Analysis Overview
SHA256
0fb298106190f381cc0cc73e2a8a18034857c5232dac26f67b8bfb76ac89886f
Threat Level: Known bad
The file 2024-06-08_fa855a62e2ec82c680fa7a41a08033be_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike
Detects Reflective DLL injection artifacts
xmrig
Xmrig family
Cobalt Strike reflective loader
XMRig Miner payload
UPX dump on OEP (original entry point)
Cobaltstrike family
XMRig Miner payload
UPX dump on OEP (original entry point)
Detects Reflective DLL injection artifacts
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-08 20:04
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-08 20:02
Reported
2024-06-08 20:06
Platform
win7-20240508-en
Max time kernel
142s
Max time network
146s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\zVJtmKf.exe | N/A |
| N/A | N/A | C:\Windows\System\VRTXcPx.exe | N/A |
| N/A | N/A | C:\Windows\System\xBhtboS.exe | N/A |
| N/A | N/A | C:\Windows\System\mctZAkc.exe | N/A |
| N/A | N/A | C:\Windows\System\ucorHXG.exe | N/A |
| N/A | N/A | C:\Windows\System\ziIQcvg.exe | N/A |
| N/A | N/A | C:\Windows\System\bkZTjLh.exe | N/A |
| N/A | N/A | C:\Windows\System\ytuTxBB.exe | N/A |
| N/A | N/A | C:\Windows\System\ovWrWNW.exe | N/A |
| N/A | N/A | C:\Windows\System\SdgWdUk.exe | N/A |
| N/A | N/A | C:\Windows\System\VDRqlTE.exe | N/A |
| N/A | N/A | C:\Windows\System\XcmFZnP.exe | N/A |
| N/A | N/A | C:\Windows\System\oySGKQE.exe | N/A |
| N/A | N/A | C:\Windows\System\KxGvRPy.exe | N/A |
| N/A | N/A | C:\Windows\System\WWLiHKc.exe | N/A |
| N/A | N/A | C:\Windows\System\VWbIrBm.exe | N/A |
| N/A | N/A | C:\Windows\System\qCoEKUA.exe | N/A |
| N/A | N/A | C:\Windows\System\zINrjxr.exe | N/A |
| N/A | N/A | C:\Windows\System\pjpzmaP.exe | N/A |
| N/A | N/A | C:\Windows\System\vShIFjg.exe | N/A |
| N/A | N/A | C:\Windows\System\YoXqaMR.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_fa855a62e2ec82c680fa7a41a08033be_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_fa855a62e2ec82c680fa7a41a08033be_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-08_fa855a62e2ec82c680fa7a41a08033be_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_fa855a62e2ec82c680fa7a41a08033be_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\zVJtmKf.exe
C:\Windows\System\zVJtmKf.exe
C:\Windows\System\VRTXcPx.exe
C:\Windows\System\VRTXcPx.exe
C:\Windows\System\xBhtboS.exe
C:\Windows\System\xBhtboS.exe
C:\Windows\System\mctZAkc.exe
C:\Windows\System\mctZAkc.exe
C:\Windows\System\ucorHXG.exe
C:\Windows\System\ucorHXG.exe
C:\Windows\System\ziIQcvg.exe
C:\Windows\System\ziIQcvg.exe
C:\Windows\System\ytuTxBB.exe
C:\Windows\System\ytuTxBB.exe
C:\Windows\System\bkZTjLh.exe
C:\Windows\System\bkZTjLh.exe
C:\Windows\System\ovWrWNW.exe
C:\Windows\System\ovWrWNW.exe
C:\Windows\System\SdgWdUk.exe
C:\Windows\System\SdgWdUk.exe
C:\Windows\System\VDRqlTE.exe
C:\Windows\System\VDRqlTE.exe
C:\Windows\System\XcmFZnP.exe
C:\Windows\System\XcmFZnP.exe
C:\Windows\System\oySGKQE.exe
C:\Windows\System\oySGKQE.exe
C:\Windows\System\KxGvRPy.exe
C:\Windows\System\KxGvRPy.exe
C:\Windows\System\WWLiHKc.exe
C:\Windows\System\WWLiHKc.exe
C:\Windows\System\VWbIrBm.exe
C:\Windows\System\VWbIrBm.exe
C:\Windows\System\qCoEKUA.exe
C:\Windows\System\qCoEKUA.exe
C:\Windows\System\zINrjxr.exe
C:\Windows\System\zINrjxr.exe
C:\Windows\System\pjpzmaP.exe
C:\Windows\System\pjpzmaP.exe
C:\Windows\System\vShIFjg.exe
C:\Windows\System\vShIFjg.exe
C:\Windows\System\YoXqaMR.exe
C:\Windows\System\YoXqaMR.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1704-1-0x000000013FA90000-0x000000013FDE4000-memory.dmp
memory/1704-0-0x0000000000080000-0x0000000000090000-memory.dmp
\Windows\system\zVJtmKf.exe
| MD5 | b89af3573790ea15cd27f443c0cac78c |
| SHA1 | ca5aa28c9a44d739ce3cbf950f56b760afeb2bf9 |
| SHA256 | 9ad6af45910ba8b8ddab32fde9d7544648ef915d2d5a6f1d905b04538d4fedb6 |
| SHA512 | 6bd28c0c9bd7dd738bd0d55153f4428118a317e528400f9bfd686eee79d910ee8c3a9e2b34484f1e4811b83ef9e5ff4434d039299e0db4a06204afcf05b8d99b |
memory/1672-8-0x000000013F930000-0x000000013FC84000-memory.dmp
\Windows\system\VRTXcPx.exe
| MD5 | c430ba6f41baea7af1d655a14d6972ff |
| SHA1 | 18bd577c188e5ac46c111eb128719dcc2762f241 |
| SHA256 | bbc597a66cc4eb44c54dc10617eff86172080e839784ba93f629fd380035b37e |
| SHA512 | cda5d0fa8a8963ec13b2df24d7cb025dd13790e57760960964d4ddce8d19f82f01f74ead2d7fc36fc8760c15485e5fd7b0ef969b1a3516fdf222787e1f240571 |
memory/3016-13-0x000000013F6C0000-0x000000013FA14000-memory.dmp
C:\Windows\system\xBhtboS.exe
| MD5 | 0e3c2f20fe601316e2e6df7bfd8c1334 |
| SHA1 | 6d4b4b9852a91ee6bbad591e7626349eab83429f |
| SHA256 | 40f7c9edb00fa0ba9c69a36386f4eae7b04e08ce22df82f4d79d04b74951b760 |
| SHA512 | ec5d9a8275abd6cb44460793cb1a647179a94946c656337e76f8e0063c231d6a7299e616422e9c8502372210a7b81673303c617f2a33e4f9a9f20d9fcaf4399a |
memory/1048-20-0x000000013FEA0000-0x00000001401F4000-memory.dmp
memory/1704-19-0x000000013FEA0000-0x00000001401F4000-memory.dmp
C:\Windows\system\mctZAkc.exe
| MD5 | cf007f2fa546412c6cc62785589d033c |
| SHA1 | c68365b19f39f9438e64b1f6e89bf85401c345d0 |
| SHA256 | c0c6a456e68f6222881979f62da982f146d24bbc2f4cdb62a7d16d8d895850f3 |
| SHA512 | 8f565f74d3b76c207d8d8f1bb1baad1f43f9a3f30cb4b576180e0f545cedaf2da803b87ee3a8494bfb5012d28eace3afae00334daecdf4cdaea694c0447c6e89 |
memory/1704-25-0x000000013F340000-0x000000013F694000-memory.dmp
\Windows\system\ucorHXG.exe
| MD5 | 7532dbaac76ff93a070ee5571eb78bee |
| SHA1 | 6779c1d3d189d540b16af7c6ea694e4397d24979 |
| SHA256 | 7bb27d135923dc33f5b688889222786169cdc24b10d6933804f83b0f41a70a08 |
| SHA512 | 478816f90dd4a8e764001a294166307633627301725ee8ca3683f3b86a5860156ea3eca882b14fc5b3e5273c5559918decbdead37a172c213854c7f4fce36292 |
C:\Windows\system\ziIQcvg.exe
| MD5 | f5fbffcb2be344e7b2140867a45bee55 |
| SHA1 | 116d1fd3006f2711a20efa8276cc257d48dee323 |
| SHA256 | f863818fe5eda42b070be04f8d1deb248c01aa33980c5b03511a4c3aff659b1d |
| SHA512 | 2bec9f99c34c06f751d25cf22032e929b40774be2f471634bf68435f4ac8b6653f4f7109a40d98c3413feee14d289b1d0127fee5da5ca99199867bb8db26d2cb |
memory/1704-47-0x000000013F190000-0x000000013F4E4000-memory.dmp
C:\Windows\system\bkZTjLh.exe
| MD5 | e1c31e277eb593470d0f6c1d31644da5 |
| SHA1 | 9d1fbae0b64b1cf0d08c4224f5db89a2c118b370 |
| SHA256 | 12caf92b91ad56c519f489696cfb5266ee5c0a0dc9181ea464104b5b88412a4c |
| SHA512 | 5685783b0fc62e21b2767ddf5127996af8ca6ab335367cc12b9b697b006b932aa042ed6fc9b7f1fc8911b248fe2efbc68aefe288c1e6a01a8fed038960932c7c |
C:\Windows\system\ytuTxBB.exe
| MD5 | 7bc043d65096572596ef0d3b265d98db |
| SHA1 | ffbb54646dc68092b3ecba0d754cd6bc5a45e1bd |
| SHA256 | 13d3c3083113d2ca15e178d0816a79dc763b199c6da7f8aeba29d5d2ef7503a4 |
| SHA512 | 0c8112e01a1216bfdfe39eecdcce4272d044c53d3ea8378b2cc6a968a5b591f4dc3eca6b9b4c34372a4113c226b2fe84243ebbb23167076d694e23868983bd1b |
memory/2764-35-0x000000013FD50000-0x00000001400A4000-memory.dmp
memory/1704-32-0x00000000023B0000-0x0000000002704000-memory.dmp
memory/2860-56-0x000000013FF20000-0x0000000140274000-memory.dmp
memory/2424-54-0x000000013F190000-0x000000013F4E4000-memory.dmp
memory/1704-53-0x000000013FA90000-0x000000013FDE4000-memory.dmp
memory/2680-48-0x000000013F790000-0x000000013FAE4000-memory.dmp
memory/1704-45-0x000000013FF20000-0x0000000140274000-memory.dmp
memory/1704-39-0x00000000023B0000-0x0000000002704000-memory.dmp
memory/2736-28-0x000000013F340000-0x000000013F694000-memory.dmp
C:\Windows\system\SdgWdUk.exe
| MD5 | a23a95681b546fed90c473bacd40fa0c |
| SHA1 | 4b1777348a048fa2a7e460ad16bbad81a0331756 |
| SHA256 | 60a7bec97022ff65e703eacd13608ae3b4b5f3c1392667796f6e8c572b027b44 |
| SHA512 | 0a3d2b0a499c945035f0de37d8906ae5ef3f034df65d750b21c5f32033efcf403bbe30299e1a6c3aedbf3ca98b68549a3b95b23a22142434a09a4b76472e7399 |
memory/1704-69-0x000000013F680000-0x000000013F9D4000-memory.dmp
memory/2988-70-0x000000013F680000-0x000000013F9D4000-memory.dmp
memory/3016-68-0x000000013F6C0000-0x000000013FA14000-memory.dmp
\Windows\system\VDRqlTE.exe
| MD5 | 8cdfb39601612fa6d881a347e96a1a39 |
| SHA1 | dfd801c1fc8cb26804d61bbed40cf1655c86a77b |
| SHA256 | be6c275de2d01ae91b7cb07ce3ffbd9f1025e7f533602287294dc10473446dd3 |
| SHA512 | f3fad174364da3120537f6d640b98d6e02c0e0ab8071d55d2f3f498fe5c4ffb6ac7ebeded321af2398adf7b6fd69423eb1544e2c6a7e674a8ee09625381cd3ca |
memory/1704-85-0x000000013F340000-0x000000013F694000-memory.dmp
memory/2808-88-0x000000013F230000-0x000000013F584000-memory.dmp
C:\Windows\system\KxGvRPy.exe
| MD5 | d096501035062ed13f749abdf1756431 |
| SHA1 | a7fc2aedd069c25174eab5a8d35a51bba57a7cb4 |
| SHA256 | ff0c3c69928752bf166d412d9a7ae9e1878c333900041b6388ce8ad06ebf42e3 |
| SHA512 | a90eb6cd1edde44f62705484f43ac6efab46cc45d1908d967ae74b8f240c986773284bafea271fdc687975f6615b199224bda278fd09fcbf9b40ecc25d6d8e59 |
memory/2480-102-0x000000013F4A0000-0x000000013F7F4000-memory.dmp
memory/2728-95-0x000000013F370000-0x000000013F6C4000-memory.dmp
C:\Windows\system\qCoEKUA.exe
| MD5 | 9b349ab32777b461a2ea904f5b9534c8 |
| SHA1 | c0dc8b9d459eaeb04db6505a6aa910e43a1922db |
| SHA256 | 8a42a096cc7e455226dda4d3c68c3365bd1541631acc4270c645537c265be659 |
| SHA512 | 6fbfb062517d05386d3f604edfc1ae44ce15a536ba76a23e6dee05681dbdd079ab1c6da607b432705f2c517b1256e613ec96120876c8fb75e773cba3583cf85f |
C:\Windows\system\zINrjxr.exe
| MD5 | 6243a9bd663f50c76f41c9a3f85687cf |
| SHA1 | 732fbbf63a578574a8a4e7ebdfdd353ef47f7412 |
| SHA256 | eb5eca0f734dd3a5c9bfa3ea7f09421ced8c3fe49ec8bf1b7689d714420db41d |
| SHA512 | 17ab7c08ac37901e9b20f22c10a2ddff053945025ca7b55dcc79c864bdc8cc0ce93d508899030915ec0d81a52fe2486117e7e93dfd0908859a11776fe5bbaf49 |
\Windows\system\vShIFjg.exe
| MD5 | bbc4c42b8ef47ba6e64a102f2c38f6fe |
| SHA1 | 228f9040c9030ff7202881a3e0ffddf8b4b4ce4d |
| SHA256 | 6770fffcac581518ab8d2424af8ae64407220bb7d8d3d025c6124b5b486fbeda |
| SHA512 | 5931eebda0e3365e930c5900437f0ee9b0550c373ec638a4f26690e2690262ad2cfb875ec480535b6e2941678e3236ee46f49d71caf5f88192a56c52a6140207 |
\Windows\system\YoXqaMR.exe
| MD5 | eb01c36d29e44b66d316512702cef6d6 |
| SHA1 | 31f58784296ed9d9c309b36d84b4f08630045f83 |
| SHA256 | abffbf9ba451129e8c6631cf959943baf107b7e27a8b757a1a142917f90d2ab9 |
| SHA512 | 953a197600df8a707b33dc972e8f8242508b891bfa8714729ad717ba09dc5962b6ff27415dfa10439b249ebc35693353b6fe8cf3a54fa9b20d756ec8aae451e0 |
C:\Windows\system\pjpzmaP.exe
| MD5 | fed5e0f098cb21fbaa9a8f1c8cb2a3bd |
| SHA1 | ec4a64b1ebb9bcde24606320171d2beea853da24 |
| SHA256 | 710d09f2ae4894ae11b18b683dec341a9231a028bcfb7d57ad949776bcff66f2 |
| SHA512 | c83c5d0e549d97e921f899f6fd342028354788a9b3f505ca6217d07aacc5b8fccaf8987edf99ae251e14e3b8ccff957cf235f4425abc7e8f6c0d088fadec9470 |
C:\Windows\system\WWLiHKc.exe
| MD5 | 6c42b80a4c13886c82c878db4e292ee0 |
| SHA1 | aae2baaa19f742dc5c9344288301fde9ea7b6083 |
| SHA256 | ba60bc3e8af412ffe3948317107228b228a3e945db3fbf81b0f4fbfe2208b503 |
| SHA512 | 3963a3f03de4ff2338ec8253a6619e8de630509e1948bb954fde392e0af64b262fbde963ad7dfdd074c2216366dd4a96e15c149ac158398228b3be63686b26ee |
memory/1704-107-0x00000000023B0000-0x0000000002704000-memory.dmp
C:\Windows\system\VWbIrBm.exe
| MD5 | d7bb926b5ca970301ef69f6c674b9bd1 |
| SHA1 | e1e0e89302cf90cfdec9fdade5a4d638128abfe1 |
| SHA256 | 641737741e3657b8763618ade7d52e9342fd2d9d66f9464892afa89f21de18bd |
| SHA512 | 29cc8a742ebaa3bd73dde47d38a769d65deaf81f91c626fd70605e10fa2fa67675a50435fd5085964989e634e929b967f926bc1e9ec7dc9097b054eb1d2251d8 |
memory/1704-94-0x000000013F370000-0x000000013F6C4000-memory.dmp
memory/2764-93-0x000000013FD50000-0x00000001400A4000-memory.dmp
C:\Windows\system\oySGKQE.exe
| MD5 | bc52c7cb0529323b51ac80198a22e69e |
| SHA1 | c1ebc359d7f64d80872b34d3950c13cb35509958 |
| SHA256 | e79862d995bb55ee01e5ad93a66ee8429f70158132c10fe2e39d13bf1f6c5b5b |
| SHA512 | 4328d9e4dfc79da31d86cc6eacae37cd8e1838a477293ece19d9a3d090f438b4840c85d18bde239e4ae62d1b71bd784d1ca9bec36380df1902db8d4fe47f192c |
memory/1704-101-0x000000013F4A0000-0x000000013F7F4000-memory.dmp
memory/1704-87-0x000000013F230000-0x000000013F584000-memory.dmp
memory/288-78-0x000000013F950000-0x000000013FCA4000-memory.dmp
memory/1704-77-0x00000000023B0000-0x0000000002704000-memory.dmp
memory/1048-76-0x000000013FEA0000-0x00000001401F4000-memory.dmp
memory/2736-86-0x000000013F340000-0x000000013F694000-memory.dmp
C:\Windows\system\XcmFZnP.exe
| MD5 | 7b69ed80ced85889503a9e9f173c2d9a |
| SHA1 | bbf85cf22be2f1541de41ffd2a41a3a0d9371129 |
| SHA256 | ceeec827d3806f365c7f9d03dd0b15a43f7cc0b5238dbdeb762689ca83f1c666 |
| SHA512 | b9504a2e6c0680bd537a6682347e4a117b91685f1c1c623c3bae7e1c2ff25912a39f6363806613ce7eec2970f7e1a52c8ce2c7d3d039b8b2e8d7b668b0a7354b |
memory/2552-61-0x000000013F400000-0x000000013F754000-memory.dmp
memory/1704-60-0x000000013F400000-0x000000013F754000-memory.dmp
C:\Windows\system\ovWrWNW.exe
| MD5 | f3d2043b8affaa7dda365e905681c0f0 |
| SHA1 | 552a07764d83b4e0875a802992a1985da8058e80 |
| SHA256 | 8eced4e4cfad21a731a40e85fc91522f0788d9c6df33c44cf0bd49d5229b1dff |
| SHA512 | 78a7f3cba3c581478a401031fd58605846160a793a6cdbf2cdee5cd633be123eb0096e590c11d2830c2ab37c8525ba9d5eacb6d751fa17d07dc17790c512e992 |
memory/2860-140-0x000000013FF20000-0x0000000140274000-memory.dmp
memory/1704-141-0x000000013F400000-0x000000013F754000-memory.dmp
memory/2552-142-0x000000013F400000-0x000000013F754000-memory.dmp
memory/1704-143-0x000000013F680000-0x000000013F9D4000-memory.dmp
memory/2988-144-0x000000013F680000-0x000000013F9D4000-memory.dmp
memory/1704-145-0x00000000023B0000-0x0000000002704000-memory.dmp
memory/288-146-0x000000013F950000-0x000000013FCA4000-memory.dmp
memory/1704-147-0x000000013F230000-0x000000013F584000-memory.dmp
memory/1704-148-0x000000013F370000-0x000000013F6C4000-memory.dmp
memory/2728-149-0x000000013F370000-0x000000013F6C4000-memory.dmp
memory/1672-150-0x000000013F930000-0x000000013FC84000-memory.dmp
memory/3016-151-0x000000013F6C0000-0x000000013FA14000-memory.dmp
memory/2736-152-0x000000013F340000-0x000000013F694000-memory.dmp
memory/1048-153-0x000000013FEA0000-0x00000001401F4000-memory.dmp
memory/2764-154-0x000000013FD50000-0x00000001400A4000-memory.dmp
memory/2680-155-0x000000013F790000-0x000000013FAE4000-memory.dmp
memory/2424-156-0x000000013F190000-0x000000013F4E4000-memory.dmp
memory/2552-157-0x000000013F400000-0x000000013F754000-memory.dmp
memory/2988-158-0x000000013F680000-0x000000013F9D4000-memory.dmp
memory/288-159-0x000000013F950000-0x000000013FCA4000-memory.dmp
memory/2808-160-0x000000013F230000-0x000000013F584000-memory.dmp
memory/2480-161-0x000000013F4A0000-0x000000013F7F4000-memory.dmp
memory/2728-162-0x000000013F370000-0x000000013F6C4000-memory.dmp
memory/2860-163-0x000000013FF20000-0x0000000140274000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-08 20:02
Reported
2024-06-08 20:06
Platform
win10v2004-20240508-en
Max time kernel
126s
Max time network
128s
Command Line
Signatures
xmrig
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-08_fa855a62e2ec82c680fa7a41a08033be_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_fa855a62e2ec82c680fa7a41a08033be_cobalt-strike_cobaltstrike.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4124,i,5711962389779687290,1245653010537220991,262144 --variations-seed-version --mojo-platform-channel-handle=3772 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
memory/536-0-0x00007FF71D840000-0x00007FF71DB94000-memory.dmp