Analysis Overview
SHA256
7da6432f77d2255c0a1bd6b0dea1b9b55f589125808e1101ec9de4606db3127d
Threat Level: Known bad
The file 2024-06-21_033c36bfe4c432dccb870dafd1283ce0_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike family
Cobaltstrike
UPX dump on OEP (original entry point)
xmrig
XMRig Miner payload
Xmrig family
Detects Reflective DLL injection artifacts
Cobalt Strike reflective loader
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2024-06-21 01:25
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-21 01:25
Reported
2024-06-21 01:27
Platform
win7-20240611-en
Max time kernel
134s
Max time network
149s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\IIFTgxf.exe | N/A |
| N/A | N/A | C:\Windows\System\TREmhZa.exe | N/A |
| N/A | N/A | C:\Windows\System\ipKCKQr.exe | N/A |
| N/A | N/A | C:\Windows\System\XJZKOIe.exe | N/A |
| N/A | N/A | C:\Windows\System\ixJEFDP.exe | N/A |
| N/A | N/A | C:\Windows\System\GVbsnbx.exe | N/A |
| N/A | N/A | C:\Windows\System\UErwEps.exe | N/A |
| N/A | N/A | C:\Windows\System\XcPkWik.exe | N/A |
| N/A | N/A | C:\Windows\System\EWbZXap.exe | N/A |
| N/A | N/A | C:\Windows\System\uVUDRmx.exe | N/A |
| N/A | N/A | C:\Windows\System\FBzJMcg.exe | N/A |
| N/A | N/A | C:\Windows\System\QKFgNtI.exe | N/A |
| N/A | N/A | C:\Windows\System\ZYaSdbV.exe | N/A |
| N/A | N/A | C:\Windows\System\EKbDqvD.exe | N/A |
| N/A | N/A | C:\Windows\System\rBGhlZY.exe | N/A |
| N/A | N/A | C:\Windows\System\hxGLxEt.exe | N/A |
| N/A | N/A | C:\Windows\System\ljbBNpD.exe | N/A |
| N/A | N/A | C:\Windows\System\GhvaLGN.exe | N/A |
| N/A | N/A | C:\Windows\System\FolLFAi.exe | N/A |
| N/A | N/A | C:\Windows\System\yGSVerv.exe | N/A |
| N/A | N/A | C:\Windows\System\xgYFMWA.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-21_033c36bfe4c432dccb870dafd1283ce0_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-21_033c36bfe4c432dccb870dafd1283ce0_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-21_033c36bfe4c432dccb870dafd1283ce0_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-21_033c36bfe4c432dccb870dafd1283ce0_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\IIFTgxf.exe | C:\Windows\System\IIFTgxf.exe |
| C:\Windows\System\TREmhZa.exe | C:\Windows\System\TREmhZa.exe |
| C:\Windows\System\ipKCKQr.exe | C:\Windows\System\ipKCKQr.exe |
| C:\Windows\System\XJZKOIe.exe | C:\Windows\System\XJZKOIe.exe |
| C:\Windows\System\GVbsnbx.exe | C:\Windows\System\GVbsnbx.exe |
| C:\Windows\System\ixJEFDP.exe | C:\Windows\System\ixJEFDP.exe |
| C:\Windows\System\XcPkWik.exe | C:\Windows\System\XcPkWik.exe |
| C:\Windows\System\UErwEps.exe | C:\Windows\System\UErwEps.exe |
| C:\Windows\System\EWbZXap.exe | C:\Windows\System\EWbZXap.exe |
| C:\Windows\System\uVUDRmx.exe | C:\Windows\System\uVUDRmx.exe |
| C:\Windows\System\FBzJMcg.exe | C:\Windows\System\FBzJMcg.exe |
| C:\Windows\System\QKFgNtI.exe | C:\Windows\System\QKFgNtI.exe |
| C:\Windows\System\ZYaSdbV.exe | C:\Windows\System\ZYaSdbV.exe |
| C:\Windows\System\EKbDqvD.exe | C:\Windows\System\EKbDqvD.exe |
| C:\Windows\System\rBGhlZY.exe | C:\Windows\System\rBGhlZY.exe |
| C:\Windows\System\hxGLxEt.exe | C:\Windows\System\hxGLxEt.exe |
| C:\Windows\System\ljbBNpD.exe | C:\Windows\System\ljbBNpD.exe |
| C:\Windows\System\GhvaLGN.exe | C:\Windows\System\GhvaLGN.exe |
| C:\Windows\System\FolLFAi.exe | C:\Windows\System\FolLFAi.exe |
| C:\Windows\System\yGSVerv.exe | C:\Windows\System\yGSVerv.exe |
| C:\Windows\System\xgYFMWA.exe | C:\Windows\System\xgYFMWA.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/3024-0-0x000000013FF40000-0x0000000140294000-memory.dmp
memory/3024-1-0x00000000002F0000-0x0000000000300000-memory.dmp
\Windows\system\IIFTgxf.exe
| MD5 | 955292a6162b73a9d180447b5983b1ec |
| SHA1 | c0476b1f6f3991a3ebe848533953642b4654c584 |
| SHA256 | 1f768825cbf6619ea809e361fae0b6c46f075a89c01001ee401d2c7363dc032e |
| SHA512 | 83b2f5339b5647e54d918ffde9d46a9fd32637b78e77754b37888e5c9f1d1d29caa5ce24eff65a1b6b61ef24271ddc415f00e2dd711b199ac320ea99cf00673e |
C:\Windows\system\TREmhZa.exe
| MD5 | 83c5e89089fb24a4215bd0c27d9b4d14 |
| SHA1 | 5247e4dba933668a759e6118a175787ce6f82169 |
| SHA256 | 0dd4837007d685065389098a42deb5b3a65619e03cfaacc16ba721fe84953c55 |
| SHA512 | 8e789f61add58a0382b12ca7b952030b22f15a6881a95901cf238273d5222993644b11e22b7acb7035dd59ded4284560113fb86be2b9594632deac1de8d43f4b |
memory/2504-12-0x000000013F620000-0x000000013F974000-memory.dmp
memory/2188-13-0x000000013F480000-0x000000013F7D4000-memory.dmp
memory/3024-15-0x000000013F480000-0x000000013F7D4000-memory.dmp
C:\Windows\system\ipKCKQr.exe
| MD5 | ae636cdfafb4f0a8de289e412b60f407 |
| SHA1 | 603c3217f16c663ed4050c8716a5825326591fa9 |
| SHA256 | 90580dea5c0b3b883cc524a105e8e0a1f3fbece77fa8e1dd7704e4c70167b6bf |
| SHA512 | b3287206e48a0bc52480557b78f949392f06401f0e86b0883252f5c0184d56fba5e9d77aab07e2b79e66f7527f66ceae4f3c44b59ab11772334ca82147e5685f |
C:\Windows\system\XJZKOIe.exe
| MD5 | bf205a36672e03603b630ac11d884dbf |
| SHA1 | 85104add427324c3600fb91717d3d1cf425ce07b |
| SHA256 | 8d57917d183b229c66586f6cb701febe323560b4dc3c9942ae516861ee3441c8 |
| SHA512 | 0971c2d1b745d16ce428be5bc1d7588a9e3e44df6ea4184c91f668d522812680ec44f6945890248ec6790631fb3d2569fd75392b79c1a6e5ba10e1303466cd3c |
memory/3024-25-0x0000000002400000-0x0000000002754000-memory.dmp
memory/2640-20-0x000000013FA60000-0x000000013FDB4000-memory.dmp
memory/2692-26-0x000000013FDD0000-0x0000000140124000-memory.dmp
\Windows\system\GVbsnbx.exe
| MD5 | 7153994f6cf3581513e01aa6cf861ece |
| SHA1 | 35c851f7ca9b13d3341dbd70b658b8c2fa6c2e0c |
| SHA256 | e2e500d32e3b639999f1e36e394e51c2fc28676d98c18b3419cb55e15a0f67fd |
| SHA512 | 4cfd2de20aa36b5616cbb036d7e542af90525dd2a598984a57c4c07a8c2ca066a41a2a2fb0272dafa2099014bbfe27a8a955049594aefbff3d3451e0c7bd7e87 |
C:\Windows\system\ixJEFDP.exe
| MD5 | 2e9b1cfee28828d507fd992b4ad3004f |
| SHA1 | fd10c3a6774ecff653648172cc611e94dff1b2cd |
| SHA256 | 3559075354cd051fd8d3f524c148759aacdc5db425ae0eba1814b7cec98335b6 |
| SHA512 | f88e6f08234c47eaeb882920fa503d2c6b87edd88760114699e6931e8a92194b667f26a6e2708c3139766d6963badf748c620d5445b23cdfab9f3e43679b3ec7 |
\Windows\system\XcPkWik.exe
| MD5 | dc85818ba923b56958cdbe228ac030c2 |
| SHA1 | 6b04311bab33fa2071396d99a0c3e977d7b04e99 |
| SHA256 | ad4df741c2d9d99062c2549b12b8008edd17c3f7d3b9ad3a701ba3d365847f9e |
| SHA512 | ae02cf05fdc1bc26f3f3fe8fbbabd481bab1d6eff80e81ec910f5a2af972f182e729a4999b0b4aced0d3df38c3c399933bce0daca23d03281041486dfe63b6b2 |
memory/2440-46-0x000000013FC80000-0x000000013FFD4000-memory.dmp
memory/2412-52-0x000000013FA10000-0x000000013FD64000-memory.dmp
memory/3024-53-0x000000013FF40000-0x0000000140294000-memory.dmp
memory/2596-54-0x000000013FE70000-0x00000001401C4000-memory.dmp
C:\Windows\system\UErwEps.exe
| MD5 | 4c82454ba84039a0e05896ea0f264b6d |
| SHA1 | 3f1eedb51e771784a54d2825e284b06df288725e |
| SHA256 | 0f064bc3f5a89eadf624d4b2f2ee6599deed6c66ba7a8f8af47852759d1296a4 |
| SHA512 | cb9ee7fa217ddc163328015b597d67b32be984cf97b56901ac6b2c0c0387cba03875ac03dc2f18c5632aa9110d777bf1b0c7fe4bee23bb3b8aac069af565336e |
memory/2432-55-0x000000013FCE0000-0x0000000140034000-memory.dmp
memory/3024-40-0x0000000002400000-0x0000000002754000-memory.dmp
\Windows\system\EWbZXap.exe
| MD5 | f78aa66ad1226dac51db3ac8e2c9f331 |
| SHA1 | 3010975a05730297916aafd196c915809e374882 |
| SHA256 | a5e96d8b6e274925284803548fc0993d487ff8395fb7e71ddc82c8e14d53ab77 |
| SHA512 | 4974259fb6e55ce4c8f2b75263559381ee5284ba1aa107889344a77595779de480caeb4a13a83a9f44da0cb4262f0f944c0b772ff21743ae01e58f2f03af75f4 |
C:\Windows\system\uVUDRmx.exe
| MD5 | 88e4150c2e4f5463aae8052da6fe1b3e |
| SHA1 | 86a080487a100b9c254b6c455ee574792dad57e0 |
| SHA256 | 664b3224a13799c212760f9c53bbe724255b5af6db76ec7a5f783c10de8db670 |
| SHA512 | 6f31551b9520e2d456aadc244a578f9f723b81038601b6943adf03693a2fa09d3c1670ec3938f0d5d0320f89426aebc90b90d61c14433e035bbbd06ddbfe8dbd |
memory/2392-69-0x000000013FD10000-0x0000000140064000-memory.dmp
memory/2056-60-0x000000013FBE0000-0x000000013FF34000-memory.dmp
memory/3024-68-0x000000013F480000-0x000000013F7D4000-memory.dmp
memory/3024-64-0x0000000002400000-0x0000000002754000-memory.dmp
C:\Windows\system\FBzJMcg.exe
| MD5 | 60b7e0a4d79e84dd9ab36f8603818874 |
| SHA1 | acffecb14052acdbd24384067737a3752e562193 |
| SHA256 | 36b2937f36e67cdac8b43f4ec9edd6ee2c6df23a07388a203e048d25785ea33c |
| SHA512 | e54673fdb3bf1b52c902d31f79f2294827fa5b88e0e11a0eca242d564d6a4bf5a6a918b61c995ceaea8570ece79a80c0c1e9019f31e62bd87eaba6f74dfc8e78 |
memory/2768-84-0x000000013FA20000-0x000000013FD74000-memory.dmp
memory/3024-83-0x000000013FA20000-0x000000013FD74000-memory.dmp
memory/3024-97-0x0000000002400000-0x0000000002754000-memory.dmp
memory/1384-99-0x000000013F1D0000-0x000000013F524000-memory.dmp
C:\Windows\system\GhvaLGN.exe
| MD5 | 76088e41e197028332006c33c45a396c |
| SHA1 | f7bb306c7eb5e6967a2360218186fc9b39e4ebc7 |
| SHA256 | a06ea93a034bb98ac1e1b2bc1374298e96f8a38239b3870cd02bc596a7baf8c7 |
| SHA512 | 36f9fd9039e21d94a4cde50c1fc59c32797ea4707084baf57318783a12628c5eb3ae14381725d09f1d7cf20403bc4f488ed4bef22948c3d9f8eefea2e3d38139 |
C:\Windows\system\FolLFAi.exe
| MD5 | 3478503bca3c715f55417cd7b137b21c |
| SHA1 | 5699b9b09da32521ad8387a9772cfff80c522bef |
| SHA256 | 71781525b31083434819f5d58d9b5d237f2d64556ac926b4aabef2aeae9467a4 |
| SHA512 | 3c532c3cfdf914d8c4d4c97acf3c788d94abc9bf30310c57d4d89827a0408523b3e46637080d918f1b9941757811a87312d8a5a5651571659444243176fd8236 |
\Windows\system\xgYFMWA.exe
| MD5 | 1e56c8daf638a9e474d93f07358fb4e6 |
| SHA1 | 49cdd50f06c099f63b74a8568bcde50e6a67aa29 |
| SHA256 | 6b5e0ea72cab39e7e5e0f45d743937457b599e4e7278773060e75f5877d39a87 |
| SHA512 | 5d901228acdb936868c26b211e1780304a54c8a2a3c71b8caf968c00340e008a4fda5293c54fa2a22656c31d3b06d89ba480f7145bbce9accceaf7914fbac932 |
C:\Windows\system\yGSVerv.exe
| MD5 | 00a56dcc47d9abf57d36a2d2c0a25479 |
| SHA1 | 7819ab136c8bf673e0eea43e9fa986c0e431e891 |
| SHA256 | 020b8cfc224b403d2e67bf26d57b0462e21200991a87cd1871e07578a0abe2a6 |
| SHA512 | 2b811417e3133e239db79c4f17ae77c0171799128ed678255e305b474badd672ba09e514ca189a99140b4504d4ec9ab0096d11d1c4d7bb82db3d2a2cc8fbf5ba |
C:\Windows\system\ljbBNpD.exe
| MD5 | ec4bd4755119dc78a958550658ea93cb |
| SHA1 | a449a51f5a5cd6d005fc3e0bbc74df3c1bf212ca |
| SHA256 | 619700101aa44644f5e437fc7dc2eedb833df8362907996deefd77d5d27b78a0 |
| SHA512 | 42e6833b40c8aaac87a65d1835677ee8aeb3ad33f6d6113babc8329cc30b95d71fc3ca37a06edb52db19374123891bf4a76516a5bf4ae86a6380fb1a4b27dce3 |
C:\Windows\system\hxGLxEt.exe
| MD5 | 2565c0c2e7ea4de49a30f13f29d2b276 |
| SHA1 | 32cdba67c457eb8468cdd37e6f042e8eb2f5471a |
| SHA256 | a4b6f4e2cfbd58125a2d06331ffd72fa8fa526f0609e7797ab6c42d02b9ad151 |
| SHA512 | eaf30cda62602e5fa7343d510e705242a944a1c47f342afc938ed0a49bdc917a1eb98d80e012f9106eb0fce69a6f6bf9b1fc1488e40c836b8373ca91a3a40531 |
memory/3024-105-0x000000013F980000-0x000000013FCD4000-memory.dmp
memory/2412-104-0x000000013FA10000-0x000000013FD64000-memory.dmp
C:\Windows\system\rBGhlZY.exe
| MD5 | 082911a3143b9a7d6f26f6587a626379 |
| SHA1 | dfe7ec0f59c063211cc6975f0261aba038e83e6e |
| SHA256 | 0eecb1d774c69566fb623f1bc7de7124406f9886e8c5a8a5e9e3590864222ae4 |
| SHA512 | f1791be9a76b6eeb51311c851bc7dc27dd721dc05d7c903168fe0266078e19c6e262d26789c23dd28a58e6a67dcc64e835d9a9f9cef885d50baa54b6bfb975f2 |
memory/2056-137-0x000000013FBE0000-0x000000013FF34000-memory.dmp
memory/3024-98-0x000000013F1D0000-0x000000013F524000-memory.dmp
memory/364-91-0x000000013F0B0000-0x000000013F404000-memory.dmp
C:\Windows\system\ZYaSdbV.exe
| MD5 | bae5577565b45479b0b9c1048e800382 |
| SHA1 | 2f77ca7ce1c9d81232be51569b179779f617d6de |
| SHA256 | bb0cef5e61a720e25979dbfb3e1b5bb93dcd0d3fb37208fd55a01ca309d72944 |
| SHA512 | 76286304c925e34639edb47d78a663da354b5f1443345f8a3437a53a14585a3d02396ce71816a10cc6878ea43da24d7305c1bab2bf23940a7687de8c8a67a82c |
C:\Windows\system\EKbDqvD.exe
| MD5 | da433f927cb1ce87dc002cd0dc3d3045 |
| SHA1 | da5ccd80139e68d7dc12221b98f545743e59fcf1 |
| SHA256 | 5fe88e48800d807891e2c672ae9a66144b9a0c156764631c5f67c9828e3b1101 |
| SHA512 | 42c5b439f299a802fccd949ebff157930199118ca8ada215c699bdff1cc4ab908fbb27bb0aa481fa371899f0aeacefeb9957c8e3aa9d45c73d6a8a03f7b35014 |
memory/3024-138-0x0000000002400000-0x0000000002754000-memory.dmp
C:\Windows\system\QKFgNtI.exe
| MD5 | 370f9fd0474b6bce38388c7538205b90 |
| SHA1 | ff220b5207e9f1481abdf5545da5a3acd3d11dbd |
| SHA256 | 27fd6bd67b08df8aa3537903f411749cc5f051bfbeff607055b3c256956ec8ab |
| SHA512 | ab8341ec658fd8d951f77198497737ab6f115bf2553ed198c55d2e8021caf646eb55404af1d74687be0b6c8100f5bd95c59b0f7500c03261ba27f820e31a8e8e |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-21 01:25
Reported
2024-06-21 01:27
Platform
win10v2004-20240508-en
Max time kernel
51s
Max time network
51s
Signatures
xmrig
UPX dump on OEP (original entry point)
XMRig Miner payload
UPX packed file
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-21_033c36bfe4c432dccb870dafd1283ce0_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-21_033c36bfe4c432dccb870dafd1283ce0_cobalt-strike_cobaltstrike_poet-rat.exe" |
Network
Files
memory/2068-0-0x00007FF66A280000-0x00007FF66A5D4000-memory.dmp