Analysis Overview
SHA256
0a2e2133cc6a881450ab8695c7eff0735014f3b567b9f6c7bbc82113f39f5619
Threat Level: Known bad
The file 2024-06-08_f413667acbe3d264730db62c410a5bd0_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike
XMRig Miner payload
Cobalt Strike reflective loader
UPX dump on OEP (original entry point)
Cobaltstrike family
xmrig
Xmrig family
Detects Reflective DLL injection artifacts
UPX packed file
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-08 20:01
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-08 20:01
Reported
2024-06-08 20:04
Platform
win7-20240221-en
Max time kernel
137s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\DDFaorS.exe | N/A |
| N/A | N/A | C:\Windows\System\wIygHkm.exe | N/A |
| N/A | N/A | C:\Windows\System\qlZgJjx.exe | N/A |
| N/A | N/A | C:\Windows\System\rWfylPh.exe | N/A |
| N/A | N/A | C:\Windows\System\aOpDcdO.exe | N/A |
| N/A | N/A | C:\Windows\System\RAsGfJm.exe | N/A |
| N/A | N/A | C:\Windows\System\pUCQgQb.exe | N/A |
| N/A | N/A | C:\Windows\System\ZGYSLLS.exe | N/A |
| N/A | N/A | C:\Windows\System\iwqIkVP.exe | N/A |
| N/A | N/A | C:\Windows\System\fiTZgSd.exe | N/A |
| N/A | N/A | C:\Windows\System\bvowKlR.exe | N/A |
| N/A | N/A | C:\Windows\System\YYuYQYu.exe | N/A |
| N/A | N/A | C:\Windows\System\bdFAIPj.exe | N/A |
| N/A | N/A | C:\Windows\System\MpfLVwZ.exe | N/A |
| N/A | N/A | C:\Windows\System\hiYhqVe.exe | N/A |
| N/A | N/A | C:\Windows\System\FKsKmfv.exe | N/A |
| N/A | N/A | C:\Windows\System\sdKYGVw.exe | N/A |
| N/A | N/A | C:\Windows\System\zkvRLqr.exe | N/A |
| N/A | N/A | C:\Windows\System\IIjObdA.exe | N/A |
| N/A | N/A | C:\Windows\System\tcpYRwG.exe | N/A |
| N/A | N/A | C:\Windows\System\GOcTdld.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_f413667acbe3d264730db62c410a5bd0_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_f413667acbe3d264730db62c410a5bd0_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-08_f413667acbe3d264730db62c410a5bd0_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_f413667acbe3d264730db62c410a5bd0_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\DDFaorS.exe
C:\Windows\System\DDFaorS.exe
C:\Windows\System\wIygHkm.exe
C:\Windows\System\wIygHkm.exe
C:\Windows\System\qlZgJjx.exe
C:\Windows\System\qlZgJjx.exe
C:\Windows\System\rWfylPh.exe
C:\Windows\System\rWfylPh.exe
C:\Windows\System\aOpDcdO.exe
C:\Windows\System\aOpDcdO.exe
C:\Windows\System\RAsGfJm.exe
C:\Windows\System\RAsGfJm.exe
C:\Windows\System\pUCQgQb.exe
C:\Windows\System\pUCQgQb.exe
C:\Windows\System\ZGYSLLS.exe
C:\Windows\System\ZGYSLLS.exe
C:\Windows\System\iwqIkVP.exe
C:\Windows\System\iwqIkVP.exe
C:\Windows\System\fiTZgSd.exe
C:\Windows\System\fiTZgSd.exe
C:\Windows\System\bvowKlR.exe
C:\Windows\System\bvowKlR.exe
C:\Windows\System\YYuYQYu.exe
C:\Windows\System\YYuYQYu.exe
C:\Windows\System\bdFAIPj.exe
C:\Windows\System\bdFAIPj.exe
C:\Windows\System\MpfLVwZ.exe
C:\Windows\System\MpfLVwZ.exe
C:\Windows\System\hiYhqVe.exe
C:\Windows\System\hiYhqVe.exe
C:\Windows\System\FKsKmfv.exe
C:\Windows\System\FKsKmfv.exe
C:\Windows\System\sdKYGVw.exe
C:\Windows\System\sdKYGVw.exe
C:\Windows\System\zkvRLqr.exe
C:\Windows\System\zkvRLqr.exe
C:\Windows\System\IIjObdA.exe
C:\Windows\System\IIjObdA.exe
C:\Windows\System\tcpYRwG.exe
C:\Windows\System\tcpYRwG.exe
C:\Windows\System\GOcTdld.exe
C:\Windows\System\GOcTdld.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
\Windows\system\GOcTdld.exe
| MD5 | b5aadba1f6fb47e17df08502bb332625 |
| SHA1 | d6b8b6f6903a3d56a63bbfb7820b6e42e9b765f7 |
| SHA256 | 905ca3d37e73557f890f2abf53f1e365c7ae14ac65aac28ff3ed343ffdb4fa66 |
| SHA512 | 6a2b6c0a8c27a2b77f5176eb7f3f77bbee8186b62fc146053d06d01b9d513dc089f4cf943dd812b88f6afc15bb2903ed34aa842c2fdbb16ae30bfc495b81bd00 |
C:\Windows\system\IIjObdA.exe
| MD5 | 2b317429e3337a3d21ae7e18a207c32c |
| SHA1 | 88daef90e70ddfc892b4ab908fb242671b0dd2d7 |
| SHA256 | 5232a3fa11f9be6d02dae85fa47ca7c19b549f260bc9b13978d846f7a6f4ad2a |
| SHA512 | ec0c8b327748e9ef602a531889004cade3b9d856415afade3592029fa0a05a29f8e54514df7e10f0af7e9e7d20d612395736c426c51a00882288311089ccebdd |
C:\Windows\system\tcpYRwG.exe
| MD5 | b11755b34114ffbddb719bcbcf225214 |
| SHA1 | 613be945dfea425e506c1fd4d31a9fc0d8cd755f |
| SHA256 | 722dbe87ceea238f35e00638de5af7a472c26f2d24691d5a3716c905a8c85f1b |
| SHA512 | 2df306633049e179c270521c80921819f41bc818902cb7f85cf3cd7d3e5c75914b1d215fd8a77897bf4ff01f0558288e22004580e614056abb775c003fa8a739 |
C:\Windows\system\zkvRLqr.exe
| MD5 | 87d17954549f8a44b4d87f523d3af19c |
| SHA1 | 101d3a647f25d383e9b97439521ab61b5300d481 |
| SHA256 | 285c8f7435a52f360d2f91df3078761aaf4f934d1d2d88b788e08dd53a8b3265 |
| SHA512 | 93a12b8f537dc07950d805a9e56879ce327548f9bcdf8ea0690a0084ddc5a850ff3e85fb9dd481244f201e0c1d8f022f72dc317df08d625ed5ee0dc89ec21d19 |
C:\Windows\system\sdKYGVw.exe
| MD5 | a2767a505b2bb58c12931de0c953f87b |
| SHA1 | 69e6a150ab009b2203ac8c9826970b0e8b988532 |
| SHA256 | 6291b231bb60942ac81da4fec3b04b5220bf094b4711a37deb8974ad11740e05 |
| SHA512 | f5f0fd6a462c75486d0285585017b011e32ab45c85b7e666a914cff04e7bdaa73514e1b2a7616088f9b5519243c000a4ac22a52fc3fe2e72e119c618d2ef9b14 |
C:\Windows\system\FKsKmfv.exe
| MD5 | a64ecf1f64e1a2a109e6ee9ad016e116 |
| SHA1 | b6140e3ba69fdd87ed665c8e5a5c8ed71496ba87 |
| SHA256 | 1f4b05b9db66098ded77c8a21e2af32c6546bdf1606791a635946839237fa0c1 |
| SHA512 | f60e598cbdd774af3e8d3e1a24b86ef20e0b821f2ca95420cda2d89b07a018d54091f65e8dcaa594ecb9887fe8ce767b989a426ef6294efaaddd21bb4412d298 |
memory/1924-106-0x000000013F1B0000-0x000000013F504000-memory.dmp
memory/2704-105-0x000000013F710000-0x000000013FA64000-memory.dmp
C:\Windows\system\hiYhqVe.exe
| MD5 | 7598789cbd60db1b5f742cba2c41790f |
| SHA1 | 4969810f407e155434364a04accc8af805a98c7e |
| SHA256 | 8f4f774634e730edae191746eae54a8fbe534b2eb583c7a5134362653629f2ee |
| SHA512 | 62905b93cc91a29a63fb101cd426f3cfaa0c22c853461f2117dae00184cf4d0ac9e24eec20560867898c83fa9f38c4ec6ad84acb0107ac5bdcef8ac944a7e6bf |
memory/280-99-0x000000013F1C0000-0x000000013F514000-memory.dmp
memory/1924-98-0x000000013F1C0000-0x000000013F514000-memory.dmp
memory/2792-92-0x000000013F4E0000-0x000000013F834000-memory.dmp
C:\Windows\system\bdFAIPj.exe
| MD5 | 1c7cafa2803df4e9166764f43c95a40b |
| SHA1 | 98f47ab8dab0b36a48b38a8ae72b2441aa643ba3 |
| SHA256 | 7f4025cee0337c3b6ac30a96497436352823887a9c90e2efd0d450155b923354 |
| SHA512 | a3da92abdf8f31a304898095d60010d3cf3d935690379ca2ad480a96e8617a159efd64c4f12bc0291774bbd6226ea27834fac7da4da7d58f71e6ade47a77a91c |
memory/2480-137-0x000000013F600000-0x000000013F954000-memory.dmp
memory/1924-90-0x000000013F4E0000-0x000000013F834000-memory.dmp
memory/2664-88-0x000000013F2E0000-0x000000013F634000-memory.dmp
C:\Windows\system\MpfLVwZ.exe
| MD5 | 2b3b90b2d958e77f6f89a35630a7b90a |
| SHA1 | 47b3b35dced202540e7b4aaaee86b611af9c7b56 |
| SHA256 | 3ee434f22f38272adb600b45bb59653fc1e38a75aad1dc1ec2a0f567ca92b21f |
| SHA512 | deae469268b9151e96cfcf1e5a4a275711c9df94bdb4a935e2e01cc2b361cbc93f20c1c36728e8862fca7c9f6cff95dbd703d561eae6907d4b662735d5a9a410 |
memory/2900-81-0x000000013F760000-0x000000013FAB4000-memory.dmp
memory/2912-80-0x000000013FE50000-0x00000001401A4000-memory.dmp
memory/2532-79-0x000000013FA60000-0x000000013FDB4000-memory.dmp
memory/1924-78-0x0000000002440000-0x0000000002794000-memory.dmp
memory/2464-77-0x000000013FCE0000-0x0000000140034000-memory.dmp
memory/1924-76-0x000000013F760000-0x000000013FAB4000-memory.dmp
C:\Windows\system\bvowKlR.exe
| MD5 | 1ee2445f50bc22c76faf80b090f6be85 |
| SHA1 | 744dd21228e7f5f46e6e42c886e0f85874706f7c |
| SHA256 | 9eca0b637b5f06b7967ecc4066b6dfbde48c8ce90d90f5d2cee5f7a075f46e6d |
| SHA512 | 712b378734342bdca3cc8ac5d7968e775e0b5c33c3a573fdfc0715cc0b43155ceccd9940184f608f1de31e8e45da32d4b2be4bef3349e2e81b7ed85fddcf7e77 |
\Windows\system\YYuYQYu.exe
| MD5 | 32a6a03d300dc240cf30bc7fdfa7148a |
| SHA1 | 7479e0e271e093106657d84c7f4fb71832083cfc |
| SHA256 | b423e4a1cbcfdfef987ae1c6e26b7b5b8e3090500c429ef8bf8885109eb72127 |
| SHA512 | 16237efde8fde1c755240d9f489f5dd61ff04f5536cf28a8c702df1f5490d3fd0f844a95575d4c0e09e74793ac8b418a625a5fbabfc88d1b54cf134c888ea3c9 |
memory/1924-71-0x0000000002440000-0x0000000002794000-memory.dmp
C:\Windows\system\fiTZgSd.exe
| MD5 | 7c2dc4787b0e71b0d531001d60c4ffde |
| SHA1 | feaef5376e7a2fc9aa56c53eea15868bce0089fb |
| SHA256 | 3c55a89b398334f3f106a2bf8689d88b58cd1e300e1215cc99bc22ab6e02828f |
| SHA512 | 3051daa753392b3b2e4a005cde5ec420c64aa9a917ef62ae20faf20d50f0ca9ca11dedab150ab377bca90381f5feb6fcf69f6e67ac3212f3a239cb8af2f5bed3 |
memory/2404-69-0x000000013F8B0000-0x000000013FC04000-memory.dmp
memory/2332-63-0x000000013F520000-0x000000013F874000-memory.dmp
C:\Windows\system\iwqIkVP.exe
| MD5 | fbff3ab2f5fae3376d782730f8d78edd |
| SHA1 | 80eba296173f0b4514947c47d959052eae946698 |
| SHA256 | daee7e00cdaef84643b644739f7d55e307a5a9c7ede69828a292d5422097d8da |
| SHA512 | 6419f1182f5590210dae27c9039e84cfcfe7a1f984b37b2bda28198b179dbe0614938ed19e9bdc44680caf2f38483e49e062f2ccbde0fafed9601bb2bae4b99c |
memory/2480-48-0x000000013F600000-0x000000013F954000-memory.dmp
memory/1924-47-0x000000013F600000-0x000000013F954000-memory.dmp
C:\Windows\system\pUCQgQb.exe
| MD5 | 0462a0e16afb4f13245e86d086f74c9a |
| SHA1 | c2c9ac193f52b90678101213d5aa4b3616f7cb1e |
| SHA256 | b68abce5a09189854e5185e1e7bbbae2a1db64cf28bcae3af0caa307a16bd7b0 |
| SHA512 | ee1e7c19a6a5ba4c0f45edcf89a37bc3b4c687d609ad7c8463bfe4def6c5c55cf879a462f5edb7b04f447cb89982a52007bc2258f6331a81c070fa36aef33f89 |
memory/2560-54-0x000000013F270000-0x000000013F5C4000-memory.dmp
memory/1924-53-0x000000013FEA0000-0x00000001401F4000-memory.dmp
C:\Windows\system\ZGYSLLS.exe
| MD5 | 7eac25e5ddbe45db0e5c63a4bb7f8636 |
| SHA1 | 58f38b8bed621f11bdb4a1a80cfa6e1adc1cfe37 |
| SHA256 | 31ac67f04df3f9f22cb9f3958dcb69a5069548ee0c85ec565c8a0c80c07384b9 |
| SHA512 | d9e748d9428a58287f6f1a2e835ad11b67c8735ceb05a3e0d14a20fa5ef7eb27d05f0948aa77e462148618d9b8b24550dc6a8802a8ebbe1cf83a0a76efba5237 |
memory/2704-41-0x000000013F710000-0x000000013FA64000-memory.dmp
memory/1924-40-0x000000013F710000-0x000000013FA64000-memory.dmp
memory/2520-35-0x000000013F540000-0x000000013F894000-memory.dmp
C:\Windows\system\RAsGfJm.exe
| MD5 | e4afa601e690066e6d86c9b8b6efb0d7 |
| SHA1 | 71e9680e3a38015b0fbf42ce680af344c445976c |
| SHA256 | 8a73ebdfac35a09c2173783ab573df4138b3de1a85f5c3a37cd16083c8b0f24e |
| SHA512 | 9428e53120af7f05dae133523e26149f64650bd1b945908dd833df1ee3517a5194f714ddc06b78a7c2a7003e74cf9b7da66a7d8d117da9db8461cf1dd1e5364e |
C:\Windows\system\aOpDcdO.exe
| MD5 | d6794812e079aafbc8bc4c3fe77b9e51 |
| SHA1 | e5363fa4aea95f22c53543447a6724b1ef36ac75 |
| SHA256 | 3bddbb0ad3d6f1096f8b2a80606e6c228c1b060b04dfbbfa27e4d2df0bef6bf7 |
| SHA512 | 569d2e0c2ec95b0845a5738d20682466096d34cbfe165d1b379b67f056fa300a9dc9cd543584759db4836fcd44e637d882b997b284d6a39b3086a1edca6e9976 |
memory/2320-19-0x000000013F7B0000-0x000000013FB04000-memory.dmp
C:\Windows\system\qlZgJjx.exe
| MD5 | f8322b9b561858cee89d24f457bb84d6 |
| SHA1 | b8e13c09434a7aa69641304934a69f0817a5e9de |
| SHA256 | 20f3082f4df15af675d39ff6caa992db354975544bcd3a481225b09586d4b0a7 |
| SHA512 | 008cb71c984ad1d1141044735c796ec9996ee2c76d620b20a14aec8160bd3c085163a8ed8d553baba1cb05a82506c7cd53dbc8ce913715d11955bd92544a3fc8 |
memory/2332-15-0x000000013F520000-0x000000013F874000-memory.dmp
memory/2664-29-0x000000013F2E0000-0x000000013F634000-memory.dmp
memory/1924-27-0x000000013F2E0000-0x000000013F634000-memory.dmp
memory/2532-25-0x000000013FA60000-0x000000013FDB4000-memory.dmp
C:\Windows\system\rWfylPh.exe
| MD5 | 82e348f7d7f1554dd1de9328c339f73b |
| SHA1 | 733923cf22905daffce9fe91c77ae346df41f8a8 |
| SHA256 | 59f88ed4a517a610ecea0674f07a81134c66542f4e30686e87f20194a0e8bce6 |
| SHA512 | c55a9dfa689c45c5c0707025609721a8877392ee492aa16375f48f15774fcd4f1ceee942d9b2e43bf3e64ab9679ad4e843fc8a2b2eb7afb9534ea11b2137ddb8 |
memory/1924-22-0x000000013FA60000-0x000000013FDB4000-memory.dmp
C:\Windows\system\wIygHkm.exe
| MD5 | dd0896c215a7882e03fd48efc8243f97 |
| SHA1 | c9b7f796a72721afe8a332355d85727406f37cac |
| SHA256 | 830c3d63eeb67dda1e023345e52a640cc7198c4b4f3c718749ad5a45e18cb324 |
| SHA512 | 881681407e52e1853a2e3a7bcd67ffa18b3aa3f1762278f5e00ef277b7720258312dd03ca8ef6362748738af203d06ebbdf140435fe94d63973a84498dfb467f |
C:\Windows\system\DDFaorS.exe
| MD5 | 1e60a7a55f7e24e7206ab41cdd0afd64 |
| SHA1 | b17a13ea119ca93a2fea39d39637bda7b980e48b |
| SHA256 | df126e6cffcf9feac4726128b7ea786fa345b1264741f63b8a9e1f794db19164 |
| SHA512 | 3e3e347daf1aa915eb58e207cad4fb09262fe6e8f5f2633dca47252c366a4e67afd4c18d424d472cf50b5ab8dcf03a9569074bdfa2a9a5b7d7140b20691a5b8a |
memory/1924-8-0x000000013F7B0000-0x000000013FB04000-memory.dmp
memory/1924-1-0x0000000000080000-0x0000000000090000-memory.dmp
memory/1924-0-0x000000013FEA0000-0x00000001401F4000-memory.dmp
memory/2560-138-0x000000013F270000-0x000000013F5C4000-memory.dmp
memory/1924-140-0x0000000002440000-0x0000000002794000-memory.dmp
memory/1924-139-0x000000013F8B0000-0x000000013FC04000-memory.dmp
memory/1924-141-0x000000013F760000-0x000000013FAB4000-memory.dmp
memory/2464-142-0x000000013FCE0000-0x0000000140034000-memory.dmp
memory/2912-143-0x000000013FE50000-0x00000001401A4000-memory.dmp
memory/2900-144-0x000000013F760000-0x000000013FAB4000-memory.dmp
memory/2792-145-0x000000013F4E0000-0x000000013F834000-memory.dmp
memory/280-147-0x000000013F1C0000-0x000000013F514000-memory.dmp
memory/1924-146-0x000000013F1C0000-0x000000013F514000-memory.dmp
memory/1924-148-0x000000013F1B0000-0x000000013F504000-memory.dmp
memory/2320-149-0x000000013F7B0000-0x000000013FB04000-memory.dmp
memory/2332-150-0x000000013F520000-0x000000013F874000-memory.dmp
memory/2532-151-0x000000013FA60000-0x000000013FDB4000-memory.dmp
memory/2664-152-0x000000013F2E0000-0x000000013F634000-memory.dmp
memory/2520-153-0x000000013F540000-0x000000013F894000-memory.dmp
memory/2704-154-0x000000013F710000-0x000000013FA64000-memory.dmp
memory/2480-155-0x000000013F600000-0x000000013F954000-memory.dmp
memory/2560-156-0x000000013F270000-0x000000013F5C4000-memory.dmp
memory/2404-157-0x000000013F8B0000-0x000000013FC04000-memory.dmp
memory/2900-160-0x000000013F760000-0x000000013FAB4000-memory.dmp
memory/2464-159-0x000000013FCE0000-0x0000000140034000-memory.dmp
memory/2912-158-0x000000013FE50000-0x00000001401A4000-memory.dmp
memory/2792-161-0x000000013F4E0000-0x000000013F834000-memory.dmp
memory/280-162-0x000000013F1C0000-0x000000013F514000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-08 20:01
Reported
2024-06-08 20:04
Platform
win10v2004-20240426-en
Max time kernel
93s
Max time network
97s
Command Line
Signatures
xmrig
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-08_f413667acbe3d264730db62c410a5bd0_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_f413667acbe3d264730db62c410a5bd0_cobalt-strike_cobaltstrike.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 129.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 145.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
Files
memory/3984-0-0x00007FF718610000-0x00007FF718964000-memory.dmp