Analysis Overview
SHA256
d1d6c78b34c977692ff8dbf99314a2aa7eeba7540b65ad06f61b1f9f0bb8db2a
Threat Level: Known bad
The file 2024-06-21_28538e635f7ad6431bc37fae18f597f8_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Xmrig family
Cobaltstrike
xmrig
Cobalt Strike reflective loader
XMRig Miner payload
Cobaltstrike family
Executes dropped EXE
UPX packed file
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-21 01:29
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-21 01:29
Reported
2024-06-21 01:31
Platform
win7-20240611-en
Max time kernel
136s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\wGAqGSY.exe | N/A |
| N/A | N/A | C:\Windows\System\sdzlDsg.exe | N/A |
| N/A | N/A | C:\Windows\System\YFFnWDC.exe | N/A |
| N/A | N/A | C:\Windows\System\cGEuAol.exe | N/A |
| N/A | N/A | C:\Windows\System\BbQwlQI.exe | N/A |
| N/A | N/A | C:\Windows\System\WZNKtys.exe | N/A |
| N/A | N/A | C:\Windows\System\ySVJWRc.exe | N/A |
| N/A | N/A | C:\Windows\System\JkJXiYj.exe | N/A |
| N/A | N/A | C:\Windows\System\vCjykyK.exe | N/A |
| N/A | N/A | C:\Windows\System\borPMtu.exe | N/A |
| N/A | N/A | C:\Windows\System\oxhLHSY.exe | N/A |
| N/A | N/A | C:\Windows\System\VrZyPDZ.exe | N/A |
| N/A | N/A | C:\Windows\System\cVLaSPQ.exe | N/A |
| N/A | N/A | C:\Windows\System\qdZqRok.exe | N/A |
| N/A | N/A | C:\Windows\System\QgJnyKv.exe | N/A |
| N/A | N/A | C:\Windows\System\vMYgkmo.exe | N/A |
| N/A | N/A | C:\Windows\System\UpZlHRf.exe | N/A |
| N/A | N/A | C:\Windows\System\pbYLTAV.exe | N/A |
| N/A | N/A | C:\Windows\System\viDnTWx.exe | N/A |
| N/A | N/A | C:\Windows\System\EHeJnIV.exe | N/A |
| N/A | N/A | C:\Windows\System\cdoNxdH.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-21_28538e635f7ad6431bc37fae18f597f8_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-21_28538e635f7ad6431bc37fae18f597f8_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Path | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-21_28538e635f7ad6431bc37fae18f597f8_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-21_28538e635f7ad6431bc37fae18f597f8_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\wGAqGSY.exe | C:\Windows\System\wGAqGSY.exe |
| C:\Windows\System\sdzlDsg.exe | C:\Windows\System\sdzlDsg.exe |
| C:\Windows\System\YFFnWDC.exe | C:\Windows\System\YFFnWDC.exe |
| C:\Windows\System\cGEuAol.exe | C:\Windows\System\cGEuAol.exe |
| C:\Windows\System\BbQwlQI.exe | C:\Windows\System\BbQwlQI.exe |
| C:\Windows\System\WZNKtys.exe | C:\Windows\System\WZNKtys.exe |
| C:\Windows\System\ySVJWRc.exe | C:\Windows\System\ySVJWRc.exe |
| C:\Windows\System\JkJXiYj.exe | C:\Windows\System\JkJXiYj.exe |
| C:\Windows\System\vCjykyK.exe | C:\Windows\System\vCjykyK.exe |
| C:\Windows\System\borPMtu.exe | C:\Windows\System\borPMtu.exe |
| C:\Windows\System\oxhLHSY.exe | C:\Windows\System\oxhLHSY.exe |
| C:\Windows\System\VrZyPDZ.exe | C:\Windows\System\VrZyPDZ.exe |
| C:\Windows\System\cVLaSPQ.exe | C:\Windows\System\cVLaSPQ.exe |
| C:\Windows\System\qdZqRok.exe | C:\Windows\System\qdZqRok.exe |
| C:\Windows\System\QgJnyKv.exe | C:\Windows\System\QgJnyKv.exe |
| C:\Windows\System\vMYgkmo.exe | C:\Windows\System\vMYgkmo.exe |
| C:\Windows\System\UpZlHRf.exe | C:\Windows\System\UpZlHRf.exe |
| C:\Windows\System\pbYLTAV.exe | C:\Windows\System\pbYLTAV.exe |
| C:\Windows\System\viDnTWx.exe | C:\Windows\System\viDnTWx.exe |
| C:\Windows\System\EHeJnIV.exe | C:\Windows\System\EHeJnIV.exe |
| C:\Windows\System\cdoNxdH.exe | C:\Windows\System\cdoNxdH.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | N/A | tcp |
Files
memory/1672-0-0x000000013FB30000-0x000000013FE84000-memory.dmp
memory/1672-1-0x00000000002F0000-0x0000000000300000-memory.dmp
\Windows\system\wGAqGSY.exe
| MD5 | 3c59e5d52c5103c6a6cb57f4532b30b8 |
| SHA1 | 99845df034d01451c8fe0f4217df5477c522e8de |
| SHA256 | bfa6ebf325e9764216d2f4abb931cf5a92e4a213d9a93f94175227a935e48d6f |
| SHA512 | 464f59c44dbd8b6a51d959b455cf82fd92cc46d8fb55ba3e9fe77143bb4eb20fb445221bfd2eee20e35599fecea68021701320634e8bbdcef49c11caaeff724e |
memory/2404-7-0x000000013F420000-0x000000013F774000-memory.dmp
\Windows\system\sdzlDsg.exe
| MD5 | 32596b4ee0b0095361cdc421281e4fec |
| SHA1 | f99476eee51553dac6367e56277ccc6ea5325d7b |
| SHA256 | 0593c6fdbb7e1c9c9c07f043efb3ffa366d6f5bcbc95626b594055c57669825e |
| SHA512 | 53dc82952e43b034f2bb114f2c59079046f583e96c68a38e8f93e935b1fa92fdbb625501f9e67316b3ab1dac8c74db234c27b2127483fe4c6b123784860a9c99 |
C:\Windows\system\YFFnWDC.exe
| MD5 | ee543fce0cdea78eab668eefc4dff79c |
| SHA1 | acb4ca68b60db1d3972f4856714d4e17ac10f2ae |
| SHA256 | 45ff12458a816f91e8eb599b413f456de1d3dc63f994257cb6725ef737014718 |
| SHA512 | 1b17ed1dfd87155afd7d3985807fbd62e14c9d02bb31a8ea3dcefc7e987c9040ea1703f6939010035c9a314cedd762be10d66502792fdeb3c415766feab15206 |
memory/1672-13-0x0000000002380000-0x00000000026D4000-memory.dmp
memory/2608-21-0x000000013FEB0000-0x0000000140204000-memory.dmp
\Windows\system\cGEuAol.exe
| MD5 | 366512aee1cb9854a327c841b8daaef2 |
| SHA1 | 46a4c7fdd802cdbe34fd17b0c7b9cccf3ba651a9 |
| SHA256 | 4463b9407d0316f80a73674bdce42ac5d67114b5ed6cf10f0ddd74a7f68120c1 |
| SHA512 | 3d854b34cff10459ecc725fc24d5869cb79ada64e5ccbef239b5cc90adc4a8460e7885a1d0d34d4bee8f6196001913a349a70f7a0f6138360c5bc744c89267de |
memory/2636-27-0x000000013FC10000-0x000000013FF64000-memory.dmp
memory/1672-24-0x0000000002380000-0x00000000026D4000-memory.dmp
memory/1672-19-0x000000013FEB0000-0x0000000140204000-memory.dmp
memory/2088-15-0x000000013FAB0000-0x000000013FE04000-memory.dmp
memory/1672-29-0x000000013FB30000-0x000000013FE84000-memory.dmp
\Windows\system\BbQwlQI.exe
| MD5 | df8f5492f42c8b066cca50365baeb91c |
| SHA1 | 627ee6dd27e486e2f005196b3ae044431a708a00 |
| SHA256 | b569388442696d9d99228acb0bff2bb3d9883675acb47f8946c39bb26a6e3378 |
| SHA512 | d6f7848a339ec71d19c9f4d7a01a9bf1d7f4a445e35a713dfdcf42eacddbf1888ae8a7a57fadff15d399c2cf153417b622b21412fcff3c857de239f087c11019 |
memory/2596-38-0x000000013F2F0000-0x000000013F644000-memory.dmp
memory/1672-36-0x0000000002380000-0x00000000026D4000-memory.dmp
memory/2404-35-0x000000013F420000-0x000000013F774000-memory.dmp
\Windows\system\WZNKtys.exe
| MD5 | 81cc69ac52c4f757571d6623a9f94905 |
| SHA1 | d851704004b557ebbe083ac80f056bd8f3476a9a |
| SHA256 | c80a80566f64fa4db814084eba33ccf1424411588691cb883ac6108e9f0d9ae2 |
| SHA512 | d0c51ff8b526225d2272642f730911a07eeac79f9f0a01d31225aba4f5ae2c9977dde8a4aa18d585cb1796171a9b7d8d0e74284a64d427af93c4a58ea6825d7b |
memory/1672-44-0x0000000002380000-0x00000000026D4000-memory.dmp
memory/2896-45-0x000000013FE00000-0x0000000140154000-memory.dmp
C:\Windows\system\ySVJWRc.exe
| MD5 | 464f35c074519465792d27513a59e5c7 |
| SHA1 | 13ee519f84507f6dd7ee50c597147faaac07e228 |
| SHA256 | 1df910be5d17a72540afae9692879e6658910a229a88e4709d4be29c499e192a |
| SHA512 | ce9040260c00360bd7745730fbada666d1bbc9ed4db7508e5d1e1b759d8bf242a29fa47d5a24cb0c3d4687713b80e9455c4c54a9c9068e517449276be3592452 |
memory/2652-50-0x000000013F3F0000-0x000000013F744000-memory.dmp
memory/2608-51-0x000000013FEB0000-0x0000000140204000-memory.dmp
\Windows\system\JkJXiYj.exe
| MD5 | 15ac002e83af25a0f2a3a905d1df6780 |
| SHA1 | 89cad02e76e373738ff4d30a961215d5ed066603 |
| SHA256 | 4a76704d948377fe87d7294b0ac0cde6e909a85bb993a537440552860bef0f72 |
| SHA512 | 1eaccadfd64cc35c7dd24bd4c16b4c773641b87f03aa3da2ed7f76408e5b96fdd7afcf69641a5aa2a65ae520e745f424bacd4fe3015c27337c509545438da127 |
\Windows\system\vCjykyK.exe
| MD5 | a4ac12137c6b73cd0b63db27e49f470a |
| SHA1 | c9f8aded023af3880a020c7b4742db9c26323970 |
| SHA256 | 49537dc05d2592e543e2e881771353d299347ff9ed0ba693ebac4dea765291e5 |
| SHA512 | c5a3dd3582e37758befcb526bb63ac614803970ddc6b04f98a77b96cff87c314914b10008bc321cc006d2e0e26db99fe53c427b3d6c65f74c0d87306f0ff2179 |
\Windows\system\borPMtu.exe
| MD5 | 3adb4225a28c6dcd5c4ae4e76f091927 |
| SHA1 | 632784a9c791ea31abd42898f0f5cecbcbafc7bc |
| SHA256 | 99757655053a54fca48f997324cb39a301ca7c9e3bf315f293446b5af9d20835 |
| SHA512 | 0e3e7497572bbb8d604bbb45c61abccf8a00ccc6d56d167c40b0f352772043c277c6807831e4410613bea533d197af44ebef0cead3c973ecb569bc1d26e783de |
memory/1672-69-0x000000013F540000-0x000000013F894000-memory.dmp
memory/2396-71-0x000000013F540000-0x000000013F894000-memory.dmp
memory/1672-72-0x0000000002380000-0x00000000026D4000-memory.dmp
memory/2340-73-0x000000013F850000-0x000000013FBA4000-memory.dmp
memory/2636-63-0x000000013FC10000-0x000000013FF64000-memory.dmp
memory/2508-61-0x000000013F790000-0x000000013FAE4000-memory.dmp
C:\Windows\system\oxhLHSY.exe
| MD5 | 97815a8ac2d3059f7379432337752a88 |
| SHA1 | 5db0681066b1f917a06af83b1889862970e62ed0 |
| SHA256 | c889f95c2415e265bc5a412acd64a62e253668330577e80542d725313a517569 |
| SHA512 | ef36f6aea744c3347c093452ca8827447d0747f14312190763d0a993967b488c6368bdf9b0dad5213dc42b521d877c58922a881db93bd6bacdb2f778bd77d059 |
memory/680-78-0x000000013F490000-0x000000013F7E4000-memory.dmp
C:\Windows\system\VrZyPDZ.exe
| MD5 | 90014b4d653d5e1196ceb256254db594 |
| SHA1 | 086abf31574ebc638432d04c12076eb3c5b8aa90 |
| SHA256 | c132ba42a18c1115c338d5fe3c127e25fa024aa8fd13c1f5c4e130c754d39547 |
| SHA512 | c3c6c2e89094c22d5522c6b3131931a81d761d6c1db11588456f9f90254f23ff9df808b58d6445683add13b8402d6c928aa96c77ba83acb4c354544e6bfbff97 |
\Windows\system\cVLaSPQ.exe
| MD5 | 556fb14bda8f2f957d7b1d5cf879cdaa |
| SHA1 | 8a0bb0777ba364d495ec29da9cc6e85a4c404ace |
| SHA256 | c522ab2a38d891b5637fb6157c952b48e08a82bad937f5aa124ec834b4c23fa1 |
| SHA512 | bb7a0933a5e4122f932228e09d5d793c657ab3f1acf649931dc5e4f39efb827ded812afed348765a04e1a1527003caada6347bfb4a446ca66ae079e4b27c1657 |
memory/1672-88-0x0000000002380000-0x00000000026D4000-memory.dmp
memory/2652-95-0x000000013F3F0000-0x000000013F744000-memory.dmp
memory/2856-94-0x000000013FEF0000-0x0000000140244000-memory.dmp
memory/1672-93-0x000000013FEF0000-0x0000000140244000-memory.dmp
memory/2800-92-0x000000013F930000-0x000000013FC84000-memory.dmp
memory/1672-91-0x0000000002380000-0x00000000026D4000-memory.dmp
C:\Windows\system\qdZqRok.exe
| MD5 | 423457b9dcfefe3ede0e7b4aeeb10bc3 |
| SHA1 | cf96f4cb799537e7e142aecb4e879749cb58a2b1 |
| SHA256 | 8a0c97180710646d1bdd2e456b4dbd3a083eda4a2afcff860c13491696da5b18 |
| SHA512 | 48d47ada5bc7d0227cbce99ffe53a349542432189db8445ebbb6fd51c124068e4fd3c89ff79f063a254af585ef588b36dabaf86ae1b27c582216186cc34b9e9a |
memory/1672-101-0x0000000002380000-0x00000000026D4000-memory.dmp
memory/2548-102-0x000000013FC60000-0x000000013FFB4000-memory.dmp
\Windows\system\QgJnyKv.exe
| MD5 | c2e7e6d041d6bb57dd815a5fc07d710c |
| SHA1 | 5f546d32f1fbc631abdee0195dd0ff5dd92ac72d |
| SHA256 | db0e7cb2d6182e805612a1161066faa329e78bca7165932341379f8c939a46e1 |
| SHA512 | 7cbeb2f8e02f968e33efacc3ce734164e781d0d8b399a8838cde2482c03d3698d57a1f71851de10bf285c009a22a1b25bab236dba713d4735ab49cc19cd8445d |
C:\Windows\system\vMYgkmo.exe
| MD5 | 79d09c9c339d65660218f2ea74f0542b |
| SHA1 | ba94d55d596c528bd2c1b8c6809337d601720ece |
| SHA256 | 828e5e1b640c64f9ca12950549d5f1fc3258ef809fd6e5cae26d1523ba9af65a |
| SHA512 | 76b1cecfb83a9c01e3dba6672476c00c8942b4532a3beab9006519e606fae46adfba50b7c8c2bd094e7acb012e75e0c3df50822cb670767fcf7064e0cfa1d8e8 |
\Windows\system\UpZlHRf.exe
| MD5 | e49a6a5ae7b2ab3eaab0215642aaad24 |
| SHA1 | 6c21336da9fbf96d13a6289b9f696f4cb2256aee |
| SHA256 | 958a860f14eae46f3498f77ae643eb4a2ca17dbccfe50ba06fc96e0219b126aa |
| SHA512 | f76344473e3b5141eabe4530931a6d7a0c246de85bf73e76d2451744847a75d02545490364169cd9c2744643333cfefa61a51c98795170e13224066bd2485c7a |
C:\Windows\system\EHeJnIV.exe
| MD5 | 7eacbbf4c4568f2acf358bb641e6b07e |
| SHA1 | e62ea949feb412e65413bbcedb22305e93df4eac |
| SHA256 | 9c9f285beb2b30bc69babc0ea7be58302df559632601dbbc041ebd00cc11f44f |
| SHA512 | 9757a73d6f486ad8170019ebf69608b08ec0c9a9aa7b3e0bd5bb6a995cd3996a9b48ce19160102cc93db9cbf216ebd63c8d488e891377c00fbb14d2ec0660e24 |
\Windows\system\cdoNxdH.exe
| MD5 | 92722e20dd79a47bed1833f7dc52cbc3 |
| SHA1 | 66e63ddac1063a5485087dadf7030d69df64328f |
| SHA256 | e99860bcfecaa3bdeeac0a2feeab6b532e9d53db605276a42a22fd20a1d7db61 |
| SHA512 | 98ed7c0d1544f52dd3493905dc1ee0b8b245ae02ca4eddfcf394df6d64a52e55192f1cbf4ff52982aa3325d6d0d7bed364f936708b7694818bc83afd095f5b44 |
C:\Windows\system\viDnTWx.exe
| MD5 | feee2935e1da0228f68bb4d842ba2d8e |
| SHA1 | 77f8d473cbe2cfa224131cf3dc0799c298cec996 |
| SHA256 | 52240336ad8316c7419ff99b4ce35c2c766ac89bd13950caf00b8aad2074d149 |
| SHA512 | d2be827f5b1c690c0af25139c2fa987847e8403e62303965e45c233ac47454bb5d3c6196c7849d0c3ec8d4f08010eecc86da3c93ff018f0552f61a20057aa2c4 |
C:\Windows\system\pbYLTAV.exe
| MD5 | 445fc4e8a26d8718ea6cbfb68dfa7553 |
| SHA1 | bd74ba57e3c0ad1188accd3119d6ff67659b22b2 |
| SHA256 | 3d183f709caeff539029a3789fa3121c9b5154696ad885f0289176f27584043a |
| SHA512 | 7723174b9ea9e12a7710bc5fa697a564563be6676304a6bd1657577ac912413bb9bb000e7a0e7f0075ccfbda58014625b3fa0ec3199eba334b19cd02403929af |
memory/1672-136-0x000000013F540000-0x000000013F894000-memory.dmp
memory/680-138-0x000000013F490000-0x000000013F7E4000-memory.dmp
memory/1672-139-0x0000000002380000-0x00000000026D4000-memory.dmp
memory/2404-140-0x000000013F420000-0x000000013F774000-memory.dmp
memory/2088-141-0x000000013FAB0000-0x000000013FE04000-memory.dmp
memory/2608-142-0x000000013FEB0000-0x0000000140204000-memory.dmp
memory/2636-143-0x000000013FC10000-0x000000013FF64000-memory.dmp
memory/1672-144-0x0000000002380000-0x00000000026D4000-memory.dmp
memory/1672-145-0x0000000002380000-0x00000000026D4000-memory.dmp
memory/2596-146-0x000000013F2F0000-0x000000013F644000-memory.dmp
memory/2896-147-0x000000013FE00000-0x0000000140154000-memory.dmp
memory/2652-148-0x000000013F3F0000-0x000000013F744000-memory.dmp
memory/2508-149-0x000000013F790000-0x000000013FAE4000-memory.dmp
memory/2340-150-0x000000013F850000-0x000000013FBA4000-memory.dmp
memory/2396-151-0x000000013F540000-0x000000013F894000-memory.dmp
memory/2800-152-0x000000013F930000-0x000000013FC84000-memory.dmp
memory/680-153-0x000000013F490000-0x000000013F7E4000-memory.dmp
memory/2856-154-0x000000013FEF0000-0x0000000140244000-memory.dmp
memory/2548-155-0x000000013FC60000-0x000000013FFB4000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-21 01:29
Reported
2024-06-21 01:31
Platform
win10v2004-20240508-en
Max time kernel
125s
Max time network
126s
Command Line
Signatures
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Processes
| Path | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-21_28538e635f7ad6431bc37fae18f597f8_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-21_28538e635f7ad6431bc37fae18f597f8_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4696,i,9746875443948590908,1444894342962555245,262144 --variations-seed-version --mojo-platform-channel-handle=4184 /prefetch:8 |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
Files
memory/400-0-0x00007FF736EC0000-0x00007FF737214000-memory.dmp