Analysis Overview
SHA256
b08d1158805d1abddb6cec41bf40af7b1164e2f6a54c1d41f01e557c37230628
Threat Level: Known bad
The file 2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike family
Xmrig family
Detects Reflective DLL injection artifacts
xmrig
Cobalt Strike reflective loader
Cobaltstrike
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
UPX packed file
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-10 04:09
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-10 04:09
Reported
2024-06-10 04:12
Platform
win7-20240215-en
Max time kernel
132s
Max time network
143s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System\shHVpKl.exe | N/A |
| N/A | N/A | C:\Windows\System\srTMTyJ.exe | N/A |
| N/A | N/A | C:\Windows\System\LMIlbes.exe | N/A |
| N/A | N/A | C:\Windows\System\LeVAUxt.exe | N/A |
| N/A | N/A | C:\Windows\System\OJEBzxP.exe | N/A |
| N/A | N/A | C:\Windows\System\HlsPfyy.exe | N/A |
| N/A | N/A | C:\Windows\System\wjDyWPo.exe | N/A |
| N/A | N/A | C:\Windows\System\YkUTgJJ.exe | N/A |
| N/A | N/A | C:\Windows\System\qPSpnCz.exe | N/A |
| N/A | N/A | C:\Windows\System\hzyUfRw.exe | N/A |
| N/A | N/A | C:\Windows\System\QzCfvkc.exe | N/A |
| N/A | N/A | C:\Windows\System\YuyZrUN.exe | N/A |
| N/A | N/A | C:\Windows\System\PMRKzSA.exe | N/A |
| N/A | N/A | C:\Windows\System\YAPTYbF.exe | N/A |
| N/A | N/A | C:\Windows\System\vNOmxna.exe | N/A |
| N/A | N/A | C:\Windows\System\brnvSNR.exe | N/A |
| N/A | N/A | C:\Windows\System\IzpjUKd.exe | N/A |
| N/A | N/A | C:\Windows\System\wXIoSVW.exe | N/A |
| N/A | N/A | C:\Windows\System\zxyzwRz.exe | N/A |
| N/A | N/A | C:\Windows\System\iZYYFOy.exe | N/A |
| N/A | N/A | C:\Windows\System\zbdOiVf.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike.exe
C:\Windows\System\shHVpKl.exe
C:\Windows\System\srTMTyJ.exe
C:\Windows\System\LMIlbes.exe
C:\Windows\System\LeVAUxt.exe
C:\Windows\System\OJEBzxP.exe
C:\Windows\System\HlsPfyy.exe
C:\Windows\System\wjDyWPo.exe
C:\Windows\System\YkUTgJJ.exe
C:\Windows\System\qPSpnCz.exe
C:\Windows\System\hzyUfRw.exe
C:\Windows\System\QzCfvkc.exe
C:\Windows\System\YuyZrUN.exe
C:\Windows\System\PMRKzSA.exe
C:\Windows\System\YAPTYbF.exe
C:\Windows\System\vNOmxna.exe
C:\Windows\System\brnvSNR.exe
C:\Windows\System\IzpjUKd.exe
C:\Windows\System\wXIoSVW.exe
C:\Windows\System\zxyzwRz.exe
C:\Windows\System\iZYYFOy.exe
C:\Windows\System\zbdOiVf.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-10 04:09
Reported
2024-06-10 04:12
Platform
win10v2004-20240226-en
Max time kernel
139s
Max time network
160s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System\iGykqmj.exe | N/A |
| N/A | N/A | C:\Windows\System\TunsvIe.exe | N/A |
| N/A | N/A | C:\Windows\System\JBtYJbx.exe | N/A |
| N/A | N/A | C:\Windows\System\bIINYJt.exe | N/A |
| N/A | N/A | C:\Windows\System\gsBfIVm.exe | N/A |
| N/A | N/A | C:\Windows\System\BAZMdDJ.exe | N/A |
| N/A | N/A | C:\Windows\System\NAKVPxY.exe | N/A |
| N/A | N/A | C:\Windows\System\PNIrapP.exe | N/A |
| N/A | N/A | C:\Windows\System\AotCOYA.exe | N/A |
| N/A | N/A | C:\Windows\System\SdCBGbP.exe | N/A |
| N/A | N/A | C:\Windows\System\HymQfSS.exe | N/A |
| N/A | N/A | C:\Windows\System\eJrPguN.exe | N/A |
| N/A | N/A | C:\Windows\System\bFqIdbI.exe | N/A |
| N/A | N/A | C:\Windows\System\LxrCHAg.exe | N/A |
| N/A | N/A | C:\Windows\System\JMBbjol.exe | N/A |
| N/A | N/A | C:\Windows\System\FjNNwhN.exe | N/A |
| N/A | N/A | C:\Windows\System\IgALYyj.exe | N/A |
| N/A | N/A | C:\Windows\System\jsMSkAY.exe | N/A |
| N/A | N/A | C:\Windows\System\mWkIQQu.exe | N/A |
| N/A | N/A | C:\Windows\System\GSEwobt.exe | N/A |
| N/A | N/A | C:\Windows\System\bDTNykW.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-10_4c30c25d9df195fa73ca51612686c3d8_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\iGykqmj.exe
C:\Windows\System\iGykqmj.exe
C:\Windows\System\TunsvIe.exe
C:\Windows\System\TunsvIe.exe
C:\Windows\System\JBtYJbx.exe
C:\Windows\System\JBtYJbx.exe
C:\Windows\System\bIINYJt.exe
C:\Windows\System\bIINYJt.exe
C:\Windows\System\gsBfIVm.exe
C:\Windows\System\gsBfIVm.exe
C:\Windows\System\BAZMdDJ.exe
C:\Windows\System\BAZMdDJ.exe
C:\Windows\System\NAKVPxY.exe
C:\Windows\System\NAKVPxY.exe
C:\Windows\System\PNIrapP.exe
C:\Windows\System\PNIrapP.exe
C:\Windows\System\AotCOYA.exe
C:\Windows\System\AotCOYA.exe
C:\Windows\System\bFqIdbI.exe
C:\Windows\System\bFqIdbI.exe
C:\Windows\System\SdCBGbP.exe
C:\Windows\System\SdCBGbP.exe
C:\Windows\System\HymQfSS.exe
C:\Windows\System\HymQfSS.exe
C:\Windows\System\eJrPguN.exe
C:\Windows\System\eJrPguN.exe
C:\Windows\System\LxrCHAg.exe
C:\Windows\System\LxrCHAg.exe
C:\Windows\System\JMBbjol.exe
C:\Windows\System\JMBbjol.exe
C:\Windows\System\FjNNwhN.exe
C:\Windows\System\FjNNwhN.exe
C:\Windows\System\IgALYyj.exe
C:\Windows\System\IgALYyj.exe
C:\Windows\System\jsMSkAY.exe
C:\Windows\System\jsMSkAY.exe
C:\Windows\System\mWkIQQu.exe
C:\Windows\System\mWkIQQu.exe
C:\Windows\System\GSEwobt.exe
C:\Windows\System\GSEwobt.exe
C:\Windows\System\bDTNykW.exe
C:\Windows\System\bDTNykW.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4240 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| GB | 96.16.110.114:80 | | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 164.189.21.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 13.107.253.64:443 | | tcp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| FR | 142.250.179.106:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 106.179.250.142.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 92.16.208.104.in-addr.arpa | udp |
Files
memory/3080-0-0x00007FF6C5CD0000-0x00007FF6C6024000-memory.dmp
memory/3080-1-0x00000244211A0000-0x00000244211B0000-memory.dmp
C:\Windows\System\iGykqmj.exe
| MD5 | 8f3e042656ca2d15e2d3556b4210d8b8 |
| SHA1 | 84923fde0b209ed9c9e5289d3a522f4d55a282f4 |
| SHA256 | 3a3612ed95f2d16190ca3baec18edd71f2021b9b3329b51803c1be65d27dd725 |
| SHA512 | bb132ca894d52155be5c94160fd924e7e916630bda4147a0b3afeafd4e7f69f853a5e489474590008952145552660c581f521032b0a03bd038f7eb38fb3ff7fe |
memory/1048-8-0x00007FF62A0B0000-0x00007FF62A404000-memory.dmp
C:\Windows\System\TunsvIe.exe
| MD5 | 5509dafdd683d6904709f3a859d7d750 |
| SHA1 | dcafa2654b716ad83fe82b9b34dde528b3035e91 |
| SHA256 | 8ab66799a6ba4ab4cf553be0addf5fa166d15d477cecc14785b3135724a43ce7 |
| SHA512 | c1f353ce29f57b53c27573959f00552510960dfade505c030f994b6a98a1956fd4184b42698a4d8c827122a70b239851adcf0e50fb0eddf68cc3a9045a4d97c9 |
memory/800-14-0x00007FF7C6220000-0x00007FF7C6574000-memory.dmp
C:\Windows\System\JBtYJbx.exe
| MD5 | 62c8a44b95a7e1983c754847cbec6501 |
| SHA1 | ec12ff6489b4b6907409410db381dd6ab5138ace |
| SHA256 | c9e00beee5c29d59c0435065557e64ffef35e5a3faba75842e641be9be948969 |
| SHA512 | d3f4bbec8f7d63377b070fe111cdc23720594a7126e8474af90e8fb51dbc811d40c1c1e9d4f18dda4f9cb4f8a761a597666fcdde79df35f6586ad733332a13fa |
memory/220-20-0x00007FF71B520000-0x00007FF71B874000-memory.dmp
C:\Windows\System\bIINYJt.exe
| MD5 | ce07a533538d80bd815c0f0967fb1dbf |
| SHA1 | dc4b8de84601ae7dd626c9e3f3df4de23c03cb94 |
| SHA256 | 80cab21034fd1e2f31435e622084272f6aef8d590ed61bd086f992290f5b30cc |
| SHA512 | c7b2d0d21fab5511bcea39e04ea3ca162e46f880f0812aa4461af45f37bb0d23e06afdc17e6ad60e1c10e30badb9efa2df7ddf71ea750d5f6b9d77df41836bf7 |
memory/2156-26-0x00007FF78B3C0000-0x00007FF78B714000-memory.dmp
C:\Windows\System\gsBfIVm.exe
| MD5 | 2c9e4d7d7a3e08c35659dfb6ddc73b8b |
| SHA1 | caf2abdd74991ef1932fcb4f20ecff5ee7e06110 |
| SHA256 | 0e58b6c734b30388d54963b6167a4f0336b3e962fdbb10123573a5aa565d3420 |
| SHA512 | 54f765c345591d14d8129f254b5e7633ca3a7ee009124d2b5f60e7b9a154bf0a81c371299b15c979cd0a957215279e39c01b8a1217c66853a7ce662783c50392 |
memory/3568-32-0x00007FF78CFF0000-0x00007FF78D344000-memory.dmp
C:\Windows\System\BAZMdDJ.exe
| MD5 | cf1d4532ce9b1598ebebf5ef5f5cd7ca |
| SHA1 | b2ee9fc6ae0eab0bef84277b5cb071659b5f9d8a |
| SHA256 | 5dd137041bbd388451fa3b3018ea095e622d3f9616ef9a5e9189f3fd6553f21b |
| SHA512 | 166637c6d87511fb068a692a2eb290d5ac9eca8663ccb7f94f424ae67594be6080b24bc82b2cd67c05d73e1cf34c906582428945df353f4162b260fd33303e2a |
memory/3732-38-0x00007FF764510000-0x00007FF764864000-memory.dmp
C:\Windows\System\NAKVPxY.exe
| MD5 | 3cd5b5f9f531a8c99c67a4fef1589415 |
| SHA1 | a06d66b169ababb1208e67f7c7a80f4f7c0cfebb |
| SHA256 | 1698a04cc543045811cdf1c4ab63eecb0c7ed17e3403fa9cf448d6e1ea6daead |
| SHA512 | eb10576a1c7f326b255a5677ca6653a3df1ee671360fd7ddfa478b335344ac158f88574fcbd7893ea753cbc7b5f761d9966e40ca1d06449d71d4a86a4bcc5e28 |
C:\Windows\System\PNIrapP.exe
| MD5 | 947613ad51cd3ad91239a4ea8d2e68fa |
| SHA1 | 5435c7e7e98d20c618efd5236be29a6acc7dd9ba |
| SHA256 | d6784ab251af6e1c5eda272a935ae68c4c4451f5fa64937265fb7ff0d718fb88 |
| SHA512 | bb46c82c53f96fbb8b22c27cc6a4747cdb071b3387ddefb4d33a0a60f91820b9ceb58b535066db927db78b239e2854bbd3bc6a3112058c1f804cc023ee37c404 |
C:\Windows\System\AotCOYA.exe
| MD5 | cf8434e53015f29f67bebe94a6aabf21 |
| SHA1 | 43a48c1189f5b11914d6b95008e44e6f9b3bee0d |
| SHA256 | bf12cfb0901560abcbd446470352fcd87ace7763cc873b971565fd120a4f49a9 |
| SHA512 | 9844392bf13f8cc8dd2e41c3ef6a13efb044fb50f12f19df2c91e147c1174502da0e10252e4c5c13e8299d84daaf0bb86636caa85a754252917570ea3093c08c |
memory/2432-56-0x00007FF634400000-0x00007FF634754000-memory.dmp
C:\Windows\System\SdCBGbP.exe
| MD5 | c3bf8d756603d1c4783bd33606ff8371 |
| SHA1 | 42256bb6559b9d1d05fbcea7f0ae3248f8a1e577 |
| SHA256 | 92553ba4110455a5c8bf7b881c53f6b061bd06c8f076d746af5531c3cb0ded5a |
| SHA512 | 37085c9b72fd3c0c65ad0bb6eba0ec7d11884f094bfcfb1ac514109f3ea4d458f62f97cc36a6ef3572693af0e4e2b60bf733e938b5320203267c1053f0a3f81f |
C:\Windows\System\HymQfSS.exe
| MD5 | c2850bba1540684953609ac7f535b743 |
| SHA1 | 659e1fdd3d53bd7c2af8948990a1a21b00a086ce |
| SHA256 | 335f515fbf4ab4ec4f49fa55edcb093c60b7019659dda87de1a07da8a7a7200b |
| SHA512 | 08dc87195d504b4f71e9d4f506f9adea58f59516dee9245c6ff5e494a4d4c67ff994d5b6be75b2dfdca089e20b53d8cb23d7014597b29056faeb046553c386b2 |
C:\Windows\System\eJrPguN.exe
| MD5 | bc3a81b298f53baec8f01b8c55cf4eec |
| SHA1 | 74dce05e28cacd40b7a0b093f6e0635ef835325c |
| SHA256 | ddc8c87204f186f8fa4a09ba3048f0276ac56c04b6091ac7895405e9879b2036 |
| SHA512 | 4261fdfcf4ad3260d9d0174654d5f8b5de0f511ff01f77d00889c09683606145245ed77b221d7f633c5702f72d25b491dc428759e86c28ac757d9466d8681905 |
C:\Windows\System\bFqIdbI.exe
| MD5 | 785548e0e5157223ca5d336614511fff |
| SHA1 | 911cf5718900c80c4ccaeff80efeddcab52629cb |
| SHA256 | 1923f086e504da9eafc96636ae49e245327a494c12479168a81629c606e233cc |
| SHA512 | 25022405d666a3329523138a7e1a8a0d6574c87af6533dbf1f5852983a5e32f5216551a6efe0139f1bf79426731cd25270f499af496dfc06f269e993a4e59e10 |
C:\Windows\System\LxrCHAg.exe
| MD5 | 6b80e4c4ed7edc6c8f90ef19482507b5 |
| SHA1 | 0845b72f0e25432667cfcb197b891c8fd540689a |
| SHA256 | efb933eab4130786a3bccd628c84718b9d20962e5a2d7273ed214d9af0be7b31 |
| SHA512 | 8a3ec306d91f5fa2458bc38b11287339587c26e5ca4c6e3e5070e239dead776d68d592ed980c63f547fff09e80c06a16c76e959095f8eecff2d242b478124088 |
C:\Windows\System\JMBbjol.exe
| MD5 | cef1e7911b766587fa6f36ac308f55cf |
| SHA1 | c5da13ff02381d59d5105bba6341e3c6da42624d |
| SHA256 | a932da4fb0e2fccd17d992122ea4a4ea975f497e9eb4e5345d6a11fb366d6a95 |
| SHA512 | aa39ba80aa9237e7b509bd9b8f9ce8bd0f0059ac465c3ddd7caa4136ee97d4e3e37b4ae3c00b64286829e2ba30ac06cacf3c4641fb8f29b0f8a0889035ad7b55 |
C:\Windows\System\FjNNwhN.exe
| MD5 | 2605df5d35d37a58f5d5ea88bcc9d523 |
| SHA1 | 2e265a8ec493eca5753b257619f23d2caa35ffc4 |
| SHA256 | 8770fbbb8d81c51f4f8395e2bf39714c7ca2ef3ea06a3b6ddfc5a973240b0dfc |
| SHA512 | 28d6e4f930f9ecd1576d604f981eea64b52e5f06551324f5c2f08ea34864001768b88cadd398e587fe7f6f4911b0dec9f51069c46c58af1c0fc8b2dde48b7acd |
C:\Windows\System\IgALYyj.exe
| MD5 | 5287d67f85f2eb537ef598d8db20e6ab |
| SHA1 | 302b40585cdfe93652784117482dd1f46dea1c22 |
| SHA256 | 60f91f53b0b4213b73df3c33af2742132141ad235e9d6ee881a0f300a59590a4 |
| SHA512 | 51458da86e0594dbfac7ce51d7096caa97862fb423ede71e604c9fd6977fdf1618516301ceb3646cd4a90614a53d9a68d6843bec1df5183aa5799c8c5602da07 |
C:\Windows\System\jsMSkAY.exe
| MD5 | ae6afaa32912b70bdcc84f0b7d34779b |
| SHA1 | 908e9b06f766fd97b706977e8d6e30e619d62a85 |
| SHA256 | 6a33aad948c4d1e8237b9ea3a55d59ff87989786a97e3cd54b6db72419361f2b |
| SHA512 | 116a19cd752409175790e0166677c426735e6a14833a9c3ac4af4bc0f3135bfdf15116624b40d148ccfc742054bbe174c8d9c7aad1e4c775098146b7a97491c0 |
C:\Windows\System\mWkIQQu.exe
| MD5 | b6978e33b5fdb1a9afa9e93dc3e7ee42 |
| SHA1 | 2f04ec6e321acb2d3239705e35a16dd2d34b3824 |
| SHA256 | 99b6a84058da4904e544858783f233551821ba5807a7b64ee6d24414e44bee8f |
| SHA512 | 58233a4f4ee8ea68b5ddf91c952de4ec9c887b6dcbeb274ef73e28333f6212a41a129c96ad6920fb0cdd26c5d8b0dbc7c44b00f559660f783442149363884327 |
memory/4268-104-0x00007FF7FA6D0000-0x00007FF7FAA24000-memory.dmp
C:\Windows\System\GSEwobt.exe
| MD5 | 8c70aa70071054f97c01052aaf940466 |
| SHA1 | 0dad8414eb35d87415918a765779acef903c7811 |
| SHA256 | 8f01ea63dc99d525e2cba7f2b5a61c4c534b3f7a4c0dc03519faed1db96c9508 |
| SHA512 | e42f5bf534a402f2b5d56e4cf5f6ceb2bc03eba83fa35d76866660e7b0a455edd2d200c7d5a0e1285484f61e881588d65e0d30e2401fa3814f614165992bec1b |
memory/4296-121-0x00007FF68A870000-0x00007FF68ABC4000-memory.dmp
memory/4528-126-0x00007FF74C3C0000-0x00007FF74C714000-memory.dmp
memory/4088-127-0x00007FF605860000-0x00007FF605BB4000-memory.dmp
memory/1144-125-0x00007FF6C4E90000-0x00007FF6C51E4000-memory.dmp
memory/3068-124-0x00007FF709750000-0x00007FF709AA4000-memory.dmp
memory/1576-122-0x00007FF66CBB0000-0x00007FF66CF04000-memory.dmp
memory/1624-120-0x00007FF74B8E0000-0x00007FF74BC34000-memory.dmp
C:\Windows\System\bDTNykW.exe
| MD5 | b18155232f5a5bc3e2d0b00051cd8807 |
| SHA1 | 3641d603139313c08f4383be46ee5f9a5bdc71d6 |
| SHA256 | f8f6978807169dc2b05026a3713c2e994e17d5a8af456050854fe7705b0c4f34 |
| SHA512 | 8b4bd753021a2fdbe665be73dc968f12e88d81c8ab8ec7395bb132993b42b457ac7eb0bf2f48a5630629fe1936613aaa12be0f7e66aff704726634a50d1764a7 |
memory/2044-115-0x00007FF6D3010000-0x00007FF6D3364000-memory.dmp
memory/3420-114-0x00007FF69CE40000-0x00007FF69D194000-memory.dmp
memory/4116-108-0x00007FF672960000-0x00007FF672CB4000-memory.dmp
memory/3556-107-0x00007FF67F1C0000-0x00007FF67F514000-memory.dmp
memory/4828-103-0x00007FF72D870000-0x00007FF72DBC4000-memory.dmp
memory/1704-97-0x00007FF6E5B70000-0x00007FF6E5EC4000-memory.dmp