Analysis Overview
SHA256
d8fa2b01e1fdf64b7a4cdcec64dd49c7583cc6fcecf465e65df3464f0e7c0605
Threat Level: Known bad
The file 2024-06-08_c029cd24ba1d7e512e476b22c0c897a7_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
xmrig
UPX dump on OEP (original entry point)
Cobalt Strike reflective loader
Cobaltstrike
XMRig Miner payload
Cobaltstrike family
Detects Reflective DLL injection artifacts
Xmrig family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
UPX packed file
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-08 19:41
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-08 19:41
Reported
2024-06-08 19:44
Platform
win7-20240221-en
Max time kernel
144s
Max time network
154s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\LjREjxp.exe | N/A |
| N/A | N/A | C:\Windows\System\XmBkWhR.exe | N/A |
| N/A | N/A | C:\Windows\System\CvuyQMG.exe | N/A |
| N/A | N/A | C:\Windows\System\QGSTXyX.exe | N/A |
| N/A | N/A | C:\Windows\System\tzEawgB.exe | N/A |
| N/A | N/A | C:\Windows\System\kXYOckB.exe | N/A |
| N/A | N/A | C:\Windows\System\eubyxgA.exe | N/A |
| N/A | N/A | C:\Windows\System\zFUHSJx.exe | N/A |
| N/A | N/A | C:\Windows\System\XYqITLp.exe | N/A |
| N/A | N/A | C:\Windows\System\qbmKxDp.exe | N/A |
| N/A | N/A | C:\Windows\System\qwGlwjH.exe | N/A |
| N/A | N/A | C:\Windows\System\eMUUEuv.exe | N/A |
| N/A | N/A | C:\Windows\System\IVLZmSZ.exe | N/A |
| N/A | N/A | C:\Windows\System\PoXgXpq.exe | N/A |
| N/A | N/A | C:\Windows\System\msnFDuS.exe | N/A |
| N/A | N/A | C:\Windows\System\CRPNIJp.exe | N/A |
| N/A | N/A | C:\Windows\System\EPaJtag.exe | N/A |
| N/A | N/A | C:\Windows\System\cdNuBjB.exe | N/A |
| N/A | N/A | C:\Windows\System\vsWaAPl.exe | N/A |
| N/A | N/A | C:\Windows\System\CTqdzJV.exe | N/A |
| N/A | N/A | C:\Windows\System\EWdPFjo.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_c029cd24ba1d7e512e476b22c0c897a7_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_c029cd24ba1d7e512e476b22c0c897a7_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-08_c029cd24ba1d7e512e476b22c0c897a7_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_c029cd24ba1d7e512e476b22c0c897a7_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\LjREjxp.exe
C:\Windows\System\LjREjxp.exe
C:\Windows\System\XmBkWhR.exe
C:\Windows\System\XmBkWhR.exe
C:\Windows\System\CvuyQMG.exe
C:\Windows\System\CvuyQMG.exe
C:\Windows\System\QGSTXyX.exe
C:\Windows\System\QGSTXyX.exe
C:\Windows\System\tzEawgB.exe
C:\Windows\System\tzEawgB.exe
C:\Windows\System\kXYOckB.exe
C:\Windows\System\kXYOckB.exe
C:\Windows\System\eubyxgA.exe
C:\Windows\System\eubyxgA.exe
C:\Windows\System\zFUHSJx.exe
C:\Windows\System\zFUHSJx.exe
C:\Windows\System\XYqITLp.exe
C:\Windows\System\XYqITLp.exe
C:\Windows\System\qbmKxDp.exe
C:\Windows\System\qbmKxDp.exe
C:\Windows\System\qwGlwjH.exe
C:\Windows\System\qwGlwjH.exe
C:\Windows\System\eMUUEuv.exe
C:\Windows\System\eMUUEuv.exe
C:\Windows\System\IVLZmSZ.exe
C:\Windows\System\IVLZmSZ.exe
C:\Windows\System\PoXgXpq.exe
C:\Windows\System\PoXgXpq.exe
C:\Windows\System\msnFDuS.exe
C:\Windows\System\msnFDuS.exe
C:\Windows\System\CRPNIJp.exe
C:\Windows\System\CRPNIJp.exe
C:\Windows\System\EPaJtag.exe
C:\Windows\System\EPaJtag.exe
C:\Windows\System\cdNuBjB.exe
C:\Windows\System\cdNuBjB.exe
C:\Windows\System\vsWaAPl.exe
C:\Windows\System\vsWaAPl.exe
C:\Windows\System\CTqdzJV.exe
C:\Windows\System\CTqdzJV.exe
C:\Windows\System\EWdPFjo.exe
C:\Windows\System\EWdPFjo.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1784-0-0x000000013F3F0000-0x000000013F744000-memory.dmp
memory/1784-1-0x00000000001F0000-0x0000000000200000-memory.dmp
\Windows\system\LjREjxp.exe
| MD5 | 795e4e67cf8cf7fb33b1a036b0eea096 |
| SHA1 | 715074a92a82a245d73368f2d4934c183500dcf2 |
| SHA256 | 658af1747c09ba4459270481dedc21fe9eea649be4c48675614958cf644806d6 |
| SHA512 | b7fe57dc9e81c83aaf899f6cc52df2229dc92e24a2e809b214af159fdc2be9a798510076c53e19ab29249c81bb3db503063109d7736b054251ae7ad2826448ae |
\Windows\system\XmBkWhR.exe
| MD5 | a24227cbd0df189220449733176e0474 |
| SHA1 | 953fbfb9f06e04375aded9299ca1c174b7b89e5c |
| SHA256 | 13a794491a2b1f3ff89959da0f9f8a4acc660a6b08847406753013dc88ace08c |
| SHA512 | b5e9edfc7feb502109b3fea6c76ac43016eadb4afec7c6098be45eccc0044e3fa40cb7eca56054f90b55b6bdefd508caf8fa6b0103e62fd690f0704efcf8b8b2 |
memory/2936-14-0x000000013F1C0000-0x000000013F514000-memory.dmp
memory/1784-12-0x000000013FFB0000-0x0000000140304000-memory.dmp
C:\Windows\system\CvuyQMG.exe
| MD5 | 15efa0210a29c1fb2ee7164ddfbb6a0a |
| SHA1 | 49f9f5094aaaabe7684303ac33fdad8d4e2cb5fb |
| SHA256 | ee2082bd4c251ccfddfb3ee28e21cb564b4ee54d6cb4a524c8e8e9afa9100018 |
| SHA512 | e94e28b6506a52d7976bc1a26547156bb4d1df909387cfcfd3fe7e132cdf982404db79977671ad11d2816deacdfcd39f04f2ba240457bfc7d45aa6acd02071ba |
\Windows\system\QGSTXyX.exe
| MD5 | dd89336390748c089c419610275b7307 |
| SHA1 | 70c62a53367be812a77f3e5b63b7bd33b6006847 |
| SHA256 | ca5f2361f860b42d6534e025645fd388dedf6e8b72eb892c3de3d146729da700 |
| SHA512 | a34f9a843ba073514e76771f0e07f9c54fd6cf0a348172d1f0e5a96804a2f63c0918b653efece564ad2679ceee9184e9c4d530445739b65096517e9f057a8d3e |
memory/2724-15-0x000000013FFB0000-0x0000000140304000-memory.dmp
\Windows\system\tzEawgB.exe
| MD5 | 956481ea5ebda73fa9dfb65c52d38571 |
| SHA1 | a267b586463f3128b045109fc54631be240b4d65 |
| SHA256 | 984c4cbed186949647c0574682b881d9701d844a690851f5aedb4d3c8ba135ea |
| SHA512 | 405256ca284e97784055afa731a4fca030add22970bb3c608a58fa5a1cd7bc6f9fea55ff32d1faba155bcf5aea0b5869c6473dab44a548512ee13dbe8d9947c9 |
\Windows\system\eubyxgA.exe
| MD5 | 6a4d493a5075d6051d03b6b118b84c47 |
| SHA1 | 6f609b6491772a9ef3d17b0de8bf9802367a6b2f |
| SHA256 | 47e9b486b02d0def0290e376e492da96f3dc74ae99eadd1e0e917f65ccf253fa |
| SHA512 | 41dc6835098d5523cae278bf9f8fd74eaa7ebf018191fcc7f878bec0c6ee729a69bac752e3a90ea17b52546f3f81aeff5e3864b0b17cd0f9e52da2dd69ded518 |
C:\Windows\system\XYqITLp.exe
| MD5 | 34c78a5e422a22dad7e7ba5a057d0057 |
| SHA1 | 0cb35be9b9cfbad83cde3b4b0632b84988087cc6 |
| SHA256 | bee692c05e5a759c3a311dbddd6b66afa55b1638909cdb1b0fb9ab0e7af27317 |
| SHA512 | e6b23b8f58ceabed04505c9030ee90782320a27f816a969bd901122104e33e787bd3a8a3dec2d58c439e7fd8f158c14b6844e5d4b8595d5b992b8922ca28062f |
C:\Windows\system\qbmKxDp.exe
| MD5 | 29f90c889a11c060c36b012e396cb2e5 |
| SHA1 | 3efd2f0ef628b2d871e84afc4804dbfe6677ae21 |
| SHA256 | 20ec008e867aac5de6e9a775cd333f0a85f65fafbb3e51562203bb29dc3d1371 |
| SHA512 | d0be6db5da727d478759aed6e1e8ee57491b5e3599740b733e80487ab641212f67a4f87627b1880fcd96831496b2d189145c741ec378e28dc1d05711fa29eb8a |
C:\Windows\system\PoXgXpq.exe
| MD5 | dd56ff8a1d87c76449b9b49282b93a31 |
| SHA1 | ef272fdf47bd8396baf180370b7b0a39b628fe94 |
| SHA256 | 0e8fafa0ce037b513592d2e1d87ab1ca92360f56e2371c0fd9a8a3e31a2c928c |
| SHA512 | 916aa036da2d14b73be8762e87edc52b0394cfb6f696878f33908dbb5ce161d149742a68cbf7a06c38c6d6c3e99ba60fe0661efb7f03c22c066fe44de937ee80 |
C:\Windows\system\cdNuBjB.exe
| MD5 | 38214ea15130bc1d14878c9fb27bac1f |
| SHA1 | c9dd295ab543730de31f4d812469dcf288e86177 |
| SHA256 | 836a8b83dd1e2dea3210d4da02fe7638f980e5d56fb563c7201d43a2735dece5 |
| SHA512 | 1248c73b24f530fc327587195691fe0d553bb10ad9aca5d734ede2bb6a1d324fe41d2f7683dda43ad9bc2689c0cfdf1007862f3076582101e8fdd02cedc10801 |
C:\Windows\system\EWdPFjo.exe
| MD5 | be535031bc54fd68e5293d57121421ad |
| SHA1 | 93c66898a1e0ddef4e10ad63e0f19a6e2d9b867e |
| SHA256 | 578b4f94e5be255c570a97cc22c5b3a12ad9fcd47e511751fbc100040bacddae |
| SHA512 | 6fecfd2d6e39edb38d1ae0ea2d844f3c2d0b3d6b50af579e9f85d45044207447f8b34c010b06d4366448c9fed76508fb397c21b9eeba1b8a6d94d45d37a55da8 |
C:\Windows\system\CTqdzJV.exe
| MD5 | f9b3e66a1b3c79fe148f2ac86dedf580 |
| SHA1 | 668606599f8e72ecb7e8cda5b637c1f87a88cd70 |
| SHA256 | e41670659793e1df053f3c12eb6208803a60719be53f33e5465d50085037a07c |
| SHA512 | e5d1f1aaa7fa2e1258812fa42489fbb34e2ba93faf85dd04b6b9494031cc9cced9a9f35319ef9e37e7db142eb66aaea3594b049697b878ac61593e450326b04a |
C:\Windows\system\CRPNIJp.exe
| MD5 | 445c60f4c4e6f38497907953f87374a5 |
| SHA1 | 9cd1b5e1a1bd7cf30e3a06dc852a34886668432e |
| SHA256 | b08f57b93a43664c992ad7566e804e3fdde9b7b6ce302497dbe5fc5f5181ac94 |
| SHA512 | 2186f247392a37a98c8d233bf0ce4c67af77390667739e44e35ade21219e6ddbdb02bf21c415e1935dc1c2b3340e80f25bfe2463910e90b17073ad9ae67b0fd7 |
C:\Windows\system\vsWaAPl.exe
| MD5 | a1ab05fc3dd684ea8b7a3eb86d6f2fe4 |
| SHA1 | e60b558d0825e460a0c41083643216ce1bf0d08f |
| SHA256 | 6915cd56069757fe7f94e53006d87db1cf23257e676fb7189155eff4f6199f4d |
| SHA512 | 7c9f20812d870c26f99551ff5f0172df45f34220e7a13fccabfc66bae2cf33105fba72ae70dab9f670bfdce2f5344051ffa907e4a0e7646d8ae40cec92f76098 |
C:\Windows\system\EPaJtag.exe
| MD5 | 25007a6ec9b82d712e04f03707749065 |
| SHA1 | 5cd372e786ba5a8b1623284c64e36169a53007c1 |
| SHA256 | 688a42491562cae1707fc2fda0f89875eef6943d81be102129a2e57a31959339 |
| SHA512 | e27e93f4fb7b69607094453ed39081c6bce69f6cf57f1ab94eadd9301c92e26c584fb696b183dedd8cb5ef6406128d7f4a432d86417a117296ffa599241cda4f |
C:\Windows\system\msnFDuS.exe
| MD5 | 9ef0f69f1a331684ef7d17c5e45c24e1 |
| SHA1 | e99c276b1030b40757066109791cc67ff3071ae6 |
| SHA256 | e62d5b839334321129847dee10c81f5c7414ba0b866094e846724eced816ec2f |
| SHA512 | 8e078fe091d7c93a551bea76183678eaf844f1e11cd7f66bb0747bb82bc0083dd4563e5470214ef1a7aa84ecfce242d0a3a2aec33731a73d0edb749d18ec1927 |
C:\Windows\system\eMUUEuv.exe
| MD5 | 543276133d57b1ffd0482ae7d93f0c96 |
| SHA1 | 6fd951c7ab1aa16d8250fc2722310d4d3d3a15f2 |
| SHA256 | 82fbb5f9ad27e6cd065f767ef8251b7c0ec2947d21b02ce9f7ddecf6093f352e |
| SHA512 | 6405c741b0c28f7e4a0835a5900208c67a4527dd5702edc840f5ecfae7b2c6db52946d94f93f222869687930b8d463a495209cccd5cea0379a3351211b4d2a63 |
C:\Windows\system\IVLZmSZ.exe
| MD5 | e4ce0868fa0fc055463f941bbb762128 |
| SHA1 | ed136760a198cc8f375d7e9f429df2c4ee403e6a |
| SHA256 | f5eb05c245231b40cf4722cdaeb9b630d5a93a68eca0ceb237be006243b174c3 |
| SHA512 | 3cf1d6ef0da4697e60b670c34e9c28711343c0b634c01f904f7e3a2346f733f49011687fba740f28a795744d46d14d1860dff0f58825d9c0355dc36244614bc5 |
C:\Windows\system\qwGlwjH.exe
| MD5 | 869f9c48363cf02c07b0d2c52471ce2d |
| SHA1 | 5ca8f2e5ba6544c7cd99ca57497ee635897b75df |
| SHA256 | 6f8abccab01125bc233bc9ab831f3c725e63fb7ded13f91d726edbab0082c8f6 |
| SHA512 | 99eb7577a2bec9f7ee18493b31d5ad8c4c109be053ce88fa3ce41309681b1b2b58701aed2ff081cfbfa06f9c54c2a5f53b26cc2c03b2c7d47cba754c9b473fec |
C:\Windows\system\zFUHSJx.exe
| MD5 | c786b13c5a201d17e55920613c0b3e8d |
| SHA1 | 7549e37d6a0fcd4dc116d3aed1c64b87d80983d3 |
| SHA256 | 82f95be836ac513d99b58e06f7862e743ee22bca55fc653fd970e8a4c8cc654b |
| SHA512 | a3df5a8ac98eb84d60305e6b7cb390d08cbf13856a401e61fc0767957b3429e623a0f03ada44f95ae5d36a9722e20b0668f056030ffb9a1d5e893e86a5254de0 |
C:\Windows\system\kXYOckB.exe
| MD5 | fe5401c07bb16c783e7d03cd817b2a61 |
| SHA1 | e773005c427ea41895b73961ba8bcc1f283b60d3 |
| SHA256 | c3e6c75d4c9b9107fad6c9637459ea8503da2d3e7d52ce80b5dc7ff14a7891cd |
| SHA512 | 34c3e5295a71e0b430cccd40d693374a5575a8166a4947ff21d516b4c107f064fbdf0d34e4fb1661071ca132b9173533f003e6e5ec25002508e5eb84d79bafef |
memory/1784-29-0x0000000002450000-0x00000000027A4000-memory.dmp
memory/2704-111-0x000000013F160000-0x000000013F4B4000-memory.dmp
memory/2504-112-0x000000013FC50000-0x000000013FFA4000-memory.dmp
memory/1784-113-0x000000013F8A0000-0x000000013FBF4000-memory.dmp
memory/2112-114-0x000000013FEE0000-0x0000000140234000-memory.dmp
memory/2744-115-0x000000013FD30000-0x0000000140084000-memory.dmp
memory/1784-116-0x000000013FD00000-0x0000000140054000-memory.dmp
memory/1916-117-0x000000013FD00000-0x0000000140054000-memory.dmp
memory/1804-118-0x000000013FA40000-0x000000013FD94000-memory.dmp
memory/1784-119-0x000000013FFC0000-0x0000000140314000-memory.dmp
memory/2412-120-0x000000013FFC0000-0x0000000140314000-memory.dmp
memory/1784-121-0x0000000002450000-0x00000000027A4000-memory.dmp
memory/2336-122-0x000000013F0D0000-0x000000013F424000-memory.dmp
memory/1276-123-0x000000013F970000-0x000000013FCC4000-memory.dmp
memory/2380-124-0x000000013FB80000-0x000000013FED4000-memory.dmp
memory/1784-125-0x000000013FEC0000-0x0000000140214000-memory.dmp
memory/656-126-0x000000013FEC0000-0x0000000140214000-memory.dmp
memory/1784-127-0x0000000002450000-0x00000000027A4000-memory.dmp
memory/2712-129-0x000000013F8A0000-0x000000013FBF4000-memory.dmp
memory/1784-128-0x000000013FC50000-0x000000013FFA4000-memory.dmp
memory/1784-130-0x000000013F3F0000-0x000000013F744000-memory.dmp
memory/2724-131-0x000000013FFB0000-0x0000000140304000-memory.dmp
memory/2936-132-0x000000013F1C0000-0x000000013F514000-memory.dmp
memory/2704-133-0x000000013F160000-0x000000013F4B4000-memory.dmp
memory/2504-134-0x000000013FC50000-0x000000013FFA4000-memory.dmp
memory/2744-137-0x000000013FD30000-0x0000000140084000-memory.dmp
memory/1804-136-0x000000013FA40000-0x000000013FD94000-memory.dmp
memory/2712-135-0x000000013F8A0000-0x000000013FBF4000-memory.dmp
memory/1916-138-0x000000013FD00000-0x0000000140054000-memory.dmp
memory/2412-139-0x000000013FFC0000-0x0000000140314000-memory.dmp
memory/2112-141-0x000000013FEE0000-0x0000000140234000-memory.dmp
memory/2380-142-0x000000013FB80000-0x000000013FED4000-memory.dmp
memory/1276-143-0x000000013F970000-0x000000013FCC4000-memory.dmp
memory/656-144-0x000000013FEC0000-0x0000000140214000-memory.dmp
memory/2336-140-0x000000013F0D0000-0x000000013F424000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-08 19:41
Reported
2024-06-08 19:44
Platform
win10v2004-20240226-en
Max time kernel
143s
Max time network
160s
Command Line
Signatures
xmrig
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-08_c029cd24ba1d7e512e476b22c0c897a7_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_c029cd24ba1d7e512e476b22c0c897a7_cobalt-strike_cobaltstrike.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3644 --field-trial-handle=2256,i,6670388345726423024,18382795228658886258,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| FR | 216.58.213.74:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 74.213.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.173.189.20.in-addr.arpa | udp |
Files
memory/3404-0-0x00007FF7E1F10000-0x00007FF7E2264000-memory.dmp