Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
133s -
max time network
144s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
16/05/2024, 12:34
General
-
Target
2024-05-16_617a0d0ba9dc250d2ed41df90b562537_cobalt-strike_cobaltstrike.exe
-
Size
5.9MB
-
MD5
617a0d0ba9dc250d2ed41df90b562537
-
SHA1
11e6a830e33f0cdfc38c3db29b30e351ee7bc622
-
SHA256
864426a7545d9c4858759cff23139f4ef9e7e76ba57cfee4920da1a20bbea634
-
SHA512
001b1b2b858a04b73b5347279d6d94ae2b32737795c5b0d327b500450d494ffd2a430c1aded2440c3749b40448132088f26e8dc3de7b0ebe3a761c465f687684
-
SSDEEP
98304:demTLkNdfE0pZ3r56utgpPFotBER/mQ32lUC:E+K56utgpPF8u/7C
Malware Config
Extracted
cobaltstrike
0
http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
-
access_type
512
-
beacon_type
256
-
create_remote_thread
768
-
crypto_scheme
256
-
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
-
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
-
http_method1
GET
-
http_method2
POST
-
maxdns
255
-
pipe_name
\\%s\pipe\msagent_%x
-
polling_time
5000
-
port_number
443
-
sc_process32
%windir%\syswow64\rundll32.exe
-
sc_process64
%windir%\sysnative\rundll32.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
4096
-
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/N4215/adj/amzn.us.sr.aps
-
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
-
watermark
0
Signatures
-
Cobalt Strike reflective loader 21 IoCs
Detects the reflective loader used by Cobalt Strike.
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Detects Reflective DLL injection artifacts 21 IoCs
-
UPX dump on OEP (original entry point) 52 IoCs
-
XMRig Miner payload 54 IoCs
-
Executes dropped EXE 21 IoCs
-
Loads dropped DLL 21 IoCs
-
UPX packed file 52 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Windows directory 21 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 63 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-05-16_617a0d0ba9dc250d2ed41df90b562537_cobalt-strike_cobaltstrike.exe"C:\Users\Admin\AppData\Local\Temp\2024-05-16_617a0d0ba9dc250d2ed41df90b562537_cobalt-strike_cobaltstrike.exe"1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System\LirBjVu.exeC:\Windows\System\LirBjVu.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\System\qkDOger.exeC:\Windows\System\qkDOger.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\System\sKlNefk.exeC:\Windows\System\sKlNefk.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\System\bKZrgWM.exeC:\Windows\System\bKZrgWM.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\System\MMUESzj.exeC:\Windows\System\MMUESzj.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\System\ElbQWOl.exeC:\Windows\System\ElbQWOl.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\System\SCYrYci.exeC:\Windows\System\SCYrYci.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\System\MkqvASy.exeC:\Windows\System\MkqvASy.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\System\uNOaySn.exeC:\Windows\System\uNOaySn.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\System\MEiIQoh.exeC:\Windows\System\MEiIQoh.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\System\iHewXNM.exeC:\Windows\System\iHewXNM.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\System\gHxVgSq.exeC:\Windows\System\gHxVgSq.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\System\PKnJuwf.exeC:\Windows\System\PKnJuwf.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\System\ZALTAfa.exeC:\Windows\System\ZALTAfa.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\System\dJcuCsd.exeC:\Windows\System\dJcuCsd.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\System\QuawdKX.exeC:\Windows\System\QuawdKX.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\System\AvIHCyo.exeC:\Windows\System\AvIHCyo.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\System\ijNUxUD.exeC:\Windows\System\ijNUxUD.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\System\uQDHNIo.exeC:\Windows\System\uQDHNIo.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\System\onTtYuT.exeC:\Windows\System\onTtYuT.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\System\ZwAEVKy.exeC:\Windows\System\ZwAEVKy.exe2⤵
- Executes dropped EXE
-
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
5.9MB
MD576dfd5e12e54effccdbf72d7b8a6db28
SHA16e1dc8f3e1a0ab88048018159cb3ac08e9979804
SHA256847bed7ac080bfcaf1eefd7ee9c676d64f5ecd5b5e97f7c6d4e7ab8143e2a9c2
SHA512f8c13663c06cc6ef41d8c7564259f7411e0c770908d2ea1ddb5cd8bc7319b0e4c0ee616a3401d61c11c1987babc136b26df4c76fc883c9710dc22d0872243496
-
Filesize
5.9MB
MD5773319a2e3251ef6de9378ad1d3a4999
SHA1b25bf4e0c6b9d5b9314100d4b1b93fe6241ffd91
SHA256bedc7491e324c509d1626cca899836b00ab72bbfbe2f6be176b5c58b728241c3
SHA512e28bf9cd5cac152bac72864d96325de10eec05126e1aeaf81dc1d31e1210286fa831096c9e1009b49be9fe958ff8ae4d36192d120c13e4ec309b5812cc3aeddc
-
Filesize
5.9MB
MD5f79522e736f37de000b59e2103f5289d
SHA11b477e24f53087f3674eefb2a476d5172aa5e3aa
SHA256fc47f0bba6f90c566bf0ce6e4d9509945be2d344f2e354d922b7f99538082474
SHA512dba7dc56ac5826e9d9806258154b12170f84b458297f93bc30586f1b926b0f1c438f028c2006e496512b6b16eea41255290fe73ee76340892d30920934103df6
-
Filesize
5.9MB
MD5b8046c7c3de8628d7adc1615b2341bb7
SHA1972645fb4eaae6c4b1e5f2da2ee167add80f38c2
SHA256bbb8fd58d136b862ab3e17304fef4ba7a6582c1754dda60ab02127d826c1ae40
SHA5126d7bece02289917d3cca5ff8e9193f3afb92961b090af70873c138d7671a76c6bc15679298ba5d5eb9970b838054e9c5eb5b96bc49b848768986469d499a2af2
-
Filesize
5.9MB
MD52fd589ba6892fec1368d40186a646c1b
SHA1ffd102a4f8d5246a33256baa2433af6d5d925132
SHA2563802e6bb9d619c8a2e8fc18d3ec36d8e61a8e9037045dcd0bdf200621ea8d1b4
SHA512cc1aa296b23216057b3e6a592a3c561ea0bd410677fe806333ac5d7fbb97e26e6bbe45e3bf0f533f2bbefb61417cb62b2f987557eeae65100cd72a54a3e40453
-
Filesize
5.9MB
MD52b5f2913850456f6df6b1806b32ed009
SHA1540085aebf20c7b7057850458b1118917f4a84c6
SHA256fa9895eca27ca98e0586c66cc57ca595f44ea6798709f5da63e11e27305cdc6b
SHA51280249bd7c0998d9e4d059189350a1dcaba9d71b028050e8cd7f134c6189b25fd36105e6f55f00ffa35ebc294996600c7fc3113ab86a516cdf635ab4e027f1bf1
-
Filesize
5.9MB
MD5a2b99eaef5487dc4e61db1bf308b282f
SHA1548bf7a539de1b9e62e9a79d449a4c9d4e348822
SHA256aa2138e41426f2eddde20ef8b7b03aadb1376dc2176d3127a36c4089295cd9f9
SHA51224a550fa4e2c75b713fb37819fe72e19775b40ecf70b083f542450ca36360a9d347fea8e3126e7b587b6e9b40df3cdcee89b7724a36d379fc119d7444f2e2e67
-
Filesize
5.9MB
MD565111ea7ae6b1d10bb0c1006292136e7
SHA132e2c88d2592a219884566c808fc950982d3184c
SHA256e84012da88942b7415558918f5cc9cb44d15c7c274624a5b3adcce04f77184d3
SHA512a1c37b71bf30758efa3836cd744ededa42eb877105b40db0fac09887b37d29d8daed45ec9f86a3444ebbfe4c890912c4799eea57cb6206d592eae1389fc1546c
-
Filesize
5.9MB
MD553ccd4f54961c36a340badf80194d00f
SHA10294f6ff0995baa37565cb7a56e056ccb7fc2a93
SHA2565d475ef20583e547ebb7d731bd97df8919c3f44316d8d8c88c41f088981b1683
SHA512561f7e3adaffb86c0a63a38fcf6e06d831222c4b4366b00443734dcb0cff39f40387f4566a31161d847ad672b6df190717082b969cefe31e610464b0b29aa9cf
-
Filesize
5.9MB
MD55db53161a9cc4b16b7b089b88fd93d30
SHA190f5485713065b5b1ccfaf992d801125102bf5eb
SHA256b9f6db6fe9764209a7f0b2302cf1bf2e7a457a0d7cf8e5c2e3a0aaeb216cd1d2
SHA512e460857316c073373af419a9762431d970f120381488fae285266b1981d1f3ba66dc7fc14a7bd51fe67368ced60484b6d1af085c54b10ee6ff94ed984af2c251
-
Filesize
5.9MB
MD597d4d598bf4dd90c17ababfcb1811e85
SHA1930e9e364595b08d283756df0b6057e6a3e0de64
SHA2563c588151317493813a7dd00e2c337c34a5f8b228f81b5a81799e6a1a817b1396
SHA5123d188f4ad940fb2b93bdf27e844d1396523f951094f17ce96842f1ccc88e8339d9a9b3ade16380d8d146657cb044549296ca817b9bd2cf8c25dd34f2252e5761
-
Filesize
5.9MB
MD5b7d7da0fbc9fcea3e36f4a9d990ab9d5
SHA1bfc322c97f64c4b408e803b2c37404c9f54b0533
SHA2568f41bc4e75d1f034bdaa40060e3798aa09efbbb9b493982f1cb648efbfb22b79
SHA512acb6eade00fec79c036b9317e5c53eb7a125f1e057be6e0db292fd45c228b2e558462a40c115af1bec90c90a64d67d1e7d15b1c5e8790e2fa8f5624ea3408fa6
-
Filesize
6.0MB
MD5355410f151f7441078ce8d4c43733654
SHA11eb1129df9a035b4e12cacc64afa1dae2c2221cf
SHA2568c677148be9f281f5f2981d77e94c91eefaa92667244ab666961cb90cc463999
SHA512bdfb5b68bc60257b94d874e87ca6608d629eaa1318aaec098ead47ed1c9fcdeb61724b10162a78e8defa84433cd6568148a16c016feb2f017dc53a4fdaaa07d3
-
Filesize
6.0MB
MD558bda5204fd80911fee65d8ff38b2a93
SHA178bf30b4b1e7765e207037ad415962a89d930b37
SHA25676369afb35e2dcdafc324f7b403c79c3d657c7b223fe41d2bfa31f93f379803a
SHA5127992d6fbcaebda67c07cf66c3888591149357279c55494cf34fffead1a294593978e6b0fdc8fb125a77875c99b0032418fe89a226b498a3b1ed4b839fa3c08c0
-
Filesize
5.9MB
MD5470cecf4b9d0a57f4d97b028efd1397f
SHA1baf9bc5a2296b8ffe54221cc5b5ab19274b4f91d
SHA25631b4caf6d3f9c068818a7fa91e20739569a6f8beb9064d1d18796ab7c6d77448
SHA51201d2128a12459ea720b1436bc23ee988cfb42be382230a2ee8516f6b47686a718f19d05922a240a04af0b4983f7234299792fbd79527b8fd072bd6359650872c
-
Filesize
5.9MB
MD5286682f58234c9e2990fa58e4e3162a4
SHA13bbd51a58d201c172f9bd5035006dd5536da5845
SHA2563f906d5ebbb449432e1fd40cb1e4928b0510cde0b14616e08d1df8765b05fbaf
SHA5125ea7b2f6f0253fef545b484d3d72824adfc29de50c579c1629b7a1f0e4364ce67434020506ba957743250ef0e5b0cb3c1eaccc57f890a3322ab02c28cba41ca9
-
Filesize
5.9MB
MD5c986aca58e09e7cad765190ff2c84cb1
SHA1828fb34c9bb3d88c74dd202ba9c1a8513c7f6dde
SHA256851e8ef9db42f2c1ced79957af288f8751e24f351c3fab9efe3495c515035bdd
SHA512058dae591bc6b4641ad79a8ec98898ed790c9a8e3af868827a10d9755947830f369591fa3877b336e09fe4ea028ec16493296eb58dcddf5c40feadd2e4733be0
-
Filesize
6.0MB
MD5f0cabd6ba102899a11f9e1ffbd2d0590
SHA15e34e53ae3a7751fd2f58c19ef40c2241f4d1c69
SHA256b45f912cb86abc1f1df88abf1bc554fa51b80a27a3d6c46be1d8cd9a4c5da165
SHA512a6ba4382c13d6cea97207f97d24bf1cfba30a39f69df1bab1f741184d3e82440ac236bfcae1604fa2ea61b94dce616be070cef1e9e0ee7249b923ad2aaaca2af
-
Filesize
5.9MB
MD5bdf90671c3a8593584ecec191255ee30
SHA16b0449f12335eb22171bf47d0822177c6d03d157
SHA2562b03d0d9007274e3b88e53630e336eec42c481a24e41fe4c5c7fd2f4e4092ae9
SHA512ff31e683ef0f0d6f0266602bc2523c5bf28c3c29a456856da6a050b35ed7ddf23777aa8f019fcab00fa44c0be90e65248f85296317a5cc531eb970a0ece94543
-
Filesize
5.9MB
MD51811e5f3e43937350eeca72137b782d3
SHA111259a2111bd0e0746bb96a506688d6a47692a15
SHA256da303da4bd40a2614e98aac5c343bea152f6f3fa5e1c46bb7b2ad4e44f6807fa
SHA512fe0197cbdf17a236c024361fd7824534b280d93f947f27c6dfbd24b8014931625804fd8a68c99cfa3353c6549735012c2d83e1e47a4954d467b6e19d5949b11a
-
Filesize
6.0MB
MD5ee54c049a1ae38ad72798669129498eb
SHA11e12bc19deac55c8e4d23de49bc85c43e2d9881e
SHA2566c683bd1f7aa0fa50f09e4fc9b9b7c1be69533ef3ebaa2ba83faef82a14010b2
SHA5122a254829308b2d79dda312db902beaf846534d7db6d1642cf8f09d1f008460cc308d2b599cf44cd9e2bb26eccbf0d0516c67e200f6807e9dfc03e92ff965d58a
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
64KB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB