Analysis Overview
SHA256
b4f24d5d71b4db74df250efb6e0e6f83f9c047a08019d308f20742b7e3456c12
Threat Level: Known bad
The file 2024-06-08_d29e71e672991843183ed5d83d40b844_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike
Cobalt Strike reflective loader
XMRig Miner payload
Xmrig family
UPX dump on OEP (original entry point)
Detects Reflective DLL injection artifacts
Cobaltstrike family
xmrig
UPX packed file
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported: 2024-06-08 19:47
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted: 2024-06-08 19:47
Reported: 2024-06-08 19:50
Platform: win7-20240221-en
Max time kernel: 135s
Max time network: 145s
Command Line: (none recorded)
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\axbEYCi.exe | N/A |
| N/A | N/A | C:\Windows\System\DXJxBYg.exe | N/A |
| N/A | N/A | C:\Windows\System\ZtrefwT.exe | N/A |
| N/A | N/A | C:\Windows\System\KxZLxzr.exe | N/A |
| N/A | N/A | C:\Windows\System\zkpCaIn.exe | N/A |
| N/A | N/A | C:\Windows\System\scGEciJ.exe | N/A |
| N/A | N/A | C:\Windows\System\fxQKOoj.exe | N/A |
| N/A | N/A | C:\Windows\System\lpcCQqd.exe | N/A |
| N/A | N/A | C:\Windows\System\HGqkRYP.exe | N/A |
| N/A | N/A | C:\Windows\System\kmfQbAG.exe | N/A |
| N/A | N/A | C:\Windows\System\rrSQdez.exe | N/A |
| N/A | N/A | C:\Windows\System\FSMDAMW.exe | N/A |
| N/A | N/A | C:\Windows\System\szOChCy.exe | N/A |
| N/A | N/A | C:\Windows\System\KHwhURa.exe | N/A |
| N/A | N/A | C:\Windows\System\zyCnpVS.exe | N/A |
| N/A | N/A | C:\Windows\System\JloGVUe.exe | N/A |
| N/A | N/A | C:\Windows\System\tAzloUU.exe | N/A |
| N/A | N/A | C:\Windows\System\NmTGxLy.exe | N/A |
| N/A | N/A | C:\Windows\System\pDNuoJt.exe | N/A |
| N/A | N/A | C:\Windows\System\mbfSkLs.exe | N/A |
| N/A | N/A | C:\Windows\System\oEWNcfk.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_d29e71e672991843183ed5d83d40b844_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_d29e71e672991843183ed5d83d40b844_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-08_d29e71e672991843183ed5d83d40b844_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-08_d29e71e672991843183ed5d83d40b844_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\axbEYCi.exe | C:\Windows\System\axbEYCi.exe |
| C:\Windows\System\DXJxBYg.exe | C:\Windows\System\DXJxBYg.exe |
| C:\Windows\System\ZtrefwT.exe | C:\Windows\System\ZtrefwT.exe |
| C:\Windows\System\zkpCaIn.exe | C:\Windows\System\zkpCaIn.exe |
| C:\Windows\System\KxZLxzr.exe | C:\Windows\System\KxZLxzr.exe |
| C:\Windows\System\scGEciJ.exe | C:\Windows\System\scGEciJ.exe |
| C:\Windows\System\fxQKOoj.exe | C:\Windows\System\fxQKOoj.exe |
| C:\Windows\System\lpcCQqd.exe | C:\Windows\System\lpcCQqd.exe |
| C:\Windows\System\HGqkRYP.exe | C:\Windows\System\HGqkRYP.exe |
| C:\Windows\System\rrSQdez.exe | C:\Windows\System\rrSQdez.exe |
| C:\Windows\System\kmfQbAG.exe | C:\Windows\System\kmfQbAG.exe |
| C:\Windows\System\FSMDAMW.exe | C:\Windows\System\FSMDAMW.exe |
| C:\Windows\System\KHwhURa.exe | C:\Windows\System\KHwhURa.exe |
| C:\Windows\System\szOChCy.exe | C:\Windows\System\szOChCy.exe |
| C:\Windows\System\zyCnpVS.exe | C:\Windows\System\zyCnpVS.exe |
| C:\Windows\System\JloGVUe.exe | C:\Windows\System\JloGVUe.exe |
| C:\Windows\System\tAzloUU.exe | C:\Windows\System\tAzloUU.exe |
| C:\Windows\System\NmTGxLy.exe | C:\Windows\System\NmTGxLy.exe |
| C:\Windows\System\pDNuoJt.exe | C:\Windows\System\pDNuoJt.exe |
| C:\Windows\System\mbfSkLs.exe | C:\Windows\System\mbfSkLs.exe |
| C:\Windows\System\oEWNcfk.exe | C:\Windows\System\oEWNcfk.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted: 2024-06-08 19:47
Reported: 2024-06-08 19:50
Platform: win10v2004-20240426-en
Max time kernel: 91s
Max time network: 139s
Command Line: (none recorded)
Signatures
xmrig
UPX dump on OEP (original entry point)
XMRig Miner payload
UPX packed file
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-08_d29e71e672991843183ed5d83d40b844_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_d29e71e672991843183ed5d83d40b844_cobalt-strike_cobaltstrike.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files