Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25-05-2024 00:37

General

  • Target
    2024-05-25_5cf22f8052e2c6fada4777dfa7d8e216_cobalt-strike_cobaltstrike.exe
  • Size
    8.0MB
  • MD5
    5cf22f8052e2c6fada4777dfa7d8e216
  • SHA1
    6a7a7a6d5cf4d2a2e4916fccd508756bbba07d46
  • SHA256
    016fba26faf81c46a44a2795e9fcd854eae9226e57f0c313aacb046a6609e8da
  • SHA512
    286f8084aa2c78fff17efc34f0a4d880ceb6e29085041fb50f6b8548b9ee29133104172232a45dba6416b6467a159d3949d9ee25cd8deb1e31d4e19b58721406
  • SSDEEP
    98304:bGUjSb/X0Z3y/t2uDN8nsk/39999999999eEN3JjAUtw6MT4nR8CZqXebhnp3aJc:bGUGb/X0Zi/t2uDN8qurYmd08uDC

Malware Config

Signatures

  • Cobalt Strike reflective loader 1 IoCs

    Detects the reflective loader used by Cobalt Strike.

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • Detects Reflective DLL injection artifacts 1 IoCs
  • Detects executables containing URLs to raw contents of a Github gist 15 IoCs
  • XMRig Miner payload 15 IoCs
  • Drops desktop.ini file(s) 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs
  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in Program Files directory 19 IoCs
  • Modifies Internet Explorer start page 1 TTPs 16 IoCs
  • Modifies system certificate store 2 TTPs 17 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-05-25_5cf22f8052e2c6fada4777dfa7d8e216_cobalt-strike_cobaltstrike.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2024-05-25_5cf22f8052e2c6fada4777dfa7d8e216_cobalt-strike_cobaltstrike.exe"
    PID: 4628
    • Drops desktop.ini file(s)
    • Drops autorun.inf file
    • Drops file in Program Files directory
    • Modifies Internet Explorer start page
    • Modifies system certificate store
    • Suspicious use of AdjustPrivilegeToken

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Program Files\7-Zip\7-zip.dll.exe
    Filesize: 8.1MB
    MD5: bb8d45716eeafc66ec586c6ffd1bc5de
    SHA1: 6300ebebfab6bafbd26ba80fd1fc192f0f140ffa
    SHA256: d4029813b8361eee68ac9bbc09c047023741289db85410b85fef13dc4d878317
    SHA512: 67e40cb76cb80470c72edc15245561d2ed0e51fb8105cc0adbbf77a4cfd795b1b2fafaec23bbdcd0e3710e8bbc102bceb46dfc696c669d59164cf5dde5fca33f

  • F:\autorun.inf
    Filesize: 28B
    MD5: 8e994937ffb8479625c7f22aabaf5961
    SHA1: 7c9fe7fef3a211a4209024cbf3d8b66048251e76
    SHA256: a31bf562b712e9f8566113f00d31db4338e817867126d98f10e4abfd1ecda4e5
    SHA512: 14935be5b42bcdff2d7286648adbed3c2c23846f0308907e837d96c61a462569cf8f8e80e5d9ae9ae17fc46a41fe2669ae3979751894ef264fe9e2c9ec782b78

  • memory/4628-50-0x0000000000400000-0x0000000000DBD000-memory.dmp (Filesize: 9.7MB)
  • memory/4628-53-0x0000000000400000-0x0000000000DBD000-memory.dmp (Filesize: 9.7MB)
  • memory/4628-40-0x0000000000400000-0x0000000000DBD000-memory.dmp (Filesize: 9.7MB)
  • memory/4628-43-0x0000000000400000-0x0000000000DBD000-memory.dmp (Filesize: 9.7MB)
  • memory/4628-46-0x0000000000400000-0x0000000000DBD000-memory.dmp (Filesize: 9.7MB)
  • memory/4628-47-0x0000000000400000-0x0000000000DBD000-memory.dmp (Filesize: 9.7MB)
  • memory/4628-0-0x00000000001E0000-0x00000000001F0000-memory.dmp (Filesize: 64KB)
  • memory/4628-37-0x0000000000400000-0x0000000000DBD000-memory.dmp (Filesize: 9.7MB)
  • memory/4628-54-0x0000000000400000-0x0000000000DBD000-memory.dmp (Filesize: 9.7MB)
  • memory/4628-61-0x0000000000400000-0x0000000000DBD000-memory.dmp (Filesize: 9.7MB)
  • memory/4628-64-0x0000000000400000-0x0000000000DBD000-memory.dmp (Filesize: 9.7MB)
  • memory/4628-65-0x0000000000400000-0x0000000000DBD000-memory.dmp (Filesize: 9.7MB)
  • memory/4628-68-0x0000000000400000-0x0000000000DBD000-memory.dmp (Filesize: 9.7MB)
  • memory/4628-36-0x0000000000400000-0x0000000000DBD000-memory.dmp (Filesize: 9.7MB)
  • memory/4628-71-0x0000000000400000-0x0000000000DBD000-memory.dmp (Filesize: 9.7MB)