Analysis

  • max time kernel
    117s
  • max time network
    129s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    25-05-2024 13:19

General

  • Target

    2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe

  • Size

    11.0MB

  • MD5

    ade75299613aba7d25361511c0b843ac

  • SHA1

    ac08eda01ad7395085f45ef84b4202432a292f70

  • SHA256

    8baf52bcf6bba53df5088d137614c655b569f2ba866d0b0ab4ab797a92c110a8

  • SHA512

    eb9d34c7818fd15ec94e441fa3d2debb48579fd6eccade5a89fd2057cf13f611e1cfd1d14e8947ef5c3c727936a62e28398c48d27a0bd98ed24c47c71e818fa0

  • SSDEEP

    196608:u2XrSIqtPazmgL7uDbzVXUHXUXEOZmPOEDkfsLws:uaWIPyquDBZtmPfkfW

Signatures

  • Cobalt Strike reflective loader 1 IoCs

    Detects the reflective loader used by Cobalt Strike.

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • Detects Reflective DLL injection artifacts 1 IoCs
  • Detects executables containing URLs to raw contents of a Github gist 6 IoCs
  • XMRig Miner payload 6 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in Program Files directory 64 IoCs
  • Modifies Internet Explorer start page 1 TTPs 2 IoCs
  • Modifies system certificate store 2 TTPs 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-05-25_ade75299613aba7d25361511c0b843ac_cobalt-strike_cobaltstrike_xmrig.exe"
    • Drops desktop.ini file(s)
    • Drops autorun.inf file
    • Drops file in Program Files directory
    • Modifies Internet Explorer start page
    • Modifies system certificate store
    • Suspicious use of AdjustPrivilegeToken
    PID:2884

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.exe

    Filesize

    11.3MB

    MD5

    21cfaa83a9f2ab0b37cee96d67b35bda

    SHA1

    4cae240bf50524eefaa268b24f906611154a00c9

    SHA256

    46307f3b5e8d8b949626cd6fbc4b2849deb6db809d2180d0e4577c2375bb246f

    SHA512

    57438ad8c15d34c7a29650a777d31baaf1dca0a8fcf694f70a0526bd4e50966f707931d54c07882cbaa6bb2896a9cda2138c96a8a00ac31a2a1eadc5ff423710

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

    Filesize

    1KB

    MD5

    55540a230bdab55187a841cfe1aa1545

    SHA1

    363e4734f757bdeb89868efe94907774a327695e

    SHA256

    d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

    SHA512

    c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

    Filesize

    914B

    MD5

    e4a68ac854ac5242460afd72481b2a44

    SHA1

    df3c24f9bfd666761b268073fe06d1cc8d4f82a4

    SHA256

    cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

    SHA512

    5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

    Filesize

    1KB

    MD5

    a266bb7dcc38a562631361bbf61dd11b

    SHA1

    3b1efd3a66ea28b16697394703a72ca340a05bd5

    SHA256

    df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

    SHA512

    0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416

    Filesize

    230B

    MD5

    fbaa4d0d3c603f3041deccafc1e93ff5

    SHA1

    7a1e7c0470a5fa5306791e76a3cc6a75d488cb05

    SHA256

    86b37f9fa1c12cce0994b8fbab15a144ee9bcc79d300b49c3405cfcd572bbb47

    SHA512

    914bd7fb497bc99c88050f7d0dc4063b50f0de9fff79349c99ec8432deda50853d4458710975d2ab4ae5a34f68f50ae3145a9dc874eafac5c1d890058d03e4d9

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

    Filesize

    252B

    MD5

    424fc95c8c18cd77efd3facdb4ee0795

    SHA1

    ab39e4d1fca6bd0677a51e44d824e142f7a35286

    SHA256

    4e92402814b1cf05a5309729cf0192636b8e70d86605ff886431b4a1ecc4aa99

    SHA512

    3a8d4b29b0196a718bd9f9b69b8e24bcac103ef6e0f32b7b67db1ae2465a0873f1347c6bdcf44e74e63267aad28e38d038e52f057ff812dfb967b2149caa0fb0

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    5b5e9c157f896a75e0fc1fad1f66860b

    SHA1

    1233e650503ca338caa1a7a3cc2c4f835915922c

    SHA256

    253529bfa9deed28fb568e0ad7cc6cc3f13230d1188e497fcfd0b6c2da4887e2

    SHA512

    9ae823c431619e001cdd3f8cd83bf3a2d7dfc7f57aab008a90f42cfefebbf258881c65dda612b2491de03e1759f1eac94e5e10803aecb3edf4c16d1e4853ab1f

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    2a1d301df62d91711119a9ceb03658af

    SHA1

    304b48c10075ae796a371e1f2660a11ace702707

    SHA256

    4e74cb3e37ce68e535290c8cd136645ffb390029e42f519706769fc918d6e45e

    SHA512

    48436fe13fd6b6f0cae0a318145a7ea39fd55a2421d85217467d3c05c9be5fbe9f4655ff4cf8a28ff41c7fe4b9ccbc7eb99066a1ae989cb8166db64852ef17a9

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    046fe4539d3d11fa0a72eda692920c2c

    SHA1

    f3f0bf735b64af5c1357ee864cd6873cf6d50b6e

    SHA256

    0414987414cff294d0613f151005cad2715413da72cb9321a570f1f63408d136

    SHA512

    50ff90680c56fff199540a8dc1e1ff12b70c246594f5795a719fd18a353baaadf10d25070f50b441d2d3d544d1b71a0df56887aa871217badd669eaca7bebd36

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    ed8534e9b970869668986b2451a424fa

    SHA1

    693e2b80a177961341b386e8a63c152414d931e2

    SHA256

    8eed136d95f690d34832ad82ba9c20015b7244b1fcf602c4e70773256221c979

    SHA512

    b9075fdac2ca701b17bcabfeb4d7437ed43fed6334fc5e605220de3c675756a013ec1a9eb673a25cc74ab58341bebc1a6afaad9ff67947ccffe980d822a025e2

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    c30abaf7bb9d848db5447701e07fc38c

    SHA1

    c47ee49f773f048bb4431de0c3898e9652dfdc32

    SHA256

    3cce0a6bd9a68119842209b580a15cb299a639c34403890300717cb6b386f0c8

    SHA512

    42c73ebb10bc994a8b37d0c7b53ef3e2ee6aff65d0855091d4851434db157e4a3592cb5cbcc348f37d288b11fc39df989af2c96d67a2663d90465066a81e4316

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    f04fb155396af49acbdc8f101cfdea52

    SHA1

    8a052980f4d599036fa31aa158fcc6fe1c77cced

    SHA256

    0391f27f976dc0e89b5e8324b189c77665113ba2355f9a6adeec2b6d4941ebe0

    SHA512

    327ab270d27323bdbcf8d305c3e378d752bec124a95f7f800a1faa868b5455c846b4eb9c933b11f31c7ff2510be85f05e9fcd6815ec9be9bcfe0dac3807e5891

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    3e7d1529a5d512886286eff2f7b1c7a0

    SHA1

    e94f0bce3323c9601fc4ade93669453636708cac

    SHA256

    7ae71475b28b780e5cd62dc4b9c7b45abe4d556f2da250fa9c75fcb32bea7380

    SHA512

    947b44a5b200954e692f7054ca35332045df5f63fbf8e43b182ab70c3bff45aa7687e02c14eb1c505bc1931bf440e4bfb36af0df468a26c347c3d07c552afbd4

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

    Filesize

    242B

    MD5

    7d01296bd3f57b939a1035e34a4417fd

    SHA1

    678d92c0df2321b58cde0314f9e8505f841c0890

    SHA256

    b831b354f1f1931c7d8eb7213299dec6505d011f21cdaa4f353733eb43fe2d15

    SHA512

    b12b1b1bfd7f2ebad946b4478888e0ef2a84fba186f004b75e8af9cae845065c9917a72e0e3aab94ad7d7c2d6e2e9d0c730e832822e7433671548acf42671f58

  • C:\Users\Admin\AppData\Local\Temp\Cab11EB.tmp

    Filesize

    68KB

    MD5

    29f65ba8e88c063813cc50a4ea544e93

    SHA1

    05a7040d5c127e68c25d81cc51271ffb8bef3568

    SHA256

    1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

    SHA512

    e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

  • C:\Users\Admin\AppData\Local\Temp\Tar1357.tmp

    Filesize

    177KB

    MD5

    435a9ac180383f9fa094131b173a2f7b

    SHA1

    76944ea657a9db94f9a4bef38f88c46ed4166983

    SHA256

    67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

    SHA512

    1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

  • memory/2884-2104-0x0000000000400000-0x00000000010B2000-memory.dmp

    Filesize

    12.7MB

  • memory/2884-906-0x0000000000400000-0x00000000010B2000-memory.dmp

    Filesize

    12.7MB

  • memory/2884-1619-0x0000000000400000-0x00000000010B2000-memory.dmp

    Filesize

    12.7MB

  • memory/2884-0-0x00000000003E0000-0x00000000003F0000-memory.dmp

    Filesize

    64KB

  • memory/2884-2678-0x0000000000400000-0x00000000010B2000-memory.dmp

    Filesize

    12.7MB

  • memory/2884-3292-0x0000000000240000-0x0000000000241000-memory.dmp

    Filesize

    4KB

  • memory/2884-3306-0x00000000003C0000-0x00000000003C1000-memory.dmp

    Filesize

    4KB

  • memory/2884-3310-0x00000000003D0000-0x00000000003D1000-memory.dmp

    Filesize

    4KB

  • memory/2884-3314-0x00000000003F0000-0x0000000000400000-memory.dmp

    Filesize

    64KB

  • memory/2884-3317-0x0000000000400000-0x00000000010B2000-memory.dmp

    Filesize

    12.7MB

  • memory/2884-3319-0x0000000000401000-0x0000000000A18000-memory.dmp

    Filesize

    6.1MB