Analysis Overview
SHA256
f177ce88f16d1b02b2f16a3bee9a041d283644242c9d3963d8d8cbfda23b3d9a
Threat Level: Known bad
The file 2024-06-11_86f99f2b652571341e4b613fb0148901_cobalt-strike_cobaltstrike was found to be: Known bad. The captured behaviour is a UPX-packed dropper that writes a chain of randomly named seven-letter executables into C:\Windows\System (the legacy directory, not System32), executes each of them, requests SeLockMemoryPrivilege (the privilege XMRig needs to enable large pages for mining) and whose only recorded network activity is TCP to 3.120.209.58:8080. The Cobalt Strike reflective-loader and reflective-DLL signatures fired on memory patterns whose details are not captured in this export; confirm them against the memory dumps before treating the sample as a beacon rather than a miner.
Malicious Activity Summary
XMRig Miner payload
Xmrig family
Cobaltstrike
xmrig
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-11 19:53
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-11 19:53
Reported
2024-06-11 19:56
Platform
win7-20240221-en
Max time kernel
137s
Max time network
152s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| 19 matches, all fields N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| 19 matches, all fields N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| 56 matches, all fields N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| 64 matches, all fields N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\uncsNuJ.exe | N/A |
| N/A | N/A | C:\Windows\System\gHCfFKb.exe | N/A |
| N/A | N/A | C:\Windows\System\REEiTef.exe | N/A |
| N/A | N/A | C:\Windows\System\dSzPTKv.exe | N/A |
| N/A | N/A | C:\Windows\System\iEgZOdM.exe | N/A |
| N/A | N/A | C:\Windows\System\ZYDskKp.exe | N/A |
| N/A | N/A | C:\Windows\System\efPvPUO.exe | N/A |
| N/A | N/A | C:\Windows\System\IQlCFkL.exe | N/A |
| N/A | N/A | C:\Windows\System\BExMagZ.exe | N/A |
| N/A | N/A | C:\Windows\System\kxIVEYC.exe | N/A |
| N/A | N/A | C:\Windows\System\ErDQhCO.exe | N/A |
| N/A | N/A | C:\Windows\System\fQpGZSn.exe | N/A |
| N/A | N/A | C:\Windows\System\FUGjXRq.exe | N/A |
| N/A | N/A | C:\Windows\System\OSzVlgA.exe | N/A |
| N/A | N/A | C:\Windows\System\QkEsPSs.exe | N/A |
| N/A | N/A | C:\Windows\System\JgCsrLn.exe | N/A |
| N/A | N/A | C:\Windows\System\NDQQJNI.exe | N/A |
| N/A | N/A | C:\Windows\System\ujLjQev.exe | N/A |
| N/A | N/A | C:\Windows\System\FRnDZvZ.exe | N/A |
| N/A | N/A | C:\Windows\System\zFOcZEL.exe | N/A |
| N/A | N/A | C:\Windows\System\LDvtwBG.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| 61 matches, all fields N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_86f99f2b652571341e4b613fb0148901_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_86f99f2b652571341e4b613fb0148901_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-11_86f99f2b652571341e4b613fb0148901_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_86f99f2b652571341e4b613fb0148901_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\uncsNuJ.exe
C:\Windows\System\uncsNuJ.exe
C:\Windows\System\gHCfFKb.exe
C:\Windows\System\gHCfFKb.exe
C:\Windows\System\REEiTef.exe
C:\Windows\System\REEiTef.exe
C:\Windows\System\dSzPTKv.exe
C:\Windows\System\dSzPTKv.exe
C:\Windows\System\iEgZOdM.exe
C:\Windows\System\iEgZOdM.exe
C:\Windows\System\ZYDskKp.exe
C:\Windows\System\ZYDskKp.exe
C:\Windows\System\efPvPUO.exe
C:\Windows\System\efPvPUO.exe
C:\Windows\System\IQlCFkL.exe
C:\Windows\System\IQlCFkL.exe
C:\Windows\System\BExMagZ.exe
C:\Windows\System\BExMagZ.exe
C:\Windows\System\kxIVEYC.exe
C:\Windows\System\kxIVEYC.exe
C:\Windows\System\ErDQhCO.exe
C:\Windows\System\ErDQhCO.exe
C:\Windows\System\fQpGZSn.exe
C:\Windows\System\fQpGZSn.exe
C:\Windows\System\FUGjXRq.exe
C:\Windows\System\FUGjXRq.exe
C:\Windows\System\OSzVlgA.exe
C:\Windows\System\OSzVlgA.exe
C:\Windows\System\QkEsPSs.exe
C:\Windows\System\QkEsPSs.exe
C:\Windows\System\FRnDZvZ.exe
C:\Windows\System\FRnDZvZ.exe
C:\Windows\System\JgCsrLn.exe
C:\Windows\System\JgCsrLn.exe
C:\Windows\System\zFOcZEL.exe
C:\Windows\System\zFOcZEL.exe
C:\Windows\System\NDQQJNI.exe
C:\Windows\System\NDQQJNI.exe
C:\Windows\System\LDvtwBG.exe
C:\Windows\System\LDvtwBG.exe
C:\Windows\System\ujLjQev.exe
C:\Windows\System\ujLjQev.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | N/A | tcp |
6 connections, all to the same endpoint.
Files
memory/1936-0-0x000000013F750000-0x000000013FAA4000-memory.dmp
memory/1936-1-0x00000000001F0000-0x0000000000200000-memory.dmp
\Windows\system\uncsNuJ.exe
| MD5 | df8b2d6d91d48988796ba479cd14fc1b |
| SHA1 | bb8a428972c35b0cddddeec4799e2e1da202260d |
| SHA256 | f98f34fd0fcce77da80211dce8afb8214934390dbdd6c1f8926e53b8e07dde21 |
| SHA512 | 05d40e7ea75a960e579e2642b50e6e2ed2fcdd3db9a8f7d6a13d9de137839614269d123049ab5c54a8399bc9ce829617e234ccd5baa2d682e948119224ffb674 |
C:\Windows\system\uncsNuJ.exe
| MD5 | 32041569ce29a5ef50883ca4e87e40ae |
| SHA1 | 62752d482ea7fbac09b013a4fe013fc0d3df3abe |
| SHA256 | 2e3378fbc771dcf65b54c5f4fc3d8b2f4d91a4c0824d0dd8ab6cf9cad9802f08 |
| SHA512 | f73e85b6685b7d4ce370cfab3ac9dd8c2d17fe49cb93ecb85f5f1ba15be35390697e7a824474b95109c653c60fc79b37d0e3c8a6792ee455c62ff2a12d3837b4 |
\Windows\system\gHCfFKb.exe
| MD5 | fd6fecc5470792baa12718d604fb8033 |
| SHA1 | 696c0ab10e1d367a8ff4c2a89d76ac7de471254b |
| SHA256 | 82adf80733cc1f6ec234562b986ea9f1e7350181fa23bc505d58628a647d0c11 |
| SHA512 | 20634a64494ff4ce591628046255e1c5b668a743bb7f9e896ded0e6954111906d52e9aefd050b934f747e4d46527d55c0948e9cc240b7c30f73eb25d9d15e050 |
C:\Windows\system\gHCfFKb.exe
| MD5 | f7acd81f956a0ed3ea74f5aa9df0e600 |
| SHA1 | b9a4120f5aab42a09f592079394d88aed04ab0e9 |
| SHA256 | 9d600f54619868fc44b56bad4ba3c8302455c05fe192b2ca7b6a354c6bc91534 |
| SHA512 | 2804ed9955d3d8a493ac8345514c2284bfba040c2ac2fbd1bd34a210682d8932afbae93a4463dabbad928401c9046d6634e6e2bb4c97859f5fac88a573cbd97d |
memory/1936-10-0x00000000023C0000-0x0000000002714000-memory.dmp
C:\Windows\system\REEiTef.exe
| MD5 | 1da9e1ad8a3e1dd54c6b6db3ece5a3a6 |
| SHA1 | 7028f8c666d4d0255ccda2540df31d637a1296b7 |
| SHA256 | 06e8c79abc92de134841d2de4f33f1ff031bb58c56a952b8937647d0db55a409 |
| SHA512 | 91cec4372ecdd7b7d2e6d95a64016a3de86280d64c8e6141b7745704b606ae269b724cf07ad5afc145fb2507d0dd7c12724f954b80037ea6b4e0ac8062253533 |
C:\Windows\system\dSzPTKv.exe
| MD5 | 0e2fd2a522d2418bc7dbaf689ef76673 |
| SHA1 | 5f1c27d705b7b859dfc3a6c555a6c8b3ab244763 |
| SHA256 | 40742f91cd985eb524bd3891d1dd35d24592ad177108d69ed9cd6d4b18b99360 |
| SHA512 | 64301bc0310c56dee53197109af15147dcdc7fc2e4ce1b977cb7e6dcd2f13af6e165bd17c6af06ed25d21fbd4c9cf4f3e78ae062fc175d24eb2fa93590a4ee28 |
\Windows\system\dSzPTKv.exe
| MD5 | 4cbb0a590bd004c1cb77ee8f6ce50a06 |
| SHA1 | 88f31c630b016149cd3854a815eb88638e01cbe3 |
| SHA256 | 21bdb8342a39392071305b41900c269fcb38fb9cd5b72cc33931f5ddeb9fe0a5 |
| SHA512 | 5a688b66a820b16abd56a277892d54fd62e6e471f23d08ad5ac0059884126546c0aa828090fc0b5f8cc9d527e3d2dc278ea2cd51b147297b48bf320bab515b01 |
\Windows\system\iEgZOdM.exe
| MD5 | 3f10e435dff14b717bd3ebdbb642fcd5 |
| SHA1 | 18650aed15cbafd52429155245b46552591848be |
| SHA256 | e4b54440f11aa4b5e240bed64332a9c722edada32522ecd509b0db03cfeef6a6 |
| SHA512 | 7defbaf63088b238a271275e948093e08e8a2357c850b91a7f52ee850b7e61cd262c52fa00f37b691c7f24ca0e204549becb66940a5d664a5abcd9c9f1ad66d0 |
\Windows\system\efPvPUO.exe
| MD5 | 3a6e214d26737681cd38d488507c699f |
| SHA1 | a070afed04c14f26e55b4234976bced175cd0a3f |
| SHA256 | 5b613fb703e1a9c72925dd502702dcf04822272d83fbba42808c201d6246f2ed |
| SHA512 | 1dbfa0bc4f0dd46dea85dac4334bb6ade6ed375ab0bbc8e5722e07895f104ef888acd7ca713fa0b27ffe108e3c5b0d3c6f2a47244e6d2182a1e9865344898dfa |
\Windows\system\IQlCFkL.exe
| MD5 | 18247d7880140b18ecd39ee1adfc731b |
| SHA1 | a157eaa9dd320bef6dfdb40a50d13608394c09ca |
| SHA256 | 652d7057f0ddb4d1a2f5d0f36605fc024f3683e540781cf247d44de8bd9de6cf |
| SHA512 | 86e803ee8318313ac7802d21e9ddf99485d8242e09c937616b13b7f0891cbb086eda558be30105ad71b938275dcac935eb0d6bca4b99ccf49510a012cfc00f29 |
C:\Windows\system\BExMagZ.exe
| MD5 | a02b9240a53e7c5d44bf6f876b05340a |
| SHA1 | 1dcade67c07eb23670e0e1ca732d41ba94c46e92 |
| SHA256 | f73994f347eeafeead82519d55ae3efac2afc72b43e6618c0f440335066ee7e0 |
| SHA512 | 7ab2e585c660fe7a50bdb8c54827d300586cc5532e4c0d5fe2c1b40aab0fdb96e560403179e3026b5f5d5119f04b02f36f635f89cdd5335f9817df2e952671de |
C:\Windows\system\kxIVEYC.exe
| MD5 | 65b1bd3b916571f8bcf3d6acf9bbb421 |
| SHA1 | 3ed6ac8b78afafec17d304e58f3ad9fe550e0345 |
| SHA256 | 4452d7fc62cdeb90cd0799e405d083f800a8a7678cf25a3ce2c13be8ccadb1ff |
| SHA512 | 8326e61296d0fe5d810e0cb5013768b57d55198cdc70baa29591f4de729653ca91114c6262efa63c17d9b121c2daae5e66637ec7880e6ee20e40847055c6eb98 |
memory/2644-70-0x000000013F680000-0x000000013F9D4000-memory.dmp
memory/2452-81-0x000000013F5A0000-0x000000013F8F4000-memory.dmp
C:\Windows\system\ujLjQev.exe
| MD5 | fe37dd08349b4b1c58f67a0c836a70af |
| SHA1 | 89d8c64500caa8d73ceca429ce4b41850296ba99 |
| SHA256 | de1f679897b22c6382d0f04567f2f92052003cafb3eea52be7799a26abacc666 |
| SHA512 | 124adfa584e11a07540a7023084d419b00855a9c4092f8a7099c3974f3fbd09a08ddb4fa5bfac051b22a6bcfe80671f4b144f49dd485aee5d601d2a7cf837a3b |
memory/2348-114-0x000000013F2F0000-0x000000013F644000-memory.dmp
\Windows\system\LDvtwBG.exe
| MD5 | 1451d99df0f5f478072381743358d482 |
| SHA1 | 82b262cf16529a81c7ee08ee881d26fad7fcefcb |
| SHA256 | d3822504acca5fb020268569cee0b2c51a5357cebbaa45c5106d16ae45cea844 |
| SHA512 | eba5ac8c35bc0a0f8355de20a5e4a89c7dfcdbfc72b7460b8c28cc8671624feaa877dad197fb28fa255779b310d4d3796cfd3abdbc898813a3bf9bb0988e5780 |
C:\Windows\system\JgCsrLn.exe
| MD5 | 8451c9eef1e2f89ddb27816ccff63660 |
| SHA1 | 75126686c8dd6c91cfcf63652e4f6e45e09bc73a |
| SHA256 | b522741019248952368ba770905000eb9487baa8d38bfd21dbf4d28bc5cb2bc1 |
| SHA512 | 30f3b959a20c2f35f3e17b67760dfd75816713562bc4e564f6f10ea26090011bdb317dc6d902b5dde06c0c5baa1c3a4ced37ab5adc5b215e5ca35ed995dd1d33 |
\Windows\system\zFOcZEL.exe
| MD5 | 470e9eee4c5cb2bbccdcf3034dea8e7d |
| SHA1 | a63371cbb76c0be94fa275d1b810f57037aa3aeb |
| SHA256 | cffee4e6d7fd0e0d057d4ad38810c6f294d02558a6b566e97532b83cb08d5129 |
| SHA512 | 00873144de3bc3d47f3aa3a28e8c70b1191ebc76a1248bef0c87ee5f261d1838ab8044925bf0753fc864f22fce742584223ab75d73f102b7314a0f6cbd9e4e73 |
\Windows\system\FRnDZvZ.exe
| MD5 | 7576d702ec85d73d807caedde1e3e8bc |
| SHA1 | d779586a9087ceaca1e1b9622b45e41287f15c77 |
| SHA256 | 970367b4faaf9d63e05ef18ebbec0f482948c9b0448b5eb76b3ebce1be6455d3 |
| SHA512 | 417b975c9f25a730296490d236c6e20eaa801428ebb561b2445bd5d1f5cda22bdb968ae56a2899db302e440f1e861553bb12d36eef892957265b52ad8508d59b |
C:\Windows\system\NDQQJNI.exe
| MD5 | f4089815f10552e097492c3587580047 |
| SHA1 | 94e54c93f21f683005250153af2d1ec809e347a1 |
| SHA256 | d0ec38fc55cca11a679a50d3bc38a839866778f96afe3754084bf0cbcdb934ad |
| SHA512 | 3db582ca2910ca45242afa3a38a553f48177fa67d29d535a034728a78696f1500b52bae375ba9f4de4ab8e8aafe49223ef194f9ceb4c620dc8a221b54b7ae8ec |
\Windows\system\ujLjQev.exe
| MD5 | 70ff90aa4744113bd0310fc0d9642696 |
| SHA1 | 4f02a897376e5e156044a81d440bc1b6f5e73eda |
| SHA256 | 850f0bbecc3dc6f48578257267b2dfc4dd032dd358202c0f6ec3920e2118bcf5 |
| SHA512 | bdc7f055358d137daf4d2e1f7011457331106547b4eec4e5f4ff35dd9f5890da8611a6c345a9ae884d95e4260252b884173921b0ceaa07cb5d1698fa0594012f |
\Windows\system\JgCsrLn.exe
| MD5 | 77935f7fa515e2498097f96e331d34aa |
| SHA1 | 485d7f26bd5cb37bc584d5c8f968f5e9fef298cb |
| SHA256 | a24111205f2806993b03daa9bab173a6d11a16cb18878caa1071fd928980464c |
| SHA512 | 36ce0bab4a0434c7a28f678c10a9627666b81884015f70cf5a1069ddfbb17d42082499c523fc5e2c32acfa6cdf63a0b247d285dc0850603412d2d0c0692584cf |
memory/1936-95-0x000000013F2F0000-0x000000013F644000-memory.dmp
memory/2552-93-0x000000013FF70000-0x00000001402C4000-memory.dmp
memory/1456-92-0x000000013FA60000-0x000000013FDB4000-memory.dmp
memory/1604-91-0x000000013F480000-0x000000013F7D4000-memory.dmp
memory/1936-90-0x00000000023C0000-0x0000000002714000-memory.dmp
memory/2500-89-0x000000013FF10000-0x0000000140264000-memory.dmp
memory/1936-88-0x000000013FF10000-0x0000000140264000-memory.dmp
memory/2436-87-0x000000013FDE0000-0x0000000140134000-memory.dmp
memory/1936-86-0x000000013FDE0000-0x0000000140134000-memory.dmp
memory/2468-85-0x000000013FE10000-0x0000000140164000-memory.dmp
memory/1936-84-0x000000013FE10000-0x0000000140164000-memory.dmp
memory/2592-83-0x000000013F370000-0x000000013F6C4000-memory.dmp
memory/1936-82-0x000000013F370000-0x000000013F6C4000-memory.dmp
memory/1936-80-0x00000000023C0000-0x0000000002714000-memory.dmp
memory/2004-79-0x000000013F160000-0x000000013F4B4000-memory.dmp
memory/1936-102-0x000000013F3A0000-0x000000013F6F4000-memory.dmp
C:\Windows\system\QkEsPSs.exe
| MD5 | 81548653eba0d2ec7205a6d12288bca2 |
| SHA1 | 390f22dd01f441252aa86324ec94e5bc888cfbd9 |
| SHA256 | 7076ef01d379c90ce9986fb1e098593df9590d55a6239585a71e1237f03fae21 |
| SHA512 | 2ae99cb1cab32f557c2fd860f0a731f7823e88343fa119067d328805eb1b4bb8643d2cc7e738f08137891c599645c7c19802bc3b1849ac73c2f135961a38863c |
memory/1936-78-0x000000013F160000-0x000000013F4B4000-memory.dmp
memory/3008-77-0x000000013F9A0000-0x000000013FCF4000-memory.dmp
memory/1936-76-0x00000000023C0000-0x0000000002714000-memory.dmp
C:\Windows\system\FUGjXRq.exe
| MD5 | 3841d3131bdc70a1cf74942213460680 |
| SHA1 | e066ede4ce1cfdb2ea8111ae73f718eb8b157bd9 |
| SHA256 | b4d269eec56539100336c47edcf07ade25ee028ddd2f468b5ccafc2495eaa0a4 |
| SHA512 | 77b6c9843e542c6ef34515300b738e90e6b505a929acee13a482482161e043ddee1028dddba920c8c9ca07a42160a603ae89b3ec75270ab6e028949695a5b7fe |
\Windows\system\OSzVlgA.exe
| MD5 | 06217924a010736ff69fc4c34caf4199 |
| SHA1 | 1c43e51f334c15ac2039251eed1b924c9e6ac323 |
| SHA256 | 25d7adf149729727d9c17464bc2605d64d00e54395ff24caec7582a2da8c70bf |
| SHA512 | 9365d739694278809302b93279652380b6b241b28a7e143241e1bcbc45aabcbafc0b255422257951c522853c7877cf633ac3eedd8be5bfbf4e086dc6630fbd0d |
memory/1936-69-0x00000000023C0000-0x0000000002714000-memory.dmp
memory/2564-68-0x000000013F140000-0x000000013F494000-memory.dmp
memory/1936-67-0x000000013F140000-0x000000013F494000-memory.dmp
memory/2648-66-0x000000013F040000-0x000000013F394000-memory.dmp
memory/1936-65-0x000000013F040000-0x000000013F394000-memory.dmp
\Windows\system\FUGjXRq.exe
| MD5 | e0f258099dcc71eb5136723dc36b2abf |
| SHA1 | 06369204a4e29aa090f08d64ed6c999554293c3f |
| SHA256 | fc3ecae0284f85748e4163e8d74dc23b78b006a385dbce7949b1a3162c04a129 |
| SHA512 | e5e771b58d729c6c2e5be391c3472852275f9809b6a59989d03020b02587a111724b07f4267210e0379988c9bdeb785b25dc195f7e8ce97d17a6e677d81ad615 |
C:\Windows\system\fQpGZSn.exe
| MD5 | b731781bf85531537282fd235875b3ac |
| SHA1 | 59206fda46b1e56bdb976d7da35012e4e6f8f1d4 |
| SHA256 | 2657a1b1a648dd161d8d3ed50a75150d2dc010da365b30b7a3795fcb1daf19d8 |
| SHA512 | 9c8f38979f392f1b992869e4ca74bbf964e203e775e31879ef15724590f704e0e57e3157344250ce39807469b2b0c7b88f0fe314e1bd06187f5de3c3f57f7a8f |
\Windows\system\fQpGZSn.exe
| MD5 | a25afbcddc0d441611a4c84ac85a2912 |
| SHA1 | 10edd9a79f03a65bdaf88bf3053112577b521f64 |
| SHA256 | 49181bc14ad9f5f572fa09159a9cb3e2ffa81e400593603e8554f2f3c7d027ca |
| SHA512 | 85a72a52481c675a3800d6a1b68ba79f9c4a554e83f76c8892e31b4b58d6168a93689f11765aad0636dafb8af887ec8ef9cb7ebc268a5bd7d448df1a1a8c8ae2 |
C:\Windows\system\ErDQhCO.exe
| MD5 | 8501e1b3ec042e7e35c8a420be40052e |
| SHA1 | 9387a8c36b178a4031ee833ba9d467062f0b27bf |
| SHA256 | 586fd82b12dec2e295dad7b24bce29753bf165ba24b0179a447f67e307ffac12 |
| SHA512 | 2feaf4546e56b98718cbacd9b99cd23d02716607d121943151d374b64f8005f9acb6bb2fb4a0e77cd659eeb064ad22db5e63fb4907d0763d44622f3bc9887ac1 |
\Windows\system\BExMagZ.exe
| MD5 | 484f9bd860840f7d2331986e4199e3d2 |
| SHA1 | eb5448cac8a274aecd2e2e996f7a8c535ce8dfe2 |
| SHA256 | d792f6a1d133eaf0c847fb75869638ea7611e35c703fc655348b58642f5eef41 |
| SHA512 | 30de83fe0665fd35b3e5b2ef1bcd329c5b3c3cda1a0fab51d4301e97e4af95f143875fb670b8aa6d25ab7572333b6c08ac07f838a0611a2110ce3153537d12d2 |
C:\Windows\system\IQlCFkL.exe
| MD5 | fff1105796a698e093eeb80f89a9259b |
| SHA1 | cc494c299d11f4c72b56b4faabbedfd66f75d8fa |
| SHA256 | e8dcdda69a484a02b166920fdf272c3cca398bdc9cad46e6a2f33735c7b45834 |
| SHA512 | 96fbf9f23c187ae345e704208105957aaf5ceeda2737606674097727c8d33237a4c1c039604f14a154f822e80ac05adc778c9207a58d0ee699d5637ef0ebbe25 |
C:\Windows\system\ZYDskKp.exe
| MD5 | 86830a44d3a91c7f51c84fe5e0a428a4 |
| SHA1 | 43ade72d7d4573a2563d2e2de54ccc6e3ff577aa |
| SHA256 | b4cd52532f65d1567997dde26f8876c5c11c10a5fe58af5e461e508ca9a7d65f |
| SHA512 | f10005eea706091b4885be3decd87be96ca1da111df24bc2c1a4f6187314e3d969c5a5b8a49e2577e8de407fef542b2cf1be253378f0b26c6193a41ed7699133 |
memory/1936-135-0x000000013F750000-0x000000013FAA4000-memory.dmp
memory/1604-136-0x000000013F480000-0x000000013F7D4000-memory.dmp
memory/1456-137-0x000000013FA60000-0x000000013FDB4000-memory.dmp
memory/2552-139-0x000000013FF70000-0x00000001402C4000-memory.dmp
memory/2648-138-0x000000013F040000-0x000000013F394000-memory.dmp
memory/2564-140-0x000000013F140000-0x000000013F494000-memory.dmp
memory/3008-146-0x000000013F9A0000-0x000000013FCF4000-memory.dmp
memory/2592-147-0x000000013F370000-0x000000013F6C4000-memory.dmp
memory/2468-148-0x000000013FE10000-0x0000000140164000-memory.dmp
memory/2500-145-0x000000013FF10000-0x0000000140264000-memory.dmp
memory/2004-144-0x000000013F160000-0x000000013F4B4000-memory.dmp
memory/2452-143-0x000000013F5A0000-0x000000013F8F4000-memory.dmp
memory/2436-142-0x000000013FDE0000-0x0000000140134000-memory.dmp
memory/2644-141-0x000000013F680000-0x000000013F9D4000-memory.dmp
memory/1604-149-0x000000013F480000-0x000000013F7D4000-memory.dmp
memory/2348-150-0x000000013F2F0000-0x000000013F644000-memory.dmp
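As an added example (not part of the sandbox report), the Python below turns the two behavioral1 artefact lists above, the Executes dropped EXE / Processes list and the Files list, into something actionable: it parses a Files excerpt in the report's own layout into per-file hashes and memory-dump regions, and it applies a process-creation rule derived from the Processes list (a parent under the user's Temp directory launching a random seven-letter .exe from C:\Windows\System). The excerpt and the Sysmon-style events are constructed for the example; the field names ParentImage and Image follow Sysmon Event ID 1, and the seven-letter name pattern is an observation from this report's dropped names, not a general XMRig trait.

```python
import re

# Constructed excerpt in the report's own layout. Paths and hashes are copied
# from the behavioral1 Files section above; the set is deliberately partial.
FILES_EXCERPT = r"""
memory/1936-0-0x000000013F750000-0x000000013FAA4000-memory.dmp
\Windows\system\uncsNuJ.exe
| MD5 | df8b2d6d91d48988796ba479cd14fc1b |
| SHA1 | bb8a428972c35b0cddddeec4799e2e1da202260d |
| SHA256 | f98f34fd0fcce77da80211dce8afb8214934390dbdd6c1f8926e53b8e07dde21 |
C:\Windows\system\uncsNuJ.exe
| MD5 | 32041569ce29a5ef50883ca4e87e40ae |
| SHA256 | 2e3378fbc771dcf65b54c5f4fc3d8b2f4d91a4c0824d0dd8ab6cf9cad9802f08 |
memory/1936-10-0x00000000023C0000-0x0000000002714000-memory.dmp
memory/2644-70-0x000000013F680000-0x000000013F9D4000-memory.dmp
C:\Windows\system\REEiTef.exe
| SHA256 | 06e8c79abc92de134841d2de4f33f1ff031bb58c56a952b8937647d0db55a409 |
"""

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-f]+)\s*\|$", re.I)
MEM_DUMP = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_files_section(text):
    """Return ({path: {alg: hexdigest}}, [(pid, start, size)]) from a Files block."""
    files, regions, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_DUMP.match(line)
        if m:
            pid, start, end = int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16)
            regions.append((pid, start, end - start))
            current = None
            continue
        m = HASH_ROW.match(line)
        if m and current is not None:
            files.setdefault(current, {})[m.group(1).upper()] = m.group(2).lower()
            continue
        if not line.startswith("|"):
            current = line  # a dropped-file path opens a new record
    return files, regions


def sha256_blocklist(files):
    """Every SHA256 seen, including both versions recorded for the same filename."""
    return sorted({h["SHA256"] for h in files.values() if "SHA256" in h})


def uniform_region_size(regions):
    """The single dump size if every memory region is the same size, else None."""
    sizes = {size for _, _, size in regions}
    return sizes.pop() if len(sizes) == 1 else None


# Constructed Sysmon-style process-creation events (not from the report); the
# first two mirror parent/child pairs in the Processes list, the rest are benign.
EVENTS = [
    {"ParentImage": r"C:\Users\Admin\AppData\Local\Temp\2024-06-11_86f99f2b652571341e4b613fb0148901_cobalt-strike_cobaltstrike.exe",
     "Image": r"C:\Windows\System\uncsNuJ.exe"},
    {"ParentImage": r"C:\Users\Admin\AppData\Local\Temp\2024-06-11_86f99f2b652571341e4b613fb0148901_cobalt-strike_cobaltstrike.exe",
     "Image": r"C:\Windows\System\gHCfFKb.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\notepad.exe"},
    {"ParentImage": r"C:\Windows\System32\services.exe", "Image": r"C:\Windows\System32\svchost.exe"},
]

RANDOM_NAME = re.compile(r"^[A-Za-z]{7}\.exe$")
USER_TEMP = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)


def is_legacy_system_drop(event):
    # C:\Windows\System (not System32) is the legacy 16-bit directory; on a
    # modern install almost nothing should be created or executed there, so a
    # user-Temp parent launching a random seven-letter .exe from it is a strong signal.
    folder, _, name = event["Image"].rpartition("\\")
    return (folder.lower() == r"c:\windows\system"
            and RANDOM_NAME.match(name) is not None
            and USER_TEMP.match(event["ParentImage"]) is not None)


def flag_events(events):
    """Images of the events that match the rule, in log order."""
    return [e["Image"] for e in events if is_legacy_system_drop(e)]


if __name__ == "__main__":
    parsed, dumps = parse_files_section(FILES_EXCERPT)
    print("blocklist:", sha256_blocklist(parsed))
    print("uniform region size:", hex(uniform_region_size(dumps) or 0))
    print("flagged:", flag_events(EVENTS))
```

Two things the output makes visible that the raw listing hides: every memory dump is the same 0x354000-byte region (the dropper's 0x23C0000 mapping and each child's image), so all of them are worth pulling rather than one; and the same filename is recorded with two different hash sets, so a blocklist built from this report has to carry both.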
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-11 19:53
Reported
2024-06-11 19:56
Platform
win10v2004-20240426-en
Max time kernel
142s
Max time network
157s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| 21 matches, all fields N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| 21 matches, all fields N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| 64 matches, all fields N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| 64 matches, all fields N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\xQwfgUC.exe | N/A |
| N/A | N/A | C:\Windows\System\BqwfHlQ.exe | N/A |
| N/A | N/A | C:\Windows\System\AwfNkoi.exe | N/A |
| N/A | N/A | C:\Windows\System\DSdZomg.exe | N/A |
| N/A | N/A | C:\Windows\System\yfdUjDP.exe | N/A |
| N/A | N/A | C:\Windows\System\bqigyrB.exe | N/A |
| N/A | N/A | C:\Windows\System\oQMgHJP.exe | N/A |
| N/A | N/A | C:\Windows\System\afWGCup.exe | N/A |
| N/A | N/A | C:\Windows\System\DgpbPyb.exe | N/A |
| N/A | N/A | C:\Windows\System\wYZeNcf.exe | N/A |
| N/A | N/A | C:\Windows\System\jLjpUpJ.exe | N/A |
| N/A | N/A | C:\Windows\System\XqloNAd.exe | N/A |
| N/A | N/A | C:\Windows\System\LcWvsXc.exe | N/A |
| N/A | N/A | C:\Windows\System\rXNzrDW.exe | N/A |
| N/A | N/A | C:\Windows\System\PQppThT.exe | N/A |
| N/A | N/A | C:\Windows\System\OxTHoWc.exe | N/A |
| N/A | N/A | C:\Windows\System\ahIbNgS.exe | N/A |
| N/A | N/A | C:\Windows\System\wBtbhUR.exe | N/A |
| N/A | N/A | C:\Windows\System\ycRVAgh.exe | N/A |
| N/A | N/A | C:\Windows\System\SvdXsyK.exe | N/A |
| N/A | N/A | C:\Windows\System\FcLGYpM.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| 64 matches, all fields N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_86f99f2b652571341e4b613fb0148901_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_86f99f2b652571341e4b613fb0148901_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-11_86f99f2b652571341e4b613fb0148901_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_86f99f2b652571341e4b613fb0148901_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\xQwfgUC.exe
C:\Windows\System\xQwfgUC.exe
C:\Windows\System\BqwfHlQ.exe
C:\Windows\System\BqwfHlQ.exe
C:\Windows\System\AwfNkoi.exe
C:\Windows\System\AwfNkoi.exe
C:\Windows\System\DSdZomg.exe
C:\Windows\System\DSdZomg.exe
C:\Windows\System\yfdUjDP.exe
C:\Windows\System\yfdUjDP.exe
C:\Windows\System\bqigyrB.exe
C:\Windows\System\bqigyrB.exe
C:\Windows\System\oQMgHJP.exe
C:\Windows\System\oQMgHJP.exe
C:\Windows\System\afWGCup.exe
C:\Windows\System\afWGCup.exe
C:\Windows\System\DgpbPyb.exe
C:\Windows\System\DgpbPyb.exe
C:\Windows\System\wYZeNcf.exe
C:\Windows\System\wYZeNcf.exe
C:\Windows\System\jLjpUpJ.exe
C:\Windows\System\jLjpUpJ.exe
C:\Windows\System\XqloNAd.exe
C:\Windows\System\XqloNAd.exe
C:\Windows\System\LcWvsXc.exe
C:\Windows\System\LcWvsXc.exe
C:\Windows\System\rXNzrDW.exe
C:\Windows\System\rXNzrDW.exe
C:\Windows\System\PQppThT.exe
C:\Windows\System\PQppThT.exe
C:\Windows\System\OxTHoWc.exe
C:\Windows\System\OxTHoWc.exe
C:\Windows\System\ahIbNgS.exe
C:\Windows\System\ahIbNgS.exe
C:\Windows\System\wBtbhUR.exe
C:\Windows\System\wBtbhUR.exe
C:\Windows\System\ycRVAgh.exe
C:\Windows\System\ycRVAgh.exe
C:\Windows\System\SvdXsyK.exe
C:\Windows\System\SvdXsyK.exe
C:\Windows\System\FcLGYpM.exe
C:\Windows\System\FcLGYpM.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 28.121.18.2.in-addr.arpa | udp |
| US | 52.111.227.14:443 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 24.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2468-0-0x00007FF6D16B0000-0x00007FF6D1A04000-memory.dmp
memory/2468-1-0x000001C3613A0000-0x000001C3613B0000-memory.dmp
C:\Windows\System\xQwfgUC.exe
| MD5 | 565fc1b28ea6d82a5320d820ab4260a5 |
| SHA1 | d4b0df391b36c4487b37b66e88d8ab6a6ed9b111 |
| SHA256 | 98b8c261d52a8cfe32f61135ee3a7b14385ffac39599013a9552d91ee4e6a118 |
| SHA512 | aaa7c3dec9071a08c31d49abc6c3c6e4c9bc965effdd8f0f4b9a484be7b4a933372626488f1b97fb10367dcf92022216ce87d20ea5d9a5e273b83cdd36bc0899 |
C:\Windows\System\AwfNkoi.exe
| MD5 | 529baf6c57e608aaab708e54ef5b673b |
| SHA1 | 27aa40e729f18dae8cd8832cd63a2dde083c01dc |
| SHA256 | 0e05a34cc174946181ce448daa9f4bed749e76aae4362f428303b2bdd430dfc4 |
| SHA512 | 622ddaea663bb4fe17a6976f50c7422b6f2b45846b4640298b7b130bc6bbc1ae51684776ed77bea2d14c77c9297432982087dc2c382f1cb7e19bb702ed263bc0 |
C:\Windows\System\BqwfHlQ.exe
| MD5 | 3a84b1e16d0fdc05e4f6a0d1d93d5fb7 |
| SHA1 | b17577aaf1526f45432331e39872a4968ce62060 |
| SHA256 | 8e2e4ba3b5d6f0179e8a0325d135c37b35fecd3082555e5b3aacd3aa0978436d |
| SHA512 | b8ba2b4a25fe21bd0ddb23ef8d2bfdc3af606fba271042e02f9192de4ed9fc9b6c589b059686f24c51cb639c2a7abc8efe72bb3dcc0414581b7499b22e7ba61b |
memory/2988-14-0x00007FF6C0F20000-0x00007FF6C1274000-memory.dmp
memory/2496-9-0x00007FF77DEA0000-0x00007FF77E1F4000-memory.dmp
memory/1776-19-0x00007FF65B040000-0x00007FF65B394000-memory.dmp
C:\Windows\System\DSdZomg.exe
| MD5 | 63a79ed4925929ed5ce7b86113f0549a |
| SHA1 | da440566196db667cccca73527e043e51b1c28f3 |
| SHA256 | e8cb65dcf3f8677e60a58470aef553007aea72f4a5c6ddf9277de9d61d66aa12 |
| SHA512 | 6d6826006ebf9df3fc2c1fc11d08c75cdb84c99ac68c1c1621e4c9dbe5fd85a00b90f0461a24081d56eef666c4d22f162274c6ca8361fe85d9682f3948875ea8 |
memory/2752-25-0x00007FF6325D0000-0x00007FF632924000-memory.dmp
C:\Windows\System\yfdUjDP.exe
| MD5 | 3193ea2ea732a16b4d33495c9e5b3d9d |
| SHA1 | fb0d6ea6e885f458fcaa837158d250ea338113a8 |
| SHA256 | db3f9e4ace56bc5340fa7c89f2d96f5fbb7ee75ff39e2c5df525905d1865120d |
| SHA512 | aa1274aa846713dc9a82dbc65e0e41dec26ebe9241e7d39d821faf15321f575fde62def27be2162d6921e5872b62a5c0dd1c1b207615464c5592766dddd55e9f |
memory/316-30-0x00007FF77F1B0000-0x00007FF77F504000-memory.dmp
C:\Windows\System\bqigyrB.exe
| MD5 | 1d36ac9d3559dfb35d65120cb48f99a5 |
| SHA1 | 9fe463e0f8abf82aa5f80b58a0a4c3c65053e9dc |
| SHA256 | 103440d7542288d0c1bfed69398da0df3d019af475d7506e3d4f2520a5d2eab3 |
| SHA512 | 322fdb34b9aee1d9e8ac2009ac750d0e60f62155056a5647f63e2904f0aa03f5cdfbc4c076b39a049ceddd088e444f9b52b0822d03abd299745746475a55461d |
memory/1064-38-0x00007FF791F10000-0x00007FF792264000-memory.dmp
C:\Windows\System\oQMgHJP.exe
| MD5 | db04090e0b42c11cebd05391810d14c6 |
| SHA1 | c20312269239d3a46785e4c0fcaae82876aed2d9 |
| SHA256 | 70243bab6d90130fbadfcbec2f433f75bac9d0049d60b598610895656d9824c9 |
| SHA512 | 82abc901148ae099b0c04065fe89e7da39df80690b36373cd691263abe9a172c3170eb6e3552196159a9960b8a6bfefa6a9afafacc47f5b384b2107a8b0a5fc7 |
memory/4220-42-0x00007FF66D590000-0x00007FF66D8E4000-memory.dmp
memory/4672-46-0x00007FF7DFC60000-0x00007FF7DFFB4000-memory.dmp
C:\Windows\System\DgpbPyb.exe
| MD5 | 8b547c51731e4a054e9fc64fca5fc228 |
| SHA1 | b5e19f5f70027d6e1e44b8ac113afe763e3b6f5e |
| SHA256 | d897335b9247af44f32a4d3fb9baab103a0652a86fda4a9e5ace6ef992c892b9 |
| SHA512 | aa8a4551c48d2eb225da04e3282818b4a7ca9f0e4b69b8da00ed7f710ef3bd75e39683b443aee1f3e85666331a7a3e2ddb47ede50648dd17c3d0804daedf7124 |
memory/1020-57-0x00007FF72A640000-0x00007FF72A994000-memory.dmp
memory/2468-62-0x00007FF6D16B0000-0x00007FF6D1A04000-memory.dmp
C:\Windows\System\jLjpUpJ.exe
| MD5 | abd85565b3f328d136e374295e854b58 |
| SHA1 | 3d8a2e6b99b13554a56cf9b8ec0a3c12ab38670e |
| SHA256 | 64069df053ee358764e6885b210d33858bd0bd299d116cfe082ea146534c7c32 |
| SHA512 | 8eb42c75b89d1defdcc052606acb6dca92c61d2e44ff24d2c9fc0c38970905c92eb2d389847e7b6c444e5ca9847db7c9fbcbc391be83eabb4ff3872116296b62 |
memory/4556-73-0x00007FF63D8A0000-0x00007FF63DBF4000-memory.dmp
memory/1528-75-0x00007FF7AF390000-0x00007FF7AF6E4000-memory.dmp
C:\Windows\System\XqloNAd.exe
| MD5 | 9a3b1d78e4d085b386a8fa97d34e5649 |
| SHA1 | 62ab80dff332c0d4a306d457249943cdcd4db287 |
| SHA256 | 75d22679e33df1e6953703f25bf86ab643cd34225c8f7f1213d38786bc620fba |
| SHA512 | 757e0e787a121b1fcf4b2495c09cbea0f207ea0b4e29203ec1b6b4a93425be4449943cf0e5984e1b48b33fab8f69a62da1967d72e562426ad4b5397264d0eb9f |
C:\Windows\System\LcWvsXc.exe
| MD5 | 3edcf5460bdbeda810fa9e6c2ffc7faf |
| SHA1 | fd32dc5aefd440e6f078c11a92ca0596f12b7c5e |
| SHA256 | 576da08ae7054f8ead3a07dd9bb0fc1b303ab8608d6317d380a729969a35051e |
| SHA512 | 97d871d03e212a5c258aa1b4ae347ef23ce182eb19495f7d3237474736c5e9a43b81cc376b98af34165005acf8a4bfeb6618343ebfebce59f9c18b8a2e9bb763 |
memory/4348-76-0x00007FF7292F0000-0x00007FF729644000-memory.dmp
memory/3668-74-0x00007FF7BE3D0000-0x00007FF7BE724000-memory.dmp
C:\Windows\System\wYZeNcf.exe
| MD5 | b156f832b66dbf6c0dc77a6ba6293513 |
| SHA1 | 17d298d0aa193abda61db37b48720d94ec60671f |
| SHA256 | 68c23a6e35c3982f2fdb653c3ec322ae5bf9c3ef46c3df60bfb8ea936a384d94 |
| SHA512 | d5cc0c8eed77897ded800d4beb7fa31430dafae84840f4b078c5f345c28281b621f0eb63320d8e0376ceef3017868a55de40afcdd7e5a017f14f01d3c9dc5d72 |
C:\Windows\System\afWGCup.exe
| MD5 | 5f50e565c6341e225e493b62eb073394 |
| SHA1 | a34b99fdc88d9e140b20ca4ddb014267e0d74d4e |
| SHA256 | 34443352fdc702cfa31b932098769e08973fdfe73bc3d63c63f320ba61c981a1 |
| SHA512 | f1d4185af93709c179502f11dc76a448b8668737de3d607dd909b76d9dffdbff2dd9b002ea6772c9ae75d9d99a26dae9c1e6be72feca61715f094c6ff2e21995 |
C:\Windows\System\rXNzrDW.exe
| MD5 | be83de881673254e446ecebcbe723936 |
| SHA1 | 41ec56b504976df4b7d1273215538a69214122f4 |
| SHA256 | 56182f43a00a83e52de147e7184cc2c957c9557dc8b1d98a8ef2845200c2223d |
| SHA512 | b71190dd9dc2682a35cb6038ae79121852fc0aac85f62e0f2f5664a5525d1b28f8c570ad4f6ac51ef35c1d7939dcb619d2704f35f87ad68cb43c867c22d6b002 |
memory/1720-87-0x00007FF622970000-0x00007FF622CC4000-memory.dmp
C:\Windows\System\PQppThT.exe
| MD5 | 862140883916d5e3eed58ceea3a7a2cf |
| SHA1 | e208c88a09a98f95aa549a96f4041fbc3fbf7a84 |
| SHA256 | 2f929bb596c35f0c580dce815c13920e371e8dee4d86ca049f4624baaccf191f |
| SHA512 | 13753f59da9dab60d98192cc7a727c907aa296a7499ca10d71598ed1d69ab272090bd9f38078a6e1a5849dd7f8939270c09d57df3dc97815484a45a6d0d851be |
C:\Windows\System\OxTHoWc.exe
| MD5 | b1f631f9a8f76463fd2be3afce2d6d92 |
| SHA1 | e73528b3fbe34774b78f07dce38e74c0ca6160b4 |
| SHA256 | 8b0900950714939153c1ff17237dfabd756065151a62855d741886085a0546b3 |
| SHA512 | d8dedecab9e4611473b673e88b26c7fffceb319b847cbdd50d6cdb87bcc12a9032a0abf945470e5518d52535bdbbbfe24ffe26a0cfcb45f47e8f567d08a80000 |
memory/4144-99-0x00007FF640010000-0x00007FF640364000-memory.dmp
memory/1776-98-0x00007FF65B040000-0x00007FF65B394000-memory.dmp
memory/2204-103-0x00007FF7251F0000-0x00007FF725544000-memory.dmp
C:\Windows\System\wBtbhUR.exe
| MD5 | 82c2d673409f1a668733de028acb1bb7 |
| SHA1 | 08af052b05214d9f2a37dddded304e84876444cd |
| SHA256 | efc370d389ba6ff6dbffdd8add6d7d186cda6c92d8fe485f2f8321b903ce1cd5 |
| SHA512 | fe04bcce3f6390aed4251a43cd956ec7b364fa8ad20f78069b4ab1b52b5ed6b731eb64a46253182869e2d86fa3e844a17cf7961d8266c4d71ccb980dbc3028f6 |
C:\Windows\System\SvdXsyK.exe
| MD5 | 965602da7f9296aa10f82369f4b652b9 |
| SHA1 | f5314922bfd67ddee22128e56ebe871b7bc9267e |
| SHA256 | ef0014fc58d83d37157023ab90cafedbfad9b5c3d3cad2770dbf5f04579960ae |
| SHA512 | 4639780c195dfe58ae7d27da662b50e975f8ff0c26110caac45ca0bf075ca76eb0bd0bf2ae41aa27a8847db70863e0996676d6042d2fefc2602ba43a435b051d |
memory/4220-119-0x00007FF66D590000-0x00007FF66D8E4000-memory.dmp
memory/4828-132-0x00007FF71A370000-0x00007FF71A6C4000-memory.dmp
memory/1020-131-0x00007FF72A640000-0x00007FF72A994000-memory.dmp
C:\Windows\System\ycRVAgh.exe
| MD5 | df4d0c4c9ce5d20e05ae53295538595d |
| SHA1 | bad12c315a3eef1f2039e7a129c2f8e9ff5b1ec9 |
| SHA256 | 5eee32d6f0944530893f5327306333033cc92493a1a306770679a7ff36a25e60 |
| SHA512 | 20ebe4de436108a864f7c3f7b0cae1e75ed27692e20736c07c8cd990700ca3418bc4d397dfa25430a2fa54b58f82d00a353ea49f03128fe2e31a7121c436b4c2 |
C:\Windows\System\FcLGYpM.exe
| MD5 | c6ae06bb8d18bce5606ff14db32bec0d |
| SHA1 | 1b109bb79c605dfb18db74b9dabe53fef3093869 |
| SHA256 | 3358b1a8615e1adde7d683142b6fa06067cc4d24830e08980fca7c24a738aa2a |
| SHA512 | e84fabc3ff843fc952962de4a04f3474ab636da8c4aff274c5e0245a73ead6e0db1c051bfbe7c809c7aeb646180048d254f6352e796aa2df17579f5400124102 |
memory/2304-125-0x00007FF70C750000-0x00007FF70CAA4000-memory.dmp
memory/4772-123-0x00007FF780D90000-0x00007FF7810E4000-memory.dmp
memory/4672-122-0x00007FF7DFC60000-0x00007FF7DFFB4000-memory.dmp
memory/3736-113-0x00007FF6724E0000-0x00007FF672834000-memory.dmp
memory/316-110-0x00007FF77F1B0000-0x00007FF77F504000-memory.dmp
memory/4280-109-0x00007FF656340000-0x00007FF656694000-memory.dmp
C:\Windows\System\ahIbNgS.exe
| MD5 | d9bd5168432763a2e6b98ecbcbd84795 |
| SHA1 | ade27b323cbe4e6f542eb5981eda2e707b85381f |
| SHA256 | a8abcfd452d9554958c8c91e1cec36c98891222ce34072dc2a487589614c92b1 |
| SHA512 | 4980437e6a591fc962de99d3551b17ca684485d6866ddb01853e6990f89f0cc2cdc65a3a73b41e376a8a4c2449af4d26cc053460c94a384d5bc7e974b71c6802 |
memory/3668-134-0x00007FF7BE3D0000-0x00007FF7BE724000-memory.dmp
memory/4348-135-0x00007FF7292F0000-0x00007FF729644000-memory.dmp
memory/1720-136-0x00007FF622970000-0x00007FF622CC4000-memory.dmp
memory/2204-137-0x00007FF7251F0000-0x00007FF725544000-memory.dmp
memory/4280-138-0x00007FF656340000-0x00007FF656694000-memory.dmp
memory/3736-139-0x00007FF6724E0000-0x00007FF672834000-memory.dmp
memory/2304-140-0x00007FF70C750000-0x00007FF70CAA4000-memory.dmp
memory/4772-141-0x00007FF780D90000-0x00007FF7810E4000-memory.dmp
memory/4828-142-0x00007FF71A370000-0x00007FF71A6C4000-memory.dmp
memory/2496-143-0x00007FF77DEA0000-0x00007FF77E1F4000-memory.dmp
memory/2988-144-0x00007FF6C0F20000-0x00007FF6C1274000-memory.dmp
memory/1776-145-0x00007FF65B040000-0x00007FF65B394000-memory.dmp
memory/2752-146-0x00007FF6325D0000-0x00007FF632924000-memory.dmp
memory/316-147-0x00007FF77F1B0000-0x00007FF77F504000-memory.dmp
memory/1064-148-0x00007FF791F10000-0x00007FF792264000-memory.dmp
memory/4220-149-0x00007FF66D590000-0x00007FF66D8E4000-memory.dmp
memory/4556-150-0x00007FF63D8A0000-0x00007FF63DBF4000-memory.dmp
memory/4672-151-0x00007FF7DFC60000-0x00007FF7DFFB4000-memory.dmp
memory/1020-152-0x00007FF72A640000-0x00007FF72A994000-memory.dmp
memory/1528-153-0x00007FF7AF390000-0x00007FF7AF6E4000-memory.dmp
memory/3668-155-0x00007FF7BE3D0000-0x00007FF7BE724000-memory.dmp
memory/4348-154-0x00007FF7292F0000-0x00007FF729644000-memory.dmp
memory/1720-156-0x00007FF622970000-0x00007FF622CC4000-memory.dmp
memory/4144-157-0x00007FF640010000-0x00007FF640364000-memory.dmp
memory/2204-158-0x00007FF7251F0000-0x00007FF725544000-memory.dmp
memory/4280-159-0x00007FF656340000-0x00007FF656694000-memory.dmp
memory/3736-160-0x00007FF6724E0000-0x00007FF672834000-memory.dmp
memory/4772-161-0x00007FF780D90000-0x00007FF7810E4000-memory.dmp
memory/2304-162-0x00007FF70C750000-0x00007FF70CAA4000-memory.dmp
memory/4828-163-0x00007FF71A370000-0x00007FF71A6C4000-memory.dmp