Analysis Overview
SHA256: c36053b2574772ec2ce1a1e04295f2a2157e0c4079e460c7b4364bf11d789695
Threat Level: Known bad
The file 2024-06-21_16414d28e9a66ad49604505d8dbdf503_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
XMRig Miner payload
Cobaltstrike
Xmrig family
Cobalt Strike reflective loader
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
Cobaltstrike family
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported: 2024-06-21 01:26
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
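Added example, not part of the sandbox output: a pure-Python check for the two static findings listed above, "UPX packed file" and "Unsigned PE". It walks only the PE headers (no pefile dependency) and runs on a header built in-script by build_test_pe, a constructed fixture rather than the analysed sample. Two caveats a triage analyst should keep in mind are written into the code: UPX section names can be renamed by the packer, so a miss does not clear a file, and an empty security directory only rules out an embedded Authenticode signature, not catalog signing.

```python
"""Static pre-checks for the findings "UPX packed file" and "Unsigned PE".
Example code added to this report, not part of the sandbox output. It reads
only the PE headers; the inputs are built in-script by build_test_pe
(constructed fixtures, not the analysed sample)."""
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4          # Authenticode signature directory
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b"UPX!"}


def parse_pe(data: bytes) -> dict:
    """Return optional-header magic, section names and the security directory."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:                                    # PE32+ (x64)
        dd_count_off, dd_off = opt + 108, opt + 112
    elif magic == 0x10B:                                  # PE32
        dd_count_off, dd_off = opt + 92, opt + 96
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    dd_count = struct.unpack_from("<I", data, dd_count_off)[0]
    security = (0, 0)
    if dd_count > IMAGE_DIRECTORY_ENTRY_SECURITY:
        security = struct.unpack_from("<II", data, dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    sections = []
    first_section = opt + size_opt                        # section table follows the optional header
    for i in range(num_sections):
        name = struct.unpack_from("8s", data, first_section + 40 * i)[0]
        sections.append(name.rstrip(b"\0"))
    return {"magic": magic, "sections": sections, "security_dir": tuple(security)}


def is_upx_packed(info: dict) -> bool:
    """Stock UPX leaves UPX0/UPX1 section names. Packers can rename them, so a
    miss does not clear a file; a hit is a reliable 'unpack before scanning'."""
    return any(name in UPX_SECTION_NAMES for name in info["sections"])


def is_unsigned(info: dict) -> bool:
    """An all-zero security directory means no embedded Authenticode signature.
    Catalog-signed Windows binaries also look unsigned here; check those with
    signtool or Get-AuthenticodeSignature, which consult the catalog store."""
    return info["security_dir"] == (0, 0)


def build_test_pe(section_names, signed: bool = False) -> bytes:
    """Construct a minimal PE32+ header with the given sections (test fixture)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    size_opt = 112 + 8 * 16                               # PE32+ fixed part + 16 data dirs
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0, size_opt, 0x22)
    opt = struct.pack("<H", 0x20B) + b"\0" * 106 + struct.pack("<I", 16)
    dirs = bytearray(8 * 16)
    if signed:                                            # non-zero security dir = embedded signature
        struct.pack_into("<II", dirs, 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x1000, 0x800)
    sections = b"".join(
        struct.pack("<8sIIIIIIHHI", n, 0, 0, 0, 0, 0, 0, 0, 0, 0) for n in section_names
    )
    return dos + b"PE\0\0" + coff + opt + bytes(dirs) + sections


if __name__ == "__main__":
    for names, signed in (([b"UPX0", b"UPX1", b".rsrc"], False),
                          ([b".text", b".rdata", b".data"], True)):
        info = parse_pe(build_test_pe(names, signed))
        print(info["sections"], "UPX" if is_upx_packed(info) else "not UPX",
              "unsigned" if is_unsigned(info) else "signed")
```

To run it against a real dropped file, replace the fixture with `parse_pe(open(path, "rb").read())`; the checks are header-only, so nothing in the sample is executed.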
Analysis: behavioral1
Detonation Overview
Submitted: 2024-06-21 01:26
Reported: 2024-06-21 01:29
Platform: win7-20240419-en
Max time kernel: 138s
Max time network: 151s
Command Line
Signatures
Cobalt Strike reflective loader
21 matches recorded; description, indicator, process and target were not captured.
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 matches recorded; description, indicator, process and target were not captured.
UPX dump on OEP (original entry point)
51 matches recorded; description, indicator, process and target were not captured.
XMRig Miner payload
53 matches recorded; description, indicator, process and target were not captured.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\xxNYBct.exe | N/A |
| N/A | N/A | C:\Windows\System\eZjHpar.exe | N/A |
| N/A | N/A | C:\Windows\System\rqqSODO.exe | N/A |
| N/A | N/A | C:\Windows\System\JOgHCso.exe | N/A |
| N/A | N/A | C:\Windows\System\wSoyXcH.exe | N/A |
| N/A | N/A | C:\Windows\System\cjFrecq.exe | N/A |
| N/A | N/A | C:\Windows\System\lJovADx.exe | N/A |
| N/A | N/A | C:\Windows\System\msaHUTY.exe | N/A |
| N/A | N/A | C:\Windows\System\nxtlxIu.exe | N/A |
| N/A | N/A | C:\Windows\System\bclofXg.exe | N/A |
| N/A | N/A | C:\Windows\System\zzXQFVU.exe | N/A |
| N/A | N/A | C:\Windows\System\njCEnSI.exe | N/A |
| N/A | N/A | C:\Windows\System\ieEUGQe.exe | N/A |
| N/A | N/A | C:\Windows\System\EerMGkH.exe | N/A |
| N/A | N/A | C:\Windows\System\alBzzVY.exe | N/A |
| N/A | N/A | C:\Windows\System\RBSrITq.exe | N/A |
| N/A | N/A | C:\Windows\System\OYxlHwr.exe | N/A |
| N/A | N/A | C:\Windows\System\SMLCJvP.exe | N/A |
| N/A | N/A | C:\Windows\System\wAoTUEF.exe | N/A |
| N/A | N/A | C:\Windows\System\FpiJoTg.exe | N/A |
| N/A | N/A | C:\Windows\System\cTbllWx.exe | N/A |
Loads dropped DLL
UPX packed file
51 matches recorded; description, indicator, process and target were not captured.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-21_16414d28e9a66ad49604505d8dbdf503_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-21_16414d28e9a66ad49604505d8dbdf503_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
SeLockMemoryPrivilege is the privilege Windows requires for large-page allocations (VirtualAlloc with MEM_LARGE_PAGES). XMRig enables it so that its RandomX dataset can be backed by huge pages, so this token adjustment by the parent process lines up with the XMRig Miner payload detections above. It is also a useful hunting pivot: few legitimate applications request it, database engines such as SQL Server (Lock Pages in Memory) being the usual exception.
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-21_16414d28e9a66ad49604505d8dbdf503_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-21_16414d28e9a66ad49604505d8dbdf503_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\xxNYBct.exe
C:\Windows\System\xxNYBct.exe
C:\Windows\System\eZjHpar.exe
C:\Windows\System\eZjHpar.exe
C:\Windows\System\rqqSODO.exe
C:\Windows\System\rqqSODO.exe
C:\Windows\System\JOgHCso.exe
C:\Windows\System\JOgHCso.exe
C:\Windows\System\wSoyXcH.exe
C:\Windows\System\wSoyXcH.exe
C:\Windows\System\cjFrecq.exe
C:\Windows\System\cjFrecq.exe
C:\Windows\System\lJovADx.exe
C:\Windows\System\lJovADx.exe
C:\Windows\System\msaHUTY.exe
C:\Windows\System\msaHUTY.exe
C:\Windows\System\nxtlxIu.exe
C:\Windows\System\nxtlxIu.exe
C:\Windows\System\bclofXg.exe
C:\Windows\System\bclofXg.exe
C:\Windows\System\zzXQFVU.exe
C:\Windows\System\zzXQFVU.exe
C:\Windows\System\njCEnSI.exe
C:\Windows\System\njCEnSI.exe
C:\Windows\System\ieEUGQe.exe
C:\Windows\System\ieEUGQe.exe
C:\Windows\System\EerMGkH.exe
C:\Windows\System\EerMGkH.exe
C:\Windows\System\alBzzVY.exe
C:\Windows\System\alBzzVY.exe
C:\Windows\System\RBSrITq.exe
C:\Windows\System\RBSrITq.exe
C:\Windows\System\OYxlHwr.exe
C:\Windows\System\OYxlHwr.exe
C:\Windows\System\FpiJoTg.exe
C:\Windows\System\FpiJoTg.exe
C:\Windows\System\SMLCJvP.exe
C:\Windows\System\SMLCJvP.exe
C:\Windows\System\cTbllWx.exe
C:\Windows\System\cTbllWx.exe
C:\Windows\System\wAoTUEF.exe
C:\Windows\System\wAoTUEF.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | N/A | tcp |
This endpoint was recorded six times during the detonation; no domain was resolved for it.
Files
memory/1936-1-0x0000000000200000-0x0000000000210000-memory.dmp
memory/1936-0-0x000000013F820000-0x000000013FB74000-memory.dmp
\Windows\system\xxNYBct.exe
| MD5 | 9395652a75afa8a78ca496ca6acb804f |
| SHA1 | e993d3dc7a7174f8ffa1bf48c8e6b844f8b6ff52 |
| SHA256 | 925241733e472476ae6db6c67a87ba7371d01682e4d64440ec7fc90c1bbb4141 |
| SHA512 | 7fa43b8b1d3cc2acd17945b2231ec9a1e1d2b99204f3e4db2cd80d3e8d33d8bb3e05999e8a068f131156203d95ffe57ecfbbf38c863f2a914866cb6b82e8eb78 |
C:\Windows\system\eZjHpar.exe
| MD5 | ac85b987d70ebddfc5cc5518f42909d2 |
| SHA1 | da49c6a2edb63cb19b1d563c2481b6ba6ad19867 |
| SHA256 | cf620f7368718d684e978fa2dc238ba02653dece88c5ba4bafb90b5381b38f65 |
| SHA512 | c5fecc5beb0bc5fd09c3b162a9700ba2f3d1be6a90b566de8bb054841e65bb19babcdda6f4a53f648a305ae5c37996937b4372fe68fe68f6c1cb224ce94d5143 |
memory/1936-15-0x0000000002240000-0x0000000002594000-memory.dmp
\Windows\system\rqqSODO.exe
| MD5 | b37986a8c75258b849df2cb2b59b8428 |
| SHA1 | 32fbac4f9d6619b9461181fc81451e8909f56d21 |
| SHA256 | 024f9a6d88f4111ae6395b3ebe5f0864d0e9dc19284b36314d8fdeb8104b5fb8 |
| SHA512 | c92e12d0eb68b30257fbf0ebeca2b8d5dfefab18e2292b8805374e3a63b5b369dc1d87857245cd7712519dfb967d1f991358072583df66b95452fb5925514532 |
C:\Windows\system\JOgHCso.exe
| MD5 | 2652c109f0c251b0a7342e617bfa1c6d |
| SHA1 | 12665ee6c45a3ed2a7e086e1f76a23d160f7fc17 |
| SHA256 | ffaf04993dc1b68dc2209d72951597f3f8ad9ddcdac23b9fbb611aff7785593f |
| SHA512 | c678aae7e9339d6eef2ee8aa8e63d5a9cc549c2a51a946f071dd302941762f8c5d8446a9974e355c96fe0a873388ce41cd0dde41e7d326135c1ccfecdac6dfe0 |
C:\Windows\system\wSoyXcH.exe
| MD5 | f7bf8f822fb9fd03c76f5cc0234f19b5 |
| SHA1 | 01dfffead83d1836661755ae3307aa2a3c670967 |
| SHA256 | 7444cbbcc653285be7124bc475e4b1363e0dfae8b9cc600520cda69fe88d033d |
| SHA512 | 44f3569be30312cb903c39211670dfca25e32b9402f4ee31cbeff1c7ef5f0e98dd38db7628a5d14c3b870f5bc702b9282600e2b913d579cd160dd41fb628c15f |
C:\Windows\system\cjFrecq.exe
| MD5 | 3214321d5a219698dad7d591555cf20e |
| SHA1 | ea6060a97bf2b5d9ccaad70f6e70830f033bbf63 |
| SHA256 | 21e5bb1a44b5255c3f8576f74d19de7ef527aec668d8fe2acfaca4a608f73538 |
| SHA512 | d3b290d9d6e98fc2652e8158349857b592e8b7763d4227fd3874ba96b9d9ac285af3b2d4b3b6b428c44dc04c5bb97d502149aefd16a66cb18594a5746c91a91b |
C:\Windows\system\lJovADx.exe
| MD5 | b39e1bd8af1bda92a20e9d359549e845 |
| SHA1 | f9e2205f8727138b23b4ab324c798daf632a612b |
| SHA256 | ddcd1308308239a1b3703a4ac4618e6fe244858e7d13f1b06eb6c6062dceb041 |
| SHA512 | 644aa229f322673469b4017b4cb70ee0eab3f239a456764180c74936c4ee3615c5bcfa8cfacb5561a58916149c874b677322f63ee41b57feb85e4de30aca5093 |
\Windows\system\msaHUTY.exe
| MD5 | 3c668584fcac33d0e9d78811eb4f9c9e |
| SHA1 | 273f8ac2568d7cba1d29a667d7902ac34983fe96 |
| SHA256 | 435e2eac343dfcdb5ea603203d13cde9ca29ae84a047d212cc632eb22442114e |
| SHA512 | 1a0398f46f4b50881fc2305f5802a68d5ed5068a08b8961566793765bd7af7e544b84002848fc122749b1bc495b189038310e6195afbde79577e990244fb6669 |
\Windows\system\nxtlxIu.exe
| MD5 | b3ad1a31380ba2806c9a4b5032396d7d |
| SHA1 | 44b021368dd3aa034c0f8029c37ae0594c1d2982 |
| SHA256 | 6ae405259ae41b194d4140627fef4d8d8bce2f4a6f265121d2bbd3ce1688200d |
| SHA512 | ec76568f8402b84dc39af5ebbc6d9ff8547bca9d251e4b29a4409224b842547698cfd7c6c919396f920329656020bf6b10f08c88c9e7baa462b4381cc46f7e3b |
\Windows\system\bclofXg.exe
| MD5 | 601bb5877059a811508bd6e787e47d0d |
| SHA1 | 8c848ba433ca8aa47e07052ae2393ea31b7b5dcd |
| SHA256 | 357d1b1eb819bed88095ff145c0eda785ec5855a0c69b99462fa2cfbd0e0814b |
| SHA512 | 1d7acbb511415e9a723c8d4e4f228021a65f101827ba224251b31f0e112ea7c64cd10e75413e52bcb50110df7bf9cdb00b9e052bddac8d8fec1c02e25abb6d8f |
C:\Windows\system\zzXQFVU.exe
| MD5 | 88b6e83983eb8e0010451dc7cc0659a8 |
| SHA1 | 26bc03b63f38541aad71b823dc6ddcdca7497d22 |
| SHA256 | 9a5ea7b87ffa323d69b8868cdf9e8f3dd8a1e22fa3bedec62f6fa33502b36e72 |
| SHA512 | b7e0d7037d8e26b949cae8df3a4b33c903af14014203b749d67964195d63344d0a4d7f40f9f86c28242108821ac198ba9df453621b593ec263e407ca34b113e3 |
C:\Windows\system\ieEUGQe.exe
| MD5 | f7bfe93c33829400cbd6355b46269233 |
| SHA1 | d7437c23174e2ea008ff6751cf9783dc8a333ca2 |
| SHA256 | 8ed1f1bafda300ab469ecb0c52d58011443fd4b60dc2f11fcb095ba1b8434db3 |
| SHA512 | d889e0fdc4bce6b7792b90d9ea817938e14d92b60c4b040972e3be276267d71c68cba302831d57abecb95b3c614c1e5cf8817915c94e3e047463071caacff0c1 |
\Windows\system\SMLCJvP.exe
| MD5 | 95dd77017789435b96db8d76901b4576 |
| SHA1 | 1b9cf7a25ac5807010ce122fa9513142618924aa |
| SHA256 | 9c1d69f30f7500f2750c4a8d20e38879721d35234154c3bb0e608f9f9158fef9 |
| SHA512 | 142f3f1985c7bbbdc09cae1720cfec1e8a79999e80110b20d9b3de868f98812458019a55f1ed86d798c539b141a29dd2aae2021a9072f59a9038776a250bc43c |
\Windows\system\cTbllWx.exe
| MD5 | 9c0f5e896c0cecd41d516a2017dce8b8 |
| SHA1 | 1fde0bc4defd5a4268436e7d3e1a702cf4a6ca1c |
| SHA256 | f74b2ab8389cecc1dd5bcf95c8208c2cc91e6271300f3490863953dbc31b021d |
| SHA512 | 4b118fa686feb83f070ab2e5288bd13e4adf0108d7bd3db002871a5207b916d230b52025e378a8c3765e77a190525f9fa74bdef4657c853aa9121b9edc1da74b |
memory/3048-107-0x000000013FCF0000-0x0000000140044000-memory.dmp
memory/2704-120-0x000000013FE40000-0x0000000140194000-memory.dmp
memory/2640-121-0x000000013F630000-0x000000013F984000-memory.dmp
memory/1936-119-0x000000013FE40000-0x0000000140194000-memory.dmp
memory/2664-118-0x000000013F860000-0x000000013FBB4000-memory.dmp
memory/2308-117-0x000000013FDF0000-0x0000000140144000-memory.dmp
memory/1936-116-0x000000013FDF0000-0x0000000140144000-memory.dmp
memory/2652-115-0x000000013FEF0000-0x0000000140244000-memory.dmp
memory/1936-114-0x000000013FEF0000-0x0000000140244000-memory.dmp
memory/2804-113-0x000000013FB10000-0x000000013FE64000-memory.dmp
\Windows\system\FpiJoTg.exe
| MD5 | 2b95ca6f7832ed291d1e68368633554b |
| SHA1 | b335b035bdcd1be3c3f0afff736956d0f697109f |
| SHA256 | 6b0e9a485a0f97b815f803dd8a214d5d52e16f0bdc80ef2661841eb3b94d5d68 |
| SHA512 | f1432e8b976a9ebc32800aae9890f596acab8f386ddabae6c9be2e9d40f94f3c2b556cc38c5e63f043802a3f79aa33999e68e358ffa79ec29d93f6ad19810e03 |
memory/1936-112-0x0000000002240000-0x0000000002594000-memory.dmp
memory/2632-109-0x000000013FEC0000-0x0000000140214000-memory.dmp
memory/1936-108-0x000000013FEC0000-0x0000000140214000-memory.dmp
C:\Windows\system\RBSrITq.exe
| MD5 | 717b4ce4d8f24de8b1e3e7935c50edd0 |
| SHA1 | f3be8118def03fd8e38af86542c1f48006db1a68 |
| SHA256 | f0f408ce73d3df3984b85b7d7a85a85f837ee5b6c6288dea3e426116c492d6cd |
| SHA512 | 61b92342a47c4b6cc4b73548e44a96f103534c1672bf861d2d9b83ac4f74a9b551775675d6b569395d53f8240f56c777b352c36e464ba8be9fdf3901194fddc0 |
C:\Windows\system\wAoTUEF.exe
| MD5 | 5970b0b9ad6050c41ec20f150ee89a66 |
| SHA1 | 896092c5958e16d51d28835e8b13030e1d806d6e |
| SHA256 | 91a294aa53b578a6fa8326f1440e3e30e3e8fe72e91346e8ff0336687e95a715 |
| SHA512 | fe34318c77f4df4a44ea56c4068729deb7afb73c13da4fa0232d1e2ed9cb67d163809543504e5f388202662cd1c651aa909f2daf83b55735c38826b42da89c19 |
C:\Windows\system\OYxlHwr.exe
| MD5 | 79a8cb7dce7f2c2a2856e4f30d810d8d |
| SHA1 | 9c9a1b64d555a33b8c5391894b69b2e4938d2b7f |
| SHA256 | 670bbeddc0f306ef809bb2f553af331d528fd1d1c3d1bf035dd5be0235ab5bfb |
| SHA512 | 6978a7ac144539a8193118c628b45db3a983bbb2b65303c0b1e950b57865fe9c1b35e9fb7f1a41241b36a8fe36a61df874f2ce5e62f64ecd81e7df5427ed96c2 |
C:\Windows\system\EerMGkH.exe
| MD5 | 14d34fabe88c3096e666cd25298a29fb |
| SHA1 | 4395730215a0dec3a7b80022aa76e137ab90ec0e |
| SHA256 | 9230284551bba686099fa6ce112afbc4d145d67404fcbb641091c54e233646e4 |
| SHA512 | 20d6f9413c462bd197bf6acac8577a4eb3d9cfb5726a8bc53aff310ddd102575ad7528f80c2d35bfbc48df8f917759ced87602018d51b53603d35cc7cf4c2bb7 |
memory/2584-83-0x000000013F9D0000-0x000000013FD24000-memory.dmp
C:\Windows\system\alBzzVY.exe
| MD5 | fe5418fc40c08b2b5a95024f89d57a13 |
| SHA1 | a2db2683f67242b7c6689c70f270ac71d2868eb3 |
| SHA256 | e32541e38743dcad8dcc197f91c91ac3e7750960c06f6435e841373f5c710c15 |
| SHA512 | c45e940ad771b24eb1b1fcbea9177a4389c403350df589dfc71fea3d0d8ab2827aaa460e8ad3ba057585e54d3de8224be5f848a27073b58eebcb067788546ae4 |
C:\Windows\system\njCEnSI.exe
| MD5 | 3d9b0042cbbe8cf7aed49515f4399f57 |
| SHA1 | f9e9ce2218377819b8674e93c7ad11c6c1a72f23 |
| SHA256 | f56e60e4ee5588c488cbb553052d2db27f7e86383591c94cdae04cc8a7d73ec4 |
| SHA512 | ed86b7a93ca5bd8bb66f896017594dffd7466066c3d1ab28d78c20e7b2c43f4ac2ef04e856a868eb3a06f40af13b4f0d4456582304d44ed506c64a9153060b9d |
memory/1936-123-0x000000013F450000-0x000000013F7A4000-memory.dmp
memory/2556-122-0x000000013F810000-0x000000013FB64000-memory.dmp
memory/1936-125-0x000000013F430000-0x000000013F784000-memory.dmp
memory/2516-124-0x000000013F450000-0x000000013F7A4000-memory.dmp
memory/2580-126-0x000000013F430000-0x000000013F784000-memory.dmp
memory/2552-127-0x000000013FDA0000-0x00000001400F4000-memory.dmp
memory/1936-128-0x000000013F460000-0x000000013F7B4000-memory.dmp
memory/2384-129-0x000000013F2B0000-0x000000013F604000-memory.dmp
memory/1936-130-0x000000013F820000-0x000000013FB74000-memory.dmp
memory/2584-131-0x000000013F9D0000-0x000000013FD24000-memory.dmp
memory/3048-132-0x000000013FCF0000-0x0000000140044000-memory.dmp
memory/2384-133-0x000000013F2B0000-0x000000013F604000-memory.dmp
memory/2632-134-0x000000013FEC0000-0x0000000140214000-memory.dmp
memory/2804-135-0x000000013FB10000-0x000000013FE64000-memory.dmp
memory/2652-136-0x000000013FEF0000-0x0000000140244000-memory.dmp
memory/2308-137-0x000000013FDF0000-0x0000000140144000-memory.dmp
memory/2664-138-0x000000013F860000-0x000000013FBB4000-memory.dmp
memory/2704-139-0x000000013FE40000-0x0000000140194000-memory.dmp
memory/2640-140-0x000000013F630000-0x000000013F984000-memory.dmp
memory/2556-141-0x000000013F810000-0x000000013FB64000-memory.dmp
memory/2516-142-0x000000013F450000-0x000000013F7A4000-memory.dmp
memory/2580-143-0x000000013F430000-0x000000013F784000-memory.dmp
memory/2552-144-0x000000013FDA0000-0x00000001400F4000-memory.dmp
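Added example, not part of the sandbox output: two triage helpers for the behavioral1 artifacts above. The first flags the pattern in the "Executes dropped EXE" table, executables with seven-letter mixed-case names written to C:\Windows\System (the legacy 16-bit directory, which on a current Windows holds a handful of files and should never be launching anything). The second parses the memory dump names in the Files section into per-PID regions and reports which processes map a region of exactly 0x354000 bytes, the size every dropped child shows here. The inputs are copied from the tables above; the regexes and the size constant are the example's own choices.

```python
"""Triage helpers for the behavioral1 artifacts: random-named drops in
C:\\Windows\\System and the mapped image size behind each memory dump.
Example code added to this report, not output of the sandbox; the inputs
below are copied from the report's own tables."""
import re
from collections import defaultdict

# From "Executes dropped EXE" (copied from the report, first four entries).
DROPPED = [
    r"C:\Windows\System\xxNYBct.exe",
    r"C:\Windows\System\eZjHpar.exe",
    r"C:\Windows\System\rqqSODO.exe",
    r"C:\Windows\System\JOgHCso.exe",
]
# From the Files section: memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
DUMPS = [
    "memory/1936-0-0x000000013F820000-0x000000013FB74000-memory.dmp",
    "memory/1936-1-0x0000000000200000-0x0000000000210000-memory.dmp",
    "memory/3048-107-0x000000013FCF0000-0x0000000140044000-memory.dmp",
    "memory/2704-120-0x000000013FE40000-0x0000000140194000-memory.dmp",
]

# C:\Windows\System (not System32) is the legacy 16-bit directory; nothing
# should execute from it on a modern host. Case-insensitive, drive-agnostic.
LEGACY_SYSTEM_DIR = re.compile(r"^[A-Za-z]:\\Windows\\System\\([^\\]+)$", re.IGNORECASE)
# Heuristic for the naming scheme seen here: exactly seven letters, both cases
# present, ".exe". Tuned to this report; all-lowercase or longer names will miss.
RANDOM_NAME = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])[A-Za-z]{7}\.exe$")
DUMP_NAME = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

# Size of the region every dropped child maps in this report (0x354000 bytes).
IMAGE_REGION_SIZE = 0x354000


def suspicious_drop(path: str) -> bool:
    """True for a random-looking .exe living directly in C:\\Windows\\System."""
    m = LEGACY_SYSTEM_DIR.match(path)
    return bool(m and RANDOM_NAME.match(m.group(1)))


def dump_regions(names) -> dict:
    """Map pid -> [(start_address, size_in_bytes), ...] from dump file names."""
    regions = defaultdict(list)
    for n in names:
        m = DUMP_NAME.match(n)
        if not m:
            raise ValueError(f"unexpected dump name: {n}")
        pid, _seq, start, end = m.groups()
        start_i, end_i = int(start, 16), int(end, 16)
        regions[int(pid)].append((start_i, end_i - start_i))
    return dict(regions)


def pids_mapping_image(regions: dict, size: int = IMAGE_REGION_SIZE) -> list:
    """PIDs whose dumps include a region of exactly `size` bytes, sorted."""
    return sorted(pid for pid, regs in regions.items() if any(s == size for _, s in regs))


if __name__ == "__main__":
    for p in DROPPED:
        print(("SUSPICIOUS " if suspicious_drop(p) else "ok         ") + p)
    regs = dump_regions(DUMPS)
    for pid, rs in sorted(regs.items()):
        print(pid, [(hex(a), hex(s)) for a, s in rs])
    print("pids mapping a 0x%x-byte image:" % IMAGE_REGION_SIZE, pids_mapping_image(regs))
```

The size grouping is what makes the file list readable: the twenty child dumps differ in base address and the twenty dropped files differ in hash, but every child maps the same 3,489,792-byte region, which is the quickest way to see that the drops are copies of one payload rather than distinct tools.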
Analysis: behavioral2
Detonation Overview
Submitted: 2024-06-21 01:26
Reported: 2024-06-21 01:29
Platform: win10v2004-20240508-en
Max time kernel: 51s
Max time network: 58s
Command Line
Signatures
xmrig
UPX dump on OEP (original entry point)
XMRig Miner payload
UPX packed file
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-21_16414d28e9a66ad49604505d8dbdf503_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-21_16414d28e9a66ad49604505d8dbdf503_cobalt-strike_cobaltstrike_poet-rat.exe"
Network
Files
memory/116-0-0x00007FF762690000-0x00007FF7629E4000-memory.dmp