Analysis Overview
SHA256
c68d7515ba1519c19288e506934fd4dc80b276eb6c79e3ab306251b4a54f415f
Threat Level: Known bad
The file 2024-06-21_1952b5c1d0dd210224c1abeaf899ee54_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Xmrig family
XMRig Miner payload
Cobaltstrike
xmrig
Cobalt Strike reflective loader
Cobaltstrike family
XMRig Miner payload
Executes dropped EXE
UPX packed file
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-21 01:28
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-21 01:28
Reported
2024-06-21 01:31
Platform
win7-20240611-en
Max time kernel
140s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\sWgQEES.exe | N/A |
| N/A | N/A | C:\Windows\System\HUDXtxa.exe | N/A |
| N/A | N/A | C:\Windows\System\Bwiivnu.exe | N/A |
| N/A | N/A | C:\Windows\System\JiwUZwH.exe | N/A |
| N/A | N/A | C:\Windows\System\gsaILxd.exe | N/A |
| N/A | N/A | C:\Windows\System\swfbiSu.exe | N/A |
| N/A | N/A | C:\Windows\System\NLrDjyY.exe | N/A |
| N/A | N/A | C:\Windows\System\sJjeXMd.exe | N/A |
| N/A | N/A | C:\Windows\System\bONywxC.exe | N/A |
| N/A | N/A | C:\Windows\System\hjVLloy.exe | N/A |
| N/A | N/A | C:\Windows\System\UHzxTPU.exe | N/A |
| N/A | N/A | C:\Windows\System\kmjXUwv.exe | N/A |
| N/A | N/A | C:\Windows\System\mXsqVIq.exe | N/A |
| N/A | N/A | C:\Windows\System\NnStjif.exe | N/A |
| N/A | N/A | C:\Windows\System\KIKmyYh.exe | N/A |
| N/A | N/A | C:\Windows\System\YjjZFGp.exe | N/A |
| N/A | N/A | C:\Windows\System\POOoTCn.exe | N/A |
| N/A | N/A | C:\Windows\System\mAYUYfm.exe | N/A |
| N/A | N/A | C:\Windows\System\DMQFLnZ.exe | N/A |
| N/A | N/A | C:\Windows\System\vOcLCwK.exe | N/A |
| N/A | N/A | C:\Windows\System\cQRbHny.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-21_1952b5c1d0dd210224c1abeaf899ee54_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-21_1952b5c1d0dd210224c1abeaf899ee54_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-21_1952b5c1d0dd210224c1abeaf899ee54_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-21_1952b5c1d0dd210224c1abeaf899ee54_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\sWgQEES.exe
C:\Windows\System\sWgQEES.exe
C:\Windows\System\HUDXtxa.exe
C:\Windows\System\HUDXtxa.exe
C:\Windows\System\JiwUZwH.exe
C:\Windows\System\JiwUZwH.exe
C:\Windows\System\Bwiivnu.exe
C:\Windows\System\Bwiivnu.exe
C:\Windows\System\gsaILxd.exe
C:\Windows\System\gsaILxd.exe
C:\Windows\System\swfbiSu.exe
C:\Windows\System\swfbiSu.exe
C:\Windows\System\NLrDjyY.exe
C:\Windows\System\NLrDjyY.exe
C:\Windows\System\sJjeXMd.exe
C:\Windows\System\sJjeXMd.exe
C:\Windows\System\bONywxC.exe
C:\Windows\System\bONywxC.exe
C:\Windows\System\hjVLloy.exe
C:\Windows\System\hjVLloy.exe
C:\Windows\System\UHzxTPU.exe
C:\Windows\System\UHzxTPU.exe
C:\Windows\System\kmjXUwv.exe
C:\Windows\System\kmjXUwv.exe
C:\Windows\System\mXsqVIq.exe
C:\Windows\System\mXsqVIq.exe
C:\Windows\System\NnStjif.exe
C:\Windows\System\NnStjif.exe
C:\Windows\System\KIKmyYh.exe
C:\Windows\System\KIKmyYh.exe
C:\Windows\System\YjjZFGp.exe
C:\Windows\System\YjjZFGp.exe
C:\Windows\System\POOoTCn.exe
C:\Windows\System\POOoTCn.exe
C:\Windows\System\mAYUYfm.exe
C:\Windows\System\mAYUYfm.exe
C:\Windows\System\DMQFLnZ.exe
C:\Windows\System\DMQFLnZ.exe
C:\Windows\System\vOcLCwK.exe
C:\Windows\System\vOcLCwK.exe
C:\Windows\System\cQRbHny.exe
C:\Windows\System\cQRbHny.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2236-0-0x000000013F8E0000-0x000000013FC34000-memory.dmp
memory/2236-1-0x00000000000F0000-0x0000000000100000-memory.dmp
\Windows\system\sWgQEES.exe
| MD5 | 2eb5619b37cde30c7fa1619e47d17037 |
| SHA1 | a79e8c9230d82fac28459d36133aa91b00fa68e3 |
| SHA256 | d8b2f200217508a938e76b0cd59cb7c93370da133e4e0e3fbdd750892540153e |
| SHA512 | b9a378828bc73b0a6171efa5527c8e9098f7031971625d0811a6a77f6966d156ab5577906b32b09647a439fdcdb368418de312b8ba9e8845256d6cabba3b53c3 |
memory/2236-6-0x000000013FD60000-0x00000001400B4000-memory.dmp
\Windows\system\HUDXtxa.exe
| MD5 | 108eeb01c7b190dcd7eae42562c7db3f |
| SHA1 | 2f55c057cf03e48c8f1f0fe4e7ca34fe70505d4f |
| SHA256 | ed781dfa2d523fa5fd4a0f1b98290ea8926698acf5cdaf4380ad5cc91ff15028 |
| SHA512 | ff9360062597182cd893defe7f7eb85c76f12b90536d456c4df39bb207302dc0c661f9e014c35d5f0dcc54d7a382b249fde361a0e59ba10bfb27945548131670 |
C:\Windows\system\Bwiivnu.exe
| MD5 | e51bba14f97172d7e96a26c03baa8e15 |
| SHA1 | b163a342e0174a26c72bb7d93afe437ba3bf5110 |
| SHA256 | 517b83c0e080fe1fbb1a5c91101b94bcff1351fb957ce1d3e46f2e8b3f31b4d2 |
| SHA512 | 2be096ccf4c3154143cd29ad3f4cdae009be422b7ef917a8b2f10b9e3c41fd55c446cd1800912d929ff5b7913b43876e5b4c5a0bafbd5c5cc4752263342a75d6 |
C:\Windows\system\JiwUZwH.exe
| MD5 | dbbcdbabdaa7f1ecf8f6b7e63894b51f |
| SHA1 | a59df9d4e16f81db04b5e8a97460876ca6735ab2 |
| SHA256 | b2ed0d36e6ebf4208c9a6dd6265ef96e0cf6fb8e687f024b13f73a259208ccbd |
| SHA512 | 4d444a4235ef03c2d3a2ac1c35bb38392b609d12266c7a48dc0659b9ee1c804409d9c1f43a394cff905673c3833d86311e23bc5c93a72e8bffdbc73e3be8bf35 |
memory/2800-27-0x000000013FFC0000-0x0000000140314000-memory.dmp
memory/2116-29-0x000000013FDD0000-0x0000000140124000-memory.dmp
memory/2024-15-0x000000013FD60000-0x00000001400B4000-memory.dmp
memory/1828-26-0x000000013F990000-0x000000013FCE4000-memory.dmp
memory/2236-23-0x000000013FDD0000-0x0000000140124000-memory.dmp
memory/2236-20-0x0000000002300000-0x0000000002654000-memory.dmp
memory/2236-19-0x000000013FFC0000-0x0000000140314000-memory.dmp
C:\Windows\system\swfbiSu.exe
| MD5 | cf3efa9ac70e862deee3ca85a8abb349 |
| SHA1 | 60297f9dab1c14cf893c56104bef641c62a6c01a |
| SHA256 | 9fd31da4f165b8f736da6220b2cc0459269648133100afc7d58dbf982fc59198 |
| SHA512 | 82f2f4a6e3554065428374892291a8d0c4e69af7c64bab669f9a60a0e473417233bd6b9b9cd100e619c686ade942185997dc0c73fafb68ec058a9bb3a07ef37f |
memory/2628-40-0x000000013F790000-0x000000013FAE4000-memory.dmp
memory/2788-49-0x000000013F120000-0x000000013F474000-memory.dmp
memory/2532-56-0x000000013F7E0000-0x000000013FB34000-memory.dmp
C:\Windows\system\hjVLloy.exe
| MD5 | 68fdba6f5643de809e5632281a68abc2 |
| SHA1 | e28f5d7fa637c0e0ca6f9f232356b33b0c2a4fd6 |
| SHA256 | 4e45e93dc52898bbb896f8a9ab3c8d58906f7f8740e30959565b10b2adb73a4b |
| SHA512 | b949ae50db52635c550a074aae2709f49d146605b37bad854df4d0778738abbd4832d74bf86ad112756c11b032be32975d123bc6f012be8137505f5fdac8508e |
memory/2548-70-0x000000013F6C0000-0x000000013FA14000-memory.dmp
memory/1828-82-0x000000013F990000-0x000000013FCE4000-memory.dmp
C:\Windows\system\UHzxTPU.exe
| MD5 | 1ad46ef17d8815cb2895623eb68fd429 |
| SHA1 | cf7e0bfc23b06422b1f3fceabceb3a94499c1ad3 |
| SHA256 | 6d867d8189f29382c69f903835a00eb1a5f8a3cdda8270845f91afed7e92ab56 |
| SHA512 | ebffb24208a6f9f61c94ec9618092dc88e8ab6ade92483a51c56cf14f37999736c3e0d1294cd3720ac9a5099fae06705b47499169a0c6e7fd036cd9b5905d983 |
memory/2236-98-0x0000000002300000-0x0000000002654000-memory.dmp
C:\Windows\system\DMQFLnZ.exe
| MD5 | 3edb2bb20128c6afc6e21a7babf046ab |
| SHA1 | b2a96aca24b2a0a00ac8280eb5c280fc232f2c1d |
| SHA256 | d9350053b6db0d17def091fed9646a8b1c9fbd34acce854a755fdce64378c976 |
| SHA512 | 360c5228fb2e5297174f414716f579277c9e730a085402c5d29a2afb74bd60b76f9356389a2134b2bdafdb847bd9137cbe0fef9278ee7f1295ff1797a97a7c8c |
\Windows\system\cQRbHny.exe
| MD5 | fdcada326ae62d8be12996c7f3606422 |
| SHA1 | d6941cc65783c68a18a81f62bf9fe02caa2c7fc2 |
| SHA256 | 040a75b1f1a4b24954ce636325d813ab0d69fce08a87ca230706f52f2877db55 |
| SHA512 | 3f27b73cecf52aeb9558de792025fcc706471748d6c4bcc990722ef6561485b7855b566af05acdaa86281ecf8ed495a1ab7936c1c62cd669625fdb07f0912995 |
C:\Windows\system\vOcLCwK.exe
| MD5 | 982805cc1e2dd63646ace1f4f91681a1 |
| SHA1 | 00e213b40d08596157afbf60cdf174b0ca948853 |
| SHA256 | ff7121fa20167ce986345c7e0487447a19d20f35f98d8c057fffdaff82e6bf66 |
| SHA512 | c990acfbd1969fe3bf068c75e8ba5dacd0eccf8bb2e1570063961ae0e6831521ec750f0beec3a25a2f806a725f4df2bbaf44331c56bdab366b70957d6b90cd1c |
C:\Windows\system\mAYUYfm.exe
| MD5 | f502f0491572b62485b7e42ba1ce8cab |
| SHA1 | 392f0f79b5ab77d725a12065290faa95cd5e744e |
| SHA256 | a5c991c5f29c6e31244a1d8ea5fba9f8e9407feb67e2dea04048b206cd29d324 |
| SHA512 | 639117ef1f38d439ed86a65d618f02efe994ada394b05a88e8a2e66a4542562d4b5c606d30fead7ffa2b511ef93288c2e59f31f8afab600cf976f3116c2cb8cb |
C:\Windows\system\POOoTCn.exe
| MD5 | 9b16cb61db539fb98bad8d72d5e6d0f4 |
| SHA1 | 7285d7599d5d23179117bd1fced479c68f5b997c |
| SHA256 | bc9465533285ce966ef96ec44147869a55a7728f7a6e7490480378f3bbfd1dc0 |
| SHA512 | c838b2c8e2bc85c3ec37a31a27e958dad455c75b95d8a791571624a17e47ade30c0096bfd232b829ee3594c60ffd491a47cc54d9ab9fc39e9a93f8cd56d23365 |
C:\Windows\system\YjjZFGp.exe
| MD5 | 46b8a1e57a9054685f19a2e65b89b5dd |
| SHA1 | af7b74f25289a63cfd91c1c32d72fad740e7ab98 |
| SHA256 | 990fa5b42bc49bd95da71e87f3d66f169185762156be31100a662b0aed70acde |
| SHA512 | a0a35e4864ae1853671d9a8548eb5ed246a3a501b7ef6c3b6f58dc3ab67fc4f3f7e4de3f61f236ca09b1146571389d172ab00e128d8a8250dd6f60e07c6232e8 |
memory/2236-106-0x000000013FD60000-0x00000001400B4000-memory.dmp
memory/2628-105-0x000000013F790000-0x000000013FAE4000-memory.dmp
C:\Windows\system\KIKmyYh.exe
| MD5 | b6330aed4615404fe60abb720019622a |
| SHA1 | dd476608628be6943380900acae2595cd5be6c4e |
| SHA256 | b8e138b442e02c91f28c9589cd5b86e5e24539cc0b2359b0db9e7dac79dd1686 |
| SHA512 | dd3862fb81bce11eae787e9da1636dc64adb6d0dd7bf9605dc18ef7cce3030ca65ace38f9715d7105030767e02c2bafbdae5babed06bce847763031fc23e9e93 |
memory/2936-91-0x000000013F6F0000-0x000000013FA44000-memory.dmp
memory/2116-90-0x000000013FDD0000-0x0000000140124000-memory.dmp
C:\Windows\system\mXsqVIq.exe
| MD5 | 75b818da5ba7258692cfb735a97c826b |
| SHA1 | 27254e2d7343f8fd31305088b9e0990f09d722a9 |
| SHA256 | b69af1326ad663aa68dc0707a93e2068ddf8ec9c05d6a28bf5b6728bd0f690ba |
| SHA512 | d7ff4a5186cba6731567394440b9401ce5da10ce1ac143517f2005132c330e10a9c8c137efdfa410fae4656fd7cbdac875b3df4c0031c8638c87c06849f4e03e |
memory/2236-86-0x0000000002300000-0x0000000002654000-memory.dmp
memory/2460-99-0x000000013F020000-0x000000013F374000-memory.dmp
memory/2348-75-0x000000013F5A0000-0x000000013F8F4000-memory.dmp
C:\Windows\system\NnStjif.exe
| MD5 | 41bda7d18255d5ac46d14b88863003f5 |
| SHA1 | 1431374959de2f1b0964ca31580040a04b8cdc0e |
| SHA256 | d3091f60486e553a82a7843caa78c636398e82bcb922df7e66847b07ca031a61 |
| SHA512 | 1b78ed4d15136955b81d5f3de5ae000da09005d76b88911334e5374a8a1f3743121fcd787b77908078fe73cb1ac21d1576cef09b6c55663f7014ac1318044c54 |
memory/2536-84-0x000000013F1C0000-0x000000013F514000-memory.dmp
memory/2236-83-0x000000013F1C0000-0x000000013F514000-memory.dmp
C:\Windows\system\kmjXUwv.exe
| MD5 | 13239c2b4eda05c724954537eb5d3417 |
| SHA1 | b23ba8693e1115fecc6d0c00be518a3cb4a3e321 |
| SHA256 | 292c6e22e7923849d54ce9841add7dc2dbd702c03c324773520ff2ba8fdf895f |
| SHA512 | 08d580c33511b3d24a31b32522186016d538a4766a267a09ea5baeb865d6c9454bf7d1a31cfe686256a8ca2efe97aca62289e378848c4c4130cee56a3c358bad |
memory/2024-69-0x000000013FD60000-0x00000001400B4000-memory.dmp
memory/2640-63-0x000000013FDF0000-0x0000000140144000-memory.dmp
memory/2236-62-0x000000013F8E0000-0x000000013FC34000-memory.dmp
C:\Windows\system\bONywxC.exe
| MD5 | 6024fd787beb58f1a78e56e0e3faeae3 |
| SHA1 | 06f80c5032d4878d9ad9d96515232fcf62eef439 |
| SHA256 | 9ebae468625f746a0eeec68198905913698c4c132c4753ec070b7719680babdc |
| SHA512 | 71e3557d3a9684a65cb82ff2ce17b862ca8547ae4224023902029dfa778f1bfaa846be823f0d0e6dc33b63e3afa7a9e652449602f76d266f477fd089696cb743 |
memory/2236-55-0x0000000002300000-0x0000000002654000-memory.dmp
memory/2236-48-0x000000013F120000-0x000000013F474000-memory.dmp
C:\Windows\system\sJjeXMd.exe
| MD5 | 4db1472ad2e0a0dd03872024250964e0 |
| SHA1 | 8d00b84a1436e43de0080e95c274c43825a4b75c |
| SHA256 | c3f9a5be336bdf4cfe8cf883516f3fe2eff8b47ae5374d7d799e55eb17614f09 |
| SHA512 | 0cd4df279e093cdbab03f1ce45d566ee9517b10f2be1a853f46ec75451487e4c70f1177d32000aa5658d5d49ecb56390ab5d2759caef17101c040bd515c512b7 |
C:\Windows\system\NLrDjyY.exe
| MD5 | 1fef5c8ea6f4ddc5538c61018019ff9b |
| SHA1 | d31fc875dbfc24c23c854be7c74834d1823a3548 |
| SHA256 | 4a9ce8038adb5f962837bf9740cee09442ffd5a21a360385ac769a7a00be75e6 |
| SHA512 | e985ce431f02d9fc53076ba7434e9fc2d0174ee011778cc8fd014749d912cbf71fa502a01c9b0551f0d33d4315005fb1ad20dd2056940161f3b693c7085ff0c8 |
memory/2236-39-0x0000000002300000-0x0000000002654000-memory.dmp
memory/3060-35-0x000000013FB90000-0x000000013FEE4000-memory.dmp
C:\Windows\system\gsaILxd.exe
| MD5 | e70e3c43e6a0df8b69cec5e43d5d2f01 |
| SHA1 | 9999c95020174f9aea57f884af1338fdd97df075 |
| SHA256 | acfc59bc29cb87b611aea503919bb86525aaaa6efb55008b33ba155ae254bd5a |
| SHA512 | b2931862dce5d63df980597673c773f20efed2294f34a5c83fd19d4eeb4c717c0b55b2ec91cef3bcbe43095bb747e17258b69fee2a268719b780cc495366ebd9 |
memory/2236-137-0x0000000002300000-0x0000000002654000-memory.dmp
memory/2348-138-0x000000013F5A0000-0x000000013F8F4000-memory.dmp
memory/2236-139-0x000000013F1C0000-0x000000013F514000-memory.dmp
memory/2936-140-0x000000013F6F0000-0x000000013FA44000-memory.dmp
memory/2236-141-0x000000013F020000-0x000000013F374000-memory.dmp
memory/2236-142-0x000000013FD60000-0x00000001400B4000-memory.dmp
memory/2024-143-0x000000013FD60000-0x00000001400B4000-memory.dmp
memory/2800-145-0x000000013FFC0000-0x0000000140314000-memory.dmp
memory/1828-144-0x000000013F990000-0x000000013FCE4000-memory.dmp
memory/3060-146-0x000000013FB90000-0x000000013FEE4000-memory.dmp
memory/2628-147-0x000000013F790000-0x000000013FAE4000-memory.dmp
memory/2788-148-0x000000013F120000-0x000000013F474000-memory.dmp
memory/2532-149-0x000000013F7E0000-0x000000013FB34000-memory.dmp
memory/2640-150-0x000000013FDF0000-0x0000000140144000-memory.dmp
memory/2548-151-0x000000013F6C0000-0x000000013FA14000-memory.dmp
memory/2348-153-0x000000013F5A0000-0x000000013F8F4000-memory.dmp
memory/2536-152-0x000000013F1C0000-0x000000013F514000-memory.dmp
memory/2460-155-0x000000013F020000-0x000000013F374000-memory.dmp
memory/2936-154-0x000000013F6F0000-0x000000013FA44000-memory.dmp
memory/2116-156-0x000000013FDD0000-0x0000000140124000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-21 01:28
Reported
2024-06-21 01:31
Platform
win10v2004-20240611-en
Max time kernel
139s
Max time network
129s
Command Line
Signatures
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-21_1952b5c1d0dd210224c1abeaf899ee54_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-21_1952b5c1d0dd210224c1abeaf899ee54_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3840,i,17949988676391029604,13756926835471203788,262144 --variations-seed-version --mojo-platform-channel-handle=1008 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
memory/3404-0-0x00007FF794A80000-0x00007FF794DD4000-memory.dmp