Analysis

  • max time kernel
    119s
  • max time network
    136s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    25-05-2024 13:47

General

  • Target

    2024-05-25_f709278e0893345107ffd00787438a21_cobalt-strike_cobaltstrike.exe

  • Size

    5.1MB

  • MD5

    f709278e0893345107ffd00787438a21

  • SHA1

    85bbba8d3a1090013c190aec072b2688e1e4afee

  • SHA256

    ebc6637dc30bfbb83700b59754fc9a99cc9de855db0ba3dead180cf770d01555

  • SHA512

    17ad10eb0bac2d7955376a328f65fd5d06c60bf8f450e645779cfed4f1357bc38c2e24a43578dd705a9e95c7130666217b4bd1f3c6ec89e5e34ffce94b24fe36

  • SSDEEP

    98304:SW1qiPgxn+cuSuxx8Svt73qq36IdKtVxNw6pUkp3bkbRxjUC:53EnsxxDt73DdKrwapwbkC

Malware Config

Signatures

  • Cobalt Strike reflective loader 1 IoCs

    Detects the reflective loader used by Cobalt Strike.

  • Cobaltstrike

    Detected a malicious payload that is part of Cobalt Strike.

  • xmrig

    XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

  • Detects Reflective DLL injection artifacts 1 IoCs
  • Detects executables containing URLs to raw contents of a Github gist 7 IoCs
  • UPX dump on OEP (original entry point) 9 IoCs
  • XMRig Miner payload 9 IoCs
  • UPX packed file 9 IoCs

    Detects executables packed with UPX or a modified build of the UPX open-source packer.

  • Drops desktop.ini file(s) 1 IoCs
  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in Program Files directory 64 IoCs
  • Modifies Internet Explorer start page 1 TTPs 3 IoCs
  • Modifies system certificate store 2 TTPs 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-05-25_f709278e0893345107ffd00787438a21_cobalt-strike_cobaltstrike.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-05-25_f709278e0893345107ffd00787438a21_cobalt-strike_cobaltstrike.exe"
    • Drops desktop.ini file(s)
    • Drops autorun.inf file
    • Drops file in Program Files directory
    • Modifies Internet Explorer start page
    • Modifies system certificate store
    • Suspicious use of AdjustPrivilegeToken
    PID:1644

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\7-Zip\7-zip32.dll.exe

    Filesize

    5.3MB

    MD5

    a68695f1ea6eba2c8d0c9b95af0410a2

    SHA1

    5b71dc93e20afa6be0c21822dded1c9a0eff1775

    SHA256

    5fc2f5c62106e73b3543511d8e719b252c8f39a3e6ee5ddcacbe70546bba9071

    SHA512

    5fec8a8ccd22e2bffcad969ff64af0fa5ad6e26b9600aae78993df54f2e07b66a1425e6aea544f090fed1d042718502c9b4877ee4f27d7100caf8e8932a9fbb2

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

    Filesize

    1KB

    MD5

    55540a230bdab55187a841cfe1aa1545

    SHA1

    363e4734f757bdeb89868efe94907774a327695e

    SHA256

    d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

    SHA512

    c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416

    Filesize

    230B

    MD5

    97ea77feaced67d94e52ff8971a1c3e9

    SHA1

    c1ae08fd8d9f10b91f6900fe4aeff6a79d1488ef

    SHA256

    5f06170d1c354af5696f08621bedddf611a9451c0c5def2d4a35850fcb46dea1

    SHA512

    ee1a53ac14f7f308aeae832258e0a90d1201d079c4ef8a0b8980da4f9ff51fed8d9e62dbc18be622e7d403080fd2f6e88cb91e1c1fcd471612717f5124bc7332

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    3be76bb7bf815c950f7f6d263dbf9362

    SHA1

    a86f83f6c7918d99cb43badc5008d42f9148c1e4

    SHA256

    c8f7b7e872bc72004aec99cc8332d1df3efe5d08d7be615f8443d1aee5914d05

    SHA512

    73f676132e169aa8a7efcb4191f9054790c3470ef5114eec2cef9534889ea3522897d1e0f32c9e199fbd2657f616354e699ccdcc2bf6ae7e8fab129b52f5d310

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    9d06ff94eca222b406c7aa7fce4ac1d7

    SHA1

    e5953dfef14d5696a8b7b0b39b8fe32747f6be76

    SHA256

    d964b5c043fcd9768a4e4e7d49a9322f7193e9f9ded3c26640d3a2f02d927621

    SHA512

    6763211f27546613e9131d03f5f13bd37d26c48724d551448ee1169e8b4ea8ac6b0a1b2b696cf54522e36a0e0233e3e5a171d5b8e3b609b960d8e8e36823f0a9

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    768457fd5fd0662b92ee05dcd7f9259d

    SHA1

    98c222389039e6f932772571f05b4c8fa43cf9ff

    SHA256

    fd17b9d39106d2b228a42b7e26c30af189b38d1252cc29be306008d77c875698

    SHA512

    db7fdf6218ee49ae9514c84f3339e0a5759d0117b75d958813d28997adddca9360a6407f5d51a0920818258615d11b7063b384ee4945e4cbb090aff323142994

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    22240290b2561a3e9e15dbd078331605

    SHA1

    711e034a05469f8103cdc8cc648f3866c1d7b2f7

    SHA256

    e582bbf5e5d810d7674d437c7ec5e72e2486e7b0e3f81fb0f833c558d0d2a494

    SHA512

    bd4cde704f1dc4a8e07be1b97addd4806e46e78a4e7001ac4d10509f6eae36d16068f331b0d3c9e27cf97c95cdf7653b55350f37e213aa3f5464beebba605c1c

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    4a9b4f733c23041694e229269916b17e

    SHA1

    8299e7eeb62945f00a33d025f1b169900e50bab8

    SHA256

    bbb21c04482e2e19d95b5f091f885e2219d5304bbf29073d3d0ea8ae13efeafc

    SHA512

    3206f68b236b1db85af629cd1ea0fd479cc5a5a2b11860101ef1109409d5fb61daa34ec0600f28c5971d88e8f3da5a9baa8545ab9799d8fce5030ecbbaf75a89

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    3c4f916bc29c913bf5cc77f331e818d6

    SHA1

    6639825e581da7f9f8203c2f001f9aaf9be30d76

    SHA256

    f63d0b4cfc85dbb870b3bb756ede3e20bb95288b4a17d692da6e8908300c8413

    SHA512

    08f663364f633bfc991bce8bbc5ead95ac4fe8681f686ad19d830256bdbdcb8bd151d473d444f3ba045cdc5f8e5b7dc85606ca87e4bd94c5bf3051679dce7de3

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    9829fef0cda0848e23e740cfdc244e48

    SHA1

    03abd5e15b0f021875219bd1c6fd7e2ca8fd6971

    SHA256

    7a8be62979cfc6fb04c6419c5966fa7aeff5f628948baecaf687289c77e3f56f

    SHA512

    67e4905434faa53742989050ad220cfbd256c7b542733918f0002341dd918ddada4661d6adfa0c3070e07e0b83200945f3a9f66211b18c23704950cc979115a8

  • C:\Users\Admin\AppData\Local\Temp\Cab1A94.tmp

    Filesize

    68KB

    MD5

    29f65ba8e88c063813cc50a4ea544e93

    SHA1

    05a7040d5c127e68c25d81cc51271ffb8bef3568

    SHA256

    1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

    SHA512

    e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

  • C:\Users\Admin\AppData\Local\Temp\Tar1AD6.tmp

    Filesize

    177KB

    MD5

    435a9ac180383f9fa094131b173a2f7b

    SHA1

    76944ea657a9db94f9a4bef38f88c46ed4166983

    SHA256

    67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

    SHA512

    1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

  • memory/1644-1221-0x0000000000400000-0x00000000010B6000-memory.dmp

    Filesize

    12.7MB

  • memory/1644-3047-0x0000000000330000-0x0000000000340000-memory.dmp

    Filesize

    64KB

  • memory/1644-569-0x0000000000400000-0x00000000010B6000-memory.dmp

    Filesize

    12.7MB

  • memory/1644-667-0x0000000000400000-0x00000000010B6000-memory.dmp

    Filesize

    12.7MB

  • memory/1644-0-0x00000000002E0000-0x00000000002F0000-memory.dmp

    Filesize

    64KB

  • memory/1644-2068-0x0000000000400000-0x00000000010B6000-memory.dmp

    Filesize

    12.7MB

  • memory/1644-2727-0x0000000000400000-0x00000000010B6000-memory.dmp

    Filesize

    12.7MB

  • memory/1644-3034-0x0000000000240000-0x0000000000241000-memory.dmp

    Filesize

    4KB

  • memory/1644-3042-0x00000000002C0000-0x00000000002C1000-memory.dmp

    Filesize

    4KB

  • memory/1644-3044-0x00000000002D0000-0x00000000002D1000-memory.dmp

    Filesize

    4KB

  • memory/1644-3046-0x00000000002F0000-0x0000000000330000-memory.dmp

    Filesize

    256KB

  • memory/1644-1-0x0000000000400000-0x00000000010B6000-memory.dmp

    Filesize

    12.7MB

  • memory/1644-3050-0x0000000000340000-0x0000000000350000-memory.dmp

    Filesize

    64KB

  • memory/1644-3053-0x0000000000350000-0x0000000000372000-memory.dmp

    Filesize

    136KB

  • memory/1644-3054-0x0000000000380000-0x0000000000390000-memory.dmp

    Filesize

    64KB

  • memory/1644-3057-0x00000000003B0000-0x00000000003F0000-memory.dmp

    Filesize

    256KB

  • memory/1644-3059-0x00000000003F0000-0x0000000000400000-memory.dmp

    Filesize

    64KB

  • memory/1644-3063-0x0000000000401000-0x00000000010B5000-memory.dmp

    Filesize

    12.7MB

  • memory/1644-3061-0x0000000000400000-0x00000000010B6000-memory.dmp

    Filesize

    12.7MB

  • memory/1644-3067-0x0000000002BA0000-0x0000000002BA1000-memory.dmp

    Filesize

    4KB

  • memory/1644-3069-0x0000000000400000-0x00000000010B6000-memory.dmp

    Filesize

    12.7MB

  • memory/1644-3070-0x0000000000401000-0x00000000010B5000-memory.dmp

    Filesize

    12.7MB