Analysis Overview
SHA256
1015be47ece8a5287906b788392398f66f5aac39975a258fa358d934cd94282b
Threat Level: Known bad
The file 2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
UPX dump on OEP (original entry point)
Detects Reflective DLL injection artifacts
XMRig Miner payload
xmrig
Cobaltstrike
Xmrig family
Cobalt Strike reflective loader
Cobaltstrike family
Executes dropped EXE
UPX packed file
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-08 19:59
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-08 19:58
Reported
2024-06-08 20:01
Platform
win7-20240221-en
Max time kernel
137s
Max time network
147s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\yaVFGzC.exe | N/A |
| N/A | N/A | C:\Windows\System\AnnuoIT.exe | N/A |
| N/A | N/A | C:\Windows\System\zdzBSOD.exe | N/A |
| N/A | N/A | C:\Windows\System\PWyqxQE.exe | N/A |
| N/A | N/A | C:\Windows\System\hmSHXrg.exe | N/A |
| N/A | N/A | C:\Windows\System\TjaUoYE.exe | N/A |
| N/A | N/A | C:\Windows\System\Rpjiiem.exe | N/A |
| N/A | N/A | C:\Windows\System\RzSCDCJ.exe | N/A |
| N/A | N/A | C:\Windows\System\WeRJdnD.exe | N/A |
| N/A | N/A | C:\Windows\System\IMmhhvJ.exe | N/A |
| N/A | N/A | C:\Windows\System\uZSEiFW.exe | N/A |
| N/A | N/A | C:\Windows\System\yXoFcWM.exe | N/A |
| N/A | N/A | C:\Windows\System\WXmXyiU.exe | N/A |
| N/A | N/A | C:\Windows\System\UVSeswR.exe | N/A |
| N/A | N/A | C:\Windows\System\CiCxlDv.exe | N/A |
| N/A | N/A | C:\Windows\System\IvRFntA.exe | N/A |
| N/A | N/A | C:\Windows\System\FLOyGJq.exe | N/A |
| N/A | N/A | C:\Windows\System\VFEAQLj.exe | N/A |
| N/A | N/A | C:\Windows\System\AWzElQc.exe | N/A |
| N/A | N/A | C:\Windows\System\nTWseYg.exe | N/A |
| N/A | N/A | C:\Windows\System\ErMflqm.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\yaVFGzC.exe
C:\Windows\System\yaVFGzC.exe
C:\Windows\System\AnnuoIT.exe
C:\Windows\System\AnnuoIT.exe
C:\Windows\System\zdzBSOD.exe
C:\Windows\System\zdzBSOD.exe
C:\Windows\System\PWyqxQE.exe
C:\Windows\System\PWyqxQE.exe
C:\Windows\System\hmSHXrg.exe
C:\Windows\System\hmSHXrg.exe
C:\Windows\System\TjaUoYE.exe
C:\Windows\System\TjaUoYE.exe
C:\Windows\System\Rpjiiem.exe
C:\Windows\System\Rpjiiem.exe
C:\Windows\System\RzSCDCJ.exe
C:\Windows\System\RzSCDCJ.exe
C:\Windows\System\WeRJdnD.exe
C:\Windows\System\WeRJdnD.exe
C:\Windows\System\IMmhhvJ.exe
C:\Windows\System\IMmhhvJ.exe
C:\Windows\System\uZSEiFW.exe
C:\Windows\System\uZSEiFW.exe
C:\Windows\System\yXoFcWM.exe
C:\Windows\System\yXoFcWM.exe
C:\Windows\System\UVSeswR.exe
C:\Windows\System\UVSeswR.exe
C:\Windows\System\WXmXyiU.exe
C:\Windows\System\WXmXyiU.exe
C:\Windows\System\CiCxlDv.exe
C:\Windows\System\CiCxlDv.exe
C:\Windows\System\IvRFntA.exe
C:\Windows\System\IvRFntA.exe
C:\Windows\System\FLOyGJq.exe
C:\Windows\System\FLOyGJq.exe
C:\Windows\System\VFEAQLj.exe
C:\Windows\System\VFEAQLj.exe
C:\Windows\System\AWzElQc.exe
C:\Windows\System\AWzElQc.exe
C:\Windows\System\nTWseYg.exe
C:\Windows\System\nTWseYg.exe
C:\Windows\System\ErMflqm.exe
C:\Windows\System\ErMflqm.exe
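The process tree above, together with the SeLockMemoryPrivilege requests recorded earlier in this run, gives two cheap signals to hunt for: executables with seven-letter mixed-case names launched from C:\Windows\System\ (the legacy directory, not System32) by a sample in %TEMP%, and that same parent enabling the privilege XMRig uses for large-page memory. The script below is an added example, not part of the Triage report; its event list is constructed to mirror the report, and the PIDs and parent links in it are assumptions.

```python
"""Added example (not Triage output): hunt for this report's dropper pattern in
process-creation and privilege-adjustment telemetry.

Two signals from the behavioral1 run are combined:
  * children executed from C:\\Windows\\System\\ (the near-empty legacy directory,
    not System32) whose names are 7 mixed-case letters, all spawned by the
    sample in %TEMP%;
  * the same parent enabling SeLockMemoryPrivilege, which XMRig requests so it
    can back its scratchpad with large pages.
The EVENTS list is constructed to mirror the report's process list; the PIDs
and parent links are assumptions, not values taken from the page.
"""
import re
from collections import defaultdict

# Drive:\Windows\System\<7 letters>.exe -- "System32" cannot match because the
# directory name must be followed directly by a backslash.
RANDOM_SYSTEM_EXE = re.compile(
    r"^[A-Za-z]:\\Windows\\System\\([A-Za-z]{7})\.exe$", re.IGNORECASE
)

# The 21 names from the report's "Executes dropped EXE" table.
DROPPED_NAMES = [
    "yaVFGzC", "AnnuoIT", "zdzBSOD", "PWyqxQE", "hmSHXrg", "TjaUoYE", "Rpjiiem",
    "RzSCDCJ", "WeRJdnD", "IMmhhvJ", "uZSEiFW", "yXoFcWM", "WXmXyiU", "UVSeswR",
    "CiCxlDv", "IvRFntA", "FLOyGJq", "VFEAQLj", "AWzElQc", "nTWseYg", "ErMflqm",
]

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike.exe")

# Constructed telemetry: (event, pid, ppid, image, detail)
EVENTS = [
    ("ProcessCreate", 2972, 1500, SAMPLE, ""),
    ("PrivilegeAdjust", 2972, 0, SAMPLE, "SeLockMemoryPrivilege"),
    ("ProcessCreate", 2504, 2972, r"C:\Windows\System\yaVFGzC.exe", ""),
    ("ProcessCreate", 2640, 2972, r"C:\Windows\System\AnnuoIT.exe", ""),
    ("ProcessCreate", 2552, 2972, r"C:\Windows\System\zdzBSOD.exe", ""),
    ("ProcessCreate", 4000, 600, r"C:\Windows\System32\svchost.exe", ""),   # benign control
    ("ProcessCreate", 4100, 2972, r"C:\Windows\System32\cmd.exe", ""),      # child, wrong dir
    ("PrivilegeAdjust", 4000, 0, r"C:\Windows\System32\svchost.exe", "SeDebugPrivilege"),
]


def is_random_system_exe(image: str) -> bool:
    """True for Drive:\\Windows\\System\\<7 letters>.exe with mixed case."""
    m = RANDOM_SYSTEM_EXE.match(image)
    if not m:
        return False
    name = m.group(1)
    return any(c.isupper() for c in name) and any(c.islower() for c in name)


def hunt(events):
    """Group suspicious children by parent and note whether that parent
    enabled SeLockMemoryPrivilege.  Returns one finding per parent."""
    children = defaultdict(list)  # ppid -> [(pid, image)]
    privs = defaultdict(set)      # pid  -> privileges enabled
    for kind, pid, ppid, image, detail in events:
        if kind == "ProcessCreate" and is_random_system_exe(image):
            children[ppid].append((pid, image))
        elif kind == "PrivilegeAdjust":
            privs[pid].add(detail)
    return [
        {
            "parent_pid": ppid,
            "dropped": sorted(image for _, image in kids),
            "lock_memory": "SeLockMemoryPrivilege" in privs[ppid],
        }
        for ppid, kids in sorted(children.items())
    ]


if __name__ == "__main__":
    for finding in hunt(EVENTS):
        print(finding)
```

The directory check matters more than the name check: on a 64-bit Windows install C:\Windows\System\ normally holds almost nothing, so any fresh executable there is worth a look even before the name pattern is applied, and the lower-case-only name in the test shows why the mixed-case requirement should be treated as a confidence booster rather than a hard filter.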
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2972-0-0x000000013F100000-0x000000013F454000-memory.dmp
memory/2972-1-0x00000000001F0000-0x0000000000200000-memory.dmp
C:\Windows\system\yaVFGzC.exe
| MD5 | 02b427540b632e4bb3356268b887b177 |
| SHA1 | ae1f150758b80dc4bb6ab5b75ed1a81d28dc7bd6 |
| SHA256 | 5d4eced9990262fdfb38b87ba90bed3229d58a8d9b5e0e29e8854efc059d28c6 |
| SHA512 | 8160cf882219829cdbfe2fc4b40a52887524c53c40ab53a9ffe649920b69936a242bc4b8e25c66722155ea7a6c90e34cc2bafa0801be84662b387d5a6e0920a9 |
\Windows\system\zdzBSOD.exe
| MD5 | 8872408f6e82b1bdb52ea59a90901f15 |
| SHA1 | 529078aedab15872b3ff57676a83d9fa9fd9bbba |
| SHA256 | 4875a4ad5c597812fa02e99cac0a52637ca7c4eac02c546ee40e2b534761875c |
| SHA512 | 6aae40ff1d0eb7886f6d2d97844b35842c781c8773d94f8e917b905ed62dccf7ba1377b8fc71369405ec64eedf1c42d1a286f889cff3e2e2b8860dbadec69d15 |
memory/2504-15-0x000000013FC80000-0x000000013FFD4000-memory.dmp
memory/2972-9-0x000000013FC80000-0x000000013FFD4000-memory.dmp
\Windows\system\AnnuoIT.exe
| MD5 | fa6e964cea443317ec0c2fe4b57ad575 |
| SHA1 | c65186ea221e92ad13529062bc8ee7dafe01c983 |
| SHA256 | b7d4b56f1a1ee6d2cb2eefe13226ee9219ac3610c2d4d0fb74f8234dfc4ba8df |
| SHA512 | f17df93fc62518413a7d4cabb891e1d50b56aee5e8dfc574f7ff0d84eb08f75c64a6d0d5667ef7559cf6e1f65ba8d0a8408a06fbf75d1dd42d77aef5e5e9f1a4 |
memory/2640-23-0x000000013F3A0000-0x000000013F6F4000-memory.dmp
memory/2972-22-0x0000000002400000-0x0000000002754000-memory.dmp
memory/2972-21-0x0000000002400000-0x0000000002754000-memory.dmp
memory/2552-17-0x000000013F1F0000-0x000000013F544000-memory.dmp
\Windows\system\PWyqxQE.exe
| MD5 | 5dd86c1f9172841613d2176780a847fa |
| SHA1 | b0e4340e67edf4ff6e69825c66c282197a057ea7 |
| SHA256 | d5fbe804159d18942ecfe4a35d8550ae235b48f4cf668087840b9b9f1d954175 |
| SHA512 | aaebf61f09ade48d2851bd0a56e6356adc36030c3046e642c47de70dc1c8f46cc060291b40a3705ab9e7d7b7333976923ecf9ef2bd87d8bf02ec597672a593c2 |
memory/2972-35-0x0000000002400000-0x0000000002754000-memory.dmp
C:\Windows\system\hmSHXrg.exe
| MD5 | d7531b60941bbbcfbb63241d4881a164 |
| SHA1 | 2e83d7f1c15724d3cad89ab385ab1d0b5cf55029 |
| SHA256 | 0794a9a63c29e23eff14ae07f27f2ccc940b94534a08d1159184cfbe9966ece9 |
| SHA512 | 1811cfc1c1dd7edb77b208c8807b3a25f35aa2ea3b03104d3d676257118f91e57084d8589478fa00cd50f06ff80d8c44d1a43d9adf400d6babe8523c017e3133 |
memory/3008-36-0x000000013F440000-0x000000013F794000-memory.dmp
memory/2828-31-0x000000013F9E0000-0x000000013FD34000-memory.dmp
C:\Windows\system\TjaUoYE.exe
| MD5 | 7159e84ba1273b99488d34ef9032f74b |
| SHA1 | 4fa3ba9ea3cb1a26ad248af5f9c45922f8946fc8 |
| SHA256 | 620a919b349aa20fbf6c96872a21efe18a2d34470d960690aaf69ad0466e725d |
| SHA512 | 4b75ddceba7186d150dfa781049139c8f9b16b028ec5bcf773e53a531ad4e03afb71b7ba8be6612b9721c2a7b7ee70cab59dec0369c0f0e5eb54c474678513c6 |
memory/2972-42-0x0000000002400000-0x0000000002754000-memory.dmp
memory/2440-43-0x000000013F2C0000-0x000000013F614000-memory.dmp
\Windows\system\Rpjiiem.exe
| MD5 | 1d42ec76fe992ebe48766eac89bfa573 |
| SHA1 | dd38ae4f5a5ae4aa693a3e499b84fd0cab064278 |
| SHA256 | 8e3e7f2056b889fc84b03aeaf72381dc20e90c6273dbcaba71efc875a44cbccd |
| SHA512 | e8488419fea959e84f84732e6258342f239bbbdf3f6c0f11dc36f875fd4ca6871509f33a1fb6f9311470e5f5c67215de7e538159d8a152b95f619ed453d609bd |
memory/2576-49-0x000000013FBA0000-0x000000013FEF4000-memory.dmp
memory/2972-48-0x000000013FBA0000-0x000000013FEF4000-memory.dmp
\Windows\system\RzSCDCJ.exe
| MD5 | 3e5d196f65920c296f04ed6553ac5a95 |
| SHA1 | f6dc9fbc86d81adbff917a2b2c90ea2648db3188 |
| SHA256 | a57b39c670a75034b7b6a00cc7471a7d71aeb5e7e3705b35dd283461905939de |
| SHA512 | f77d037103d7b248d9265c7452e052325849a942167f66a9d89e4f1abbd3cd115018692b77aebd09fd5c26090517735ecde7f3d06dbec490b22d174b441c18f3 |
C:\Windows\system\WeRJdnD.exe
| MD5 | 14a4a0bea2726acb68193361aa1d7175 |
| SHA1 | a2be4afaf305da878d24459f1275eb214f8a08bb |
| SHA256 | a4bda6c9cca3fb1cae1f15916e9957dd49e44916e36aee52dc079cf5d2d0e79e |
| SHA512 | 34bad0c97a476c3fd1bbff77b6c36ae79fdcab144560115e3393661dfcd5e3ed85e764013dfb66abd76e8d82fd2d2f34b15e9f6bef9a8400f0ead70bbaa8d396 |
memory/2476-62-0x000000013FD80000-0x00000001400D4000-memory.dmp
memory/2972-63-0x000000013F100000-0x000000013F454000-memory.dmp
\Windows\system\IMmhhvJ.exe
| MD5 | 599d560bf5b09bf288f88f498a3d562f |
| SHA1 | c59b8a010a21d046f27b2db3164e439e21e77de8 |
| SHA256 | e509c349987c95e2a06655e509fce561c9471c657f7eefa048d0e654c1fac818 |
| SHA512 | f353d564a57b0a5635cc43e56737d3b414ee1eb0bc732a80d06f497d26fcc1a0f6992b322b96de49f7a2a3e8d8efc4a1ffda5bc9bdeaf126fce012ee93625d33 |
memory/2552-65-0x000000013F1F0000-0x000000013F544000-memory.dmp
memory/1920-71-0x000000013FA10000-0x000000013FD64000-memory.dmp
memory/2972-68-0x000000013FA10000-0x000000013FD64000-memory.dmp
memory/2412-61-0x000000013F310000-0x000000013F664000-memory.dmp
C:\Windows\system\yXoFcWM.exe
| MD5 | 624c7661fe453cb46440e0f7d82d2a5b |
| SHA1 | 6d0acfe2f68c07a8c2617135c4df12044ce32ecb |
| SHA256 | 4581b4713eeb187cf862db1dd96736b6aae9b93cfc13013e0665f2b320ea1dde |
| SHA512 | c7c14208a2362d976fbb830776fdb26a79263bb21302eb75e188cbc6855b7d24138ca87dc798b38a58488bf3becb64ff18ef49cecd79323be24e1c04c7eaa48e |
memory/2972-83-0x000000013F9E0000-0x000000013FD34000-memory.dmp
memory/2788-77-0x000000013F860000-0x000000013FBB4000-memory.dmp
\Windows\system\UVSeswR.exe
| MD5 | 79e7d17662f628404bc5c261f59a557c |
| SHA1 | 3dce9cbe4628904cf9e34ae22ce8676567353156 |
| SHA256 | 6e20ff87fadbb9a7b3bb0a5149daf4ce3ac0b130298313086868f0d6cd58be43 |
| SHA512 | a1bf801cd430bff1e40f8c448d95b0222b6e799257b13d76bf479fa0591d6dde8ddc7cc3a41f24df8151a1769d6688a035363cfa9cc6c5f8dde526a4624f3d92 |
memory/1620-101-0x000000013F210000-0x000000013F564000-memory.dmp
memory/2972-99-0x0000000002400000-0x0000000002754000-memory.dmp
memory/1708-97-0x000000013FAE0000-0x000000013FE34000-memory.dmp
memory/2972-96-0x000000013FAE0000-0x000000013FE34000-memory.dmp
memory/2972-94-0x0000000002400000-0x0000000002754000-memory.dmp
C:\Windows\system\WXmXyiU.exe
| MD5 | e47658c283838550ee675046236f3d02 |
| SHA1 | f82f72b3a427db9ce1cdf0603cf43bdac5fcdc6a |
| SHA256 | 89948d491b6634f48a2ffc029ea3329d9bac56069f26e494675ad2faf7966406 |
| SHA512 | 44b7fca8c5ee45fbef7ea82956afe8be34e975918490a0ba11d102de30237f5c8c7bb0402800d568c2c4e2f9698a7065224d504f28f909b42d5615e50412536b |
memory/2972-76-0x000000013F860000-0x000000013FBB4000-memory.dmp
memory/2972-92-0x0000000002400000-0x0000000002754000-memory.dmp
memory/2500-91-0x000000013F190000-0x000000013F4E4000-memory.dmp
C:\Windows\system\uZSEiFW.exe
| MD5 | 902cc4bdfd658b871f61f2bfc71c6a38 |
| SHA1 | bf0461b3725a7c7945e073ffec6fbe804431100e |
| SHA256 | 3cdd238fb164f43c8395cf4db8f7dc65f4bdc392096603df38914a3fefb67488 |
| SHA512 | 33b3c21f905b71370076eaba6965b406736affe3e3c5ebf71ed073bc0082dfd5ea7438cf9cb990e7811d8b9fbd482016f05d88a489a40d93b4145a022fd8b58e |
\Windows\system\CiCxlDv.exe
| MD5 | 2827c02bee4a42f55d8b3213d090e4f1 |
| SHA1 | bdadea49345b70f5702d19af79804e256570b7aa |
| SHA256 | d6013f274a83d96bb53bdd82721372704d887af3bd59eaf30fe1ae2fa9e0df3e |
| SHA512 | a8bf68b276abe463f0cd21246b3214e6c5c2b1717d6dfb705fb1196f36a7e7bfdd5d280a476cff49b913bfc975bf9b3912dee94a48ec7012f80bd12781245a11 |
memory/2972-108-0x0000000002400000-0x0000000002754000-memory.dmp
memory/2576-107-0x000000013FBA0000-0x000000013FEF4000-memory.dmp
C:\Windows\system\IvRFntA.exe
| MD5 | d64c6a5d6a368d02dd094171e2fecbb4 |
| SHA1 | db900be9b26f2e6a78b6104ed52cf7e647806fb1 |
| SHA256 | 3392482b5ffac41bffa9b4b7c0aa9427d8c9f3555e587e00030725abbe78cc75 |
| SHA512 | 5e4d4eca2e35e5365d7b536ae829ce0f7d0df24292e0ff4a23ecd5a455840662a4a5fd29b0a966eeeb9848ef38b7f21be5f7767a6b0926143737dcfe7c7f9a9f |
C:\Windows\system\nTWseYg.exe
| MD5 | 4b0d042ec253f4cc3a80b91a9718408b |
| SHA1 | 1659fa3f08780b79928406d6c0eaeb1064e23a7a |
| SHA256 | 8d3861489340aee3ecbafe325d8a90730765e6cf07d260166e5b1493ebc8fc9e |
| SHA512 | 9bfc312f07e3c4fe249f8c30ceeab6006d2c71b43ba6dacd04ff42314b04c2ebfdcb5ef3aee5995871dce2c4d91f5be22b0ebdbeaf14ad311cd0ef1311631f0d |
C:\Windows\system\FLOyGJq.exe
| MD5 | 3f5ef4342b67ef326e97a90fc0f10a21 |
| SHA1 | 818f9e51468e995e35134a372c1868a7449c5db7 |
| SHA256 | b024197c1bc065c9ae4a9e272aa0c28a9b2c35e6023d81b93ade3aa69ee8a3fa |
| SHA512 | 9bd034284f537c8cd3c21956ec22ff1032e9615239cf3f705cc6e9efb99b318cf104444d506c690ec04c593560c9dac62bee5149f50522fef7ac945dede7c547 |
\Windows\system\AWzElQc.exe
| MD5 | 08f025d5d1f3a2a43e81d08551ed91f4 |
| SHA1 | 77a73b3e6e30eab2bb2a9a9869c871fd8f0bff44 |
| SHA256 | 14959168f6ac0cbbbd9614a3ca94bc2763976094c747b9f7188445bf457ee430 |
| SHA512 | e1f68e5b244c37bf8cae73a181fb62d174f5197400828e9b5dd7cefb67ee7cad7f9e370119272d31ff175b333f013b87c8544150853506b283db6d8245daedde |
C:\Windows\system\VFEAQLj.exe
| MD5 | db4ca9858e22c99f615c127d7640d9a7 |
| SHA1 | 5d6a742c6408e1b7c4eb24cc13177c85b32199a2 |
| SHA256 | 5fc6faefce0a552f7d88abf476afea3709fe6ec6a181db6786f88a6558111648 |
| SHA512 | 2111424aaa0dcba8775f68e7979ef42b7121a104054094df6d96077b8b92e802483a570d799a62a7ebbdb60fd3c618466ae548a92146358d207ef62edd7e7e53 |
\Windows\system\ErMflqm.exe
| MD5 | 3989eb76cb65d65a56be79d1f8abab8f |
| SHA1 | d0b72d20365f41aed31252d5fe2f0b7cbd429cc1 |
| SHA256 | 91573efa76883c29fbb22c12f2e962d62bece84d6ff12d854aa07dd63fae3879 |
| SHA512 | e3b0cfaf952e78af44e14502bc974f0b197d23225f61be1da23b31c32d1d597b8d30b5341ab3f4c771ef8acf4b5d790cf381483e67dd3f5dc659e2617e4fcfaa |
memory/2972-138-0x000000013FA10000-0x000000013FD64000-memory.dmp
memory/1920-139-0x000000013FA10000-0x000000013FD64000-memory.dmp
memory/2972-140-0x000000013F860000-0x000000013FBB4000-memory.dmp
memory/2788-141-0x000000013F860000-0x000000013FBB4000-memory.dmp
memory/2972-142-0x0000000002400000-0x0000000002754000-memory.dmp
memory/2504-143-0x000000013FC80000-0x000000013FFD4000-memory.dmp
memory/2640-144-0x000000013F3A0000-0x000000013F6F4000-memory.dmp
memory/2552-145-0x000000013F1F0000-0x000000013F544000-memory.dmp
memory/2828-146-0x000000013F9E0000-0x000000013FD34000-memory.dmp
memory/3008-147-0x000000013F440000-0x000000013F794000-memory.dmp
memory/2440-148-0x000000013F2C0000-0x000000013F614000-memory.dmp
memory/2576-149-0x000000013FBA0000-0x000000013FEF4000-memory.dmp
memory/2412-150-0x000000013F310000-0x000000013F664000-memory.dmp
memory/2476-151-0x000000013FD80000-0x00000001400D4000-memory.dmp
memory/1920-152-0x000000013FA10000-0x000000013FD64000-memory.dmp
memory/2788-153-0x000000013F860000-0x000000013FBB4000-memory.dmp
memory/2500-154-0x000000013F190000-0x000000013F4E4000-memory.dmp
memory/1708-155-0x000000013FAE0000-0x000000013FE34000-memory.dmp
memory/1620-156-0x000000013F210000-0x000000013F564000-memory.dmp
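The memory-dump names in the Files list above encode PID, dump index and region bounds, so the region sizes and base addresses can be compared without the dumps themselves: every dumped image is the same 0x354000-byte size, and the parent (PID 2972) holds dumps at the same base as several of its children, which is consistent with the Loads dropped DLL and WriteProcessMemory signatures. The script below is an added example, not part of the Triage report; it uses the dump names exactly as they appear in this section (later entries that repeat the same regions are left out) and assumes 2972 is the submitted sample's PID, as the first dump indicates.

```python
"""Added example (not Triage output): recover region sizes and base addresses
from the memory-dump names in the behavioral1 Files section.  Each name has the
form memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp.  DUMPS lists the names
as printed on the page (entries from index 138 onward repeat the same regions
and are omitted); 2972 is taken to be the submitted sample's PID."""
import re
from collections import Counter, defaultdict

DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")

DUMPS = """
memory/2972-0-0x000000013F100000-0x000000013F454000-memory.dmp
memory/2972-1-0x00000000001F0000-0x0000000000200000-memory.dmp
memory/2504-15-0x000000013FC80000-0x000000013FFD4000-memory.dmp
memory/2972-9-0x000000013FC80000-0x000000013FFD4000-memory.dmp
memory/2640-23-0x000000013F3A0000-0x000000013F6F4000-memory.dmp
memory/2972-22-0x0000000002400000-0x0000000002754000-memory.dmp
memory/2972-21-0x0000000002400000-0x0000000002754000-memory.dmp
memory/2552-17-0x000000013F1F0000-0x000000013F544000-memory.dmp
memory/2972-35-0x0000000002400000-0x0000000002754000-memory.dmp
memory/3008-36-0x000000013F440000-0x000000013F794000-memory.dmp
memory/2828-31-0x000000013F9E0000-0x000000013FD34000-memory.dmp
memory/2972-42-0x0000000002400000-0x0000000002754000-memory.dmp
memory/2440-43-0x000000013F2C0000-0x000000013F614000-memory.dmp
memory/2576-49-0x000000013FBA0000-0x000000013FEF4000-memory.dmp
memory/2972-48-0x000000013FBA0000-0x000000013FEF4000-memory.dmp
memory/2476-62-0x000000013FD80000-0x00000001400D4000-memory.dmp
memory/2972-63-0x000000013F100000-0x000000013F454000-memory.dmp
memory/2552-65-0x000000013F1F0000-0x000000013F544000-memory.dmp
memory/1920-71-0x000000013FA10000-0x000000013FD64000-memory.dmp
memory/2972-68-0x000000013FA10000-0x000000013FD64000-memory.dmp
memory/2412-61-0x000000013F310000-0x000000013F664000-memory.dmp
memory/2972-83-0x000000013F9E0000-0x000000013FD34000-memory.dmp
memory/2788-77-0x000000013F860000-0x000000013FBB4000-memory.dmp
memory/1620-101-0x000000013F210000-0x000000013F564000-memory.dmp
memory/2972-99-0x0000000002400000-0x0000000002754000-memory.dmp
memory/1708-97-0x000000013FAE0000-0x000000013FE34000-memory.dmp
memory/2972-96-0x000000013FAE0000-0x000000013FE34000-memory.dmp
memory/2972-94-0x0000000002400000-0x0000000002754000-memory.dmp
memory/2972-76-0x000000013F860000-0x000000013FBB4000-memory.dmp
memory/2972-92-0x0000000002400000-0x0000000002754000-memory.dmp
memory/2500-91-0x000000013F190000-0x000000013F4E4000-memory.dmp
memory/2972-108-0x0000000002400000-0x0000000002754000-memory.dmp
memory/2576-107-0x000000013FBA0000-0x000000013FEF4000-memory.dmp
""".split()


def parse_dump(name):
    """-> (pid, index, start, end) from a Triage memory-dump file name."""
    m = DUMP_RE.fullmatch(name)
    if m is None:
        raise ValueError("not a memory dump name: " + name)
    pid, idx, start, end = m.groups()
    return int(pid), int(idx), int(start, 16), int(end, 16)


def analyse(names, parent_pid):
    """Summarise region sizes and which bases the parent shares with children."""
    regions = sorted({parse_dump(n) for n in names})
    size_counts = Counter(end - start for _, _, start, end in regions)
    image_size = size_counts.most_common(1)[0][0]   # the dominant size is the PE image
    bases = defaultdict(set)                         # pid -> starts of image-sized regions
    for pid, _, start, end in regions:
        if end - start == image_size:
            bases[pid].add(start)
    # dump index 0 is the sample's own image, captured at its entry point
    own_base = next(s for pid, idx, s, _ in regions if pid == parent_pid and idx == 0)
    children = sorted(pid for pid in bases if pid != parent_pid)
    # a child base that is also dumped inside the parent means the same image
    # is mapped in both address spaces
    shared = sorted(pid for pid in children if bases[pid] & bases[parent_pid])
    # image-sized regions in the parent that are neither its own image nor a
    # child's base: a private copy of the payload, e.g. a staging buffer
    private = sorted(b for b in bases[parent_pid]
                     if b != own_base and not any(b in bases[c] for c in children))
    return {"sizes": set(size_counts), "image_size": image_size,
            "children": children, "shared_base_children": shared,
            "parent_private_copies": private}


if __name__ == "__main__":
    r = analyse(DUMPS, 2972)
    print(f"image size 0x{r['image_size']:X} ({r['image_size']} bytes)")
    print("children with dumps:", len(r["children"]))
    print("children whose base is also dumped in the parent:", r["shared_base_children"])
    print("private image-sized regions in the parent:", [hex(b) for b in r["parent_private_copies"]])
```

Only two region sizes occur: the 0x354000-byte image that every dropped executable and the parent share, and one 0x10000-byte region in the parent (dump 2972-1). The parent's image-sized region at 0x2400000 sits outside any image range, which is what a payload copy held in a private allocation before it is written to disk or into a child looks like; the page does not say which of those it was.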
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-08 19:58
Reported
2024-06-08 20:01
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
xmrig
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_eea06aa9ad33274e36f2778f936f740f_cobalt-strike_cobaltstrike.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 32.251.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 145.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.173.189.20.in-addr.arpa | udp |
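The two Network tables differ sharply: the Windows 7 run (behavioral1) made six TCP connections straight to 3.120.209.58:8080 with no domain, while the Windows 10 run recorded no dropped executables, no connection to that host, only reverse (PTR) lookups via 8.8.8.8 and one port-80 connection. The script below is an added example, not part of the Triage report; it reproduces the rows of both tables and scores direct-IP, non-web-port, repeated TCP destinations as beacon candidates. The thresholds are assumptions.

```python
"""Added example (not Triage output): triage the Network tables of both runs.
A destination contacted repeatedly by direct IP (no domain in the row), over
TCP on a port other than 80/443, is scored as a C2 candidate.  ROWS copies the
report's rows; min_connections and COMMON_WEB_PORTS are assumed thresholds."""
from collections import Counter

# (run, country, destination, domain, proto) as printed in the two tables
ROWS = [
    ("behavioral1", "DE", "3.120.209.58:8080", "", "tcp"),
    ("behavioral1", "DE", "3.120.209.58:8080", "", "tcp"),
    ("behavioral1", "DE", "3.120.209.58:8080", "", "tcp"),
    ("behavioral1", "DE", "3.120.209.58:8080", "", "tcp"),
    ("behavioral1", "DE", "3.120.209.58:8080", "", "tcp"),
    ("behavioral1", "DE", "3.120.209.58:8080", "", "tcp"),
    ("behavioral2", "US", "8.8.8.8:53", "217.106.137.52.in-addr.arpa", "udp"),
    ("behavioral2", "US", "8.8.8.8:53", "14.160.190.20.in-addr.arpa", "udp"),
    ("behavioral2", "US", "8.8.8.8:53", "133.211.185.52.in-addr.arpa", "udp"),
    ("behavioral2", "US", "8.8.8.8:53", "26.165.165.52.in-addr.arpa", "udp"),
    ("behavioral2", "NL", "52.142.223.178:80", "", "tcp"),
    ("behavioral2", "US", "8.8.8.8:53", "15.164.165.52.in-addr.arpa", "udp"),
    ("behavioral2", "US", "8.8.8.8:53", "32.251.17.2.in-addr.arpa", "udp"),
    ("behavioral2", "US", "8.8.8.8:53", "145.83.221.88.in-addr.arpa", "udp"),
    ("behavioral2", "US", "8.8.8.8:53", "21.236.111.52.in-addr.arpa", "udp"),
    ("behavioral2", "US", "8.8.8.8:53", "105.83.221.88.in-addr.arpa", "udp"),
    ("behavioral2", "US", "8.8.8.8:53", "1.173.189.20.in-addr.arpa", "udp"),
]

COMMON_WEB_PORTS = {80, 443}


def parse_destination(dest):
    """'3.120.209.58:8080' -> ('3.120.209.58', 8080)"""
    host, _, port = dest.rpartition(":")
    return host, int(port)


def beacon_candidates(rows, min_connections=3):
    """Return {(run, host, port): count} for TCP destinations reached without a
    domain, on a non-web port, at least min_connections times."""
    counts = Counter()
    for run, _country, dest, domain, proto in rows:
        if proto != "tcp" or domain:      # DNS rows and named hosts are skipped
            continue
        host, port = parse_destination(dest)
        counts[(run, host, port)] += 1
    return {key: n for key, n in counts.items()
            if n >= min_connections and key[2] not in COMMON_WEB_PORTS}


def ptr_target(domain):
    """'217.106.137.52.in-addr.arpa' -> '52.137.106.217'; None for non-PTR names."""
    suffix = ".in-addr.arpa"
    if not domain.endswith(suffix):
        return None
    return ".".join(reversed(domain[: -len(suffix)].split(".")))


def ptr_targets(rows):
    """Sorted list of the IPs whose reverse records were queried."""
    return sorted({ptr_target(d) for _, _, _, d, _ in rows if ptr_target(d)})


if __name__ == "__main__":
    for (run, host, port), n in beacon_candidates(ROWS).items():
        print(f"{run}: {host}:{port} contacted {n} times by direct IP")
    print("IPs reverse-resolved during the runs:", ptr_targets(ROWS))
```

The port filter is what keeps 52.142.223.178:80 out even when min_connections is lowered to 1, and the PTR helper turns the in-addr.arpa names into the addresses the Windows 10 guest was resolving, which is the form you would actually check against an allow-list.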
Files
memory/1712-0-0x00007FF7A8260000-0x00007FF7A85B4000-memory.dmp