Analysis Overview
SHA256
fcf4420b6fabeeaa1d9e8961dc65cdbc90166507c11e30e45b33b83fe8ecbdeb
Threat Level: Known bad
The file 2024-06-08_e5d63f545064d78d0d26354d50991b81_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
XMRig Miner payload
Xmrig family
UPX packed file
UPX dump on OEP (original entry point)
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2024-06-08 19:54
Signatures
(Description, Indicator, Process and Target fields are N/A for every static signature below.)
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-08 19:54
Reported
2024-06-08 19:57
Platform
win7-20231129-en
Max time kernel
135s
Max time network
147s
Signatures
Cobalt Strike reflective loader (21 rows in the export; Description, Indicator, Process and Target fields all N/A)
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts (21 rows in the export; Description, Indicator, Process and Target fields all N/A)
UPX dump on OEP (original entry point) (52 rows in the export; Description, Indicator, Process and Target fields all N/A)
XMRig Miner payload (56 rows in the export; Description, Indicator, Process and Target fields all N/A)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\KUahfeJ.exe | N/A |
| N/A | N/A | C:\Windows\System\bbkuJpN.exe | N/A |
| N/A | N/A | C:\Windows\System\KNNRycs.exe | N/A |
| N/A | N/A | C:\Windows\System\ChTGLjw.exe | N/A |
| N/A | N/A | C:\Windows\System\lZVEYKN.exe | N/A |
| N/A | N/A | C:\Windows\System\oHWOBVb.exe | N/A |
| N/A | N/A | C:\Windows\System\qreIavv.exe | N/A |
| N/A | N/A | C:\Windows\System\bTsbZSS.exe | N/A |
| N/A | N/A | C:\Windows\System\WyJkQPp.exe | N/A |
| N/A | N/A | C:\Windows\System\bsHVmpN.exe | N/A |
| N/A | N/A | C:\Windows\System\LVkBoYm.exe | N/A |
| N/A | N/A | C:\Windows\System\tqTnaLv.exe | N/A |
| N/A | N/A | C:\Windows\System\RYhVvIW.exe | N/A |
| N/A | N/A | C:\Windows\System\cEpkXpm.exe | N/A |
| N/A | N/A | C:\Windows\System\cKyzYSY.exe | N/A |
| N/A | N/A | C:\Windows\System\uZzkAUN.exe | N/A |
| N/A | N/A | C:\Windows\System\uTbPIQb.exe | N/A |
| N/A | N/A | C:\Windows\System\hTKEWPy.exe | N/A |
| N/A | N/A | C:\Windows\System\WFYONhN.exe | N/A |
| N/A | N/A | C:\Windows\System\TchcWuV.exe | N/A |
| N/A | N/A | C:\Windows\System\ZCwQAjX.exe | N/A |
Loads dropped DLL
UPX packed file (52 rows in the export; Description, Indicator, Process and Target fields all N/A)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_e5d63f545064d78d0d26354d50991b81_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_e5d63f545064d78d0d26354d50991b81_cobalt-strike_cobaltstrike.exe | N/A |
SeLockMemoryPrivilege is the privilege needed to allocate large pages (VirtualAlloc with MEM_LARGE_PAGES); XMRig enables it to back its RandomX memory with huge pages, so a user-mode sample adjusting this token is consistent with the XMRig Miner payload signature above and is a useful correlating event when hunting for miners.
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-08_e5d63f545064d78d0d26354d50991b81_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_e5d63f545064d78d0d26354d50991b81_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\KUahfeJ.exe
C:\Windows\System\KUahfeJ.exe
C:\Windows\System\bbkuJpN.exe
C:\Windows\System\bbkuJpN.exe
C:\Windows\System\KNNRycs.exe
C:\Windows\System\KNNRycs.exe
C:\Windows\System\ChTGLjw.exe
C:\Windows\System\ChTGLjw.exe
C:\Windows\System\lZVEYKN.exe
C:\Windows\System\lZVEYKN.exe
C:\Windows\System\oHWOBVb.exe
C:\Windows\System\oHWOBVb.exe
C:\Windows\System\qreIavv.exe
C:\Windows\System\qreIavv.exe
C:\Windows\System\bTsbZSS.exe
C:\Windows\System\bTsbZSS.exe
C:\Windows\System\WyJkQPp.exe
C:\Windows\System\WyJkQPp.exe
C:\Windows\System\bsHVmpN.exe
C:\Windows\System\bsHVmpN.exe
C:\Windows\System\LVkBoYm.exe
C:\Windows\System\LVkBoYm.exe
C:\Windows\System\tqTnaLv.exe
C:\Windows\System\tqTnaLv.exe
C:\Windows\System\RYhVvIW.exe
C:\Windows\System\RYhVvIW.exe
C:\Windows\System\cEpkXpm.exe
C:\Windows\System\cEpkXpm.exe
C:\Windows\System\cKyzYSY.exe
C:\Windows\System\cKyzYSY.exe
C:\Windows\System\uZzkAUN.exe
C:\Windows\System\uZzkAUN.exe
C:\Windows\System\WFYONhN.exe
C:\Windows\System\WFYONhN.exe
C:\Windows\System\uTbPIQb.exe
C:\Windows\System\uTbPIQb.exe
C:\Windows\System\TchcWuV.exe
C:\Windows\System\TchcWuV.exe
C:\Windows\System\hTKEWPy.exe
C:\Windows\System\hTKEWPy.exe
C:\Windows\System\ZCwQAjX.exe
C:\Windows\System\ZCwQAjX.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
(6 identical rows in the export; the Domain column is empty for this destination.)
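The process and network artefacts above translate directly into detection logic. The following is an added example, not part of the sandbox report: two rules over Sysmon-style events, one for randomly named 7-letter executables started out of C:\Windows\System (the legacy directory, not System32, which modern software rarely writes to), escalated when the parent runs from a user's Temp folder, and one for connections to the 3.120.209.58:8080 destination listed in the Network table. The event dictionaries and their field names (image, parent_image, dest_ip, dest_port) are constructed for this example and are an assumption about the log shape.

```python
"""Added example, not part of the sandbox report: detection logic for the
behaviour seen in the behavioral1 run. The events below are constructed in
a Sysmon-like shape; the field names are an assumption of this example."""
import re

# C:\Windows\System\<7 letters>.exe, the naming pattern of the dropped files
RANDOM_SYSTEM_EXE = re.compile(r"^c:\\windows\\system\\[a-z]{7}\.exe$", re.IGNORECASE)
# Parent process image located in a user's local Temp directory
TEMP_PARENT = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)
# Destination taken from the behavioral1 Network table
KNOWN_DESTINATIONS = {("3.120.209.58", 8080)}


def check_process(ev: dict) -> list[str]:
    """Return the reasons a process-creation event is suspicious (empty if none)."""
    reasons = []
    if RANDOM_SYSTEM_EXE.match(ev.get("image", "")):
        reasons.append("random 7-letter executable started from C:\\Windows\\System")
        if TEMP_PARENT.match(ev.get("parent_image", "")):
            reasons.append("parent runs from a user Temp directory")
    return reasons


def check_network(ev: dict) -> list[str]:
    """Return a reason if the connection targets a destination from the report."""
    key = (ev.get("dest_ip"), ev.get("dest_port"))
    if key in KNOWN_DESTINATIONS:
        return [f"connection to reported destination {key[0]}:{key[1]}"]
    return []


def run_detections(events: list[dict]) -> list[tuple[int, str, str]]:
    """Apply both rules to an event stream; return (pid, image, reason) triples."""
    alerts = []
    for ev in events:
        if ev["type"] == "process_create":
            reasons = check_process(ev)
        elif ev["type"] == "network_connect":
            reasons = check_network(ev)
        else:
            reasons = []
        alerts.extend((ev["pid"], ev.get("image", ""), r) for r in reasons)
    return alerts


SAMPLE_PATH = (r"C:\Users\Admin\AppData\Local\Temp"
               r"\2024-06-08_e5d63f545064d78d0d26354d50991b81_cobalt-strike_cobaltstrike.exe")

# Constructed events: two drops named as in the report, two benign-looking controls
# (System32 service, a 7-letter System file with a non-Temp parent), two connections.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 2988, "image": r"C:\Windows\System\KUahfeJ.exe",
     "parent_image": SAMPLE_PATH},
    {"type": "process_create", "pid": 3028, "image": r"C:\Windows\System\bbkuJpN.exe",
     "parent_image": SAMPLE_PATH},
    {"type": "process_create", "pid": 1100, "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe"},
    {"type": "process_create", "pid": 1200, "image": r"C:\Windows\System\abcdefg.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "network_connect", "pid": 2884, "image": SAMPLE_PATH,
     "dest_ip": "3.120.209.58", "dest_port": 8080},
    {"type": "network_connect", "pid": 2884, "image": SAMPLE_PATH,
     "dest_ip": "8.8.8.8", "dest_port": 53},
]

if __name__ == "__main__":
    for pid, image, reason in run_detections(SAMPLE_EVENTS):
        print(f"[{pid}] {image}: {reason}")
```

The System32 control and the DNS lookup produce no alert; the 7-letter file with an Explorer parent fires only the weaker path rule, which is the intended tiering: the path alone is a lead, path plus Temp parent is the chain this report shows.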
Files
memory/2884-0-0x000000013F8B0000-0x000000013FC04000-memory.dmp
memory/2884-1-0x0000000000080000-0x0000000000090000-memory.dmp
memory/2884-7-0x000000013FF10000-0x0000000140264000-memory.dmp
C:\Windows\system\bbkuJpN.exe
| MD5 | 9503294948a4808935fe05cac72cc54b |
| SHA1 | c273388e9e5e35621d502ee384d3ea277eaf7b06 |
| SHA256 | 502a277a6580e5e527e5cdb5d1e3df37db58897f191c94d94428c550231aa6bd |
| SHA512 | 9d18ad0fa4d22d29ac37ac6c3422a15312534374ed7e174e1babe2d126051bfb234963ec6eee46bfd98f0c6d8669b2482dfa3bd9747972ea553da2d24996f314 |
C:\Windows\system\KNNRycs.exe
| MD5 | 3b7a25573bc4579acd384e544d0c4468 |
| SHA1 | 4ae6d7828ad16b1d2b8a5dbcd2924b7842d024fa |
| SHA256 | e2088248ab9818b77e3e180dd623f2cefcce067cca6d7c8641506083027f3844 |
| SHA512 | 23eebd28e6b344176cdd7ffb55ff67d5fdc82eb9a467c55bbaeae58e01bbea24debd0c12fae825e8caaa60a0002c8c3694e13f9aef6293825a527e71f0e5e702 |
memory/2884-22-0x0000000002380000-0x00000000026D4000-memory.dmp
C:\Windows\system\ChTGLjw.exe
| MD5 | 57ef37e76b62915ab5f24d8a3c58b951 |
| SHA1 | 7668aa0eb942027079733f8b4c8515701c939cc0 |
| SHA256 | 0777e57ae5dc9cb396b5ae4ffb9eb043584418d2ab41fd4c220ae84376da45bb |
| SHA512 | 047f3eab4f514d5ca6523fb9a2270f2454b0d32921e3f3e744d79523663ababcc95ad0917e9cfd8971d3ba71a433723585debfb0cf754f1ae64ec179fa67d3c0 |
memory/2148-33-0x000000013F7A0000-0x000000013FAF4000-memory.dmp
memory/2884-44-0x000000013FF90000-0x00000001402E4000-memory.dmp
memory/2884-49-0x0000000002380000-0x00000000026D4000-memory.dmp
memory/2700-53-0x000000013F520000-0x000000013F874000-memory.dmp
memory/2884-55-0x000000013F280000-0x000000013F5D4000-memory.dmp
memory/2508-57-0x000000013FBB0000-0x000000013FF04000-memory.dmp
memory/2884-56-0x0000000002380000-0x00000000026D4000-memory.dmp
memory/2720-54-0x000000013FF90000-0x00000001402E4000-memory.dmp
memory/2568-51-0x000000013F900000-0x000000013FC54000-memory.dmp
C:\Windows\system\bTsbZSS.exe
| MD5 | 9391e6d1046c27ce992abf85212b765c |
| SHA1 | b7d2256679f8e8e1f06ca16838daab05238f5fad |
| SHA256 | dc81ee03bddaa8397223fed3fc9d3f65d70d6c0963754eb7ca574de285674e4a |
| SHA512 | 0662d71fbf8aceea358978b1fe63cca1dfd30aca8e2681eaa77012cdf494b03478dfebdba2928c4ee9e74ca0fdee8597de1c72f3f30875c469b9f213472a6a94 |
memory/2104-48-0x000000013F280000-0x000000013F5D4000-memory.dmp
C:\Windows\system\WyJkQPp.exe
| MD5 | 1e797d671c28417b460a4f86c4cad36e |
| SHA1 | 8b715336d7c7bfbaa71357a6f1b53602bde5dec4 |
| SHA256 | bdc78a728ec0572efc646869698df3cb175087d42e48009a3563cb99134ae536 |
| SHA512 | 882d263e7a6a94144bb79a5caf669823689242c5cc76abb82963d8cbf66c65dafb120d5dcbe46ba8d66d494267c975068702cf6048bbd29ea1ad0ab0cb57d50e |
memory/1624-68-0x000000013F5A0000-0x000000013F8F4000-memory.dmp
memory/2472-71-0x000000013F9B0000-0x000000013FD04000-memory.dmp
memory/2884-70-0x0000000002380000-0x00000000026D4000-memory.dmp
C:\Windows\system\bsHVmpN.exe
| MD5 | f17deade44ca2bf34df4cb80ed15772e |
| SHA1 | 395a8dd288e59d7eff239fc65eb18d39d0075d54 |
| SHA256 | 7b12ddc844e0a7cc98baca4ca26ee99b5a48a330aece49bb584f760602a4cb7a |
| SHA512 | 590862c85d9311a9affe9623e3d6910a441bdd869300f5a6d124e2afd27c25c6240b02702558257550d5c06b2960b143b3749393cfd8a6751da81d1b3169e5e5 |
memory/2884-65-0x0000000002380000-0x00000000026D4000-memory.dmp
C:\Windows\system\LVkBoYm.exe
| MD5 | 96574f5fcd2c536d08964f07bd66e144 |
| SHA1 | 31ec889c718c7d713c293187075fbd20f531a408 |
| SHA256 | 7393f59457fd85e3aa182739ec221fec17136c3f27a9337c827638f5b2b50968 |
| SHA512 | ffb0a8d593b6789541d62b086404eee1253c973f09000ead2d58309ea66b7c9616e0fb28a5e2f1f5962c9927fc64c2799c59003c18f454e4e447787b16c1ef54 |
memory/2164-78-0x000000013F1A0000-0x000000013F4F4000-memory.dmp
memory/2884-77-0x000000013F1A0000-0x000000013F4F4000-memory.dmp
C:\Windows\system\tqTnaLv.exe
| MD5 | 01cf6839c0ce7d8eaa0801e1b93e31e0 |
| SHA1 | 6cc2c72ed4f169ab66773c86f2ffaea4eac6f216 |
| SHA256 | 95f00f9cc41fe0e725b54ce9f84131394b2b924ec83b3a073f2ea03811df27b1 |
| SHA512 | 6d11630ef0af75da732a0c3af0184e3a6d11c0799d72807c5d92ad5b49f630ba88f10a5f6d1cb18ad04d51c0705a61ba5a0ef591a32b1557cc9dd5bc3207ab3e |
memory/2344-85-0x000000013FA80000-0x000000013FDD4000-memory.dmp
memory/2884-84-0x0000000002380000-0x00000000026D4000-memory.dmp
C:\Windows\system\RYhVvIW.exe
| MD5 | aeaca433f1e2aadec11259f57decb6ce |
| SHA1 | 05284cc1d46891f597f8d68960b03ab3e59264fd |
| SHA256 | d57da083cdbb6a81eaf8e28511db34237ec2011a136bd5b759fa9caed5767643 |
| SHA512 | a3dac20088f5ad4f722b5051d6ff10e05489ad6ceaa173ba205b81112b799715cb2a1c16b89501db2b3aac0de13ae6bf4b394d9241692c9f93557cca4baa3a70 |
memory/2884-92-0x000000013F8B0000-0x000000013FC04000-memory.dmp
memory/2884-97-0x000000013FC50000-0x000000013FFA4000-memory.dmp
memory/2884-105-0x000000013F520000-0x000000013F874000-memory.dmp
C:\Windows\system\hTKEWPy.exe
| MD5 | 2d22366f95bb750a54f0180c83d3daa0 |
| SHA1 | 75388d2ee6a21fb34ad1c4a7d43037273f18094d |
| SHA256 | 04321c58b32a916a1e53d5e77f425c74079ebddaa07094df9703a2c14777a825 |
| SHA512 | 66459aecf93e6374131035190b78e752795ac9ab7802e97f5d64b5894ded8239b2280fb9a29fd92039317c7ef3a6a3b57f859b76e84981618cfaf0b0bfd6ca0a |
C:\Windows\system\ZCwQAjX.exe
| MD5 | 0dd0ddce71bd35e570203c9b838abe5c |
| SHA1 | 6fdd2d32153a2717b39bd6bfc2783a5850bf6969 |
| SHA256 | 070a44228048a0b3220d4dd7d4db245150401e14e6f9a999fcb8a513cd814b4f |
| SHA512 | a6f0cfa7b89d543591490fb0b78165c4755a2ef948148106f642be89f1a48a9373a5bc5c7ee6d1d125c7859483dba28e1cf23ab89d1a6006f87da12e526dd77c |
C:\Windows\system\TchcWuV.exe
| MD5 | 9ab53cde7d92f7caaeb7bb96a3e7de72 |
| SHA1 | 9d2fb59ae913e6bff491e0253ea621f6bfa5548d |
| SHA256 | da8040379c17bd37a962feef710012f48e042cc8bbc527daf1db17f083e62db1 |
| SHA512 | b59ff8a4135e6bb062d453621355b81221c329af53c04ef4265b4ed2986753b95621b9c9ded3c6282b5e562523eeeebb97fe88ecb957adf8dc276840269aaf7e |
C:\Windows\system\WFYONhN.exe
| MD5 | 5b727b67c1077620bae65dead077d73e |
| SHA1 | 04a06fbec17a07dfa77c37870c0d701a0be9d271 |
| SHA256 | d630df790283697ca72cc6967937b84afcfd1a3e65605e9de5686412a8796be5 |
| SHA512 | ff492239873c93ab50cf13bce46f9ffa963041781d5c947873fb8597c368b6181432fd43c0881f4dc50d302d0f109a3897fb524200642b77eafa7f269669e91a |
memory/2988-127-0x000000013FF10000-0x0000000140264000-memory.dmp
C:\Windows\system\uTbPIQb.exe
| MD5 | 4ccd716a3c544159c13c64cea5d8f890 |
| SHA1 | 95a75a8eefbcc73b3b9901aec55a0727ab6150c7 |
| SHA256 | 51be71e3984c3a2307d5c27368ad5a1c7875ae590a50adc060d67591eeb64104 |
| SHA512 | 8c36e5dd7aa3aa2e0a21bc880953825842d62ca9feb72be21dcc6e71e891a7f48adb4fa1e56bb2cea665e8ba9846c8513735da196360054a5d5c08c80f0f3509 |
C:\Windows\system\cKyzYSY.exe
| MD5 | b7b08ca47673e9925ec552d55a21c221 |
| SHA1 | 47762f5d1bb9e13c9b6b11e492c54a4a298bdeb1 |
| SHA256 | c728bca78d1c58e385cd61952430d43839d7a9b19cf3007a242f22ab269ab530 |
| SHA512 | 65070f0b37e148970d9531db95c47eec68f3b6e040e2141297bc2d67ba286ebeec5a101e175efac8ff926df70fba19b256ab347aebd0ad0f356f22e54ac3299a |
memory/1036-112-0x000000013F520000-0x000000013F874000-memory.dmp
C:\Windows\system\uZzkAUN.exe
| MD5 | 52b9c101115921ed39dddb30a63de222 |
| SHA1 | ba3fb55f665f6f429c51fda91d6a0809c413e8ca |
| SHA256 | 843f67e9a2fd8b1192e0c6ba3c66b8f8c100743f2cee7618185e206b676f9b6c |
| SHA512 | b0a9a2c3b90ced5187e2e219fbe64578da31081d55d7c1d3a5ba2a3cf86eb9a4cdc474959ef7a6dd7448f940d29c9eba84128ef45ac1d7ee8ba05db9d63b8835 |
memory/800-98-0x000000013FC50000-0x000000013FFA4000-memory.dmp
\Windows\system\cEpkXpm.exe
| MD5 | 12066d42e8dae521ae624611fbd996cf |
| SHA1 | 6fd5ef62f283d6eb1aeb5ada583f456d215c5b4c |
| SHA256 | 8722c84afb636df6f25dc794e6ca1a6c7ae33c795e9dde8f5f41ce9a526b8aa0 |
| SHA512 | 84987ff45f60eee73c137ead126e690be1774efcb61dc94e9ba5190364836f7fc625be43794329d4a245709b40936d356e4ad885907dc5e429b99596b9fc9d3e |
C:\Windows\system\qreIavv.exe
| MD5 | 223d484e1b390019e4fb291520846bb6 |
| SHA1 | dca81f407f0afd170cae1167b9ea1d352e0399d3 |
| SHA256 | e821d6b6e99e87dce0b7c1e631f5aee8bada023b5f50f4906180ad766fd28189 |
| SHA512 | 3bb2b49d2885cb3088df36fa63eb3474629a7f6ae7b730f78496b8b085462d580e94c949e3787446b6b375900e708d40cf5cbb395ef2ec05d70b03e312a73f62 |
memory/2884-38-0x000000013F520000-0x000000013F874000-memory.dmp
C:\Windows\system\oHWOBVb.exe
| MD5 | 59be948f7eb3399f0378fde0d8883cf2 |
| SHA1 | 5c54d7529a4b28be3c5c49d43a2e6d3c1e0aff47 |
| SHA256 | b74229be0552be3607f90f8bbbf26e6a2ad4c87a151f6a38534ff1874dc75b05 |
| SHA512 | 010b497861cc0435d220f9f90954ea0f75f83d398e3fc947d4326d97771343c82e30a6736f64ef23bc501415721783484e4949f7bc1fb05b9479f620e6147882 |
C:\Windows\system\lZVEYKN.exe
| MD5 | 9b72f1df37a62162439104a6ca9356a7 |
| SHA1 | 4c08f94fe3923f994049f8b9c3a7dbc6412a0970 |
| SHA256 | bf4dc6a2a1ef9288d57dd4682f0cc9781a63869a89730f85fb946bc8a9d28cdc |
| SHA512 | 8078f55bc13d684f5ff5d50e7ccee2bf7564f127db82e4b65bb0534a10a62ba8479b42644fc539d7901debeca8f6bbd4ebabf2d1ca7733abb9c203aee044ce65 |
memory/3028-28-0x000000013F7A0000-0x000000013FAF4000-memory.dmp
memory/2988-9-0x000000013FF10000-0x0000000140264000-memory.dmp
C:\Windows\system\KUahfeJ.exe
| MD5 | aa713ebc446231f6339ee5d5e802a55e |
| SHA1 | 4ee8c349362fc1017d2fc6c3981714168cb6bc13 |
| SHA256 | 6ab229d1226cfea5c7205a48b6f33e967710e278e7ba2b682566f0089eb580e1 |
| SHA512 | a8d0d081da3d2fe62560ecd7d701a4efee3cfa9fd38ccafa0b4355fe0208731ce2464a4593af6e4e88f229846c51e4f0c53965ee8768a4dce196ea2c51955e2a |
memory/2884-136-0x000000013F520000-0x000000013F874000-memory.dmp
memory/2884-137-0x0000000002380000-0x00000000026D4000-memory.dmp
memory/2884-138-0x000000013F280000-0x000000013F5D4000-memory.dmp
memory/2988-139-0x000000013FF10000-0x0000000140264000-memory.dmp
memory/3028-140-0x000000013F7A0000-0x000000013FAF4000-memory.dmp
memory/2568-142-0x000000013F900000-0x000000013FC54000-memory.dmp
memory/2720-144-0x000000013FF90000-0x00000001402E4000-memory.dmp
memory/2104-145-0x000000013F280000-0x000000013F5D4000-memory.dmp
memory/2508-146-0x000000013FBB0000-0x000000013FF04000-memory.dmp
memory/2700-143-0x000000013F520000-0x000000013F874000-memory.dmp
memory/2148-141-0x000000013F7A0000-0x000000013FAF4000-memory.dmp
memory/1624-147-0x000000013F5A0000-0x000000013F8F4000-memory.dmp
memory/2472-148-0x000000013F9B0000-0x000000013FD04000-memory.dmp
memory/2164-149-0x000000013F1A0000-0x000000013F4F4000-memory.dmp
memory/2344-150-0x000000013FA80000-0x000000013FDD4000-memory.dmp
memory/800-151-0x000000013FC50000-0x000000013FFA4000-memory.dmp
memory/1036-152-0x000000013F520000-0x000000013F874000-memory.dmp
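The Files section interleaves two kinds of records: memory dumps named memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp and dropped-file hash tables. A practitioner usually wants both pulled out: the hashes as a blocklist, and the dump region sizes because a size repeated across every PID (here 0x354000 bytes) indicates the same unpacked image mapped in each dropped process. The following parser is an added example, not part of the report; SAMPLE_FILES is a constructed excerpt of the section's own lines.

```python
"""Added example, not part of the sandbox report: parse the flattened
"Files" section into hash IOCs and memory-dump regions.
SAMPLE_FILES is a constructed excerpt of the section above."""
import re
from collections import Counter

MEMORY_LINE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9A-Fa-f]+)\s*\|$")


def parse_files_section(text: str):
    """Return (files, regions): files maps path -> {algo: hex digest};
    regions is a list of (pid, seq, start, end, size) tuples."""
    files = {}
    regions = []
    current = None  # path whose hash rows are currently being read
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEMORY_LINE.match(line)
        if m:
            pid, seq = int(m[1]), int(m[2])
            start, end = int(m[3], 16), int(m[4], 16)
            regions.append((pid, seq, start, end, end - start))
            current = None
            continue
        m = HASH_ROW.match(line)
        if m:
            if current is not None:
                files[current][m[1]] = m[2].lower()
            continue
        # Any other non-empty line under "Files" is a dropped-file path header.
        current = line
        files.setdefault(current, {})
    return files, regions


def region_size_histogram(regions) -> Counter:
    """Count how many dumped regions share each size; the same size across
    many PIDs points at one unpacked image being mapped in every process."""
    return Counter(size for *_, size in regions)


def sha256_iocs(files) -> list:
    """Sorted, de-duplicated SHA256 list suitable for a blocklist feed."""
    return sorted({d["SHA256"] for d in files.values() if "SHA256" in d})


SAMPLE_FILES = r"""
memory/2884-0-0x000000013F8B0000-0x000000013FC04000-memory.dmp
memory/2884-1-0x0000000000080000-0x0000000000090000-memory.dmp
memory/2884-7-0x000000013FF10000-0x0000000140264000-memory.dmp
C:\Windows\system\bbkuJpN.exe
| MD5 | 9503294948a4808935fe05cac72cc54b |
| SHA1 | c273388e9e5e35621d502ee384d3ea277eaf7b06 |
| SHA256 | 502a277a6580e5e527e5cdb5d1e3df37db58897f191c94d94428c550231aa6bd |
memory/2148-33-0x000000013F7A0000-0x000000013FAF4000-memory.dmp
C:\Windows\system\KNNRycs.exe
| MD5 | 3b7a25573bc4579acd384e544d0c4468 |
| SHA256 | e2088248ab9818b77e3e180dd623f2cefcce067cca6d7c8641506083027f3844 |
"""

if __name__ == "__main__":
    files, regions = parse_files_section(SAMPLE_FILES)
    for size, n in region_size_histogram(regions).most_common():
        print(f"{n} region(s) of 0x{size:X} bytes")
    print("SHA256 IOCs:", *sha256_iocs(files), sep="\n  ")
```

Feed the parser only the lines under the Files heading; any line that is neither a dump name nor a hash row is treated as the next file path, which is also how the one entry without a drive letter (\Windows\system\cEpkXpm.exe) is kept rather than dropped.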
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-08 19:54
Reported
2024-06-08 19:57
Platform
win10v2004-20240426-en
Max time kernel
92s
Max time network
95s
Signatures
xmrig
UPX dump on OEP (original entry point) (1 row; Description, Indicator, Process and Target fields all N/A)
XMRig Miner payload (1 row; Description, Indicator, Process and Target fields all N/A)
UPX packed file (1 row; Description, Indicator, Process and Target fields all N/A)
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-08_e5d63f545064d78d0d26354d50991b81_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_e5d63f545064d78d0d26354d50991b81_cobalt-strike_cobaltstrike.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 145.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.83.221.88.in-addr.arpa | udp |
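Every row in the Windows 10 run is a reverse-DNS (PTR) query, and in-addr.arpa names encode the looked-up address with its octets reversed, so they must be decoded before comparing them with the destination from the Windows 7 run. The following is an added example, not part of the report: it decodes each query and checks it against 3.120.209.58; none of the nine matches, so within the 95 s network window this detonation shows no observed contact with that destination. PTR_ROWS is a constructed copy of the Domain column above.

```python
"""Added example, not part of the sandbox report: decode in-addr.arpa PTR
query names back to IPv4 addresses and cross-check them against the
behavioral1 destination. PTR_ROWS is a constructed copy of the table above."""
from typing import Optional


def ptr_to_ip(name: str) -> Optional[str]:
    """'13.86.106.20.in-addr.arpa' -> '20.106.86.13'; None if not an IPv4 PTR name."""
    labels = name.lower().rstrip(".").split(".")
    if labels[-2:] != ["in-addr", "arpa"]:
        return None
    octets = labels[:-2]
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        return None
    return ".".join(reversed(octets))  # PTR names list octets least-significant first


# Destination from the behavioral1 Network table
BEHAVIORAL1_DESTINATIONS = {"3.120.209.58"}

# Constructed copy of the Domain column of the behavioral2 Network table
PTR_ROWS = [
    "13.86.106.20.in-addr.arpa",
    "145.83.221.88.in-addr.arpa",
    "2.159.190.20.in-addr.arpa",
    "97.17.167.52.in-addr.arpa",
    "183.59.114.20.in-addr.arpa",
    "198.187.3.20.in-addr.arpa",
    "83.210.23.2.in-addr.arpa",
    "29.243.111.52.in-addr.arpa",
    "131.83.221.88.in-addr.arpa",
]


def classify_ptr_queries(rows, known=BEHAVIORAL1_DESTINATIONS):
    """Return (query, decoded_ip, overlaps_known) triples, one per row."""
    result = []
    for query in rows:
        ip = ptr_to_ip(query)
        result.append((query, ip, ip in known))
    return result


if __name__ == "__main__":
    for query, ip, hit in classify_ptr_queries(PTR_ROWS):
        print(f"{query:32} -> {ip:16} {'MATCH' if hit else ''}")
```

A PTR query for the Windows 7 destination would appear as 58.209.120.3.in-addr.arpa; the decoder makes that comparison mechanical instead of eyeballing reversed octets.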
Files
memory/1860-0-0x00007FF725210000-0x00007FF725564000-memory.dmp