Analysis Overview
SHA256
eee036d2a8f6031b01b399eb9d38f359fb45c27dea4b99bfdf19649bdb1e2945
Threat Level: Known bad
The file 2024-06-21_0a9cefb32ee7d7cd794692a674f9b462_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
XMRig Miner payload
Cobaltstrike family
Detects Reflective DLL injection artifacts
Cobaltstrike
Cobalt Strike reflective loader
Xmrig family
xmrig
UPX dump on OEP (original entry point)
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-21 01:25
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-21 01:25
Reported
2024-06-21 01:28
Platform
win7-20240220-en
Max time kernel
133s
Max time network
143s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\tFlxzOn.exe | N/A |
| N/A | N/A | C:\Windows\System\USprRET.exe | N/A |
| N/A | N/A | C:\Windows\System\BQnsefl.exe | N/A |
| N/A | N/A | C:\Windows\System\hERvFrw.exe | N/A |
| N/A | N/A | C:\Windows\System\abqKxRk.exe | N/A |
| N/A | N/A | C:\Windows\System\yyXITws.exe | N/A |
| N/A | N/A | C:\Windows\System\VRsORPK.exe | N/A |
| N/A | N/A | C:\Windows\System\pPHsFSk.exe | N/A |
| N/A | N/A | C:\Windows\System\KeUdALe.exe | N/A |
| N/A | N/A | C:\Windows\System\bwtPgeK.exe | N/A |
| N/A | N/A | C:\Windows\System\tYdlcnr.exe | N/A |
| N/A | N/A | C:\Windows\System\KWiKtyy.exe | N/A |
| N/A | N/A | C:\Windows\System\UZZwARl.exe | N/A |
| N/A | N/A | C:\Windows\System\BtKpNkB.exe | N/A |
| N/A | N/A | C:\Windows\System\TRXdJHu.exe | N/A |
| N/A | N/A | C:\Windows\System\fIxCSaP.exe | N/A |
| N/A | N/A | C:\Windows\System\lgljBBE.exe | N/A |
| N/A | N/A | C:\Windows\System\UMBFqjK.exe | N/A |
| N/A | N/A | C:\Windows\System\CxmgKhz.exe | N/A |
| N/A | N/A | C:\Windows\System\ahfVCUr.exe | N/A |
| N/A | N/A | C:\Windows\System\onJZXOw.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-21_0a9cefb32ee7d7cd794692a674f9b462_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-21_0a9cefb32ee7d7cd794692a674f9b462_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-21_0a9cefb32ee7d7cd794692a674f9b462_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-21_0a9cefb32ee7d7cd794692a674f9b462_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\tFlxzOn.exe
C:\Windows\System\BQnsefl.exe
C:\Windows\System\USprRET.exe
C:\Windows\System\hERvFrw.exe
C:\Windows\System\abqKxRk.exe
C:\Windows\System\yyXITws.exe
C:\Windows\System\BtKpNkB.exe
C:\Windows\System\VRsORPK.exe
C:\Windows\System\TRXdJHu.exe
C:\Windows\System\pPHsFSk.exe
C:\Windows\System\fIxCSaP.exe
C:\Windows\System\KeUdALe.exe
C:\Windows\System\lgljBBE.exe
C:\Windows\System\bwtPgeK.exe
C:\Windows\System\UMBFqjK.exe
C:\Windows\System\tYdlcnr.exe
C:\Windows\System\CxmgKhz.exe
C:\Windows\System\KWiKtyy.exe
C:\Windows\System\ahfVCUr.exe
C:\Windows\System\UZZwARl.exe
C:\Windows\System\onJZXOw.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-21 01:25
Reported
2024-06-21 01:28
Platform
win10v2004-20240508-en
Max time kernel
80s
Max time network
100s
Command Line
Signatures
xmrig
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-21_0a9cefb32ee7d7cd794692a674f9b462_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-21_0a9cefb32ee7d7cd794692a674f9b462_cobalt-strike_cobaltstrike_poet-rat.exe"
Network
| Country | Destination | Domain | Proto |
| US | 52.111.229.48:443 | | tcp |
Files
memory/4712-0-0x00007FF72BA10000-0x00007FF72BD64000-memory.dmp