Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29/05/2024, 21:44

General

  • Target

    2024-05-29_fd9a14af909f5c5b03257a4c10acf2b3_cobalt-strike_cobaltstrike_xmrig.exe

  • Size

    10.8MB

  • MD5

    fd9a14af909f5c5b03257a4c10acf2b3

  • SHA1

    568715a6c61824328645aa7db88418c6c9964b02

  • SHA256

    1f59a3106bd65fdbb4c3bcf697cd993e930ba45cba217363852b97e5aa8af864

  • SHA512

    c56b621f353743add9d423154379ab532a34fc7c8579bb0887279efac03d866fe9c1aadbfa0e5315cb35d5b15a28841a4135aea99a4cee1a790e92f9837aeff5

  • SSDEEP

    196608:dvg6YpjCa8BMHwNuD7PKUNwabNJvmrMQwHEFoWlY:dYXpkG6uDBuQjmrOHV

Malware Config

Signatures

  • Cobalt Strike reflective loader 1 IoCs

    Detects the reflective loader used by Cobalt Strike.

  • Cobaltstrike

    Detected a malicious payload that is part of Cobalt Strike.

  • xmrig

    XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

  • Detects Reflective DLL injection artifacts 1 IoCs
  • Detects executables containing URLs to raw contents of a Github gist 8 IoCs
  • XMRig Miner payload 8 IoCs
  • Drops desktop.ini file(s) 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in Program Files directory 64 IoCs
  • Modifies Internet Explorer start page 1 TTPs 5 IoCs
  • Modifies system certificate store 2 TTPs 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
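
Two of the listed signatures ("Detects executables containing URLs to raw contents of a Github gist" and "Drops autorun.inf file") are static checks an analyst can reproduce offline on the dropped files. The Python below is an added example, not tria.ge's detection rules and not code from the sample: it pulls raw-gist URLs out of an executable's bytes in both ASCII and UTF-16LE string encodings, and parses an autorun.inf for the directives that make Explorer or AutoPlay execute something when a volume is attached. The URL shape, the key list and both sample inputs are assumptions constructed for the example, not artifacts recovered from this report.

```python
import configparser
import re

# Assumed shape of a raw-gist URL (an assumption for this example, not tria.ge's rule):
#   https://gist.githubusercontent.com/<user>/<hex gist id>/raw[/<revision or file>]
GIST_RAW_RE = re.compile(
    rb"https?://gist\.githubusercontent\.com/[A-Za-z0-9_.-]+/[0-9a-fA-F]+/raw"
    rb"(?:/[^\s\x00\"'<>]*)?"
)

# autorun.inf keys that cause execution (assumed list; shell\<verb>\command is handled below).
AUTORUN_EXEC_KEYS = ("open", "shellexecute")


def find_gist_raw_urls(blob: bytes) -> list[str]:
    """Return unique raw-gist URLs embedded in an executable image.

    Windows binaries frequently store strings as UTF-16LE, so the buffer is
    scanned as-is and again after a UTF-16LE decode at both byte alignments.
    """
    hits: list[str] = [m.group(0).decode("ascii", "replace")
                       for m in GIST_RAW_RE.finditer(blob)]
    for offset in (0, 1):
        # Mis-paired bytes decode to non-ASCII code points, which the ascii/ignore step drops.
        narrowed = blob[offset:].decode("utf-16-le", "ignore").encode("ascii", "ignore")
        hits.extend(m.group(0).decode("ascii") for m in GIST_RAW_RE.finditer(narrowed))
    return list(dict.fromkeys(hits))  # de-duplicate, keep first-seen order


def autorun_exec_targets(inf_text: str) -> dict[str, str]:
    """Return the execution directives of an autorun.inf, keyed "section/key".

    Covers open=, shellexecute= and shell\\<verb>\\command= in [autorun] and in
    architecture-specific [autorun.<arch>] sections. A leading BOM is tolerated.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",), comment_prefixes=(";", "#"))
    cp.read_string(inf_text.lstrip("\ufeff"))
    targets: dict[str, str] = {}
    for section in cp.sections():
        if not section.lower().startswith("autorun"):
            continue
        for key, value in cp.items(section):  # keys are lower-cased by configparser
            if key in AUTORUN_EXEC_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
                targets[f"{section}/{key}"] = value.strip()
    return targets


# Constructed inputs for the demo; nothing here was recovered from the analyzed sample.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"https://gist.githubusercontent.com/exampleuser/0123456789abcdef0123456789abcdef/raw/config.json\x00"
    + "https://gist.githubusercontent.com/exampleuser/fedcba9876543210/raw".encode("utf-16-le")
    + b"\x00\x00https://github.com/exampleuser/repo\x00"  # ordinary GitHub URL: must not match
)

SAMPLE_AUTORUN = """\
[autorun]
open=setup.exe
shellexecute=.\\bin\\payload.exe /s
shell\\open\\command=payload.exe
icon=setup.exe,0
label=Backup
"""

if __name__ == "__main__":
    for url in find_gist_raw_urls(SAMPLE_BLOB):
        print("gist raw URL:", url)
    for where, target in autorun_exec_targets(SAMPLE_AUTORUN).items():
        print(f"autorun.inf {where} -> {target}")
```

Run it against the dropped files from a sandbox run (the 7-zip32.dll above, or any autorun.inf the sample writes to a mounted volume) rather than the constructed inputs; the two alignments in the UTF-16LE pass matter because a wide string in a resource or data section is not guaranteed to start on an even file offset.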

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-05-29_fd9a14af909f5c5b03257a4c10acf2b3_cobalt-strike_cobaltstrike_xmrig.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2024-05-29_fd9a14af909f5c5b03257a4c10acf2b3_cobalt-strike_cobaltstrike_xmrig.exe"
    PID: 4772
    • Drops desktop.ini file(s)
    • Drops autorun.inf file
    • Drops file in Program Files directory
    • Modifies Internet Explorer start page
    • Modifies system certificate store
    • Suspicious use of AdjustPrivilegeToken

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Program Files\7-Zip\7-zip32.dll

    Filesize

    11.0MB

    MD5

    694406d0427e08efa02f6427f0afe6b6

    SHA1

    d91cbc0409aa57546d2a0290ee4bc6267d76d730

    SHA256

    cd8bc4a7ae6f45953f414c6699d46a8ce03ef81aca1c4dac6a2cc569287e02a6

    SHA512

    1a23569144ca3cf1f3e55985fc409b0a59757d4cf8a0cfc8c926530da76611f77b88628fe1a3b186cc435b20ab8f50ff98877cbe181e507f73a494323580c91f

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

    Filesize

    1KB

    MD5

    55540a230bdab55187a841cfe1aa1545

    SHA1

    363e4734f757bdeb89868efe94907774a327695e

    SHA256

    d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

    SHA512

    c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416

    Filesize

    230B

    MD5

    88e1db4687472714ee6b7559d1876bc9

    SHA1

    31e4aa1c1c86b1e853476ae7549a743611cce440

    SHA256

    79ea343a9d6ca60e7a10713f0fccb9cb62eef6873e6309ec7d0fd4188c970764

    SHA512

    2a28de945e89717fe239e5c1522577e0bddfbfd23f7501a1e281b702e63c6378ac0ad2d642341d0a0bfe7588ac69f434a05119611f3b1994037a5ec15e48edc0

  • memory/4772-1815-0x0000000000400000-0x00000000010B2000-memory.dmp

    Filesize

    12.7MB

  • memory/4772-394-0x0000000000400000-0x00000000010B2000-memory.dmp

    Filesize

    12.7MB

  • memory/4772-1008-0x0000000000400000-0x00000000010B2000-memory.dmp

    Filesize

    12.7MB

  • memory/4772-0-0x00000000001E0000-0x00000000001F0000-memory.dmp

    Filesize

    64KB

  • memory/4772-2128-0x0000000000400000-0x00000000010B2000-memory.dmp

    Filesize

    12.7MB

  • memory/4772-2279-0x0000000000400000-0x00000000010B2000-memory.dmp

    Filesize

    12.7MB

  • memory/4772-2280-0x0000000000060000-0x0000000000062000-memory.dmp

    Filesize

    8KB

  • memory/4772-2284-0x00000000001F0000-0x0000000000200000-memory.dmp

    Filesize

    64KB

  • memory/4772-2285-0x0000000000401000-0x0000000000A18000-memory.dmp

    Filesize

    6.1MB

  • memory/4772-2286-0x0000000000400000-0x00000000010B2000-memory.dmp

    Filesize

    12.7MB

  • memory/4772-2287-0x0000000000400000-0x00000000010B2000-memory.dmp

    Filesize

    12.7MB