cobaltstrike | fc1432f13e331a7b24963ca2e24276aefc6c9bbfcee4370122a0e357314dfd74

Analysis

max time kernel
117s
max time network
120s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
21-05-2024 05:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe
Size

12.8MB
MD5

c1d129530d87fb97b08b0632a9f080cb
SHA1

5d0b9567dc5b4f32a308c6b33091d6a08fb1c35f
SHA256

fc1432f13e331a7b24963ca2e24276aefc6c9bbfcee4370122a0e357314dfd74
SHA512

82f8bc334562cba476e94ae42c51197f1cedb29791a5f75015f40741bcd1b12c16f37213fbabd680d867f33563db9a6c546c313e8d2059c940ea59dc6c83598c
SSDEEP

196608:u2XrSIqtPazmgL7uDbzVXUHXUXEOZmPOEDkfsLKi:uaWIPyquDBZtmPfkfe

Score

10^/10

cobaltstrike xmrig backdoor miner trojan

Malware Config

Signatures

Cobalt Strike reflective loader 1 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 1 IoCs

Processes:

resource	yara_rule
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

Detects executables containing URLs to raw contents of a Github gist 7 IoCs

Processes:

resource	yara_rule
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.exe	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2364-819-0x0000000000400000-0x00000000010B2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2364-1331-0x0000000000400000-0x00000000010B2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2364-2071-0x0000000000400000-0x00000000010B2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2364-2832-0x0000000000400000-0x00000000010B2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2364-3350-0x0000000000400000-0x00000000010B2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2364-3388-0x0000000000400000-0x00000000010B2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL

XMRig Miner payload 7 IoCs

miner

Processes:

resource	yara_rule
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.exe	xmrig
behavioral1/memory/2364-819-0x0000000000400000-0x00000000010B2000-memory.dmp	xmrig
behavioral1/memory/2364-1331-0x0000000000400000-0x00000000010B2000-memory.dmp	xmrig
behavioral1/memory/2364-2071-0x0000000000400000-0x00000000010B2000-memory.dmp	xmrig
behavioral1/memory/2364-2832-0x0000000000400000-0x00000000010B2000-memory.dmp	xmrig
behavioral1/memory/2364-3350-0x0000000000400000-0x00000000010B2000-memory.dmp	xmrig
behavioral1/memory/2364-3388-0x0000000000400000-0x00000000010B2000-memory.dmp	xmrig

Drops desktop.ini file(s) 11 IoCs

Processes:

2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe

description	ioc	process
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Microsoft Games\Chess\desktop.ini	2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\$Recycle.Bin\S-1-5-21-2721934792-624042501-2768869379-1000\desktop.ini	2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Microsoft Games\Hearts\desktop.ini	2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\desktop.ini	2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

Processes:

flow	ioc
28	drive.google.com
29	drive.google.com
30	raw.githubusercontent.com
32	raw.githubusercontent.com
73	raw.githubusercontent.com
75	raw.githubusercontent.com
24	raw.githubusercontent.com
25	raw.githubusercontent.com

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe

description	ioc	process
File created	D:\autorun.inf	2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe
File created	F:\autorun.inf	2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	F:\autorun.inf	2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00176_.GIF	2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Circle_ButtonGraphic.png	2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\libGLESv2.dll	2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt.nl_zh_4.4.0.v20140623020002.jar	2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Connectivity.gif	2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\blafdoc.css	2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.renderers.swt.nl_zh_4.4.0.v20140623020002.jar	2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-api-progress.jar	2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0232803.WMF	2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lv.txt	2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\kor-kor.xml	2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.commands_5.5.0.165303.jar	2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Riga	2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\mux\libmux_wav_plugin.dll	2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PROFILE\PREVIEW.GIF	2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench3_0.12.0.v20140227-2118.jar	2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-swing-plaf_zh_CN.jar	2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0106020.WMF	2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00438_.WMF	2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01236U.BMP	2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.jasper.glassfish_2.2.2.v201205150955.jar	2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\vlc.mo	2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_divider_right.png	2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Bahia	2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Creston	2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Vevay	2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\js\timeZones.js	2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\de-DE\SpiderSolitaire.exe.mui	2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_75_ffe45c_1x100.png	2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_mpeg4audio_plugin.dll	2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\es-ES\bckgzm.exe.mui	2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)greenStateIcon.png	2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files (x86)\Common Files\System\Ole DB\msdasqlr.dll	2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\MS.PNG	2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD07761_.WMF	2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\TipBand.dll.mui	2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Argentina\Tucuman	2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\ja-JP\FreeCell.exe.mui	2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECLIPSE\ECLIPSE.ELM	2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01162_.WMF	2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwresmlm.dat	2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Windows Media Player\de-DE\wmplayer.exe.mui	2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\METCONV.DLL	2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CANYON\CANYON.INF	2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Windows Journal\es-ES\JNTFiltr.dll.mui	2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\DEEPBLUE\THMBNAIL.PNG	2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01151_.WMF	2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ne.txt	2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.webapp_3.6.300.v20140407-1855.jar	2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Kiritimati	2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00413_.WMF	2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0200183.WMF	2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\7-Zip\Lang\va.txt	2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky\Louisville	2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\rss_headline_glow_floating.png	2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\artifacts.xml	2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.renderers.swt_0.12.1.v20140903-1023.jar	2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00247_.WMF	2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Psychedelic.jpg	2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad.xml	2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\icudtl.dat	2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\EN00320_.WMF	2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe

Modifies Internet Explorer start page 1 TTPs 5 IoCs

stealer

Modify Registry

T1112

Processes:

2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.LTgaFBdwIr.com"	2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.soLOxrcaoz.com"	2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.eSZjaKdGlG.com"	2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.XPIiZGUROQ.com"	2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.MEcDxDfWbJ.com"	2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe

Modifies system certificate store 2 TTPs 10 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d46240f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a190000000100000010000000fd960962ac6938e0d4b0769aa1a64e262000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe

description	pid	process
Token: SeLockMemoryPrivilege	2364	2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe
Token: SeLockMemoryPrivilege	2364	2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-21_c1d129530d87fb97b08b0632a9f080cb_cobalt-strike_cobaltstrike_xmrig.exe"
1⤵
- Drops desktop.ini file(s)
- Drops autorun.inf file
- Drops file in Program Files directory
- Modifies Internet Explorer start page
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:2364

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Lateral Movement

Replication Through Removable Media

T1091

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.exe
Filesize
13.0MB

MD5
b02f6cd28c1d56c4a67b71c3e76cb3cf

SHA1
53ad8eac77ecdbfe97d503ac1458da9989f52736

SHA256
75a078032ec0f00907eb9905aedb2e7be843ebc9b2c09c72d7c76f4be82d39f6

SHA512
971d103b77647bfaece25aaa1836d9ed5a593ad75e3377abea792b31b6170adca8ed3c1b0d4524a39e1b9f2781c8d6ab1451841c27f90f9e5733cd9e97f9eaa0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416
Filesize
1KB

MD5
55540a230bdab55187a841cfe1aa1545

SHA1
363e4734f757bdeb89868efe94907774a327695e

SHA256
d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

SHA512
c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416
Filesize
230B

MD5
ee3c9b7c0507776eb670f2a018241982

SHA1
159701136bc7b3ebf337a9bdfabe7410d6c64a5f

SHA256
29e2efb4321eb9bb9e2c1e4b3af608f777caf9264cd769a5c4adeddac1d7bdf0

SHA512
57d4c6a57551be1eeadf78ed6d489f232957a489b7c5f92ca010f5376b6b5d044a3b06375888acedbe6a879400faac1591df4af700231cf99145aa506cea63ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
cadadd7d0090faeca8ff41b3a72eb203

SHA1
0e09b7524c6460dfb686e0b3bfd29aaf574116f4

SHA256
e604c7faf738a5927883d7ce6d0b0e0a2841d30949d7b08da1d7730ff5b3600a

SHA512
14236cf40f1da3f253d9ab857f7b83469a4a27c3afbbbb4bee7ada428aed4431d66fc610bababaf45b2a9a93ee837ebc413cd219e2165ba01aedbd4a86c5ce88

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
294110cb3c5dad86399fbaaf293030cc

SHA1
5b409c8ca276b596943fb30838210323623db357

SHA256
3aca0f6d7e09eab3519c5ad698a940f61bfa15a7c510678e2306ecd5dfa10c7d

SHA512
0e477343b693133c12ef602143ad8e2d890bd24982f013a425c50e549ac3867d8a45e611a24d0f891023b7d1bebf4aa61edff928aa81376b2b9d4b6d0e78a697

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
4a713834d0ee7b8138544aa462faa7cd

SHA1
752cd11263d59a0b1b10bced7fbb7493f3b8369f

SHA256
dc353d4b8afbe82299fa0f3e180761d94787c9b68e4a4b4b8b55d89311d97b37

SHA512
7be810298c95796e6f1585394e8645e6f7e91b561962a9c6c2fc6265acde795ec48447ce3cd950649cfb8aea41576234e9697945a79603ff1058521cd45ec94a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
f922d31cf89c65930a23a6509ee81fe8

SHA1
ad73c67297636f1f006226986e729cea8b8bbf7c

SHA256
8eca7ef65a9399d09cf02d03b56ddd607ea33ce46601f9fc532e062b18fac4cf

SHA512
a7751721b8dbb0175ca2b814784b00a7e135885c2bdccb912162a504823478a0bb888885ba19b97f1a454b7290d1cd19bcbe9244affeb67a0777bdbae734690c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
da5799211277d5b227537ce105c53721

SHA1
8b3038e059bb2b78e58a37ce8607202900fa64a6

SHA256
8b2c957888f5cb3758f62043462a5c3e4ce90787b5a93babaa7b74d8535355bb

SHA512
52d26e2d0c079f5c791ad400f23bed15aa8939f3e5e118abf420f3268de6a88cacf3ee03ad1894d63680a69a9a9d49ca8d5e60229f2739d96d0545f277f51822

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabEB2.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarFF1.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
memory/2364-819-0x0000000000400000-0x00000000010B2000-memory.dmp

Filesize
12.7MB

Download
memory/2364-0-0x00000000002E0000-0x00000000002F0000-memory.dmp

Filesize
64KB

Download
memory/2364-1331-0x0000000000400000-0x00000000010B2000-memory.dmp

Filesize
12.7MB

Download
memory/2364-2071-0x0000000000400000-0x00000000010B2000-memory.dmp

Filesize
12.7MB

Download
memory/2364-2832-0x0000000000400000-0x00000000010B2000-memory.dmp

Filesize
12.7MB

Download
memory/2364-3350-0x0000000000400000-0x00000000010B2000-memory.dmp

Filesize
12.7MB

Download
memory/2364-3380-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2364-3381-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2364-3382-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2364-3384-0x0000000000370000-0x0000000000380000-memory.dmp

Filesize
64KB

Download
memory/2364-3385-0x0000000000380000-0x00000000003C0000-memory.dmp

Filesize
256KB

Download
memory/2364-3386-0x00000000003C0000-0x00000000003E2000-memory.dmp

Filesize
136KB

Download
memory/2364-3387-0x00000000003F0000-0x0000000000400000-memory.dmp

Filesize
64KB

Download
memory/2364-3389-0x0000000000401000-0x0000000000A18000-memory.dmp

Filesize
6.1MB

Download
memory/2364-3388-0x0000000000400000-0x00000000010B2000-memory.dmp

Filesize
12.7MB

Download