
Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29/05/2024, 22:44

General

  • Target

    2024-05-29_44b96558fe90d7e3c1a8201bcfe0d585_cobalt-strike_cobaltstrike.exe

  • Size

    6.1MB

  • MD5

    44b96558fe90d7e3c1a8201bcfe0d585

  • SHA1

    115723a4f7e48b934f10cceb3bd64956ef378042

  • SHA256

    3f01646754d950e5cf3e901519365123608abb2a93e9bf24aced47b5df70852a

  • SHA512

    526f4bf9f347d3914f4a4439be7a82a82f0d2d15350be0fdff979505e6cd1f828e322ecd2e3828c0ca5bb6a5281a462d0743f8e37120a9c6b64ef49e5c4fcfea

  • SSDEEP

    98304:nVidQWbsgvS6gpSTWmjlKjAyljgkuF1fqL1enHzbpUg:ViXbrS6gIWoKFGkkiL0+g

Malware Config

Signatures

  • Cobalt Strike reflective loader 1 IoCs

    Detects the reflective loader used by Cobalt Strike.

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

  • xmrig

    XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

  • Detects Reflective DLL injection artifacts 1 IoCs
  • Detects executables containing URLs to raw contents of a Github gist 7 IoCs
  • UPX dump on OEP (original entry point) 9 IoCs
  • XMRig Miner payload 8 IoCs
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops desktop.ini file(s) 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in Program Files directory 64 IoCs
  • Modifies Internet Explorer start page 1 TTPs 3 IoCs
  • Modifies system certificate store 2 TTPs 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
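The "UPX packed file" signature above fires on static traits of the packer. The following is an added example, not tooling from tria.ge or the sample, of the same check done by hand: it parses the PE section table and reports the three usual UPX tells (UPX0/UPX1 section names, the "UPX!" magic that stock builds leave in the header area, and a first section with SizeOfRawData 0 that is only filled in at unpack time). The build_pe helper and the three SAMPLE_* inputs are constructed header-only images for the demonstration, not bytes from the sample; the section-name list and the renamed-section case are assumptions about modified UPX builds.

```python
import struct

# Section names left by stock UPX; modified builds rename them, so they are one signal, not proof.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b".UPX0", b".UPX1", b".UPX2"}


def parse_pe_sections(data: bytes):
    """Return ([{name, vsize, rawsize}, ...], SizeOfHeaders) for a PE image; ValueError if it is not one."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    optional = coff + 20
    # SizeOfHeaders is at offset 60 of the optional header in both PE32 and PE32+.
    size_of_headers = struct.unpack_from("<I", data, optional + 60)[0]
    table = optional + size_of_optional
    sections = []
    for i in range(num_sections):
        entry = table + i * 40
        name = data[entry:entry + 8].rstrip(b"\0")
        vsize, _vaddr, rawsize = struct.unpack_from("<III", data, entry + 8)
        sections.append({"name": name, "vsize": vsize, "rawsize": rawsize})
    return sections, size_of_headers


def upx_indicators(data: bytes) -> dict:
    """Static UPX heuristics: section names, the 'UPX!' packed-header magic in the header
    region, and the characteristic empty first section that is populated only at unpack time."""
    sections, size_of_headers = parse_pe_sections(data)
    names = [s["name"] for s in sections if s["name"] in UPX_SECTION_NAMES]
    marker = b"UPX!" in data[:size_of_headers]
    empty_first = bool(sections) and sections[0]["rawsize"] == 0 and sections[0]["vsize"] > 0
    return {
        "upx_section_names": names,
        "upx_marker_in_headers": marker,
        "empty_first_section": empty_first,
        # Names or magic are specific to UPX; an empty first section alone is only a hint
        # (renamed-section builds), so it is reported but does not set the verdict by itself.
        "packed": bool(names) or marker,
    }


def build_pe(sections, size_of_headers=0x400, trailer=b""):
    """Build a minimal PE32 header-only image for testing (constructed, not a real binary).
    sections: [(name, VirtualSize, SizeOfRawData), ...]"""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)             # e_lfanew -> PE signature right after DOS header
    optional_size = 224                                   # PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, optional_size, 0x0102)
    optional = bytearray(optional_size)
    struct.pack_into("<H", optional, 0, 0x10B)            # PE32 magic
    struct.pack_into("<I", optional, 60, size_of_headers)
    table = b""
    raw_ptr = size_of_headers
    for i, (name, vsize, rawsize) in enumerate(sections):
        table += name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", vsize, 0x1000 * (i + 1), rawsize, raw_ptr if rawsize else 0,
            0, 0, 0, 0, 0x60000020)
        raw_ptr += rawsize
    image = bytes(dos) + b"PE\0\0" + coff + bytes(optional) + table + trailer
    return image.ljust(size_of_headers, b"\0")


# Constructed inputs: a plain three-section layout, a stock UPX layout, and a renamed-section variant.
SAMPLE_CLEAN = build_pe([(b".text", 0x1000, 0x1000), (b".rdata", 0x400, 0x400), (b".data", 0x200, 0x200)])
SAMPLE_PACKED = build_pe([(b"UPX0", 0x30000, 0), (b"UPX1", 0x9000, 0x9000), (b".rsrc", 0x1000, 0x1000)],
                         trailer=b"UPX!")
SAMPLE_RENAMED = build_pe([(b".text", 0x30000, 0), (b".data", 0x9000, 0x9000)])

if __name__ == "__main__":
    for label, blob in (("clean", SAMPLE_CLEAN), ("packed", SAMPLE_PACKED), ("renamed", SAMPLE_RENAMED)):
        print(label, upx_indicators(blob))
```

On a real dropped file, pass the file's bytes to upx_indicators. A "packed" verdict only says the on-disk image is not the code that runs; the 12.7MB memory regions the report dumps for PID 2588 are where the unpacked image lives, which is why the YARA-style "UPX dump on OEP" hits are counted separately from the on-disk "UPX packed file" hit.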

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-05-29_44b96558fe90d7e3c1a8201bcfe0d585_cobalt-strike_cobaltstrike.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-05-29_44b96558fe90d7e3c1a8201bcfe0d585_cobalt-strike_cobaltstrike.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Drops autorun.inf file
    • Drops file in Program Files directory
    • Modifies Internet Explorer start page
    • Modifies system certificate store
    • Suspicious use of AdjustPrivilegeToken
    PID:2588
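PID 2588 is flagged for dropping autorun.inf, which the signature list describes as a way to spread via attached volumes. When such a file is recovered from a volume, the question is which directives would actually launch something. The following is an added example, not code from the report or the sample: a small triage parser that pulls the launch directives (open, shellexecute, shell\<verb>\command) out of an autorun.inf body and flags an "Open folder to view files" action, which mimics Explorer's default AutoPlay entry. Both inputs are constructed; the list of executable extensions and the masquerade phrase are assumptions about common abuse, not facts from this report.

```python
import configparser

# [autorun] directives that launch or name a program when the volume is mounted or its
# AutoPlay entry is chosen; "shell\<verb>\command" entries hijack Explorer's context-menu verbs.
LAUNCH_KEYS = ("open", "shellexecute")
EXEC_EXTS = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js", ".wsf", ".hta")


def _runs_program(target: str) -> bool:
    """True if the first token of the directive (program path without arguments) is an executable type."""
    stripped = target.strip().strip('"')
    if not stripped:
        return False
    return stripped.split()[0].lower().endswith(EXEC_EXTS)


def triage_autorun(text: str) -> dict:
    """Parse an autorun.inf body and report the directives that would run code.
    Assumes the file starts with a section header; junk placed before [autorun] is not handled."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.optionxform = str.lower                      # autorun.inf keys are case-insensitive
    cp.read_string(text.lstrip("\ufeff"))           # tolerate a UTF-8 BOM
    result = {"has_autorun": False, "launch_targets": [], "masquerade_action": None, "suspicious": False}
    if not cp.has_section("autorun"):
        return result
    result["has_autorun"] = True
    section = cp["autorun"]
    for key, value in section.items():
        if key in LAUNCH_KEYS or key.startswith("shell\\"):
            result["launch_targets"].append((key, (value or "").strip()))
    action = section.get("action", "")
    if action and "open folder" in action.lower():
        result["masquerade_action"] = action
    result["suspicious"] = (
        any(_runs_program(t) for _, t in result["launch_targets"])
        or result["masquerade_action"] is not None
    )
    return result


# Constructed inputs: a worm-style autorun.inf and a benign install-disc one.
SAMPLE_AUTORUN = """\
[autorun]
open=RECYCLER\\setup.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
action=Open folder to view files
shell\\open\\command=RECYCLER\\setup.exe
shellexecute=RECYCLER\\setup.exe
UseAutoPlay=1
"""

BENIGN_AUTORUN = """\
[autorun]
icon=setup.exe,0
label=Product Install Disc
"""

if __name__ == "__main__":
    print(triage_autorun(SAMPLE_AUTORUN))
    print(triage_autorun(BENIGN_AUTORUN))
```

Note that an icon= pointing at an .exe is not a launch directive; only open, shellexecute and shell\*\command are, which is why the benign disc image is reported with no targets. On supported Windows versions AutoRun from removable media is disabled by default, so the autorun.inf is mainly useful as a spread indicator and a pointer to the payload path on the volume.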

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Program Files\7-Zip\7-zip.dll.exe

    Filesize

    6.4MB

    MD5

    abed7867c768ed1d947dc5ba4597ee8a

    SHA1

    6418bb2344d74c929ce86fd7a4c41f7770147f07

    SHA256

    e132e68e7c4161d2a1c8ee1744441b35e66dd97b9e02158d0a5b0f9f90f2c5d1

    SHA512

    af1ee82ae1d6fdaa96e019c3770f510b6aeaf7ab0837d387675e98bab974100b6ae0b05773c75dae474ac91095f284ab8535bdd435bc76b9442bb3e6ee20c4d4

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

    Filesize

    1KB

    MD5

    55540a230bdab55187a841cfe1aa1545

    SHA1

    363e4734f757bdeb89868efe94907774a327695e

    SHA256

    d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

    SHA512

    c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416

    Filesize

    230B

    MD5

    5a411789db363b894fda116ef0691832

    SHA1

    5bc7225afdde81f3a7ed3dfe1bdd34cc0d0e5e82

    SHA256

    dce5b0e94165c5fc92f72d1413ba99842ffa4228a3634af5f46b5177698f24db

    SHA512

    f64aac7424fc5e5773d3060d38f54d7b8d8c78d1b4274eb3825eccddde86e75e85e1f5d50d8888380886475047a17ea4d875b1463b0d6584affaa6a26ebbfdd0

  • memory/2588-2234-0x0000000000400000-0x00000000010B6000-memory.dmp

    Filesize

    12.7MB

  • memory/2588-3912-0x0000000000400000-0x00000000010B6000-memory.dmp

    Filesize

    12.7MB

  • memory/2588-626-0x0000000000400000-0x00000000010B6000-memory.dmp

    Filesize

    12.7MB

  • memory/2588-1649-0x0000000000400000-0x00000000010B6000-memory.dmp

    Filesize

    12.7MB

  • memory/2588-0-0x0000000000400000-0x00000000010B6000-memory.dmp

    Filesize

    12.7MB

  • memory/2588-2746-0x0000000000400000-0x00000000010B6000-memory.dmp

    Filesize

    12.7MB

  • memory/2588-3399-0x0000000000400000-0x00000000010B6000-memory.dmp

    Filesize

    12.7MB

  • memory/2588-1-0x00000000001E0000-0x00000000001F0000-memory.dmp

    Filesize

    64KB

  • memory/2588-3913-0x0000000000060000-0x0000000000062000-memory.dmp

    Filesize

    8KB

  • memory/2588-3920-0x00000000001F0000-0x0000000000200000-memory.dmp

    Filesize

    64KB

  • memory/2588-3922-0x0000000000401000-0x00000000010B5000-memory.dmp

    Filesize

    12.7MB

  • memory/2588-3921-0x0000000000400000-0x00000000010B6000-memory.dmp

    Filesize

    12.7MB

  • memory/2588-3923-0x0000000000400000-0x00000000010B6000-memory.dmp

    Filesize

    12.7MB

  • memory/2588-3924-0x0000000000401000-0x00000000010B5000-memory.dmp

    Filesize

    12.7MB
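The first dropped file above is a 6.4MB executable written into C:\Program Files\7-Zip\ under the name 7-zip.dll.exe, a stacked extension meant to read as the real 7-Zip library. The following is an added example, not tooling from tria.ge, of turning that entry into a host check: walk a tree, compute the same three digests the report lists in one pass, match SHA256 against an IoC set, and flag stacked "<name>.<decoy>.<exe>" filenames regardless of hash. The report's SHA256 for the dropped file is carried in REPORT_IOC_SHA256; the demo tree, the stand-in payload whose hash is added to the IoC set, and the decoy/executable extension sets are all constructed for the demonstration.

```python
import hashlib
import os
import tempfile

# Dropped-file IoC taken from the Downloads list above (C:\Program Files\7-Zip\7-zip.dll.exe).
REPORT_IOC_SHA256 = {
    "e132e68e7c4161d2a1c8ee1744441b35e66dd97b9e02158d0a5b0f9f90f2c5d1": "7-zip.dll.exe dropped by the sample",
}
# Extensions that, stacked as "<name>.<decoy>.<exe>", try to pass for a non-executable (assumed sets).
DECOY_EXTS = {"dll", "txt", "pdf", "doc", "jpg", "png", "zip"}
RUN_EXTS = {"exe", "scr", "com", "pif"}


def hash_file(path, chunk_size=1 << 20):
    """One read pass over the file, producing the three digests the report lists."""
    digests = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            for d in digests.values():
                d.update(block)
    return {name: d.hexdigest() for name, d in digests.items()}


def has_decoy_extension(filename: str) -> bool:
    """True for names like 7-zip.dll.exe: a decoy extension directly before an executable one."""
    parts = filename.lower().rsplit(".", 2)
    return len(parts) == 3 and parts[1] in DECOY_EXTS and parts[2] in RUN_EXTS


def scan_tree(root, ioc_sha256):
    """Walk root, hash every file, return [(path, [reasons])] for anything that matches."""
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        for fn in sorted(filenames):
            path = os.path.join(dirpath, fn)
            reasons = []
            digest = hash_file(path)
            if digest["sha256"] in ioc_sha256:
                reasons.append("sha256 matches IoC: " + ioc_sha256[digest["sha256"]])
            if has_decoy_extension(fn):
                reasons.append("stacked extension masquerading as " + fn.rsplit(".", 1)[0])
            if reasons:
                hits.append((path, reasons))
    return hits


def demo_scan():
    """Constructed tree. The real dropped file is not reproduced, so the IoC set is extended
    with the sha256 of a constructed stand-in to exercise the hash-match path; the layout
    mirrors the report's drop location. Returns [(basename, reasons)]."""
    payload = b"MZ" + b"\x90" * 64            # constructed stand-in, not bytes from the sample
    iocs = dict(REPORT_IOC_SHA256)
    iocs[hashlib.sha256(payload).hexdigest()] = "constructed stand-in for 7-zip.dll.exe"
    with tempfile.TemporaryDirectory() as root:
        sevenzip = os.path.join(root, "Program Files", "7-Zip")
        os.makedirs(sevenzip)
        with open(os.path.join(sevenzip, "7-zip.dll.exe"), "wb") as fh:
            fh.write(payload)
        with open(os.path.join(sevenzip, "7-zip.dll"), "wb") as fh:
            fh.write(b"placeholder for the legitimate library")
        with open(os.path.join(root, "readme.txt"), "wb") as fh:
            fh.write(b"nothing to see")
        return [(os.path.basename(p), r) for p, r in scan_tree(root, iocs)]


if __name__ == "__main__":
    for name, reasons in demo_scan():
        print(name, reasons)
```

Hash matching only catches this exact build; the stacked-extension check and the drop location (a writable vendor directory under Program Files, which also explains the "Drops file in Program Files directory" signature count) are the parts that survive a recompile, so keep both in the sweep.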