Analysis Overview
SHA256
0db514c278ce33edc92c89465960b9f80a2294a04561a437978ee1a99e747043
Threat Level: Known bad
The file 2024-06-21_3ad1ba5c4d6f051a02d63d55a98a3d71_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike family
Cobaltstrike
XMRig Miner payload
xmrig
Cobalt Strike reflective loader
Xmrig family
XMRig Miner payload
UPX packed file
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-21 01:29
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-21 01:29
Reported
2024-06-21 01:32
Platform
win7-20240221-en
Max time kernel
141s
Max time network
146s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\OtxkzXC.exe | N/A |
| N/A | N/A | C:\Windows\System\dbLqHJn.exe | N/A |
| N/A | N/A | C:\Windows\System\brAxUYb.exe | N/A |
| N/A | N/A | C:\Windows\System\NsTUXwS.exe | N/A |
| N/A | N/A | C:\Windows\System\bRxatSJ.exe | N/A |
| N/A | N/A | C:\Windows\System\GNqbaYA.exe | N/A |
| N/A | N/A | C:\Windows\System\SHSmUdj.exe | N/A |
| N/A | N/A | C:\Windows\System\sqhlyof.exe | N/A |
| N/A | N/A | C:\Windows\System\RMnvqFN.exe | N/A |
| N/A | N/A | C:\Windows\System\CHVvqVD.exe | N/A |
| N/A | N/A | C:\Windows\System\ssrgRUM.exe | N/A |
| N/A | N/A | C:\Windows\System\OltEWvF.exe | N/A |
| N/A | N/A | C:\Windows\System\lClYssN.exe | N/A |
| N/A | N/A | C:\Windows\System\pdFgWjN.exe | N/A |
| N/A | N/A | C:\Windows\System\uMbGIGy.exe | N/A |
| N/A | N/A | C:\Windows\System\zPHJAmj.exe | N/A |
| N/A | N/A | C:\Windows\System\UvXhigw.exe | N/A |
| N/A | N/A | C:\Windows\System\wMgvtTA.exe | N/A |
| N/A | N/A | C:\Windows\System\WJxkRXh.exe | N/A |
| N/A | N/A | C:\Windows\System\LiDGMeO.exe | N/A |
| N/A | N/A | C:\Windows\System\PiRSICm.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-21_3ad1ba5c4d6f051a02d63d55a98a3d71_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-21_3ad1ba5c4d6f051a02d63d55a98a3d71_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-21_3ad1ba5c4d6f051a02d63d55a98a3d71_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-21_3ad1ba5c4d6f051a02d63d55a98a3d71_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\dbLqHJn.exe | C:\Windows\System\dbLqHJn.exe |
| C:\Windows\System\OtxkzXC.exe | C:\Windows\System\OtxkzXC.exe |
| C:\Windows\System\brAxUYb.exe | C:\Windows\System\brAxUYb.exe |
| C:\Windows\System\NsTUXwS.exe | C:\Windows\System\NsTUXwS.exe |
| C:\Windows\System\GNqbaYA.exe | C:\Windows\System\GNqbaYA.exe |
| C:\Windows\System\bRxatSJ.exe | C:\Windows\System\bRxatSJ.exe |
| C:\Windows\System\SHSmUdj.exe | C:\Windows\System\SHSmUdj.exe |
| C:\Windows\System\sqhlyof.exe | C:\Windows\System\sqhlyof.exe |
| C:\Windows\System\RMnvqFN.exe | C:\Windows\System\RMnvqFN.exe |
| C:\Windows\System\CHVvqVD.exe | C:\Windows\System\CHVvqVD.exe |
| C:\Windows\System\ssrgRUM.exe | C:\Windows\System\ssrgRUM.exe |
| C:\Windows\System\OltEWvF.exe | C:\Windows\System\OltEWvF.exe |
| C:\Windows\System\pdFgWjN.exe | C:\Windows\System\pdFgWjN.exe |
| C:\Windows\System\lClYssN.exe | C:\Windows\System\lClYssN.exe |
| C:\Windows\System\uMbGIGy.exe | C:\Windows\System\uMbGIGy.exe |
| C:\Windows\System\zPHJAmj.exe | C:\Windows\System\zPHJAmj.exe |
| C:\Windows\System\UvXhigw.exe | C:\Windows\System\UvXhigw.exe |
| C:\Windows\System\wMgvtTA.exe | C:\Windows\System\wMgvtTA.exe |
| C:\Windows\System\WJxkRXh.exe | C:\Windows\System\WJxkRXh.exe |
| C:\Windows\System\LiDGMeO.exe | C:\Windows\System\LiDGMeO.exe |
| C:\Windows\System\PiRSICm.exe | C:\Windows\System\PiRSICm.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2156-0-0x000000013FC20000-0x000000013FF74000-memory.dmp
memory/2156-1-0x00000000000F0000-0x0000000000100000-memory.dmp
\Windows\system\dbLqHJn.exe
| MD5 | dac80ffe36922f27168a5c6c409313e7 |
| SHA1 | 6775b3c2fd6c766fca84eba60aa52d2c41bba1da |
| SHA256 | 6b6aa4c2b057a31f3db63e29f78ee88cc6afc885a40b6378fd0066f3e14ddf98 |
| SHA512 | 0de27d68461371ee820d2faf2ac95dd69817d08edf052b4d8cfc95cc15ca25c8f7a8b1220d91199c1bf31f03f0997e9784a297f2c1cad93dfe25f2f5beebcbb0 |
memory/2156-7-0x0000000002500000-0x0000000002854000-memory.dmp
\Windows\system\OtxkzXC.exe
| MD5 | 9b2af408f7b304bba48d7b66b9965452 |
| SHA1 | 62069b4c54c11bd83ce28b13e8fc508bfa902795 |
| SHA256 | 8130c8e3d9261f3595a2fc4743a3ccf2c8911a50e8ddadbe976c2858a4e81e73 |
| SHA512 | f93537b13fb1071dbfc3183088fcd2ab5d00563a7d8406c301cb887e06b1c11a3abc3978c6ef7f90c19a7563a01bc628718474a12ec73ed031078b17e214e91e |
memory/2992-24-0x000000013F920000-0x000000013FC74000-memory.dmp
C:\Windows\system\brAxUYb.exe
| MD5 | ed8d325217a084349a8611528ec3827f |
| SHA1 | 2ae6548851bb7055e2ffac4e1ffdb9ba7aac04fd |
| SHA256 | b93a26ec826a87ca80970a70eea717c6cbd4cdddb63c6540b9a1053f74133612 |
| SHA512 | b7a4cbb82ab311513d7a02015cfcfc2200b2b00015233bd7baa4722d191d4ad7057011f03a76fd32192ca39e6ec161b265bb29c09e1c1e02d4ee2b8848e56c24 |
memory/2572-39-0x000000013F050000-0x000000013F3A4000-memory.dmp
C:\Windows\system\GNqbaYA.exe
| MD5 | 4787397790ce2858035c4124a6b1b47b |
| SHA1 | 4a73268b0ff1928c53f61baa4f6598fcca55ccd7 |
| SHA256 | 947b0280d8869d15edd8be49fd1015ddf6706138fd6e196ca8ea66a647e5494b |
| SHA512 | eae658454d52b1b4a99bc48e919b5ab7ecbff8b37ca063a45b56213d47c7531458d8de13f909d5ae5c40f47538e142c0439c46c436ecd3f0f7bdf1d6cf1bad1d |
memory/2420-42-0x000000013F900000-0x000000013FC54000-memory.dmp
memory/2632-27-0x000000013F5D0000-0x000000013F924000-memory.dmp
C:\Windows\system\NsTUXwS.exe
| MD5 | 99537afb964f5eda63b93a520ad532d7 |
| SHA1 | 4f0fa1cc9bfa9743e620acecd97db249839aaa00 |
| SHA256 | c4b666560d012adf78d07b0b6f69a378b62816d47eb0910c3cf34c3b57cab014 |
| SHA512 | b2ac5f4cc8af2b2b804bcb922621da7e2e6ab587e0ab04aa0ad68ccc2075c5d6e49e1f420fcb914d0515cea183a43c1b080ed2501a3ff02b9d3ec1e8db440bd4 |
\Windows\system\SHSmUdj.exe
| MD5 | 657bbb8eb6dd69298619faab33709e9f |
| SHA1 | cb1ed71aa508c7a0cf9d6b7f4a2a08b6e6a8fd11 |
| SHA256 | 6ba5398f2cb659aea1267e5bef1d401c9796ffe51e28c50ee9cdbdbe553c20dc |
| SHA512 | 62c158c58e3e591ac40c76c2a283632bfccdf630c158b1b725d0576eb0f734619fe03181588926c1fd0fd8938d14edcc21616d79eaad63ac071f6dc174289b62 |
C:\Windows\system\sqhlyof.exe
| MD5 | 24e5c49970fe885b6937ad70518bb890 |
| SHA1 | 9bb686c711695a230f8acfb8b901f72e264d959b |
| SHA256 | ffb1e143e7b21f23203da3c1a905c7950e2d6ae980565188c96f1167b8b81083 |
| SHA512 | bfd8d4035814282b5f03346d195127141426a827a9595fd961e886fc74e76e102d9bd162bfc3602efe79d9948c8a69a01c83594c38f1840d8a8e0c42f594560d |
memory/2576-51-0x000000013F1C0000-0x000000013F514000-memory.dmp
memory/2424-57-0x000000013FFB0000-0x0000000140304000-memory.dmp
C:\Windows\system\RMnvqFN.exe
| MD5 | 81df26cb4ce904a2a6a01ee8fc6c61ed |
| SHA1 | 7cb40f900d81e823f005559550f623320425bd27 |
| SHA256 | d5229fb39197b9b513151c039142dec07bd3ce1698d95343b90a366490b92704 |
| SHA512 | e0e0f74e05c9d3cedd87c52e26299225c2b3ffac009f126d277a81d73de1f9c7987b4e17d573dbd68ad4f5b8e1b22185b86a638aede3eae6acf760b0bbc8d446 |
memory/1184-72-0x000000013F7D0000-0x000000013FB24000-memory.dmp
memory/2156-71-0x000000013F7D0000-0x000000013FB24000-memory.dmp
memory/2992-86-0x000000013F920000-0x000000013FC74000-memory.dmp
memory/2296-80-0x000000013F9F0000-0x000000013FD44000-memory.dmp
memory/2780-88-0x000000013FE40000-0x0000000140194000-memory.dmp
memory/2156-79-0x0000000002500000-0x0000000002854000-memory.dmp
memory/2156-87-0x0000000002500000-0x0000000002854000-memory.dmp
memory/2552-78-0x000000013F360000-0x000000013F6B4000-memory.dmp
C:\Windows\system\OltEWvF.exe
| MD5 | 8cbecfc63e4bbc3173721a050d615a71 |
| SHA1 | 9d4092e5ec7144a8205ce656977f1c7195cd25cb |
| SHA256 | 770edf0cc923a7d259a638ce2a9a40f68f05625e38d7839831cb7a8ac228f1ee |
| SHA512 | fa0c3ece3108ebde863872e2c0bdeda220adf24385f55e0cc797e5cde5163c38c0420dfc3040aa89a94b3c41cf40cfa52679501b36ea8ab8c1263b3edd70ae69 |
C:\Windows\system\ssrgRUM.exe
| MD5 | c657dfb8b8382fe0751d8a84e1178c37 |
| SHA1 | 3766553f58d0dcd17b8b0c90967d8fee2cd867f2 |
| SHA256 | 9556bb09e72de010f111d0258df2b534209421af057b2cc4b35f211dc62cdfb5 |
| SHA512 | f561864f2992404286f25361e8ae327ddeb271774f5ecfd2bd0cdaec57f2c2853542a30497110fa3556c2eed0848ef867aec1cda31af070973d732ec18743abf |
memory/2532-63-0x000000013F180000-0x000000013F4D4000-memory.dmp
memory/2156-62-0x000000013F180000-0x000000013F4D4000-memory.dmp
C:\Windows\system\CHVvqVD.exe
| MD5 | 585cb515c12711ecaf91c34ab4aa8b32 |
| SHA1 | 5038e7fc4350f0aa77acd86cc74d5912a1b5ae5d |
| SHA256 | 8acda6e29b35aeaeb79b871e58d51568772f2240d07a057f44927cdd572d9569 |
| SHA512 | cb15c7790f0bad024e2fec149386da02134cd5aba3f152193c4033e46316e0540f1a241eaf11398e5dfc9d82bd29cc92e87896666f36dcf99b5ad0e32cfe0d56 |
memory/2156-50-0x0000000002500000-0x0000000002854000-memory.dmp
memory/2156-49-0x000000013FC20000-0x000000013FF74000-memory.dmp
memory/2156-44-0x000000013F1C0000-0x000000013F514000-memory.dmp
memory/2156-38-0x000000013F050000-0x000000013F3A4000-memory.dmp
memory/2552-16-0x000000013F360000-0x000000013F6B4000-memory.dmp
C:\Windows\system\bRxatSJ.exe
| MD5 | cdcbf62b4a780cfdad009703098b5f8f |
| SHA1 | 243b93a498126130227d7bf624bc1805d150b7da |
| SHA256 | 115e11384521fcb0d88c6f448eb9ba4630d2d8d199e86c9029c7cd5d82a39cfe |
| SHA512 | 09ff0227232dd8626be0b13b7dd03202bdba117b4d325e3187d8162aa21b52cbcd97e1b9aa5cc772b2d6940e84834f032ec7c4e3502b9d35afaa0e3a723f6452 |
memory/2156-36-0x0000000002500000-0x0000000002854000-memory.dmp
memory/2516-35-0x000000013F760000-0x000000013FAB4000-memory.dmp
memory/2156-33-0x000000013F760000-0x000000013FAB4000-memory.dmp
memory/2156-11-0x000000013F360000-0x000000013F6B4000-memory.dmp
memory/2572-89-0x000000013F050000-0x000000013F3A4000-memory.dmp
\Windows\system\pdFgWjN.exe
| MD5 | 25a85ce80a8a7761f24e804e629bbee8 |
| SHA1 | e445d7ddd8151c087b4b2d45fad175838abb3b85 |
| SHA256 | a92f99abaa0b85a0799c33e10027bcfba835e63eee5dc328d68afdb3f37955c5 |
| SHA512 | 6c0c38d953d8799d8798eb8c2ef156ced1b24bddc6eaf39d3a2ee8a79ee5c917868d978fb09c0a520cdda3a28fdd78801f5fbe8bb4f37b0c77016603f922b39a |
C:\Windows\system\lClYssN.exe
| MD5 | f944d658ae93f9c4871b67baa3157efb |
| SHA1 | ff14bf431abefdc338b1140cc4a55937c3e08c17 |
| SHA256 | e779611578a7eb05cbc68196dab58317629596278c64cebd34a2cea84270e30f |
| SHA512 | 15e125e530ef7fc073b75c114eb6a912e3699c52e8efe99dc0ac32cef4b117680535afd259313f0a724944c35c8edc22a9ec7db109361112224f2640e0be121f |
memory/1928-101-0x000000013FAC0000-0x000000013FE14000-memory.dmp
\Windows\system\uMbGIGy.exe
| MD5 | 6bf7dd45b0f4c2cc4478ed680195d394 |
| SHA1 | 6a904b262bef0f4808f98692ff589a7ae71356d4 |
| SHA256 | 850c66d3f36aacd356b71f875e994c8261e7651127799206961bc8ba72e1de54 |
| SHA512 | 553a8f6af5e96897f23ae24ebf4c01f5e7e2145c6f918dbe3c6b7a57230f07b6aa99f3e48840ba3f7e963bd34b33b0dd7a90fe286aefaa855f70f342123ef9a3 |
memory/2424-110-0x000000013FFB0000-0x0000000140304000-memory.dmp
memory/1908-107-0x000000013F0D0000-0x000000013F424000-memory.dmp
memory/2576-106-0x000000013F1C0000-0x000000013F514000-memory.dmp
memory/2156-99-0x0000000002500000-0x0000000002854000-memory.dmp
memory/2420-93-0x000000013F900000-0x000000013FC54000-memory.dmp
C:\Windows\system\zPHJAmj.exe
| MD5 | 41fd275e9511855c914ed40ce95fecc5 |
| SHA1 | c6afb011ec7cd9b12138f57ded67f25b3b9addee |
| SHA256 | 9feb019df5ba6f79dec35dfa58228cb986a3a25ce3c2d8e8aae2b121f8894253 |
| SHA512 | 44502df8c3fe7f0994ed6027d4acfefeb2857c9f9492307b8194c6d21ecd368c6da67cbf2dfd8d08cf2b822ae247d87c3e0e29ad81b539ac7f2420897ba6090f |
C:\Windows\system\UvXhigw.exe
| MD5 | ad0e29f106787b947ae22da6e6855407 |
| SHA1 | 05f4ca518966b0969bfef39c7755040c52ca59f0 |
| SHA256 | a2dc14bd61664c5c155985dd6e7a7a3e83739a277858465152e2883c3b78b32c |
| SHA512 | e9e3dfb9124bb8ece97b1ee6c8839ecf5f49b5894de74c7daf3722f184766c5e6439f8d15021d75d589cfdc8cedbfa9fa75b778ad945a78a4133ce523ddcad4f |
\Windows\system\wMgvtTA.exe
| MD5 | 35f1bf06da6fd9eb4d3466d1bfcb6cf2 |
| SHA1 | 6d18a36a107ceb73f6969875cdaadd4311aa8e93 |
| SHA256 | f0df65c2f79275b2b4986c40696929aba98f203bddf52c59e1357c76a5df603e |
| SHA512 | e08f4462983c8b06d489d3c4d279b9543bf2360c12097a6f0a9f4709c8144d073bfb8d62d8438f1c69e7fa1e1ef74e0586685f0fdad55970beae9fc44b6e465f |
\Windows\system\PiRSICm.exe
| MD5 | e767501f6b569b2e000ac322d47371f2 |
| SHA1 | 63cb77fdaa5c1d001627bb64f5b955507d8130ab |
| SHA256 | 85278d4af18695127da4e0435caa97e006334026627360919ddb7a24646d0a46 |
| SHA512 | 09179da5b9922c9d2c5715074e288982216c0a545c6f6412181d93e96d80620017e9d2bca55b978671075375b9982677446e647b6c24d596ed6827bd9474aed0 |
\Windows\system\LiDGMeO.exe
| MD5 | 30682e0ccdf7a24b521873f876338102 |
| SHA1 | cb28ae9157644fa03ada50cbd95db0c1129291b9 |
| SHA256 | b2513cc42dc53f846feb9afcf11bcc4f9a9f3fc78d164a6467e03c4675bd9046 |
| SHA512 | 9daec8775f386587c9b59add75781a8d954f015ff794810fc5cdb85b57543c3411ff0024ecd0c9c5ad48fb9ddc121332fe9be3eeb7680c4a9adc63d0e8932114 |
memory/2532-141-0x000000013F180000-0x000000013F4D4000-memory.dmp
memory/2156-139-0x000000013F180000-0x000000013F4D4000-memory.dmp
C:\Windows\system\WJxkRXh.exe
| MD5 | 825db4e9cf71b474a0a7afaf007c3955 |
| SHA1 | 9eccb922d94f71c52819744697edfc5fd00a44a0 |
| SHA256 | af710d4f784c5740a57883621ff81b2375c253a4f99c7dda9786094425ad579a |
| SHA512 | 093c2a7dd2354c30086fe1dc0fa86704e7e0fdbff1612f2de55102620aa0f5f05a206176ccaa825e98a31aea4e71bfd5aa5de0a929c5ac644689b358654adf51 |
memory/2156-142-0x0000000002500000-0x0000000002854000-memory.dmp
memory/2156-143-0x000000013F0D0000-0x000000013F424000-memory.dmp
memory/2552-144-0x000000013F360000-0x000000013F6B4000-memory.dmp
memory/2632-145-0x000000013F5D0000-0x000000013F924000-memory.dmp
memory/2992-146-0x000000013F920000-0x000000013FC74000-memory.dmp
memory/2516-147-0x000000013F760000-0x000000013FAB4000-memory.dmp
memory/2572-148-0x000000013F050000-0x000000013F3A4000-memory.dmp
memory/2420-149-0x000000013F900000-0x000000013FC54000-memory.dmp
memory/2576-150-0x000000013F1C0000-0x000000013F514000-memory.dmp
memory/2532-151-0x000000013F180000-0x000000013F4D4000-memory.dmp
memory/1184-152-0x000000013F7D0000-0x000000013FB24000-memory.dmp
memory/2296-153-0x000000013F9F0000-0x000000013FD44000-memory.dmp
memory/2780-155-0x000000013FE40000-0x0000000140194000-memory.dmp
memory/2424-154-0x000000013FFB0000-0x0000000140304000-memory.dmp
memory/1928-156-0x000000013FAC0000-0x000000013FE14000-memory.dmp
memory/1908-157-0x000000013F0D0000-0x000000013F424000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-21 01:29
Reported
2024-06-21 01:32
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-21_3ad1ba5c4d6f051a02d63d55a98a3d71_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-21_3ad1ba5c4d6f051a02d63d55a98a3d71_cobalt-strike_cobaltstrike_poet-rat.exe" |
Network
Files
memory/2256-0-0x00007FF616720000-0x00007FF616A74000-memory.dmp