Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29/05/2024, 16:06

General

  • Target

    2024-05-29_4ea8f3a654fd35f246a77a75ffc77b4c_cobalt-strike_cobaltstrike_xmrig.exe

  • Size

    11.1MB

  • MD5

    4ea8f3a654fd35f246a77a75ffc77b4c

  • SHA1

    937a4293e32dbb529ef8dbd8a16480b95915d90c

  • SHA256

    b2c8ccd201b4f6e1e858ce60af89bb507b9cd487edcfa411f31f081409924e2a

  • SHA512

    1085aad73ea4c088d58f2412e5f6e02b08444f886c08026d6ae5dbede0db1f988624952447a196292bbb9145e89a6d5d507304c210656d10ba8b58c863a42093

  • SSDEEP

    196608:dvg6YpjCa8BMHwNuD7PKUNwabNJvmrMQwHEFoW3Y:dYXpkG6uDBuQjmrOHX

Malware Config

Signatures

  • Cobalt Strike reflective loader 1 IoCs

    Detects the reflective loader used by Cobalt Strike.

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • Detects Reflective DLL injection artifacts 1 IoCs
  • Detects executables containing URLs to raw contents of a Github gist 8 IoCs
  • XMRig Miner payload 8 IoCs
  • Drops desktop.ini file(s) 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in Program Files directory 64 IoCs
  • Modifies Internet Explorer start page 1 TTPs 5 IoCs
  • Modifies system certificate store 2 TTPs 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ea8f3a654fd35f246a77a75ffc77b4c_cobalt-strike_cobaltstrike_xmrig.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-05-29_4ea8f3a654fd35f246a77a75ffc77b4c_cobalt-strike_cobaltstrike_xmrig.exe"
    • Drops desktop.ini file(s)
    • Drops autorun.inf file
    • Drops file in Program Files directory
    • Modifies Internet Explorer start page
    • Modifies system certificate store
    • Suspicious use of AdjustPrivilegeToken
    PID:1368

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\7-Zip\7-zip32.dll

    Filesize

    11.3MB

    MD5

    9856181605ba50f4a5d52d30ae747906

    SHA1

    b5077203ad49657c1d42b6bd44c954443c6fba4f

    SHA256

    914c20bc9b1a4bc09a3525b3a49518f6dc76dbf4dd56a1a15520c309d1dbc236

    SHA512

    3c31dcdb7a11ac8851e2071ea9dfdf7a201e1d01891d802d6708a75b350e85a0c80c2d640123a576d3e12405407b92692ce1ffb349fb2a5b1421a98816840de4

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

    Filesize

    1KB

    MD5

    55540a230bdab55187a841cfe1aa1545

    SHA1

    363e4734f757bdeb89868efe94907774a327695e

    SHA256

    d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

    SHA512

    c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416

    Filesize

    230B

    MD5

    a214c40378266353f693c0693f17a45f

    SHA1

    7840275d23b40298c9cf155a9eae3b38afb8f17e

    SHA256

    166d7f6ed406f33dec7a0c32dee60812093e3b4fab4b276a991be8b39ebf80d3

    SHA512

    2abef430df03abec82117428e1689735e4045b3872e417d1c24bf8ad5241f0b14cd764d83356baeacbbd9c01e79bbf92e6a33d5e73b13e3208cba56313a6b489

  • memory/1368-1974-0x0000000000400000-0x00000000010B2000-memory.dmp

    Filesize

    12.7MB

  • memory/1368-494-0x0000000000400000-0x00000000010B2000-memory.dmp

    Filesize

    12.7MB

  • memory/1368-1204-0x0000000000400000-0x00000000010B2000-memory.dmp

    Filesize

    12.7MB

  • memory/1368-0-0x00000000001F0000-0x0000000000200000-memory.dmp

    Filesize

    64KB

  • memory/1368-2199-0x0000000000400000-0x00000000010B2000-memory.dmp

    Filesize

    12.7MB

  • memory/1368-2207-0x0000000000400000-0x00000000010B2000-memory.dmp

    Filesize

    12.7MB

  • memory/1368-2208-0x0000000000060000-0x0000000000062000-memory.dmp

    Filesize

    8KB

  • memory/1368-2211-0x0000000000401000-0x0000000000A18000-memory.dmp

    Filesize

    6.1MB

  • memory/1368-2212-0x0000000000400000-0x00000000010B2000-memory.dmp

    Filesize

    12.7MB

  • memory/1368-2213-0x0000000000400000-0x00000000010B2000-memory.dmp

    Filesize

    12.7MB