Overview

overview

10

Static

static

10

2024-05-24...ke.exe

windows7-x64

10

2024-05-24...ke.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-05-2024 18:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-05-24_6982d0bc08c42d7cb462347b3fb2d61a_cobalt-strike_cobaltstrike.exe

  • Size

    7.4MB

  • MD5

    6982d0bc08c42d7cb462347b3fb2d61a

  • SHA1

    3a222804dc931aa4d2f8aab9a2b6b679a7f40bc2

  • SHA256

    e1307090db4f72c4027ce54e7e1ab50d934b5e0384cecf2399f60e0cdd4ae319

  • SHA512

    8edf79d023341a05f5ee966071cacf278db9af476deed5103725a5862323613cea3a31a00a7f7ddab2f5609b72debeaf93f8c4faa336220130841f6ea71cf553

  • SSDEEP

    98304:bGUjSb/X0Z3y/t2uDN8nsk/39999999999eEN3JjAUtw6MT4nR8CZqXebhnp3aJT:bGUGb/X0Zi/t2uDN8qurYmd08uDB

Score
10/10
cobaltstrikexmrigbackdoorminertrojan

Malware Config

Signatures

  • Cobalt Strike reflective loader 1 IoCs

    Detects the reflective loader used by Cobalt Strike.

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

    trojanbackdoorcobaltstrike
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • Detects Reflective DLL injection artifacts 1 IoCs
  • Detects executables containing URLs to raw contents of a Github gist 15 IoCs
  • XMRig Miner payload 15 IoCs
    miner
  • Drops desktop.ini file(s) 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs
  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in Program Files directory 55 IoCs
  • Modifies Internet Explorer start page 1 TTPs 21 IoCs
    stealer
  • Modifies system certificate store 2 TTPs 17 IoCs
    evasionspywaretrojan
  • Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-05-24_6982d0bc08c42d7cb462347b3fb2d61a_cobalt-strike_cobaltstrike.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-05-24_6982d0bc08c42d7cb462347b3fb2d61a_cobalt-strike_cobaltstrike.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Drops autorun.inf file
    • Drops file in Program Files directory
    • Modifies Internet Explorer start page
    • Modifies system certificate store
    • Suspicious use of AdjustPrivilegeToken
    PID:2420

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\7-Zip\7-zip.dll.exe
    Filesize

    7.4MB

    MD5

    b7877a0e7d795c20d102c3c97dbcb5f5

    SHA1

    e332d47f62b9fd99a8a919575171ea24a5d2500f

    SHA256

    12115642b2897a77147b5b0f024682d5cc4046b6b0e91d075433fa1404eaddda

    SHA512

    00bf4672c645c91b699cbba22631818b5336ed9fc45f5fb93fb4b158af345f1d343b97c3de9710ff6fac4f747810bf7d11acf7d395ac667fbb54ef3e38a41461

    Download Submit

  • F:\autorun.inf
    Filesize

    30B

    MD5

    889582a1f03237bcdb184835adc90cfe

    SHA1

    126f1a62951d5841365323609eec048df5054224

    SHA256

    4cfc1d1cf149df6f4f27d1d34842adc2e79cef413ca76d92928ee9b6709d7518

    SHA512

    debab66dab530f5ff7143dff5375c07aa6b9d8747184909c842752d14f6eb8b72a90b8cd02f62a81382a85a4a7c4d16ebbce50f579b99df073535ea64cce2194

    Download Submit

  • memory/2420-96-0x0000000000400000-0x0000000000DBD000-memory.dmp

    Filesize

    9.7MB

    Download

  • memory/2420-122-0x0000000000400000-0x0000000000DBD000-memory.dmp

    Filesize

    9.7MB

    Download

  • memory/2420-0-0x00000000001E0000-0x00000000001F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2420-107-0x0000000000400000-0x0000000000DBD000-memory.dmp

    Filesize

    9.7MB

    Download

  • memory/2420-112-0x0000000000400000-0x0000000000DBD000-memory.dmp

    Filesize

    9.7MB

    Download

  • memory/2420-115-0x0000000000400000-0x0000000000DBD000-memory.dmp

    Filesize

    9.7MB

    Download

  • memory/2420-88-0x0000000000400000-0x0000000000DBD000-memory.dmp

    Filesize

    9.7MB

    Download

  • memory/2420-91-0x0000000000400000-0x0000000000DBD000-memory.dmp

    Filesize

    9.7MB

    Download

  • memory/2420-123-0x0000000000400000-0x0000000000DBD000-memory.dmp

    Filesize

    9.7MB

    Download

  • memory/2420-124-0x0000000000400000-0x0000000000DBD000-memory.dmp

    Filesize

    9.7MB

    Download

  • memory/2420-125-0x0000000000400000-0x0000000000DBD000-memory.dmp

    Filesize

    9.7MB

    Download

  • memory/2420-126-0x0000000000400000-0x0000000000DBD000-memory.dmp

    Filesize

    9.7MB

    Download

  • memory/2420-127-0x0000000000400000-0x0000000000DBD000-memory.dmp

    Filesize

    9.7MB

    Download

  • memory/2420-128-0x0000000000400000-0x0000000000DBD000-memory.dmp

    Filesize

    9.7MB

    Download

  • memory/2420-131-0x0000000000400000-0x0000000000DBD000-memory.dmp

    Filesize

    9.7MB

    Download