Malware Analysis Report

2024-10-16 03:05

Sample ID 240610-ey8j7sca7v
Target 2024-06-10_02b6c70c71381a6ecc3b0ff77184f6ca_cobalt-strike_cobaltstrike
SHA256 aa9e70fd3330beb031d02af944a608913de60ae79bad55855858f6ab6580d309
Tags
xmrig miner upx cobaltstrike
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

aa9e70fd3330beb031d02af944a608913de60ae79bad55855858f6ab6580d309

Threat Level: Known bad

The file 2024-06-10_02b6c70c71381a6ecc3b0ff77184f6ca_cobalt-strike_cobaltstrike was found to be: Known bad.

Reading the verdict: the "cobalt-strike" label in the sample name and the Cobalt Strike reflective-loader signatures come only from the static pass (static1), which matched reflective-DLL loader artifacts; the dynamic run (behavioral2) raised none of them. What the dynamic run does show is cryptominer behaviour: the process requests SeLockMemoryPrivilege (the privilege XMRig needs to enable large pages for its hashing dataset), drops 21 randomly named executables into C:\Windows\System, writes into the memory of each child it starts, and repeatedly connects to 3.120.209.58:8080. Treat the sample as an XMRig miner carrying a reflective-loader stub, and hunt on the dropped-file digests and that endpoint; this report contains no Cobalt Strike beacon configuration or C2 indicators.

Malicious Activity Summary

Tags: xmrig miner upx cobaltstrike

Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
Xmrig family
XMRig Miner payload
UPX dump on OEP (original entry point)
UPX packed file
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-10 04:25

Signatures

Static signatures only; no indicator, process or target details were captured for any of them (all columns N/A).

Cobalt Strike reflective loader
Cobaltstrike family (tag: cobaltstrike)
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload (tag: miner)
Xmrig family (tag: xmrig)
UPX packed file (tag: upx)
Unsigned PE

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-10 04:22

Reported

2024-06-10 04:41

Platform

win10v2004-20240508-en

Max time kernel

134s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-10_02b6c70c71381a6ecc3b0ff77184f6ca_cobalt-strike_cobaltstrike.exe"

Signatures

xmrig (tags: miner xmrig)

UPX dump on OEP (original entry point): 8 hits; indicator, process and target columns not captured (N/A)

XMRig Miner payload (tag: miner): 26 hits; indicator, process and target columns not captured (N/A)

UPX packed file (tag: upx): 64 hits; indicator, process and target columns not captured (N/A)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\vNdCMnq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_02b6c70c71381a6ecc3b0ff77184f6ca_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\eGeHsoE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_02b6c70c71381a6ecc3b0ff77184f6ca_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\aPwvZoG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_02b6c70c71381a6ecc3b0ff77184f6ca_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\TgZnhhg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_02b6c70c71381a6ecc3b0ff77184f6ca_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\PThnaVG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_02b6c70c71381a6ecc3b0ff77184f6ca_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fdmkQFL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_02b6c70c71381a6ecc3b0ff77184f6ca_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\IJTUrbB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_02b6c70c71381a6ecc3b0ff77184f6ca_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fMHdyLO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_02b6c70c71381a6ecc3b0ff77184f6ca_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hqhmkkm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_02b6c70c71381a6ecc3b0ff77184f6ca_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kScZLRu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_02b6c70c71381a6ecc3b0ff77184f6ca_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uDqyBQn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_02b6c70c71381a6ecc3b0ff77184f6ca_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\jNTRXQa.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_02b6c70c71381a6ecc3b0ff77184f6ca_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\irKUmZE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_02b6c70c71381a6ecc3b0ff77184f6ca_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fflYVjl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_02b6c70c71381a6ecc3b0ff77184f6ca_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rNHqFUw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_02b6c70c71381a6ecc3b0ff77184f6ca_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\BOSBujS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_02b6c70c71381a6ecc3b0ff77184f6ca_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\fyownSg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_02b6c70c71381a6ecc3b0ff77184f6ca_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\XlUUFvn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_02b6c70c71381a6ecc3b0ff77184f6ca_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\pmeqENH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_02b6c70c71381a6ecc3b0ff77184f6ca_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\QpVnTtW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_02b6c70c71381a6ecc3b0ff77184f6ca_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\sbtsiSQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-10_02b6c70c71381a6ecc3b0ff77184f6ca_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_02b6c70c71381a6ecc3b0ff77184f6ca_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_02b6c70c71381a6ecc3b0ff77184f6ca_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2216 wrote to memory of 4384 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_02b6c70c71381a6ecc3b0ff77184f6ca_cobalt-strike_cobaltstrike.exe C:\Windows\System\jNTRXQa.exe
PID 2216 wrote to memory of 4384 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_02b6c70c71381a6ecc3b0ff77184f6ca_cobalt-strike_cobaltstrike.exe C:\Windows\System\jNTRXQa.exe
PID 2216 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_02b6c70c71381a6ecc3b0ff77184f6ca_cobalt-strike_cobaltstrike.exe C:\Windows\System\vNdCMnq.exe
PID 2216 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_02b6c70c71381a6ecc3b0ff77184f6ca_cobalt-strike_cobaltstrike.exe C:\Windows\System\vNdCMnq.exe
PID 2216 wrote to memory of 3860 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_02b6c70c71381a6ecc3b0ff77184f6ca_cobalt-strike_cobaltstrike.exe C:\Windows\System\fyownSg.exe
PID 2216 wrote to memory of 3860 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_02b6c70c71381a6ecc3b0ff77184f6ca_cobalt-strike_cobaltstrike.exe C:\Windows\System\fyownSg.exe
PID 2216 wrote to memory of 3116 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_02b6c70c71381a6ecc3b0ff77184f6ca_cobalt-strike_cobaltstrike.exe C:\Windows\System\XlUUFvn.exe
PID 2216 wrote to memory of 3116 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_02b6c70c71381a6ecc3b0ff77184f6ca_cobalt-strike_cobaltstrike.exe C:\Windows\System\XlUUFvn.exe
PID 2216 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_02b6c70c71381a6ecc3b0ff77184f6ca_cobalt-strike_cobaltstrike.exe C:\Windows\System\fdmkQFL.exe
PID 2216 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_02b6c70c71381a6ecc3b0ff77184f6ca_cobalt-strike_cobaltstrike.exe C:\Windows\System\fdmkQFL.exe
PID 2216 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_02b6c70c71381a6ecc3b0ff77184f6ca_cobalt-strike_cobaltstrike.exe C:\Windows\System\pmeqENH.exe
PID 2216 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_02b6c70c71381a6ecc3b0ff77184f6ca_cobalt-strike_cobaltstrike.exe C:\Windows\System\pmeqENH.exe
PID 2216 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_02b6c70c71381a6ecc3b0ff77184f6ca_cobalt-strike_cobaltstrike.exe C:\Windows\System\irKUmZE.exe
PID 2216 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_02b6c70c71381a6ecc3b0ff77184f6ca_cobalt-strike_cobaltstrike.exe C:\Windows\System\irKUmZE.exe
PID 2216 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_02b6c70c71381a6ecc3b0ff77184f6ca_cobalt-strike_cobaltstrike.exe C:\Windows\System\IJTUrbB.exe
PID 2216 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_02b6c70c71381a6ecc3b0ff77184f6ca_cobalt-strike_cobaltstrike.exe C:\Windows\System\IJTUrbB.exe
PID 2216 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_02b6c70c71381a6ecc3b0ff77184f6ca_cobalt-strike_cobaltstrike.exe C:\Windows\System\fMHdyLO.exe
PID 2216 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_02b6c70c71381a6ecc3b0ff77184f6ca_cobalt-strike_cobaltstrike.exe C:\Windows\System\fMHdyLO.exe
PID 2216 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_02b6c70c71381a6ecc3b0ff77184f6ca_cobalt-strike_cobaltstrike.exe C:\Windows\System\eGeHsoE.exe
PID 2216 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_02b6c70c71381a6ecc3b0ff77184f6ca_cobalt-strike_cobaltstrike.exe C:\Windows\System\eGeHsoE.exe
PID 2216 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_02b6c70c71381a6ecc3b0ff77184f6ca_cobalt-strike_cobaltstrike.exe C:\Windows\System\fflYVjl.exe
PID 2216 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_02b6c70c71381a6ecc3b0ff77184f6ca_cobalt-strike_cobaltstrike.exe C:\Windows\System\fflYVjl.exe
PID 2216 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_02b6c70c71381a6ecc3b0ff77184f6ca_cobalt-strike_cobaltstrike.exe C:\Windows\System\hqhmkkm.exe
PID 2216 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_02b6c70c71381a6ecc3b0ff77184f6ca_cobalt-strike_cobaltstrike.exe C:\Windows\System\hqhmkkm.exe
PID 2216 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_02b6c70c71381a6ecc3b0ff77184f6ca_cobalt-strike_cobaltstrike.exe C:\Windows\System\kScZLRu.exe
PID 2216 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_02b6c70c71381a6ecc3b0ff77184f6ca_cobalt-strike_cobaltstrike.exe C:\Windows\System\kScZLRu.exe
PID 2216 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_02b6c70c71381a6ecc3b0ff77184f6ca_cobalt-strike_cobaltstrike.exe C:\Windows\System\rNHqFUw.exe
PID 2216 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_02b6c70c71381a6ecc3b0ff77184f6ca_cobalt-strike_cobaltstrike.exe C:\Windows\System\rNHqFUw.exe
PID 2216 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_02b6c70c71381a6ecc3b0ff77184f6ca_cobalt-strike_cobaltstrike.exe C:\Windows\System\uDqyBQn.exe
PID 2216 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_02b6c70c71381a6ecc3b0ff77184f6ca_cobalt-strike_cobaltstrike.exe C:\Windows\System\uDqyBQn.exe
PID 2216 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_02b6c70c71381a6ecc3b0ff77184f6ca_cobalt-strike_cobaltstrike.exe C:\Windows\System\QpVnTtW.exe
PID 2216 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_02b6c70c71381a6ecc3b0ff77184f6ca_cobalt-strike_cobaltstrike.exe C:\Windows\System\QpVnTtW.exe
PID 2216 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_02b6c70c71381a6ecc3b0ff77184f6ca_cobalt-strike_cobaltstrike.exe C:\Windows\System\aPwvZoG.exe
PID 2216 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_02b6c70c71381a6ecc3b0ff77184f6ca_cobalt-strike_cobaltstrike.exe C:\Windows\System\aPwvZoG.exe
PID 2216 wrote to memory of 3216 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_02b6c70c71381a6ecc3b0ff77184f6ca_cobalt-strike_cobaltstrike.exe C:\Windows\System\TgZnhhg.exe
PID 2216 wrote to memory of 3216 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_02b6c70c71381a6ecc3b0ff77184f6ca_cobalt-strike_cobaltstrike.exe C:\Windows\System\TgZnhhg.exe
PID 2216 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_02b6c70c71381a6ecc3b0ff77184f6ca_cobalt-strike_cobaltstrike.exe C:\Windows\System\BOSBujS.exe
PID 2216 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_02b6c70c71381a6ecc3b0ff77184f6ca_cobalt-strike_cobaltstrike.exe C:\Windows\System\BOSBujS.exe
PID 2216 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_02b6c70c71381a6ecc3b0ff77184f6ca_cobalt-strike_cobaltstrike.exe C:\Windows\System\sbtsiSQ.exe
PID 2216 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_02b6c70c71381a6ecc3b0ff77184f6ca_cobalt-strike_cobaltstrike.exe C:\Windows\System\sbtsiSQ.exe
PID 2216 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_02b6c70c71381a6ecc3b0ff77184f6ca_cobalt-strike_cobaltstrike.exe C:\Windows\System\PThnaVG.exe
PID 2216 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-10_02b6c70c71381a6ecc3b0ff77184f6ca_cobalt-strike_cobaltstrike.exe C:\Windows\System\PThnaVG.exe
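The drop-and-inject pattern in the two tables above (21 "File created" rows into C:\Windows\System, each followed by a pair of WriteProcessMemory events from PID 2216 into the newly started child) is what a detection should key on, rather than any single file name. The following Python is an added example and is not part of the sandbox report or its tooling: it parses rows in the report's own row format (three drop/write pairs copied from the tables above serve as constructed input), correlates each dropped path with the child process that was written to, and flags the run when several randomly named executables under C:\Windows\System are both dropped and injected into. The seven-letter name heuristic and the minimum-hit threshold are assumptions chosen for this sample, not fields of the report.

```python
"""Correlate 'File created' and 'wrote to memory' rows from a sandbox report into
drop-then-inject chains and flag randomly named executables under C:\\Windows\\System."""
import re
from collections import defaultdict

PARENT = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-06-10_02b6c70c71381a6ecc3b0ff77184f6ca_cobalt-strike_cobaltstrike.exe")

# Constructed input: three drops and their matching write events, copied from the
# behavioral2 signature tables (the full report has 21 such drop/write pairs).
FILE_ROWS = [
    f"File created C:\\Windows\\System\\vNdCMnq.exe {PARENT} N/A",
    f"File created C:\\Windows\\System\\eGeHsoE.exe {PARENT} N/A",
    f"File created C:\\Windows\\System\\jNTRXQa.exe {PARENT} N/A",
]
WPM_ROWS = [
    f"PID 2216 wrote to memory of 4384 N/A {PARENT} C:\\Windows\\System\\jNTRXQa.exe",
    f"PID 2216 wrote to memory of 4384 N/A {PARENT} C:\\Windows\\System\\jNTRXQa.exe",
    f"PID 2216 wrote to memory of 2180 N/A {PARENT} C:\\Windows\\System\\vNdCMnq.exe",
    f"PID 2216 wrote to memory of 2180 N/A {PARENT} C:\\Windows\\System\\vNdCMnq.exe",
    f"PID 2216 wrote to memory of 2880 N/A {PARENT} C:\\Windows\\System\\eGeHsoE.exe",
    f"PID 2216 wrote to memory of 2880 N/A {PARENT} C:\\Windows\\System\\eGeHsoE.exe",
]

FILE_RE = re.compile(r"^File created (\S+) (\S+) \S+$")
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \S+ (\S+) (\S+)$")
# Heuristic (assumption): exactly seven ASCII letters directly under C:\Windows\System,
# the legacy directory rather than System32, where legitimate new executables are rare.
RANDOM_NAME_RE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)


def parse_drops(rows):
    """Map dropped path -> image of the process that created it."""
    drops = {}
    for row in rows:
        m = FILE_RE.match(row)
        if m:
            drops[m.group(1)] = m.group(2)
    return drops


def parse_writes(rows):
    """Map target image -> source PID, target PID and number of write events."""
    writes = defaultdict(lambda: {"src": None, "dst": None, "count": 0})
    for row in rows:
        m = WPM_RE.match(row)
        if not m:
            continue
        src, dst, _source_image, target = m.groups()
        entry = writes[target]
        entry.update(src=int(src), dst=int(dst))
        entry["count"] += 1
    return dict(writes)


def correlate(file_rows, wpm_rows):
    """One record per dropped file: who dropped it, whether the dropper then wrote
    into a process running it, and whether its name fits the random pattern."""
    drops = parse_drops(file_rows)
    writes = parse_writes(wpm_rows)
    chain = []
    for path, dropper in drops.items():
        w = writes.get(path)
        chain.append({
            "path": path,
            "dropped_by": dropper,
            "random_name": bool(RANDOM_NAME_RE.match(path)),
            "injected": w is not None,
            "child_pid": w["dst"] if w else None,
            "write_events": w["count"] if w else 0,
        })
    return chain


def verdict(chain, min_hits=3):
    """Flag a drop-and-inject fan-out: at least min_hits dropped files that are both
    randomly named and written into by the dropper. Returns (flagged, hits)."""
    hits = [c for c in chain if c["random_name"] and c["injected"]]
    return len(hits) >= min_hits, hits


if __name__ == "__main__":
    flagged, hits = verdict(correlate(FILE_ROWS, WPM_ROWS))
    print("flagged" if flagged else "clean", [h["path"] for h in hits])
```

On the full report the same parser yields 21 records, every one of them random-named and injected; a legitimate installer that drops signed components under Program Files with descriptive names scores zero on both criteria, which is why the two conditions are required together rather than either alone.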

Processes

Image path (command line shown where it differs from the path)

C:\Users\Admin\AppData\Local\Temp\2024-06-10_02b6c70c71381a6ecc3b0ff77184f6ca_cobalt-strike_cobaltstrike.exe
  "C:\Users\Admin\AppData\Local\Temp\2024-06-10_02b6c70c71381a6ecc3b0ff77184f6ca_cobalt-strike_cobaltstrike.exe"

The 21 dropped executables below were each started with a command line identical to their image path, in the same order as the WriteProcessMemory table:

C:\Windows\System\jNTRXQa.exe
C:\Windows\System\vNdCMnq.exe
C:\Windows\System\fyownSg.exe
C:\Windows\System\XlUUFvn.exe
C:\Windows\System\fdmkQFL.exe
C:\Windows\System\pmeqENH.exe
C:\Windows\System\irKUmZE.exe
C:\Windows\System\IJTUrbB.exe
C:\Windows\System\fMHdyLO.exe
C:\Windows\System\eGeHsoE.exe
C:\Windows\System\fflYVjl.exe
C:\Windows\System\hqhmkkm.exe
C:\Windows\System\kScZLRu.exe
C:\Windows\System\rNHqFUw.exe
C:\Windows\System\uDqyBQn.exe
C:\Windows\System\QpVnTtW.exe
C:\Windows\System\aPwvZoG.exe
C:\Windows\System\TgZnhhg.exe
C:\Windows\System\BOSBujS.exe
C:\Windows\System\sbtsiSQ.exe
C:\Windows\System\PThnaVG.exe

Network

Country  Destination         Domain                         Proto
US       8.8.8.8:53          58.55.71.13.in-addr.arpa       udp
US       8.8.8.8:53          144.107.17.2.in-addr.arpa      udp
DE       3.120.209.58:8080   -                              tcp
US       8.8.8.8:53          133.32.126.40.in-addr.arpa     udp
US       8.8.8.8:53          13.86.106.20.in-addr.arpa      udp
US       8.8.8.8:53          149.220.183.52.in-addr.arpa    udp
DE       3.120.209.58:8080   -                              tcp
US       8.8.8.8:53          86.23.85.13.in-addr.arpa       udp
US       8.8.8.8:53          198.187.3.20.in-addr.arpa      udp
US       8.8.8.8:53          31.251.17.2.in-addr.arpa       udp
DE       3.120.209.58:8080   -                              tcp
DE       3.120.209.58:8080   -                              tcp
US       8.8.8.8:53          30.243.111.52.in-addr.arpa     udp
DE       3.120.209.58:8080   -                              tcp
DE       3.120.209.58:8080   -                              tcp

Note: the UDP rows are reverse (PTR) lookups sent to the sandbox's resolver for addresses in ranges commonly used by Microsoft and Azure services (13.x, 20.x, 40.126.x, 52.x) and by CDNs (2.17.x); a Windows 10 guest generates such lookups on its own, so they should not be attributed to the sample. The six TCP connections to 3.120.209.58:8080 are the only outbound traffic attributable to the sample and are the network indicator to hunt. No payload or protocol was captured, so whether that endpoint is a mining pool, a proxy or a C2 server is not established by this report.

Files

How to read this list: entries of the form memory/<pid>-<seq>-<start>-<end>-memory.dmp are memory regions dumped from the named PID. Apart from the small 0x10000-byte region memory/2216-1, every region below spans exactly 0x354000 bytes, the same size as the parent's image region memory/2216-0, which is consistent with each dropped child running the same unpacked payload. Four dropped paths (jNTRXQa.exe, fdmkQFL.exe, fyownSg.exe, vNdCMnq.exe) appear twice with different digests: the sandbox captured two versions of the file content during the run, so hunt on both digests for those paths rather than assuming either one is canonical.

memory/2216-0-0x00007FF623FA0000-0x00007FF6242F4000-memory.dmp

memory/2216-1-0x00000270DDAC0000-0x00000270DDAD0000-memory.dmp

C:\Windows\System\jNTRXQa.exe

MD5 2c29c56557704a5af675ac862b6acadc
SHA1 8095e9a472d534a6ef5dc3ab384273149ae12d48
SHA256 ad78076137bb51fd4326f7a646d70c5d984effb3c1176184b92e2481afe8ee9d
SHA512 f76c7cafe7089612bd2c5136e03dfbe423618b3b68e64692820e5dfa2eb3d816fbca1bfa4bd5be14823ba5172f77c777b526463c4d46646574bc76ae1535f049

C:\Windows\System\jNTRXQa.exe

MD5 4a486a2a371d8db348dc0ad03e9fd9f0
SHA1 edd912c5d606628022dc3216eaf2db7c93554ff7
SHA256 93ebf2ea35e05e71e9c9884bcb76799c1b9f2b81bf8decfe1ec83807b911916b
SHA512 deb1d7cb48c961fa18e748db8dfc9769c6fcedd4b7a26b044181e535fbdb31d7ead7b8ae69fab463473bcf0bbda0affdeecb9deffc51a89c74001f68a98bf60b

memory/4384-6-0x00007FF77CCE0000-0x00007FF77D034000-memory.dmp

C:\Windows\System\vNdCMnq.exe

MD5 1d3a027708a48a3c73a911f7d1532fca
SHA1 f960fd40bf0cf951600c386a6a9501a01e54ab51
SHA256 f4e703d98029a56b7200ca63aefb85a455d5792cd9407b54a0dc1c4762419eda
SHA512 4c0f2e25c98d407f27d4b0d85d2fe06ea754e657bc939feb907f00109c3d9db11707e7ca2d3e02171201afd527ee2b1673e434c274c030dde555dbb27b53e539

C:\Windows\System\fyownSg.exe

MD5 3c90c2f250bb2f2a0b2b0d84a76d90b6
SHA1 592a1c403bcca9367301fdd6d0053ffa966d8139
SHA256 e9b77f7f68ca67c5dc06c5e8b359f5015816a8801f1224c2364438564dc0400b
SHA512 977c97219518fa48470c706578f56d23105ee7200ba44a555f72794ca4a9281e65da64b5957db1f96a5505e08bf9e5880f1f0c0b5ddb70d27e7596c5d32ddac0

memory/3116-26-0x00007FF7BFF00000-0x00007FF7C0254000-memory.dmp

C:\Windows\System\XlUUFvn.exe

MD5 2ce606c8914a93e8099fbe79f858cddb
SHA1 84c0492537801d7a093e26e19cf4c331d45e34b2
SHA256 123e1b5c54e74a2b85d791a13a70a807b17f0be8051243b35346e4af6c8b27c2
SHA512 5c6486fc06f9adfce629555823737332bd9e3943d8602dcb566f7345f3dff87a1c5a388aa2d15d323ec818fa1361cdde0489ac6ee08baef5228473de98fc73bd

C:\Windows\System\fdmkQFL.exe

MD5 d97939e7759d9307f9eaf0d8918eba95
SHA1 12c61fef52f0fd06026becd4921bdb4f54b880b5
SHA256 c2a8fd656ce934ba0938d6b9d21954c48c0b2661eda466f5c4e9be62e4c2f657
SHA512 29000522b29d463094669a814e5ab09084f3920f905f01bb0c9ca85deb9c75d2cf18f8b81d5ac7b82427975dd12de0dac245946fcf8aba34f067f41d3147fb6f

C:\Windows\System\fdmkQFL.exe

MD5 6207c08555e637186de329c9179e16d9
SHA1 09098b1d2cbfb2ab317439f6c4fc0121d5b8f70a
SHA256 90e60744ec9da51fba847be626db348bca6bdaf98ac91b116446f5b42433003b
SHA512 a17015ce5be9dbe107f45a5361c78d0722d3574d1684f1ab5a78044304a8f13b281179a8bde4be29c0529678da2d8332817db568d46fd1e81541274c1a2a6ea7

C:\Windows\System\pmeqENH.exe

MD5 0642442db4acbbfb6037e06789624264
SHA1 923aee440a6887c7a7a8a78085aa492b2cdcee65
SHA256 5d6249e3d37c32c515e6f20e0771180c7b51c791102dfffe39e4510d623eda85
SHA512 7fc8231c299b64743a966130c519362217b11d421c0ccc65ca7c97570221449b6e5bd90caefa97b416470db36fac07c3f48ea41836b395ab190e6121598e88a1

C:\Windows\System\irKUmZE.exe

MD5 327dd6244bc5f8a28d919977455d4a3a
SHA1 1227318bb74fac692f09688ef46f2e1fdc4688df
SHA256 7f87235e9ff264ea8e583dd5846e8ce41e0a86ad67d01a118f2f4135dcd49070
SHA512 710348371b5f71434f9bb302cc0513d9765052911ad10a69fe54633ca83755ccf7c1d0790bf348b05758afe35b97ff25f18d6c09faf8d5a0dcfe7d97235f0ffb

memory/2880-62-0x00007FF6D0CF0000-0x00007FF6D1044000-memory.dmp

C:\Windows\System\fflYVjl.exe

MD5 25b25d8a5d9f5e91f4e29c4bd80f79b0
SHA1 6163cad571ac0c2a92bf519045d228f0fa399d62
SHA256 c0beebd54fe3af297d5eaba7163c540fc8e2fbe774b8729877e642c557809db1
SHA512 683e3eaf5beccba6f2c27dab404c04e768614bbfef91c61fb270063222b4e548944bdbc8e86fdc8b7f4335212b6f4feaa951a2d481f55ed336d100e7e5f3b6c8

memory/4624-70-0x00007FF62E7D0000-0x00007FF62EB24000-memory.dmp

C:\Windows\System\rNHqFUw.exe

MD5 7ce4ba1725e83a50f64ba525f8815dcf
SHA1 b1714a2d23cfc42c18c37e1546ac0908d8252c04
SHA256 9f7e171000696500dfb6a966f2c3ddf12dc1a77b8276ef660f14f7b7188d2908
SHA512 2dff777f276295d96892e5749316e2e8892ba50f8398f9972ecc2f6e5378213e3cdd31c7c6ab8360d3490d1ec9e77be4e73ac137e108b2eddff2feaaf600be19

C:\Windows\System\uDqyBQn.exe

MD5 711965c0ed770375b388ea9b5ea57c70
SHA1 21f7ffc0c96b29ee6bc8176dc97f6fd049d110a2
SHA256 c07d701eb04ab4f8699484a3bd23da869373ffe5abb89855dad47bf019625666
SHA512 1805d8628649a043140bc3aafe1e7909e2e2c4d13967ba772fc49046b58f359c9204953c678c902e0a7afe7ca922f35fcfea6266309db91efb45c72ff619c428

memory/2096-98-0x00007FF6F9FE0000-0x00007FF6FA334000-memory.dmp

memory/3116-114-0x00007FF7BFF00000-0x00007FF7C0254000-memory.dmp

memory/4496-128-0x00007FF62C760000-0x00007FF62CAB4000-memory.dmp

memory/336-130-0x00007FF704500000-0x00007FF704854000-memory.dmp

memory/1580-125-0x00007FF73FDB0000-0x00007FF740104000-memory.dmp

memory/3216-120-0x00007FF783900000-0x00007FF783C54000-memory.dmp

memory/1816-117-0x00007FF626B30000-0x00007FF626E84000-memory.dmp

memory/1060-133-0x00007FF6BAFD0000-0x00007FF6BB324000-memory.dmp

memory/5104-104-0x00007FF605640000-0x00007FF605994000-memory.dmp

memory/3860-100-0x00007FF72BE90000-0x00007FF72C1E4000-memory.dmp

memory/2692-91-0x00007FF7915E0000-0x00007FF791934000-memory.dmp

memory/2180-89-0x00007FF7AFED0000-0x00007FF7B0224000-memory.dmp

memory/1372-84-0x00007FF623330000-0x00007FF623684000-memory.dmp

memory/4384-81-0x00007FF77CCE0000-0x00007FF77D034000-memory.dmp

memory/1704-75-0x00007FF6E3380000-0x00007FF6E36D4000-memory.dmp

memory/2216-74-0x00007FF623FA0000-0x00007FF6242F4000-memory.dmp

memory/3680-67-0x00007FF63C850000-0x00007FF63CBA4000-memory.dmp

memory/1468-59-0x00007FF6B7500000-0x00007FF6B7854000-memory.dmp

C:\Windows\System\eGeHsoE.exe

MD5 6b5887af4274a78686a788865765637c
SHA1 5afc15e6fcbc11377bbabbda47ff43f6ebedd369
SHA256 ecdfed9bc02368fefbebe0d02090e93826b7e5cc1043e339dd245299c8b23006
SHA512 4f563e539f8ec68bbc27d4cc59c42ea4897bb131085e08433f745cc558ab7a030701a601ddb711cda19dfa6cd9086b458fb74762092be15aaa4190c05134d077

memory/1176-46-0x00007FF6016B0000-0x00007FF601A04000-memory.dmp

memory/3448-38-0x00007FF760A70000-0x00007FF760DC4000-memory.dmp

memory/1580-32-0x00007FF73FDB0000-0x00007FF740104000-memory.dmp

C:\Windows\System\fyownSg.exe

MD5 cefe7ebbcbdc6a5e5023e2ad8530b25b
SHA1 6e0d7ab1a6ddd7ee739d050791a70816c80e15a8
SHA256 6ab2207c199b9f50a07b7695194b47a621541e0d37d9b22f0438e67dcb93d475
SHA512 93f98af6631d01c751345fac9f47be26cfbc75dd9db0dd1fbd6fa2e5834aa5211f8d199ade4392a702dd45e08ec6d96b6b5fac0e6e70a1f9a03484c2b65fa844

memory/3860-18-0x00007FF72BE90000-0x00007FF72C1E4000-memory.dmp

C:\Windows\System\vNdCMnq.exe

MD5 d872631fef320bcfe95799f5b4c466cb
SHA1 451a1400f207f69d35ba907e243aed76879dcd2c
SHA256 2c35d06862247b330fc3f8d9e6af582fea555fda1909ac568685a45fc440b438
SHA512 2386867492e72b11ef633226d6bd8e4694f30ef287e4120da56c256823abf746800962069c455536682137d30dfdae1f3be9dfc70d5390788973809462de138d

memory/2180-12-0x00007FF7AFED0000-0x00007FF7B0224000-memory.dmp

memory/4624-134-0x00007FF62E7D0000-0x00007FF62EB24000-memory.dmp

memory/2096-135-0x00007FF6F9FE0000-0x00007FF6FA334000-memory.dmp

memory/5104-137-0x00007FF605640000-0x00007FF605994000-memory.dmp

memory/2692-136-0x00007FF7915E0000-0x00007FF791934000-memory.dmp

memory/336-138-0x00007FF704500000-0x00007FF704854000-memory.dmp

memory/1060-139-0x00007FF6BAFD0000-0x00007FF6BB324000-memory.dmp

memory/4384-140-0x00007FF77CCE0000-0x00007FF77D034000-memory.dmp

memory/2180-141-0x00007FF7AFED0000-0x00007FF7B0224000-memory.dmp

memory/3860-142-0x00007FF72BE90000-0x00007FF72C1E4000-memory.dmp

memory/3116-143-0x00007FF7BFF00000-0x00007FF7C0254000-memory.dmp

memory/1580-144-0x00007FF73FDB0000-0x00007FF740104000-memory.dmp

memory/3448-145-0x00007FF760A70000-0x00007FF760DC4000-memory.dmp

memory/1176-146-0x00007FF6016B0000-0x00007FF601A04000-memory.dmp

memory/1468-147-0x00007FF6B7500000-0x00007FF6B7854000-memory.dmp

memory/3680-148-0x00007FF63C850000-0x00007FF63CBA4000-memory.dmp

memory/2880-149-0x00007FF6D0CF0000-0x00007FF6D1044000-memory.dmp

memory/1704-151-0x00007FF6E3380000-0x00007FF6E36D4000-memory.dmp

memory/1372-152-0x00007FF623330000-0x00007FF623684000-memory.dmp

memory/4624-150-0x00007FF62E7D0000-0x00007FF62EB24000-memory.dmp

memory/2692-153-0x00007FF7915E0000-0x00007FF791934000-memory.dmp

memory/2096-154-0x00007FF6F9FE0000-0x00007FF6FA334000-memory.dmp

memory/5104-155-0x00007FF605640000-0x00007FF605994000-memory.dmp

memory/1816-156-0x00007FF626B30000-0x00007FF626E84000-memory.dmp

memory/3216-157-0x00007FF783900000-0x00007FF783C54000-memory.dmp

memory/4496-158-0x00007FF62C760000-0x00007FF62CAB4000-memory.dmp

memory/336-159-0x00007FF704500000-0x00007FF704854000-memory.dmp

memory/1060-160-0x00007FF6BAFD0000-0x00007FF6BB324000-memory.dmp
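Turning the Files and Network sections above into indicators needs some care: the same path can carry two different digests, memory-dump entries are interleaved with file entries, and most network rows are resolver noise. The following Python is an added example, not part of the report or its tooling: it parses path/digest blocks and network rows in the report's own layout, validates digest lengths, groups digests per path so that a path captured with two SHA256 values is surfaced instead of silently overwritten, and separates PTR lookups to the resolver from sample-attributable connections. The constructed input is an excerpt of the tables above (SHA512 lines omitted for brevity); classifying port-53 PTR lookups as noise is an assumption appropriate to this report, not a general rule.

```python
"""Extract file and network indicators from a sandbox report's Files/Network sections."""
import re
from collections import defaultdict

# Constructed input: excerpt of the Files section above (two captures of jNTRXQa.exe,
# one memory-dump entry, one capture of vNdCMnq.exe; SHA512 lines left out).
FILES_TEXT = """
C:\\Windows\\System\\jNTRXQa.exe

MD5 2c29c56557704a5af675ac862b6acadc
SHA1 8095e9a472d534a6ef5dc3ab384273149ae12d48
SHA256 ad78076137bb51fd4326f7a646d70c5d984effb3c1176184b92e2481afe8ee9d

C:\\Windows\\System\\jNTRXQa.exe

MD5 4a486a2a371d8db348dc0ad03e9fd9f0
SHA1 edd912c5d606628022dc3216eaf2db7c93554ff7
SHA256 93ebf2ea35e05e71e9c9884bcb76799c1b9f2b81bf8decfe1ec83807b911916b

memory/4384-6-0x00007FF77CCE0000-0x00007FF77D034000-memory.dmp

C:\\Windows\\System\\vNdCMnq.exe

MD5 1d3a027708a48a3c73a911f7d1532fca
SHA1 f960fd40bf0cf951600c386a6a9501a01e54ab51
SHA256 f4e703d98029a56b7200ca63aefb85a455d5792cd9407b54a0dc1c4762419eda
"""

# Constructed input: four rows from the Network section above.
NETWORK_TEXT = """
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
PATH_RE = re.compile(r"^[A-Za-z]:\\\S+$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-fA-F]+)$")
NET_RE = re.compile(r"^([A-Z]{2}) (\d{1,3}(?:\.\d{1,3}){3}):(\d+)(?: (\S+))? (tcp|udp)$")


def parse_files(text):
    """path -> list of digest dicts, one per captured copy of that path.
    Raises ValueError on a digest whose length does not match its algorithm."""
    copies = defaultdict(list)
    current = None
    for line in text.splitlines():
        line = line.strip()
        if PATH_RE.match(line):
            current = line
            copies[current].append({})
        elif line.startswith("memory/"):
            current = None  # memory dumps carry no digests; stop attributing to the last path
        elif (m := HASH_RE.match(line)) and current:
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HASH_LEN[algo]:
                raise ValueError(f"bad {algo} length for {current}: {digest}")
            copies[current][-1][algo] = digest
    return dict(copies)


def file_iocs(text):
    """Return (path -> sorted distinct SHA256 list, paths captured with >1 distinct SHA256)."""
    copies = parse_files(text)
    sha256 = {p: sorted({c["SHA256"] for c in cs if "SHA256" in c}) for p, cs in copies.items()}
    multi = sorted(p for p, digests in sha256.items() if len(digests) > 1)
    return sha256, multi


def network_iocs(text):
    """Split rows into resolver PTR lookups (background noise) and connection counts
    keyed by (ip, port, proto, country)."""
    ptr_lookups, connections = [], defaultdict(int)
    for line in text.splitlines():
        m = NET_RE.match(line.strip())
        if not m:
            continue
        country, ip, port, domain, proto = m.groups()
        if proto == "udp" and port == "53" and domain and domain.endswith(".in-addr.arpa"):
            ptr_lookups.append(domain)
        else:
            connections[(ip, int(port), proto, country)] += 1
    return ptr_lookups, dict(connections)


if __name__ == "__main__":
    digests, ambiguous = file_iocs(FILES_TEXT)
    ptrs, conns = network_iocs(NETWORK_TEXT)
    print("paths with two digests:", ambiguous)
    print("connections:", conns, "| PTR lookups ignored:", len(ptrs))
```

Feeding the whole Files section through file_iocs returns all four double-captured paths named in the note above; the distinct-SHA256 set per path is what goes into a blocklist, and a single digest per path would have discarded half of it.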

Analysis: behavioral1

Detonation Overview

Reported

0001-01-01 00:00 (null timestamp: this run produced no report)

Command Line, Signatures, Processes, Network, Files: N/A. No data was recorded for this run; all findings on this page come from static1 and behavioral2.