Analysis Overview
SHA256
eec516657e1a07f573969c2252d78b5d962ac037ac2632cc82e9dce580270d26
Threat Level: Known bad
The file 2024-06-08_e851bd4d0901fe1a8696fe87fc0ab330_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobalt Strike reflective loader
XMRig Miner payload
Detects Reflective DLL injection artifacts
Xmrig family
Cobaltstrike
UPX dump on OEP (original entry point)
Cobaltstrike family
xmrig
Executes dropped EXE
UPX packed file
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Analysis: static1
Detonation Overview
Reported
2024-06-08 19:57
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
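The "UPX packed file" and "UPX dump on OEP" signatures above rest on a few structural traits of a UPX-packed PE: section names UPX0/UPX1, a first section with no bytes on disk but a large writable-and-executable footprint in memory (the decompression target), an entry point that sits in the second section (the stub) instead of the first, and the "UPX!" marker in the header area. "UPX dump on OEP" refers to dumping the process image once that stub has finished and jumped to the original entry point, so that later signatures can match the unpacked code. The Python below is an added example, not code from this report or from UPX: it assembles constructed PE headers inline (no real packed binary is embedded) and shows the static check, including why a single indicator such as section names is not enough on its own.

```python
import struct

# IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics (40 bytes)
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")
SCN_RWX = 0xE0000000  # IMAGE_SCN_MEM_EXECUTE | MEM_READ | MEM_WRITE


def build_pe(sections, entry_rva, trailer=b""):
    """Assemble a minimal PE32+ header with the given section table.
    Constructed test input only: there is no code behind the headers."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0xF0  # PE32+ optional header size
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, opt_size, 0x22)
    # Optional header: Magic, 14 bytes of linker/size fields, AddressOfEntryPoint
    opt = struct.pack("<H", 0x20B) + b"\0" * 14 + struct.pack("<I", entry_rva)
    opt += b"\0" * (opt_size - len(opt))
    table = b"".join(
        SECTION_HEADER.pack(name.ljust(8, b"\0"), vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, chars)
        for name, vsize, vaddr, rawsize, rawptr, chars in sections
    )
    return dos + b"PE\0\0" + coff + opt + table + trailer


def parse_pe(data):
    """Return (entry_rva, sections, end_of_section_table) for a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsec, = struct.unpack_from("<H", data, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", data, e_lfanew + 20)
    opt_off = e_lfanew + 24
    entry_rva, = struct.unpack_from("<I", data, opt_off + 16)
    table_off = opt_off + opt_size
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, rawsize, rawptr, *_, chars = SECTION_HEADER.unpack_from(
            data, table_off + i * SECTION_HEADER.size)
        sections.append(dict(name=name.rstrip(b"\0").decode("latin-1"), vsize=vsize,
                             vaddr=vaddr, rawsize=rawsize, rawptr=rawptr, chars=chars))
    return entry_rva, sections, table_off + nsec * SECTION_HEADER.size


def upx_indicators(data):
    """Collect the independent UPX traits a static scanner can see."""
    entry_rva, sections, table_end = parse_pe(data)
    entry_section = next((s["name"] for s in sections
                          if s["vaddr"] <= entry_rva < s["vaddr"] + max(s["vsize"], s["rawsize"])), None)
    # Decompression target: nothing on disk, large in memory, RWX.
    hollow = [s["name"] for s in sections
              if s["rawsize"] == 0 and s["vsize"] > 0 and s["chars"] & SCN_RWX == SCN_RWX]
    # The packer info block sits between the section table and the first raw
    # section; only search that gap so a stray "UPX!" string elsewhere does not count.
    first_raw = min((s["rawptr"] for s in sections if s["rawsize"]), default=len(data))
    return {
        "upx_named": [s["name"] for s in sections if s["name"].upper().startswith("UPX")],
        "entry_section": entry_section,
        "entry_outside_first": entry_section is not None and entry_section != sections[0]["name"],
        "hollow_rwx": hollow,
        "upx_magic": b"UPX!" in data[table_end:max(first_raw, table_end)],
    }


def is_upx_packed(data):
    """Require two indicators: names are trivially renamed, the magic trivially patched."""
    ind = upx_indicators(data)
    hits = [bool(ind["upx_named"]), ind["entry_outside_first"], bool(ind["hollow_rwx"]), ind["upx_magic"]]
    return sum(hits) >= 2


# Constructed layouts: (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics)
UPX_LAYOUT = [
    (b"UPX0", 0x40000, 0x01000, 0x0000, 0x0400, 0xE0000080),
    (b"UPX1", 0x10000, 0x41000, 0xF800, 0x0400, 0xE0000040),
    (b".rsrc", 0x01000, 0x51000, 0x0800, 0xFC00, 0xC0000040),
]
CLEAN_LAYOUT = [
    (b".text", 0x3000, 0x1000, 0x3000, 0x0400, 0x60000020),
    (b".rdata", 0x1000, 0x4000, 0x1000, 0x3400, 0x40000040),
    (b".data", 0x1000, 0x5000, 0x0200, 0x4400, 0xC0000040),
]
# Same UPX layout with section names hand-edited to look ordinary.
RENAMED_LAYOUT = [(b".text",) + UPX_LAYOUT[0][1:], (b".data",) + UPX_LAYOUT[1][1:], UPX_LAYOUT[2]]
UPX_INFO = b"\0" * 8 + b"UPX!" + b"\0" * 16  # stand-in for the packer info block

PACKED = build_pe(UPX_LAYOUT, 0x50A20, trailer=UPX_INFO)     # entry point inside UPX1
CLEAN = build_pe(CLEAN_LAYOUT, 0x1500)                        # entry point inside .text
RENAMED = build_pe(RENAMED_LAYOUT, 0x50A20, trailer=UPX_INFO)

if __name__ == "__main__":
    for label, image in (("packed", PACKED), ("clean", CLEAN), ("renamed", RENAMED)):
        print(label, is_upx_packed(image), upx_indicators(image))
```

The renamed variant still trips the check through the empty RWX section, the entry point outside the first section and the marker, which is the point of scoring several traits rather than matching on "UPX0".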
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-08 19:57
Reported
2024-06-08 19:59
Platform
win7-20240221-en
Max time kernel
133s
Max time network
147s
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(21 matches recorded; the report carries no per-match detail)
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(21 matches recorded; the report carries no per-match detail)
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(53 matches recorded; the report carries no per-match detail)
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(60 matches recorded; the report carries no per-match detail)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\ZgMnMub.exe | N/A |
| N/A | N/A | C:\Windows\System\vtbBAHL.exe | N/A |
| N/A | N/A | C:\Windows\System\CYAIGAh.exe | N/A |
| N/A | N/A | C:\Windows\System\ODNBvXR.exe | N/A |
| N/A | N/A | C:\Windows\System\GRvNcZp.exe | N/A |
| N/A | N/A | C:\Windows\System\yOxMoyA.exe | N/A |
| N/A | N/A | C:\Windows\System\grHOEkA.exe | N/A |
| N/A | N/A | C:\Windows\System\kJGDuBq.exe | N/A |
| N/A | N/A | C:\Windows\System\lxRUvDW.exe | N/A |
| N/A | N/A | C:\Windows\System\qMGYFEv.exe | N/A |
| N/A | N/A | C:\Windows\System\FADinId.exe | N/A |
| N/A | N/A | C:\Windows\System\sndHaHY.exe | N/A |
| N/A | N/A | C:\Windows\System\Jjuueqb.exe | N/A |
| N/A | N/A | C:\Windows\System\uEiekbF.exe | N/A |
| N/A | N/A | C:\Windows\System\nQxoMeZ.exe | N/A |
| N/A | N/A | C:\Windows\System\IqJNIMN.exe | N/A |
| N/A | N/A | C:\Windows\System\fhflsIy.exe | N/A |
| N/A | N/A | C:\Windows\System\UvAPNeE.exe | N/A |
| N/A | N/A | C:\Windows\System\ldODlIh.exe | N/A |
| N/A | N/A | C:\Windows\System\rpeFcQX.exe | N/A |
| N/A | N/A | C:\Windows\System\OrxTiZl.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(53 matches recorded; the report carries no per-match detail)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_e851bd4d0901fe1a8696fe87fc0ab330_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_e851bd4d0901fe1a8696fe87fc0ab330_cobalt-strike_cobaltstrike.exe | N/A |
SeLockMemoryPrivilege is the right a process needs to allocate large pages; XMRig enables it so its mining dataset can live in large pages, and few other programs request it, which makes this token adjustment a useful miner indicator alongside the payload signatures.
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-08_e851bd4d0901fe1a8696fe87fc0ab330_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_e851bd4d0901fe1a8696fe87fc0ab330_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\ZgMnMub.exe
C:\Windows\System\ZgMnMub.exe
C:\Windows\System\vtbBAHL.exe
C:\Windows\System\vtbBAHL.exe
C:\Windows\System\CYAIGAh.exe
C:\Windows\System\CYAIGAh.exe
C:\Windows\System\ODNBvXR.exe
C:\Windows\System\ODNBvXR.exe
C:\Windows\System\GRvNcZp.exe
C:\Windows\System\GRvNcZp.exe
C:\Windows\System\kJGDuBq.exe
C:\Windows\System\kJGDuBq.exe
C:\Windows\System\yOxMoyA.exe
C:\Windows\System\yOxMoyA.exe
C:\Windows\System\lxRUvDW.exe
C:\Windows\System\lxRUvDW.exe
C:\Windows\System\grHOEkA.exe
C:\Windows\System\grHOEkA.exe
C:\Windows\System\FADinId.exe
C:\Windows\System\FADinId.exe
C:\Windows\System\qMGYFEv.exe
C:\Windows\System\qMGYFEv.exe
C:\Windows\System\sndHaHY.exe
C:\Windows\System\sndHaHY.exe
C:\Windows\System\Jjuueqb.exe
C:\Windows\System\Jjuueqb.exe
C:\Windows\System\nQxoMeZ.exe
C:\Windows\System\nQxoMeZ.exe
C:\Windows\System\uEiekbF.exe
C:\Windows\System\uEiekbF.exe
C:\Windows\System\UvAPNeE.exe
C:\Windows\System\UvAPNeE.exe
C:\Windows\System\IqJNIMN.exe
C:\Windows\System\IqJNIMN.exe
C:\Windows\System\ldODlIh.exe
C:\Windows\System\ldODlIh.exe
C:\Windows\System\fhflsIy.exe
C:\Windows\System\fhflsIy.exe
C:\Windows\System\OrxTiZl.exe
C:\Windows\System\OrxTiZl.exe
C:\Windows\System\rpeFcQX.exe
C:\Windows\System\rpeFcQX.exe
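The process tree above (a sample running from the user's Temp directory, launching 21 executables out of C:\Windows\System and twice enabling SeLockMemoryPrivilege) is a pattern host telemetry can catch without a signature for the payload. The Python below is an added example, not part of the sandbox report: it runs two checks over hand-constructed Sysmon-style process-creation and Security-log-style token-adjustment records, with process paths taken from this report, and correlates them. The field names, the benign contrast events and the allowlist are assumptions to adapt to the telemetry at hand.

```python
import ntpath
import re
from collections import Counter

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-06-08_e851bd4d0901fe1a8696fe87fc0ab330_cobalt-strike_cobaltstrike.exe")

# C:\Windows\System (without "32") is the legacy 16-bit directory. Modern
# software does not install executables there, so any new image under it is
# worth a look; this sample's droppings are all 7-letter mixed-case names.
LEGACY_SYSTEM_EXE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.I)
USER_TEMP = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)

# Legitimate large-page users that enable SeLockMemoryPrivilege
# (assumption: a starting point, tune to the estate).
LOCK_MEMORY_ALLOWLIST = {"sqlservr.exe", "vmware-vmx.exe"}

# Constructed Sysmon EventID 1 style records: the sample, three of its
# droppings (paths as in the report) and a benign service start for contrast.
PROCESS_EVENTS = [
    {"EventID": 1, "Image": SAMPLE, "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System\ZgMnMub.exe", "ParentImage": SAMPLE},
    {"EventID": 1, "Image": r"C:\Windows\System\vtbBAHL.exe", "ParentImage": SAMPLE},
    {"EventID": 1, "Image": r"C:\Windows\System\CYAIGAh.exe", "ParentImage": SAMPLE},
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
]

# Constructed Security EventID 4703 ("a token right was adjusted") style records.
TOKEN_EVENTS = [
    {"EventID": 4703, "ProcessName": SAMPLE, "EnabledPrivilegeList": "SeLockMemoryPrivilege"},
    {"EventID": 4703, "ProcessName": SAMPLE, "EnabledPrivilegeList": "SeLockMemoryPrivilege"},
    {"EventID": 4703, "ProcessName": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "EnabledPrivilegeList": "SeLockMemoryPrivilege"},
    {"EventID": 4703, "ProcessName": r"C:\Windows\System32\svchost.exe",
     "EnabledPrivilegeList": "SeShutdownPrivilege"},
]


def legacy_system_drops(events):
    """(image, parent) for every process started out of C:\\Windows\\System."""
    return [(e["Image"], e["ParentImage"]) for e in events
            if e["EventID"] == 1 and LEGACY_SYSTEM_EXE.match(e["Image"])]


def lock_memory_requests(events):
    """Count SeLockMemoryPrivilege enables per process, minus the allowlist.
    XMRig enables this right to put its mining dataset in large pages, which
    is why the sandbox logged it for the sample; few other programs do."""
    hits = Counter()
    for e in events:
        if e["EventID"] != 4703 or "SeLockMemoryPrivilege" not in e["EnabledPrivilegeList"]:
            continue
        if ntpath.basename(e["ProcessName"]).lower() in LOCK_MEMORY_ALLOWLIST:
            continue
        hits[e["ProcessName"]] += 1
    return dict(hits)


def triage(process_events, token_events):
    """Correlate the two weak signals: a Temp-resident process that both
    enables SeLockMemoryPrivilege and launches executables from the legacy
    System directory. Returns {parent: [launched images]}."""
    lockers = lock_memory_requests(token_events)
    verdicts = {}
    for image, parent in legacy_system_drops(process_events):
        if parent in lockers and USER_TEMP.match(parent):
            verdicts.setdefault(parent, []).append(image)
    return verdicts


if __name__ == "__main__":
    for parent, children in triage(PROCESS_EVENTS, TOKEN_EVENTS).items():
        print(parent)
        print("  enabled SeLockMemoryPrivilege and launched:")
        for child in children:
            print("   ", child)
```

Each check alone is noisy in the wrong environment (database hosts legitimately enable SeLockMemoryPrivilege; some legacy installers still touch C:\Windows\System), so the correlation keyed on the parent process is what turns two weak signals into a useful alert.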
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
(the same destination appears 5 times; the connections were made directly to the IP, no domain was resolved)
Files
memory/2724-0-0x000000013FFF0000-0x0000000140344000-memory.dmp
memory/2724-1-0x00000000001F0000-0x0000000000200000-memory.dmp
\Windows\system\ZgMnMub.exe
| MD5 | 6534fba997ab3132bf5181f108a7aec2 |
| SHA1 | b566b4b78a00b7325b1652084e54aec6c0b634c7 |
| SHA256 | 9c35917a6b5e71199e8eb8ebcdad3d36ab391ef7d707d17c82f136a101132ac7 |
| SHA512 | fb1d252c157eea39b63225a4b7b9639a5dbb69946df586654b98aaf34ea31024ba8d0fb3911ba833cb5cd97702a53bce153feba8b3ee81c5a5008257c83c5fde |
\Windows\system\vtbBAHL.exe
| MD5 | b216ecbb915858211550c72530ddb6c1 |
| SHA1 | 68a934a526f66de60200d1a63326d648067e6586 |
| SHA256 | 1e813135bc946a6ab3e9a4ede2e792182c17e43b21d8e81158c4104b4ace4575 |
| SHA512 | d3ab50dd671381a3f8de663f2b0af7410632ed2f8795473f5743094c9d446823db2c458de9186cdef5655278f27f99138c2a733b194d53afae95fac545bd21b3 |
memory/1636-17-0x000000013FC80000-0x000000013FFD4000-memory.dmp
C:\Windows\system\CYAIGAh.exe
| MD5 | 2412516c268ce80bcae8e17fb9418550 |
| SHA1 | a5dc441e03157f130568681e0de1b67f6ac5300d |
| SHA256 | 4010bad7117f3d627fe52ea0c09ffcd7f292921a45864b69d6430334a0a734e1 |
| SHA512 | 21a892c4740745f9ca65d8c13d2f756e398040f184cde4dc495f8dc842e713e1acd3e53b209b6f5ca14416e766466e17bfc4fcf961f0cf18670bf86083beec6e |
memory/2984-19-0x000000013F280000-0x000000013F5D4000-memory.dmp
\Windows\system\ODNBvXR.exe
| MD5 | 65eefffe588f32ae33dafd8e39218df4 |
| SHA1 | 5e0acf10b116610d78e1a9b509b535ca9d254abd |
| SHA256 | 1f736eae73cf704e200aa8a09aca46680beaa95dc639558b1555f7973b8d918a |
| SHA512 | a322cdde50191f0a3ad7e9f75b967c7fad1c966a96e7bb75a2fc7cd95a2399f54af0437a7b21cd7bfc24162fe8f57e5f9917e84ab4d9945510d8ab22c9b70b3b |
C:\Windows\system\qMGYFEv.exe
| MD5 | 646c97c543c45f7295ca7b2c6e8bff81 |
| SHA1 | 5a2ee0c9d70b94be269801f3e37cf64f6057a7b9 |
| SHA256 | 98138a3472195b3be9087b90ebcb95b8216f2c4b98ce9f9c57672c3cf93f29f6 |
| SHA512 | b4363314fe4417b8dd20976821219784f5c7a4e64e587e07967d8adc32629869bd3fd80d1c9a664fd0c9a71d3f40dd158f1ae966fd35176400e158565269ae32 |
\Windows\system\nQxoMeZ.exe
| MD5 | e9aaba5b9a6e16343833bd41146a91a8 |
| SHA1 | bfd6c2e1acc77c073799f2fa4e0e72624f2c0c3a |
| SHA256 | 0aba3e223d84a14478ced4c32627ab6b4224ba44618d8fd120082b7276d334b7 |
| SHA512 | 637f6bf596bd9d036449e094e973dec743e975d99d34177bd28d7aafecfcab9866ca371f4139a6f4fc9f6a5ebea698b33ca81e1d3c03cd336d9e4b78f0ad0706 |
\Windows\system\UvAPNeE.exe
| MD5 | 2612a45f5d87729a3718bfaf9a743720 |
| SHA1 | 30c5d96f4dad4bc37674ea3f7a878cfa2492014c |
| SHA256 | ecd9d48b0f260c66727edee32c8f392d6308d2c18a1bda16d7a85d7aa78c876d |
| SHA512 | 322fc875c1174c9b4bade9cf3aa3aa0e93b50cd85b6715d5d2fa42913085a483fdba82723dfb62f3f6e5464bc6e36ccd363ac7d4d162eb1eb821db650160071f |
C:\Windows\system\ldODlIh.exe
| MD5 | f65576eb8a2cd1037e28d3c0e916a3ad |
| SHA1 | 7fff7a1ba3ee54f3685d3203fe5de64c81158296 |
| SHA256 | bdce4a9a3c918ac35c781177c4d2b30cbe94387dd1b27c1fc47fc3523c5da96a |
| SHA512 | 799fd5aae8b73954eb8106496301c3dd50be7f5c93c11a94909085f2c774bcdfb46004960217dda1ff535fffe4db8fefce8a747ed879bae2155c80abc693a3c1 |
\Windows\system\OrxTiZl.exe
| MD5 | bffded3e50c52ef48f24295dd7d3b3eb |
| SHA1 | e9a0911cfc6a1046e4c339b518d4a2d5388acff0 |
| SHA256 | 1b30a12b2015692bd9a557da3ce8152ff43f9cef7cf55bfd523ee7230554453a |
| SHA512 | 5bd495bcc595c4b106bc95d8406c86664131d3239297f201a3c7600944151cc2918e6c857244f4366a1fa00ec8f2bacd20c7c5438cfeba191cf35dc7ca169a13 |
C:\Windows\system\rpeFcQX.exe
| MD5 | 9363c902eaa895c1572e17c9b3609d0b |
| SHA1 | dc393f49e74fec2ef1824a0f7b7fc4edbd8d26d6 |
| SHA256 | 01d26dc2ae33c3b862453026bcd6715cf559fdef79911d6c92617f20d7e7f6f5 |
| SHA512 | fc0401613e0af187a86ab9b3137233e9d6c9af1240f32643ac01de577584af42840b7e0f47b13db186cdd03e0e595b5b22f25e9711887362a5c13870ea5ab566 |
memory/1960-119-0x000000013F3B0000-0x000000013F704000-memory.dmp
C:\Windows\system\sndHaHY.exe
| MD5 | f894da4927430a14144d858ac12b6662 |
| SHA1 | c8639d7350faf20933b81fb33eda8b10df94242a |
| SHA256 | 46309208d12bef35824ce573626ef70cd8b6411c28b7381696f7cfb53a0e52e0 |
| SHA512 | 2442bbc006ac127b23b7fe9a0a09621ba55e7a88bacd0183c4bf8a5ea2e8145d572b10ff154d522f6832672cf4bf263eaa20a0f500691569911371efb6d87223 |
C:\Windows\system\FADinId.exe
| MD5 | cf069bac6748874014046dc6020e965b |
| SHA1 | 925232855d0994003964a71cb482dce91b6a321f |
| SHA256 | 434f868967e4c629e6a199f477982a7828a284b31e233a116bee32b6b3d6ec7c |
| SHA512 | b5b1dd9f8768a77b7fea52c94fd4427f314078401a5e6da32a15de47a0ca33a2710812ca7bead1b1fb1557f47ed592b5a4b702cedc064c8b1591c8c2a798dd82 |
C:\Windows\system\fhflsIy.exe
| MD5 | d99844eebbb37ef2dc54744f23084894 |
| SHA1 | 9fc42d8fa7f47bccb7c2c6bd80898a1325b10048 |
| SHA256 | f156b1ffc1e72353a2bc0fe9cf0c71793c94f0a6c6a14b9beb58eb2e81457c42 |
| SHA512 | ea2ad6db30bee4d48c6826a5d83701de5ec8dd409796d82798f05586efb373a58a583fdb0b74b271b14bded603ddfd24321fd256e49c840c62aa51969a172e1c |
C:\Windows\system\IqJNIMN.exe
| MD5 | 1d5ac7d796204e5afb9e575b5bbdfe50 |
| SHA1 | 62b9d9270f5fd419201a74df0cb648d1800f0d69 |
| SHA256 | d6da1c271acb1e47dd6cfac4413932f17898e9ad241be6f455b46025cff64c20 |
| SHA512 | 163eaccddc2caa8a71c571583ae86a99b36514e70e9bdc86eebb841c29844ba2de3d2c8e9f43c21d9d4be06da19d6b47e0c0594e3d5aa94188f49c5815cd6869 |
C:\Windows\system\uEiekbF.exe
| MD5 | 92fb36f102e9917f8788e88c607b9ac6 |
| SHA1 | 3d6ef8121a689b6e8be2515dd86193f9362edd0e |
| SHA256 | f33c66538aea9be8b5ec6fe84966e320128b122196d71ab8910c8ebeab7a7376 |
| SHA512 | 42afad0194e8fc3e5674a94dcf041288b93da6520e4b529ba7bf15a1352959eaf827c92bfcaa93056f40c22facd4a289eae1f9ffaad2e492a755b263714d1867 |
memory/2724-98-0x000000013F3B0000-0x000000013F704000-memory.dmp
memory/2724-76-0x000000013F2E0000-0x000000013F634000-memory.dmp
memory/2604-135-0x000000013FC40000-0x000000013FF94000-memory.dmp
memory/2440-75-0x000000013F170000-0x000000013F4C4000-memory.dmp
memory/2724-74-0x000000013F170000-0x000000013F4C4000-memory.dmp
memory/2748-73-0x000000013F960000-0x000000013FCB4000-memory.dmp
memory/2512-72-0x000000013F7D0000-0x000000013FB24000-memory.dmp
memory/2544-71-0x000000013F1E0000-0x000000013F534000-memory.dmp
memory/2724-70-0x000000013F1E0000-0x000000013F534000-memory.dmp
memory/2724-69-0x000000013FFF0000-0x0000000140344000-memory.dmp
C:\Windows\system\lxRUvDW.exe
| MD5 | b71a33bc73bea35bc8478af48770bbef |
| SHA1 | 627300f0f7d2ea93ca724e08031b1cb789449994 |
| SHA256 | 1cde4675c262efa466c6de5f41c4bc8fe2c07db2ba45daf8f433a3da406b72b6 |
| SHA512 | ab2ddc083f02e29666cd7d953c3fbe55d7b894ff8a0dc3feab9f4443bc2a7b6a25b43aa85ed74c3e3e97180ef9402207a25cb522dec7ac2a1dee88ef75d15d27 |
C:\Windows\system\kJGDuBq.exe
| MD5 | 8e5ff392b7437ebf0bd7202ff796d0f7 |
| SHA1 | ae54ed85b32cf0605ad4aca5789c223cb877f791 |
| SHA256 | 358f92be80cd7db152b6e44659aa001068aaf3e8bc99b96ee5b82672b354c092 |
| SHA512 | 5e2b411f97e29f9cbfe39d72c087e6b048449adea224abe19d0f02ac1ef97246253614639229aed2db1ef127447ea4b08f5162e22645c17f7d58930538643c24 |
memory/2724-97-0x000000013F720000-0x000000013FA74000-memory.dmp
memory/580-96-0x000000013FB60000-0x000000013FEB4000-memory.dmp
memory/2724-95-0x000000013FB60000-0x000000013FEB4000-memory.dmp
memory/2856-94-0x000000013F2E0000-0x000000013F634000-memory.dmp
memory/2520-93-0x000000013F540000-0x000000013F894000-memory.dmp
C:\Windows\system\Jjuueqb.exe
| MD5 | 8bba78cebfbdece297aef32bbb64c039 |
| SHA1 | 414a4b35645d201f85f329b28017ba0b9346efd6 |
| SHA256 | 564766d94447c0bc971667fd6c362eb10679fad4ca9a5542c13554c6a2ea6bc3 |
| SHA512 | 5288315319cd253d8e67bbbcb4d0e70b41796a05a0d10b87b65e6fd1e796391d52affabbe42f76743ff871275373c51a98bfe1e0a59f16f9178599f74bf776b1 |
memory/2724-48-0x000000013F960000-0x000000013FCB4000-memory.dmp
memory/2604-47-0x000000013FC40000-0x000000013FF94000-memory.dmp
memory/2440-137-0x000000013F170000-0x000000013F4C4000-memory.dmp
memory/2724-136-0x000000013F1E0000-0x000000013F534000-memory.dmp
memory/2800-37-0x000000013FEB0000-0x0000000140204000-memory.dmp
C:\Windows\system\grHOEkA.exe
| MD5 | 23d354992e71cb05190b8f35d160c00e |
| SHA1 | 00e5f943b4807525b2c0870fcb2177bbdc3487be |
| SHA256 | d856e7d0304bac16baa5853e074a1ac01fe0e9eb8d047d227541535a5300eb5e |
| SHA512 | 1c6649ecd93acd8a87819c07c95ad3fe865137376ed30cdf7ef79323465285f4772c70b13aaf762d80851df7acbadb362c7f3ad22de126872a978e96f6525fcc |
memory/2724-45-0x000000013FC40000-0x000000013FF94000-memory.dmp
C:\Windows\system\yOxMoyA.exe
| MD5 | ebab543cd14d3acc64fa0295dcae3041 |
| SHA1 | 8492c161714e39e94bea7dec86ecd76c31d46df8 |
| SHA256 | e416e4f59d1dd516cc109d18ebc3f7bc31549f41ba774212340bf6cdcd6b54a5 |
| SHA512 | 17cd6ad02268c3b55d102c050123740ad9f7bca0de2d38b5d77e696989611c56a352fd89c507f216284b87ef0e60e0fc7071e0cfd8fd80368e7f2fb789524ea5 |
memory/2724-43-0x000000013F7D0000-0x000000013FB24000-memory.dmp
memory/2724-35-0x00000000023C0000-0x0000000002714000-memory.dmp
C:\Windows\system\GRvNcZp.exe
| MD5 | 750c3acee379e1aa737c5c4a315cc187 |
| SHA1 | 901e3c16d49b920bfa2a05858ad70294fd0114b2 |
| SHA256 | 77ec48b603f70658e1e8f5652691c4037c6e4727da7df5cb4be8f01a1b5446c1 |
| SHA512 | 70b594eeabe1c7be9645e479d36ee9188a4555ad08f84665accfe02f6b4376097ef691ba6258a729f8d04c9d37fd9e0ceff8b60f56a07b894330414422799fed |
memory/2548-29-0x000000013FC20000-0x000000013FF74000-memory.dmp
memory/3052-26-0x000000013FF70000-0x00000001402C4000-memory.dmp
memory/2724-25-0x000000013FC20000-0x000000013FF74000-memory.dmp
memory/2724-24-0x00000000023C0000-0x0000000002714000-memory.dmp
memory/2724-13-0x000000013FC80000-0x000000013FFD4000-memory.dmp
memory/2724-138-0x000000013F720000-0x000000013FA74000-memory.dmp
memory/2984-139-0x000000013F280000-0x000000013F5D4000-memory.dmp
memory/1636-140-0x000000013FC80000-0x000000013FFD4000-memory.dmp
memory/3052-141-0x000000013FF70000-0x00000001402C4000-memory.dmp
memory/2548-142-0x000000013FC20000-0x000000013FF74000-memory.dmp
memory/2800-143-0x000000013FEB0000-0x0000000140204000-memory.dmp
memory/2604-145-0x000000013FC40000-0x000000013FF94000-memory.dmp
memory/2748-146-0x000000013F960000-0x000000013FCB4000-memory.dmp
memory/2544-144-0x000000013F1E0000-0x000000013F534000-memory.dmp
memory/2440-148-0x000000013F170000-0x000000013F4C4000-memory.dmp
memory/2520-149-0x000000013F540000-0x000000013F894000-memory.dmp
memory/2512-147-0x000000013F7D0000-0x000000013FB24000-memory.dmp
memory/580-150-0x000000013FB60000-0x000000013FEB4000-memory.dmp
memory/1960-151-0x000000013F3B0000-0x000000013F704000-memory.dmp
memory/2856-152-0x000000013F2E0000-0x000000013F634000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-08 19:57
Reported
2024-06-08 19:59
Platform
win10v2004-20240508-en
Max time kernel
131s
Max time network
133s
Signatures
xmrig
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-08_e851bd4d0901fe1a8696fe87fc0ab330_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_e851bd4d0901fe1a8696fe87fc0ab330_cobalt-strike_cobaltstrike.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3468,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=4108 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.83.221.88.in-addr.arpa | udp |
All of these are reverse (PTR) lookups, and no TCP connection to any of the looked-up addresses was recorded in this run; together with the msedge.exe utility process and the absence of dropped files or token changes, they are consistent with background activity of the Windows 10 image rather than behaviour of the sample, which on this platform produced only the static UPX and XMRig signatures.
Files
memory/1592-0-0x00007FF7F60F0000-0x00007FF7F6444000-memory.dmp