Malware Analysis Report

2024-10-16 03:06

Sample ID 240608-yqcbksfe3x
Target 2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike
SHA256 1015be47ece8a5287906b788392398f66f5aac39975a258fa358d934cd94282b
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1015be47ece8a5287906b788392398f66f5aac39975a258fa358d934cd94282b

Threat Level: Known bad

The file 2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

UPX dump on OEP (original entry point)

Detects Reflective DLL injection artifacts

XMRig Miner payload

xmrig

Cobaltstrike

Xmrig family

Cobalt Strike reflective loader

Cobaltstrike family

XMRig Miner payload

UPX dump on OEP (original entry point)

Detects Reflective DLL injection artifacts

Executes dropped EXE

UPX packed file

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-08 19:59

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-08 19:58

Reported

2024-06-08 20:01

Platform

win7-20240221-en

Max time kernel

137s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (row repeated 21 times; no description, indicator, process or target recorded)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A (row repeated 21 times; no description, indicator, process or target recorded)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (row repeated 55 times; no description, indicator, process or target recorded)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (row repeated 57 times; no description, indicator, process or target recorded)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike.exe N/A (row repeated 21 times; loading process recorded, no description, indicator or target)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (row repeated 55 times; no description, indicator, process or target recorded)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\WXmXyiU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CiCxlDv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IvRFntA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PWyqxQE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\Rpjiiem.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\WeRJdnD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VFEAQLj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AnnuoIT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TjaUoYE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\UVSeswR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\FLOyGJq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AWzElQc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\nTWseYg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\ErMflqm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\zdzBSOD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IMmhhvJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uZSEiFW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yXoFcWM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yaVFGzC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hmSHXrg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RzSCDCJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2972 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike.exe C:\Windows\System\yaVFGzC.exe
PID 2972 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike.exe C:\Windows\System\yaVFGzC.exe
PID 2972 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike.exe C:\Windows\System\yaVFGzC.exe
PID 2972 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike.exe C:\Windows\System\AnnuoIT.exe
PID 2972 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike.exe C:\Windows\System\AnnuoIT.exe
PID 2972 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike.exe C:\Windows\System\AnnuoIT.exe
PID 2972 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike.exe C:\Windows\System\zdzBSOD.exe
PID 2972 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike.exe C:\Windows\System\zdzBSOD.exe
PID 2972 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike.exe C:\Windows\System\zdzBSOD.exe
PID 2972 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike.exe C:\Windows\System\PWyqxQE.exe
PID 2972 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike.exe C:\Windows\System\PWyqxQE.exe
PID 2972 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike.exe C:\Windows\System\PWyqxQE.exe
PID 2972 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike.exe C:\Windows\System\hmSHXrg.exe
PID 2972 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike.exe C:\Windows\System\hmSHXrg.exe
PID 2972 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike.exe C:\Windows\System\hmSHXrg.exe
PID 2972 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike.exe C:\Windows\System\TjaUoYE.exe
PID 2972 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike.exe C:\Windows\System\TjaUoYE.exe
PID 2972 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike.exe C:\Windows\System\TjaUoYE.exe
PID 2972 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike.exe C:\Windows\System\Rpjiiem.exe
PID 2972 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike.exe C:\Windows\System\Rpjiiem.exe
PID 2972 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike.exe C:\Windows\System\Rpjiiem.exe
PID 2972 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike.exe C:\Windows\System\RzSCDCJ.exe
PID 2972 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike.exe C:\Windows\System\RzSCDCJ.exe
PID 2972 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike.exe C:\Windows\System\RzSCDCJ.exe
PID 2972 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike.exe C:\Windows\System\WeRJdnD.exe
PID 2972 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike.exe C:\Windows\System\WeRJdnD.exe
PID 2972 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike.exe C:\Windows\System\WeRJdnD.exe
PID 2972 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike.exe C:\Windows\System\IMmhhvJ.exe
PID 2972 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike.exe C:\Windows\System\IMmhhvJ.exe
PID 2972 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike.exe C:\Windows\System\IMmhhvJ.exe
PID 2972 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike.exe C:\Windows\System\uZSEiFW.exe
PID 2972 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike.exe C:\Windows\System\uZSEiFW.exe
PID 2972 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike.exe C:\Windows\System\uZSEiFW.exe
PID 2972 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike.exe C:\Windows\System\yXoFcWM.exe
PID 2972 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike.exe C:\Windows\System\yXoFcWM.exe
PID 2972 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike.exe C:\Windows\System\yXoFcWM.exe
PID 2972 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike.exe C:\Windows\System\UVSeswR.exe
PID 2972 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike.exe C:\Windows\System\UVSeswR.exe
PID 2972 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike.exe C:\Windows\System\UVSeswR.exe
PID 2972 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike.exe C:\Windows\System\WXmXyiU.exe
PID 2972 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike.exe C:\Windows\System\WXmXyiU.exe
PID 2972 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike.exe C:\Windows\System\WXmXyiU.exe
PID 2972 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike.exe C:\Windows\System\CiCxlDv.exe
PID 2972 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike.exe C:\Windows\System\CiCxlDv.exe
PID 2972 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike.exe C:\Windows\System\CiCxlDv.exe
PID 2972 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike.exe C:\Windows\System\IvRFntA.exe
PID 2972 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike.exe C:\Windows\System\IvRFntA.exe
PID 2972 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike.exe C:\Windows\System\IvRFntA.exe
PID 2972 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike.exe C:\Windows\System\FLOyGJq.exe
PID 2972 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike.exe C:\Windows\System\FLOyGJq.exe
PID 2972 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike.exe C:\Windows\System\FLOyGJq.exe
PID 2972 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike.exe C:\Windows\System\VFEAQLj.exe
PID 2972 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike.exe C:\Windows\System\VFEAQLj.exe
PID 2972 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike.exe C:\Windows\System\VFEAQLj.exe
PID 2972 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike.exe C:\Windows\System\AWzElQc.exe
PID 2972 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike.exe C:\Windows\System\AWzElQc.exe
PID 2972 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike.exe C:\Windows\System\AWzElQc.exe
PID 2972 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike.exe C:\Windows\System\nTWseYg.exe
PID 2972 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike.exe C:\Windows\System\nTWseYg.exe
PID 2972 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike.exe C:\Windows\System\nTWseYg.exe
PID 2972 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike.exe C:\Windows\System\ErMflqm.exe
PID 2972 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike.exe C:\Windows\System\ErMflqm.exe
PID 2972 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike.exe C:\Windows\System\ErMflqm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\yaVFGzC.exe

C:\Windows\System\yaVFGzC.exe

C:\Windows\System\AnnuoIT.exe

C:\Windows\System\AnnuoIT.exe

C:\Windows\System\zdzBSOD.exe

C:\Windows\System\zdzBSOD.exe

C:\Windows\System\PWyqxQE.exe

C:\Windows\System\PWyqxQE.exe

C:\Windows\System\hmSHXrg.exe

C:\Windows\System\hmSHXrg.exe

C:\Windows\System\TjaUoYE.exe

C:\Windows\System\TjaUoYE.exe

C:\Windows\System\Rpjiiem.exe

C:\Windows\System\Rpjiiem.exe

C:\Windows\System\RzSCDCJ.exe

C:\Windows\System\RzSCDCJ.exe

C:\Windows\System\WeRJdnD.exe

C:\Windows\System\WeRJdnD.exe

C:\Windows\System\IMmhhvJ.exe

C:\Windows\System\IMmhhvJ.exe

C:\Windows\System\uZSEiFW.exe

C:\Windows\System\uZSEiFW.exe

C:\Windows\System\yXoFcWM.exe

C:\Windows\System\yXoFcWM.exe

C:\Windows\System\UVSeswR.exe

C:\Windows\System\UVSeswR.exe

C:\Windows\System\WXmXyiU.exe

C:\Windows\System\WXmXyiU.exe

C:\Windows\System\CiCxlDv.exe

C:\Windows\System\CiCxlDv.exe

C:\Windows\System\IvRFntA.exe

C:\Windows\System\IvRFntA.exe

C:\Windows\System\FLOyGJq.exe

C:\Windows\System\FLOyGJq.exe

C:\Windows\System\VFEAQLj.exe

C:\Windows\System\VFEAQLj.exe

C:\Windows\System\AWzElQc.exe

C:\Windows\System\AWzElQc.exe

C:\Windows\System\nTWseYg.exe

C:\Windows\System\nTWseYg.exe

C:\Windows\System\ErMflqm.exe

C:\Windows\System\ErMflqm.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/2972-0-0x000000013F100000-0x000000013F454000-memory.dmp

memory/2972-1-0x00000000001F0000-0x0000000000200000-memory.dmp

C:\Windows\system\yaVFGzC.exe

MD5 02b427540b632e4bb3356268b887b177
SHA1 ae1f150758b80dc4bb6ab5b75ed1a81d28dc7bd6
SHA256 5d4eced9990262fdfb38b87ba90bed3229d58a8d9b5e0e29e8854efc059d28c6
SHA512 8160cf882219829cdbfe2fc4b40a52887524c53c40ab53a9ffe649920b69936a242bc4b8e25c66722155ea7a6c90e34cc2bafa0801be84662b387d5a6e0920a9

\Windows\system\zdzBSOD.exe

MD5 8872408f6e82b1bdb52ea59a90901f15
SHA1 529078aedab15872b3ff57676a83d9fa9fd9bbba
SHA256 4875a4ad5c597812fa02e99cac0a52637ca7c4eac02c546ee40e2b534761875c
SHA512 6aae40ff1d0eb7886f6d2d97844b35842c781c8773d94f8e917b905ed62dccf7ba1377b8fc71369405ec64eedf1c42d1a286f889cff3e2e2b8860dbadec69d15

memory/2504-15-0x000000013FC80000-0x000000013FFD4000-memory.dmp

memory/2972-9-0x000000013FC80000-0x000000013FFD4000-memory.dmp

\Windows\system\AnnuoIT.exe

MD5 fa6e964cea443317ec0c2fe4b57ad575
SHA1 c65186ea221e92ad13529062bc8ee7dafe01c983
SHA256 b7d4b56f1a1ee6d2cb2eefe13226ee9219ac3610c2d4d0fb74f8234dfc4ba8df
SHA512 f17df93fc62518413a7d4cabb891e1d50b56aee5e8dfc574f7ff0d84eb08f75c64a6d0d5667ef7559cf6e1f65ba8d0a8408a06fbf75d1dd42d77aef5e5e9f1a4

memory/2640-23-0x000000013F3A0000-0x000000013F6F4000-memory.dmp

memory/2972-22-0x0000000002400000-0x0000000002754000-memory.dmp

memory/2972-21-0x0000000002400000-0x0000000002754000-memory.dmp

memory/2552-17-0x000000013F1F0000-0x000000013F544000-memory.dmp

\Windows\system\PWyqxQE.exe

MD5 5dd86c1f9172841613d2176780a847fa
SHA1 b0e4340e67edf4ff6e69825c66c282197a057ea7
SHA256 d5fbe804159d18942ecfe4a35d8550ae235b48f4cf668087840b9b9f1d954175
SHA512 aaebf61f09ade48d2851bd0a56e6356adc36030c3046e642c47de70dc1c8f46cc060291b40a3705ab9e7d7b7333976923ecf9ef2bd87d8bf02ec597672a593c2

memory/2972-35-0x0000000002400000-0x0000000002754000-memory.dmp

C:\Windows\system\hmSHXrg.exe

MD5 d7531b60941bbbcfbb63241d4881a164
SHA1 2e83d7f1c15724d3cad89ab385ab1d0b5cf55029
SHA256 0794a9a63c29e23eff14ae07f27f2ccc940b94534a08d1159184cfbe9966ece9
SHA512 1811cfc1c1dd7edb77b208c8807b3a25f35aa2ea3b03104d3d676257118f91e57084d8589478fa00cd50f06ff80d8c44d1a43d9adf400d6babe8523c017e3133

memory/3008-36-0x000000013F440000-0x000000013F794000-memory.dmp

memory/2828-31-0x000000013F9E0000-0x000000013FD34000-memory.dmp

C:\Windows\system\TjaUoYE.exe

MD5 7159e84ba1273b99488d34ef9032f74b
SHA1 4fa3ba9ea3cb1a26ad248af5f9c45922f8946fc8
SHA256 620a919b349aa20fbf6c96872a21efe18a2d34470d960690aaf69ad0466e725d
SHA512 4b75ddceba7186d150dfa781049139c8f9b16b028ec5bcf773e53a531ad4e03afb71b7ba8be6612b9721c2a7b7ee70cab59dec0369c0f0e5eb54c474678513c6

memory/2972-42-0x0000000002400000-0x0000000002754000-memory.dmp

memory/2440-43-0x000000013F2C0000-0x000000013F614000-memory.dmp

\Windows\system\Rpjiiem.exe

MD5 1d42ec76fe992ebe48766eac89bfa573
SHA1 dd38ae4f5a5ae4aa693a3e499b84fd0cab064278
SHA256 8e3e7f2056b889fc84b03aeaf72381dc20e90c6273dbcaba71efc875a44cbccd
SHA512 e8488419fea959e84f84732e6258342f239bbbdf3f6c0f11dc36f875fd4ca6871509f33a1fb6f9311470e5f5c67215de7e538159d8a152b95f619ed453d609bd

memory/2576-49-0x000000013FBA0000-0x000000013FEF4000-memory.dmp

memory/2972-48-0x000000013FBA0000-0x000000013FEF4000-memory.dmp

\Windows\system\RzSCDCJ.exe

MD5 3e5d196f65920c296f04ed6553ac5a95
SHA1 f6dc9fbc86d81adbff917a2b2c90ea2648db3188
SHA256 a57b39c670a75034b7b6a00cc7471a7d71aeb5e7e3705b35dd283461905939de
SHA512 f77d037103d7b248d9265c7452e052325849a942167f66a9d89e4f1abbd3cd115018692b77aebd09fd5c26090517735ecde7f3d06dbec490b22d174b441c18f3

C:\Windows\system\WeRJdnD.exe

MD5 14a4a0bea2726acb68193361aa1d7175
SHA1 a2be4afaf305da878d24459f1275eb214f8a08bb
SHA256 a4bda6c9cca3fb1cae1f15916e9957dd49e44916e36aee52dc079cf5d2d0e79e
SHA512 34bad0c97a476c3fd1bbff77b6c36ae79fdcab144560115e3393661dfcd5e3ed85e764013dfb66abd76e8d82fd2d2f34b15e9f6bef9a8400f0ead70bbaa8d396

memory/2476-62-0x000000013FD80000-0x00000001400D4000-memory.dmp

memory/2972-63-0x000000013F100000-0x000000013F454000-memory.dmp

\Windows\system\IMmhhvJ.exe

MD5 599d560bf5b09bf288f88f498a3d562f
SHA1 c59b8a010a21d046f27b2db3164e439e21e77de8
SHA256 e509c349987c95e2a06655e509fce561c9471c657f7eefa048d0e654c1fac818
SHA512 f353d564a57b0a5635cc43e56737d3b414ee1eb0bc732a80d06f497d26fcc1a0f6992b322b96de49f7a2a3e8d8efc4a1ffda5bc9bdeaf126fce012ee93625d33

memory/2552-65-0x000000013F1F0000-0x000000013F544000-memory.dmp

memory/1920-71-0x000000013FA10000-0x000000013FD64000-memory.dmp

memory/2972-68-0x000000013FA10000-0x000000013FD64000-memory.dmp

memory/2412-61-0x000000013F310000-0x000000013F664000-memory.dmp

C:\Windows\system\yXoFcWM.exe

MD5 624c7661fe453cb46440e0f7d82d2a5b
SHA1 6d0acfe2f68c07a8c2617135c4df12044ce32ecb

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-08 19:58

Reported

2024-06-08 20:01

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike.exe"

Signatures

xmrig

miner xmrig

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike.exe"

Network

Country Destination Domain Proto

Files

memory/1712-0-0x00007FF7A8260000-0x00007FF7A85B4000-memory.dmp