Analysis Overview
SHA256
25f749322729c478d192a359dfa2f08e28ad2dafa22ce621168d73ecd4e0264b
Threat Level: Known bad
The file 2024-06-08_6124e7e6fd867031b5097174e23e12bc_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike family
Cobalt Strike reflective loader
Detects Reflective DLL injection artifacts
Xmrig family
XMRig Miner payload
UPX packed file
UPX dump on OEP (original entry point)
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Analysis: static1
Detonation Overview
Reported
2024-06-08 19:03
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-08 19:03
Reported
2024-06-08 19:06
Platform
win7-20240220-en
Max time kernel
133s
Max time network
143s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| 21 matches; per-match details not captured | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| 21 matches; per-match details not captured | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| 53 matches; per-match details not captured | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| 57 matches; per-match details not captured | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\bgDzOCs.exe | N/A |
| N/A | N/A | C:\Windows\System\lFNQZAG.exe | N/A |
| N/A | N/A | C:\Windows\System\sjzDQpX.exe | N/A |
| N/A | N/A | C:\Windows\System\ISwNdHy.exe | N/A |
| N/A | N/A | C:\Windows\System\KVPcHNn.exe | N/A |
| N/A | N/A | C:\Windows\System\ZnFpSjG.exe | N/A |
| N/A | N/A | C:\Windows\System\vLchyeq.exe | N/A |
| N/A | N/A | C:\Windows\System\zstzmwK.exe | N/A |
| N/A | N/A | C:\Windows\System\uGAAvfI.exe | N/A |
| N/A | N/A | C:\Windows\System\ocjVErc.exe | N/A |
| N/A | N/A | C:\Windows\System\iWutKPd.exe | N/A |
| N/A | N/A | C:\Windows\System\patEZoA.exe | N/A |
| N/A | N/A | C:\Windows\System\nxqCxly.exe | N/A |
| N/A | N/A | C:\Windows\System\rPvGhhP.exe | N/A |
| N/A | N/A | C:\Windows\System\LXYqjQP.exe | N/A |
| N/A | N/A | C:\Windows\System\PKmbTeZ.exe | N/A |
| N/A | N/A | C:\Windows\System\CnrAkZQ.exe | N/A |
| N/A | N/A | C:\Windows\System\QZyhhfK.exe | N/A |
| N/A | N/A | C:\Windows\System\kksVgPH.exe | N/A |
| N/A | N/A | C:\Windows\System\ZRCURtU.exe | N/A |
| N/A | N/A | C:\Windows\System\mqQBVry.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| 53 matches; per-match details not captured | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_6124e7e6fd867031b5097174e23e12bc_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_6124e7e6fd867031b5097174e23e12bc_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-08_6124e7e6fd867031b5097174e23e12bc_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_6124e7e6fd867031b5097174e23e12bc_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\bgDzOCs.exe
C:\Windows\System\bgDzOCs.exe
C:\Windows\System\lFNQZAG.exe
C:\Windows\System\lFNQZAG.exe
C:\Windows\System\sjzDQpX.exe
C:\Windows\System\sjzDQpX.exe
C:\Windows\System\ISwNdHy.exe
C:\Windows\System\ISwNdHy.exe
C:\Windows\System\KVPcHNn.exe
C:\Windows\System\KVPcHNn.exe
C:\Windows\System\ZnFpSjG.exe
C:\Windows\System\ZnFpSjG.exe
C:\Windows\System\vLchyeq.exe
C:\Windows\System\vLchyeq.exe
C:\Windows\System\zstzmwK.exe
C:\Windows\System\zstzmwK.exe
C:\Windows\System\uGAAvfI.exe
C:\Windows\System\uGAAvfI.exe
C:\Windows\System\ocjVErc.exe
C:\Windows\System\ocjVErc.exe
C:\Windows\System\iWutKPd.exe
C:\Windows\System\iWutKPd.exe
C:\Windows\System\patEZoA.exe
C:\Windows\System\patEZoA.exe
C:\Windows\System\nxqCxly.exe
C:\Windows\System\nxqCxly.exe
C:\Windows\System\rPvGhhP.exe
C:\Windows\System\rPvGhhP.exe
C:\Windows\System\LXYqjQP.exe
C:\Windows\System\LXYqjQP.exe
C:\Windows\System\PKmbTeZ.exe
C:\Windows\System\PKmbTeZ.exe
C:\Windows\System\CnrAkZQ.exe
C:\Windows\System\CnrAkZQ.exe
C:\Windows\System\QZyhhfK.exe
C:\Windows\System\QZyhhfK.exe
C:\Windows\System\kksVgPH.exe
C:\Windows\System\kksVgPH.exe
C:\Windows\System\ZRCURtU.exe
C:\Windows\System\ZRCURtU.exe
C:\Windows\System\mqQBVry.exe
C:\Windows\System\mqQBVry.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
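The three behaviours worth hunting for from this run are visible in the tables above: executables launched from C:\Windows\System\ (the legacy 16-bit directory, which nothing should run from on a modern host) with seven-letter mixed-case names, a process outside the usual large-page users enabling SeLockMemoryPrivilege (the right XMRig requests on Windows to back its RandomX dataset with large pages), and TCP connections to 3.120.209.58:8080. The script below is an added example, not part of the sandbox report; its event schema is an assumption loosely modelled on Sysmon and Windows Security fields, the sample events are constructed for the test rather than taken from the detonation, and the SeLockMemoryPrivilege allowlist is a placeholder to tune per estate.

```python
"""Hunt over process, token and network events for the artefacts this report
lists. Added example; not part of the sandbox report. The event schema is an
assumption modelled loosely on Sysmon / Windows Security fields; the sample
events are constructed for the test and are not from the detonation."""
import re
from collections import namedtuple

# Indicator copied from the Network table of the Windows 7 run.
C2_ENDPOINTS = {("3.120.209.58", 8080)}

Alert = namedtuple("Alert", "rule evidence")

# C:\Windows\System\ is the legacy 16-bit directory; anything launched from
# there is suspect, and 7-letter mixed-case names match the drops above.
SYSTEM_DIR = re.compile(r"^c:\\windows\\system\\([^\\]+)$", re.IGNORECASE)
RANDOM_NAME = re.compile(r"^[A-Za-z]{7}\.exe$")
TEMP_DIR = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)

# Processes that legitimately hold SeLockMemoryPrivilege (large pages).
# Assumed allowlist; tune it to your estate.
LOCK_MEMORY_ALLOWLIST = {"sqlservr.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1]


def check_process(ev):
    """Flag executables started from C:\\Windows\\System\\ and enrich with
    the random-name and dropped-from-Temp signals."""
    m = SYSTEM_DIR.match(ev["image"])
    if not m:
        return []
    alerts = [Alert("exec_from_windows_system", ev["image"])]
    if RANDOM_NAME.match(m.group(1)):
        alerts.append(Alert("random_7char_name", m.group(1)))
    if TEMP_DIR.match(ev.get("parent_image", "")):
        alerts.append(Alert("dropper_in_temp", ev["parent_image"]))
    return alerts


def check_token(ev):
    """Flag SeLockMemoryPrivilege being enabled by a non-allowlisted image."""
    if ev["privilege"] != "SeLockMemoryPrivilege":
        return []
    if basename(ev["image"]).lower() in LOCK_MEMORY_ALLOWLIST:
        return []
    return [Alert("lock_memory_privilege", ev["image"])]


def check_network(ev):
    """Flag connections to the reported C2 endpoint."""
    if (ev["dst_ip"], ev["dst_port"]) in C2_ENDPOINTS:
        return [Alert("c2_endpoint", f'{ev["dst_ip"]}:{ev["dst_port"]}')]
    return []


HANDLERS = {
    "process_create": check_process,
    "token_adjust": check_token,
    "network_connect": check_network,
}


def hunt(events):
    """Run every event through the handler for its type; return all alerts."""
    alerts = []
    for ev in events:
        alerts.extend(HANDLERS.get(ev["event"], lambda e: [])(ev))
    return alerts


# Constructed sample events mirroring the Windows 7 detonation; the benign
# rows check that the rules stay quiet on ordinary activity.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\2024-06-08_6124e7e6fd867031b5097174e23e12bc_cobalt-strike_cobaltstrike.exe"
SAMPLE_EVENTS = [
    {"event": "process_create", "image": r"C:\Windows\System\bgDzOCs.exe", "parent_image": DROPPER},
    {"event": "process_create", "image": r"C:\Windows\System32\svchost.exe", "parent_image": r"C:\Windows\System32\services.exe"},
    {"event": "token_adjust", "image": DROPPER, "privilege": "SeLockMemoryPrivilege"},
    {"event": "token_adjust", "image": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe", "privilege": "SeLockMemoryPrivilege"},
    {"event": "network_connect", "dst_ip": "3.120.209.58", "dst_port": 8080},
    {"event": "network_connect", "dst_ip": "8.8.8.8", "dst_port": 53},
]

if __name__ == "__main__":
    for a in hunt(SAMPLE_EVENTS):
        print(f"{a.rule:26} {a.evidence}")
```

On the constructed events the dropper's child in C:\Windows\System\ raises all three process signals, the dropper's SeLockMemoryPrivilege request and the 3.120.209.58:8080 connection raise one each, and svchost, sqlservr and the DNS lookup raise nothing. Whether the System\ executables were really children of the Temp dropper is not stated by the report (the process list is flattened), so treat `dropper_in_temp` as an enrichment rather than a required condition.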
Files
memory/2184-0-0x000000013FC00000-0x000000013FF54000-memory.dmp
memory/2184-1-0x0000000000080000-0x0000000000090000-memory.dmp
\Windows\system\bgDzOCs.exe
| MD5 | a08f83a44a71a4582aedeccc4213894e |
| SHA1 | b794f305fb5c7c1a3d4d2f7ed5740439f06bee0e |
| SHA256 | aa17df217ba2bf720b5a9ccf8729d134645ff337a88e93c4724233943f0d38ea |
| SHA512 | f2bcd20e4e9da26cea0aa4874515f63f61f6996d2f03d1f51d8834504fadb56039cdf425625410e6e7c52098349d80671b443032d4b19286a423dfd84d92518a |
\Windows\system\lFNQZAG.exe
| MD5 | 430fba227d39e922a50ca440914126e0 |
| SHA1 | 45cbaa58b3f40418c762adb53ebb5f66d7b83451 |
| SHA256 | b85b2052611acd7f240c513086b290bef19919dfe769e7af84a663bf531fade6 |
| SHA512 | 7942b0aeaaa83ed983880063bfbc8a11e624a9e2558024aafc05a9dd2589e541faa461fabbc4eb3cefc53c3237ac41f6dd11fd394a232beca43e7828b41e96d7 |
memory/2356-20-0x000000013FA20000-0x000000013FD74000-memory.dmp
\Windows\system\ISwNdHy.exe
| MD5 | 7af4b5a192ebf2da811d3a982a8b2aff |
| SHA1 | 99999e0dad92350d9c004bed6146165a48597db4 |
| SHA256 | 6e3b23c5883abc2c95fe21811f98bb9cde4f9e006701d32e164fc94939571317 |
| SHA512 | 60c0edf84108d4013a96bae99b86de98bd11b8b917ec8072c930b26ba701032c28a7c05d5c887b927a0f06cafd5d42f79ab5f5c3f5e9209a4878634637f2668c |
memory/2184-25-0x000000013F200000-0x000000013F554000-memory.dmp
memory/2612-27-0x000000013F200000-0x000000013F554000-memory.dmp
C:\Windows\system\KVPcHNn.exe
| MD5 | 42115e78201aee6540328756434329eb |
| SHA1 | 54aaab68dc87e4e6a04531b02a5b3285ca9f7719 |
| SHA256 | 23cced087f54f7f3abc937801c86cf46932efdf0f94702ccc710b53140b6806e |
| SHA512 | 5a1cdbb21e5f8984026a1eaaa9f3dd5af2a8a62ada1e0f1669de3d23c306b36cbf6688cc4ecfe46a0aa7824fc36fc5417e49f5d37d3d6152a4f205a1345683a1 |
C:\Windows\system\ZnFpSjG.exe
| MD5 | 86d76392fd5fbcc867994f7afe239dae |
| SHA1 | 2314b540f4ad0f83241287d914f6fe8d05a61a03 |
| SHA256 | 5f12b36f101ae2412deb6b3aaa964cafb3cae8e8c85ad476c8ebac5df281fee6 |
| SHA512 | 77608672aa59800edc5e6119445e0cd9f178a85653b68aab394462f112d527d969f1f9e5cb507fc4140fb3f1652f0a951c546976674d4ce463fbf2d20624824e |
C:\Windows\system\patEZoA.exe
| MD5 | 8a38fe5d0fc32e9df42866f1f1879686 |
| SHA1 | 79fc313222a7236bc80ad8503478d6c4d2c706c3 |
| SHA256 | 9d5692c373e4f776c5395b55cc47c2684639f3ff596aedd5e6b671de43303c6c |
| SHA512 | 358785ac1720d6d77dac3fe1630304625cc77754260058398b37e6f8ee229a760af4fba52c9e3043967ec76be7efc3515fd3f1733dcb505edcc2787c443635dc |
C:\Windows\system\CnrAkZQ.exe
| MD5 | 2acbaf4bcb3395056cefb7b572bc9001 |
| SHA1 | e822ecce0a379b7ec8cadd3bf33cebfcf0ffc99f |
| SHA256 | 4cfb93767942d3e7e1d1fbac9af0778437d831b10ea5213068805c89c3e72ee8 |
| SHA512 | c6bc60fb7ab704d12077f18f3c5d754010c280f525fbed1febedcfdbd06a1cf4a106d660de0f580d4e1d0c5429a8ff1fa9c2e40b10f9da9ef976acb58707b441 |
C:\Windows\system\ZRCURtU.exe
| MD5 | 90869df44336fc8828d01d945317f521 |
| SHA1 | 9c3b9f7db8faa894a2a762cc45401969b20ff8e5 |
| SHA256 | 9d4016e8869ec07968cdc07ecfa50362c047edbba6a80fc7bf5fe269baa6734f |
| SHA512 | b61dc11f3199e2793a256992d6380a168f9276397acab7900d4ee43914d511fa7cf169404bb0c9d1e0cfefe7bf03aafbaef18d872aabbdd1317d29e62f3f2b65 |
\Windows\system\mqQBVry.exe
| MD5 | e6eb6606b440822541a5b19657ad47ac |
| SHA1 | 5718b7736e02d112f3d56133d845e8df2ca25f53 |
| SHA256 | 5a2d0e10cebfe086ed856763287bd2bf2a0baee6fd1d481483217c8c29027331 |
| SHA512 | c034770ae95df1d1b35bc3436a2278ec72ffd9b660f92d8ac0da4e055a14fe10ae5469b29e3fa10964350640c7a5674ce5eecf6cdd5089939ef870c3353b39de |
C:\Windows\system\kksVgPH.exe
| MD5 | 35db8982ec70e6a7fd4b64bf1fb3b5e8 |
| SHA1 | 41b00df10e3832d66478d9eff39f99a9ec142379 |
| SHA256 | fec337817ef40ebea9d0e43bb702ae48b4f5c0300aa0d4784467a1fb19f44ca9 |
| SHA512 | 55c51f2bb779e9562b5095e7cf8a29033fa4e431178996ea83b446daaeeb1cee3a88f7c48f05e16be24f5067740ba290a779a8c9b4bbe427183935d26b1acdaa |
C:\Windows\system\QZyhhfK.exe
| MD5 | 11c06d11d4cc4594da80d205452254aa |
| SHA1 | 0ffae59c6e3ab34cc319e27a936e421c99aa6dd7 |
| SHA256 | d7e8ba64699a048084c34754564fc30bbb86ea8428536f65dead6e20b8001c07 |
| SHA512 | 5f376635dff2525fec8f194058e4309a193f9a46648746f6b4db75771c90c50a6bbe010cd8f4fdc8b3ec472e8f1c198beda0d21dc7a88d56c8dcc0c8b166597a |
C:\Windows\system\PKmbTeZ.exe
| MD5 | 4ec2c6a371d0b65eeeab6b6dde79a86a |
| SHA1 | 5252afa1faa80f8b5a34bdf7954a05c3a13d12d1 |
| SHA256 | 1c0a356efd3e8eba9e82e94aa02a8a49e90409abeba5cf1b4770370e085cd7da |
| SHA512 | 4d0d610d32e2234957ae5e2b08e43505fc5964ff92b656af0f349cae98597528b5a6c6d9a8ed2ade9576d83f9f10934cce12c9a94d93ee1563a2d82847445196 |
memory/2632-113-0x000000013FAE0000-0x000000013FE34000-memory.dmp
C:\Windows\system\LXYqjQP.exe
| MD5 | 139893076a0b01f16456fba4cea8348a |
| SHA1 | 8cf80ef48d204eb109ab78f9d451a1bfd216c932 |
| SHA256 | ae836a265462347d9ccdb7a44cebd274d592ff39e58a37bc90d97219944b6471 |
| SHA512 | e27d23cfb6a1ed2738e61c475afbf1a8d4618c47fd3ad68dce362eec2cb935cbea2ccee7c291fc2106815967aa241549d85a4bbc617fbcc9e2fe748b09ca6feb |
C:\Windows\system\rPvGhhP.exe
| MD5 | 6dca307ad6acee6b962dfe9a234f5a12 |
| SHA1 | cda4bc6e3afffd2a992bee24fe33324f80988ea3 |
| SHA256 | 799d1052ddafaf39e5f44b682e72e3c7c1d9e296266d89cf31cb4536ef89333e |
| SHA512 | 4f3d38713afbbfc6460c5199fa1bfc1fc17babe3bb7cec4707fab448627784d4a99a3ea92ef1d9e77808fe9484039222fbc00dc252c1c582b19d750cc38162a5 |
C:\Windows\system\nxqCxly.exe
| MD5 | c626d116668b8f6af4ba93583e9ccae2 |
| SHA1 | 250eaa7c10aaec6148ac70f93d64d51770b7a356 |
| SHA256 | fb24fc821377b12cf41038c2062a0dd2bba30825847889aa9b82755f9534278f |
| SHA512 | d77ea8feecd19157669757e0499bc171d3971e3897e80905e849c905debae9fc2b9057ea386106abb3ba8cf9ad1b242f26e0e4acd72b446d607bd0de08a39508 |
C:\Windows\system\iWutKPd.exe
| MD5 | 0b129104cb1cd9bbea7d46a2f69af991 |
| SHA1 | 12b7a0428f8a26d4555a643a51de4bce6a0bb4f2 |
| SHA256 | 509be8925bc90b65123f4e80056b53355c670da1f3090f2a49e3a68a68cadca8 |
| SHA512 | 9f3aa0f3e4d45570a9eb363bacd45c6a903610f46c36a5d77cc397d7253b4d29c849df1fa017216334aff2780e02e69b2466322d0332662bc91e70bd7ef70870 |
C:\Windows\system\ocjVErc.exe
| MD5 | e2f89eda95c6886447a8f025ddc28e6f |
| SHA1 | c4ac8ddf1bb0a7a1ba9bed2e6eee362e7131c790 |
| SHA256 | c7565b771aa6c7b78c835702bd7c55378edc0d45d28bbc8482bfce77334941b2 |
| SHA512 | e5e07443d94dd8a321c54b9a9ed0f0134b4d37c79d619592a0bbb0be8bff5e3720ade677bae6af258a39b0d7acd9163c90ea8260882bdacd7b7731958a549f0d |
C:\Windows\system\uGAAvfI.exe
| MD5 | 7d7440578890ecd0d31790a6bcff923a |
| SHA1 | 631392b564a9c7619dee448219904d757693e9eb |
| SHA256 | 33e6037afe23c6f9bb45c2478112267c6ea38a4d0b17b38697febe792750bfc2 |
| SHA512 | 31491486da073fb4b90186c6077bc9e4f27a8917fbb3f9e4a88e8bf2bbf0b5d99750c616c617b732c2692331e309bce8b5ae7791209d9ae5c9752c63fb57b1cd |
C:\Windows\system\zstzmwK.exe
| MD5 | 41ace272817683ea50f4b0576bf52491 |
| SHA1 | 70b79a452919a66e50351afcdc359cc381fab996 |
| SHA256 | bb472f2fa3051c50133f1a9f297755349c53d38ca1d2a6b78235219085b6cd66 |
| SHA512 | 9a873cc573a59ebf9bf267ada7d30deaa741c274860cf5e15c4a308e621a27845ce11565c9d3ceb3d746dee3076b9240219a37fd502c1253881403dae00cb301 |
C:\Windows\system\vLchyeq.exe
| MD5 | 7b831e4980682d011e9808434e5f89c4 |
| SHA1 | 5453a5da01865105c34e66561855a3b6fb700e05 |
| SHA256 | 0b480373ba0878260202eb5ecf8fd79ef28da0bbd2d316d0f3fdb27800f3fed8 |
| SHA512 | b8645e097ecb92533820434bd6f4ba4e06317499feed8ceedae5cf8b05164db885493c1f54ac362232793ed7e23370a451c16020d8f72511eb9922b35a1b1d08 |
memory/2184-24-0x0000000002440000-0x0000000002794000-memory.dmp
memory/2184-116-0x0000000002440000-0x0000000002794000-memory.dmp
memory/2468-119-0x000000013F140000-0x000000013F494000-memory.dmp
memory/2596-121-0x000000013FBF0000-0x000000013FF44000-memory.dmp
memory/2184-128-0x000000013F250000-0x000000013F5A4000-memory.dmp
memory/2536-129-0x000000013FDB0000-0x0000000140104000-memory.dmp
memory/2956-127-0x000000013F4D0000-0x000000013F824000-memory.dmp
memory/2184-126-0x000000013F4D0000-0x000000013F824000-memory.dmp
memory/1688-125-0x000000013F580000-0x000000013F8D4000-memory.dmp
memory/2184-124-0x000000013F580000-0x000000013F8D4000-memory.dmp
memory/2464-123-0x000000013FB00000-0x000000013FE54000-memory.dmp
memory/2604-122-0x000000013FC30000-0x000000013FF84000-memory.dmp
memory/2460-120-0x000000013FA20000-0x000000013FD74000-memory.dmp
memory/2184-118-0x000000013F140000-0x000000013F494000-memory.dmp
memory/2860-117-0x000000013F970000-0x000000013FCC4000-memory.dmp
memory/2584-115-0x000000013F630000-0x000000013F984000-memory.dmp
memory/2184-114-0x000000013F630000-0x000000013F984000-memory.dmp
C:\Windows\system\sjzDQpX.exe
| MD5 | 9bd4d3d17961c551a48df3d37b96c28b |
| SHA1 | 838c7d78a25d2984d2286961b5942fde56a6188a |
| SHA256 | 08d0fba2310274621b23b875090502ebe945719bf52e4b0977f7ec6b3d64b11a |
| SHA512 | c80373da6e05b4fdba098ce55e30fa760f2087c6ce9accfd432b4d03b9fe63ff1ecb8372ae85635f898dd7b4183af3b31fb331bcfc058b63c72044c928dd17f2 |
memory/2184-9-0x000000013F040000-0x000000013F394000-memory.dmp
memory/1748-15-0x000000013F040000-0x000000013F394000-memory.dmp
memory/2184-130-0x000000013FC00000-0x000000013FF54000-memory.dmp
memory/1748-131-0x000000013F040000-0x000000013F394000-memory.dmp
memory/2356-132-0x000000013FA20000-0x000000013FD74000-memory.dmp
memory/1748-133-0x000000013F040000-0x000000013F394000-memory.dmp
memory/2356-134-0x000000013FA20000-0x000000013FD74000-memory.dmp
memory/2612-135-0x000000013F200000-0x000000013F554000-memory.dmp
memory/2536-136-0x000000013FDB0000-0x0000000140104000-memory.dmp
memory/2632-137-0x000000013FAE0000-0x000000013FE34000-memory.dmp
memory/2584-138-0x000000013F630000-0x000000013F984000-memory.dmp
memory/2468-139-0x000000013F140000-0x000000013F494000-memory.dmp
memory/2460-140-0x000000013FA20000-0x000000013FD74000-memory.dmp
memory/2596-141-0x000000013FBF0000-0x000000013FF44000-memory.dmp
memory/2604-143-0x000000013FC30000-0x000000013FF84000-memory.dmp
memory/2464-144-0x000000013FB00000-0x000000013FE54000-memory.dmp
memory/1688-145-0x000000013F580000-0x000000013F8D4000-memory.dmp
memory/2956-146-0x000000013F4D0000-0x000000013F824000-memory.dmp
memory/2860-142-0x000000013F970000-0x000000013FCC4000-memory.dmp
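Every image region in the dump list above is 0x354000 bytes long, and process 2184 additionally holds a region of exactly that size at 0x2440000, an address well below where this Win7 x64 run maps executables. A same-sized copy of an image in dynamically allocated memory is the footprint one expects from a manually mapped PE, which is consistent with the "Detects Reflective DLL injection artifacts" hit. The script below is an added example, not the sandbox's code; it assumes the names follow memory/<pid>-<n>-<start>-<end>-memory.dmp with <start> and <end> bounding the dumped region, and IMAGE_BASE_MIN is a heuristic threshold I chose for this run, not a value the report states.

```python
"""Parse sandbox memory-dump names and flag a process that holds an image-base
region and a non-image region of identical size. Added example; not part of
the report. Assumed name layout: memory/<pid>-<n>-<start>-<end>-memory.dmp."""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$"
)

# Heuristic (assumption): on this Win7 x64 run the executables map at
# 0x13F000000 and above; regions below that are treated as allocated memory.
IMAGE_BASE_MIN = 0x13F000000


def parse(name):
    """Return the pid, sequence number, start, size and image flag for one
    dump name, or None if the name does not follow the assumed layout."""
    m = DUMP_RE.match(name)
    if not m:
        return None
    pid, seq = int(m[1]), int(m[2])
    start, end = int(m[3], 16), int(m[4], 16)
    return {"pid": pid, "seq": seq, "start": start,
            "size": end - start, "image": start >= IMAGE_BASE_MIN}


def reflective_candidates(names):
    """Return sorted (pid, size) pairs where one process has both an
    image-base region and a non-image region of exactly the same size."""
    regions = defaultdict(list)
    for name in names:
        r = parse(name)
        if r:
            regions[r["pid"]].append(r)
    found = set()
    for pid, rs in regions.items():
        image_sizes = {r["size"] for r in rs if r["image"]}
        for r in rs:
            if not r["image"] and r["size"] in image_sizes:
                found.add((pid, r["size"]))
    return sorted(found)


# A subset of the dump names from the list above.
SAMPLE_DUMPS = [
    "memory/2184-0-0x000000013FC00000-0x000000013FF54000-memory.dmp",
    "memory/2184-1-0x0000000000080000-0x0000000000090000-memory.dmp",
    "memory/2184-24-0x0000000002440000-0x0000000002794000-memory.dmp",
    "memory/2184-25-0x000000013F200000-0x000000013F554000-memory.dmp",
    "memory/2612-27-0x000000013F200000-0x000000013F554000-memory.dmp",
    "memory/1748-15-0x000000013F040000-0x000000013F394000-memory.dmp",
]

if __name__ == "__main__":
    for pid, size in reflective_candidates(SAMPLE_DUMPS):
        print(f"pid {pid}: non-image region of 0x{size:X} bytes matches an image size")
```

Only pid 2184 is reported; the dropped executables' own processes show image-base regions only. The 0x10000-byte region at 0x80000 in 2184 is not flagged because no image of that size exists, which is the point of keying on the image size rather than on "any low-address region".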
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-08 19:03
Reported
2024-06-08 19:06
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
xmrig
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-08_6124e7e6fd867031b5097174e23e12bc_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_6124e7e6fd867031b5097174e23e12bc_cobalt-strike_cobaltstrike.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 213.143.182.52.in-addr.arpa | udp |
On this Windows 10 run the sample spawned no child processes, dropped nothing into C:\Windows\System\ and made no connection to 3.120.209.58:8080; the only traffic is a set of PTR lookups through 8.8.8.8, so the dropper, miner and beacon behaviour seen on the Windows 7 run did not reproduce here.
Files
memory/1136-0-0x00007FF7F0B60000-0x00007FF7F0EB4000-memory.dmp