6125523e0236027348bb3de582b9de

C:\Windows\system\lEEDTRh.exe

MD5 6559cc006fda8a9660ec6088eefc71ed
SHA1 807a16d4739d4e1f7f7af6ada8a77630a2632fd9
SHA256 b9c9d5d1591caf7ccc3d28534b9283a105f92d60bc19e8b930958a06f045cbf2
SHA512 75bad2baaf355efe4e8d0dfe80996316ac781c647664d636390fe780c5a77bc43df11a1630f3dad7db278dce864b12afcafa46377ef238931338508980b13c23

memory/2208-112-0x000000013FAA0000-0x000000013FDF4000-memory.dmp

C:\Windows\system\BslAqIE.exe

MD5 8c495442db8f2649dd6b35049cd84024
SHA1 9f7faf7d18efd195df80eb230e239682af9268ef
SHA256 e38bf5f86d0d5a22f3da64b38610ef4ccee9bd8cade380272fd8b1f71d7bba19
SHA512 edc6bde6cbcc3566d2f23fe43d2b6516d2624a0ab4f006357f02ec386d0d4a1d2e8ad6759d126bd68ceead070c0b09f3fc67ca7c48bb86962dbdf88a5f8424bb

memory/2452-106-0x000000013F4F0000-0x000000013F844000-memory.dmp

memory/2208-105-0x000000013F4F0000-0x000000013F844000-memory.dmp

C:\Windows\system\mptIbyU.exe

MD5 4962f18c137846c542437ef588bc0636
SHA1 794de34cb267898ab224b057ddd01cb8d6c5221d
SHA256 3a4f5ed296e917af2e4ccae13789ae176635dc1ee95df04e1e6ed3ca384220c3
SHA512 7f187222c83118e5997ebc17422e37f23118a70114bfa9b405ac9c12fec2b8942ad5bd108058632fd2d1470da5a30d4b56b204c17ed884455c84339dc39f44ac

C:\Windows\system\cOJDfJh.exe

MD5 b7ae1b629c984650536132994ce42e24
SHA1 892d56111788df99efb2c1e98de1a197ced50115
SHA256 8e43110beadef41205d8d3782cb58079fcfd66619af1fa5a36e26e0e71aa51d8
SHA512 7f1413152956b411e5b53653d31c66ab149fa16a3f42607201da7fc5dfb14e3047cf92d6d4988b277b203d0f84c5965884a859bf12d8ec6dbd63cfecfe4aeb79

C:\Windows\system\lnZLnyR.exe

MD5 38111af1bf6db89b1f8830e8b51359ca
SHA1 afcb297c329a710ff23080bd37af5732c667aafb
SHA256 955ce979098d48f8452e37abd717bcaee7cfbeeebe70b34a6433cadf41c10563
SHA512 bd579908cdb818b20f0a11d0ed8c07c20c5d14ecb2ea7dce5da99aba8b931cccbf4b537233628e9b582c6a3a8489f59527769c486730d092a5074480609a2dd8

C:\Windows\system\KYdEvZf.exe

MD5 23c2091e1246d0e4620e0fb6a7ae45a4
SHA1 7ab04fd1ac18b05f3cbe971bcd8d8ca6c139a899
SHA256 7aebc5010bc6297cae74b95bfce99bf68f53c1e05740e17635481001c32c13f0
SHA512 730e9074817c661db22b914e75ec8f9e1e4a8e5ae3fa87555abc7f402728e3ee0730b71ab20376990f462ee410a3b3d9c222325a7ca99dc069f97b0f013c7964

C:\Windows\system\rPmGtud.exe

MD5 6d7cdef3ecbd653f4d553304a97fb9b9
SHA1 5c0ca7a3309947a87bc58898f2fe68d66a51bbe9
SHA256 85e97f7cf3f56b00723144c6618d75626269f43b6587c5bb0e7f7a9615f9629b
SHA512 54e991c2ecc9bd8403d7896b5aff18b5ff031f6735b030a15a9891a4648be08e7d69b1a4fcbabe2141a838d7eb6248321adf0c451407dbaf3481655735bd6df2

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-08 19:20

Reported

2024-06-08 19:23

Platform

win10v2004-20240426-en

Max time kernel

93s

Max time network

101s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_84b66d5b104f15fe69ee5ed32396e6fe_cobalt-strike_cobaltstrike.exe"

Signatures

xmrig

miner xmrig

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-08_84b66d5b104f15fe69ee5ed32396e6fe_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_84b66d5b104f15fe69ee5ed32396e6fe_cobalt-strike_cobaltstrike.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 52.111.227.11:443 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

memory/2872-0-0x00007FF76C940000-0x00007FF76CC94000-memory.dmp