Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
  • submitted
    29/05/2024, 19:05

General

  • Target

    2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe

  • Size

    5.0MB

  • MD5

    cf40c54d65daaa6e2a46449b70facbdd

  • SHA1

    0079078911651943cc00f2b29fc1cea8ecf26b4b

  • SHA256

    1a0143debf12deec42c507272f51498fc613b68cc800f6acbc96031861caee50

  • SHA512

    c87c30a1a048dd81bb2d693bd0ddf9cf44fba80d7a209f3292507a860b364d171b9e7a4400e67dd18bfe78559e6d45920f5e73a1e7a051d9264e94f21471d937

  • SSDEEP

    98304:SW1qiPgxn+cuSuxx8Svt73qq36IdKtVxNw6pUkp3bkbRxcUV:53EnsxxDt73DdKrwapwbzV

Malware Config

Signatures

  • Cobalt Strike reflective loader 1 IoCs

    Detects the reflective loader used by Cobalt Strike.

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • Detects Reflective DLL injection artifacts 1 IoCs
  • Detects executables containing URLs to raw contents of a Github gist 8 IoCs
  • UPX dump on OEP (original entry point) 10 IoCs
  • XMRig Miner payload 10 IoCs
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops desktop.ini file(s) 9 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs
  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in Program Files directory 64 IoCs
  • Modifies Internet Explorer start page 1 TTPs 6 IoCs
  • Modifies system certificate store 2 TTPs 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-05-29_cf40c54d65daaa6e2a46449b70facbdd_cobalt-strike_cobaltstrike.exe"
    • Drops desktop.ini file(s)
    • Drops autorun.inf file
    • Drops file in Program Files directory
    • Modifies Internet Explorer start page
    • Modifies system certificate store
    • Suspicious use of AdjustPrivilegeToken
    PID:2248

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\7-Zip\7-zip32.dll.exe

    Filesize

    5.3MB

    MD5

    839e6201004422bd950a5f1f7e2d28ca

    SHA1

    ba12e30f3568fcc756998c12db0e59c57d303678

    SHA256

    be4554e6f370f5994c6b5d7cafb2cb7758969579a6c0a83f66b8f4fb27885a2a

    SHA512

    4d9639b0274c504fe8e156b635200cb47f32fa177a87290c198bf0fd0a917e09ca9b7d7af3d4ab529d834111fb575ce2c491925f4e0d2077311d8c1a80ad4843

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

    Filesize

    1KB

    MD5

    55540a230bdab55187a841cfe1aa1545

    SHA1

    363e4734f757bdeb89868efe94907774a327695e

    SHA256

    d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

    SHA512

    c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416

    Filesize

    230B

    MD5

    c5806cbfa94aef364a1c4577b0ebba61

    SHA1

    16dc093ccba2f13ecfe0c0d96c4b72013d0ea581

    SHA256

    2cd34782b4a895a6cd123f7d21464c4a8ee6ab573a5e0c1dcaaf8c4afb106990

    SHA512

    bfd7e1e3e85e7cd8d7b349354ba21d4af29e3c1978301dee96fb8cce7241d28c90113e14a8789068282f803084548a50cc4de194b9ee06017601d4f9f7e6fbca

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    8f0ceff61d596fcebd2806ca989c9d89

    SHA1

    3f05f4a5333a4391326d4a4fb5dd6f111a85ff5a

    SHA256

    ee92aa51efa1a4570bc12deecef149acae2f40dc201dd8274d4f053e1686ded8

    SHA512

    c4a45518f2c964c45cbd29340112f01d005669df53ff5d81e64e1b09f38139b6b690de664a03d7d58220568487e11e558db430480327545ff06195cffafda139

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    697a0d889020c511c2a1ed5fb77a3f2c

    SHA1

    485812176eb24fe36b47f82cf4e396976d606811

    SHA256

    b109ed3469ed405d5680a12c06581e6524dc08db24593e854cf3ca3af62e5544

    SHA512

    eae760b0512cb27f53a9bc798ea9d69638e422ac9d3d30acfa6b70dd417f8c4b9b852aea9f9c445d70f3ad4c76d7e3a3826e3a389fa7197304c5b7fbeb40dcb7

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    ad4628bd6937b13f2847f30baa3f7034

    SHA1

    9a225d443acb5e65af74b22546a22138f9696769

    SHA256

    9b5172030435ce52ae513e3a749552125ff4d6c3aa75072cb3e7fac22aef41ff

    SHA512

    dc36546bc9f226b5cccf1ee5a5690ff779ee9f4e798ca640be51d112568da5d2da1abd767b2f903160702d2d9e599a8676979d6f93c596a5dd08ddad618fbf83

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    867307b4441e2678e3911fc3baac8210

    SHA1

    1ddb85260d44cdc7be55cddb50f7454d51b97bf5

    SHA256

    c0d3e5ceeea4c7e8f52d56e92a20ddf9abec52241e659b91578fd2f41c820f90

    SHA512

    9c35fab948af9352531c96a085ee50abdf54f0126193d68b47d62319c875c880304dd05feda7dd8208d549bd222fee6a3d52468d9452454ab3749927495c322b

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    2f8cba65843934074279025b577a8d00

    SHA1

    50f3e4563a797f2452171987cefc9c931c51794b

    SHA256

    e5441a1fe2a6565368c02236db15bcd7bcfe064be5f4d7b3be8747ec5d097bd5

    SHA512

    7ea2e2a0260b57e969b79f55948ccf12afbdcf86ff7c9304190e8c50df3208d5685b1821bfa974448387bc2e98a1d23a0f8345e2b30ca27e12b6250cce8217ce

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    88dbed960f71592ec472465f3875f869

    SHA1

    a4e55535d1638b37e6b9718cdab19816f6b3bf90

    SHA256

    a60de8059a16f82be928a0e200e6f4b1e3634f464ce28e141ef6affb91a4de55

    SHA512

    fe4861f663784853a202db1e54709866f73c132760bdffe9bb9a4e3e3aeed6f673576f1b0bb1601808a713a47c19dbf2e59eb2138b84176c723197b654570ee7

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    d9f69348b9b689903178d67372c67321

    SHA1

    87b6e361fc58fd010df776d2f3b97c62636a0a5a

    SHA256

    382dbd6baec93eddb269652367533db397fa535a75addad4c021890d9340b0b5

    SHA512

    cd1364d1859c2b0e47c5e01872498fc751beca30813f28c93cf2d8b0c82ad831e40eaeada81bc1d6f7944670cb087080217ee8edbd1eb6e37ff033649494f5fa

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    29190c7157663709fd64a8f3f955a4a6

    SHA1

    e55b5befead5b6ccd94248c3df4f291b5ebf2dc2

    SHA256

    f216699baec7164ead03e1b17ca068394232fc1a7d87a754be5f18d9e6f1f774

    SHA512

    654ee82315d0fcb23e721c48e6a2f1797392e2acc725d0352d021ac81693da264aff7612105f4b529632feaa41544484af3851aece9242163c5f5a9e2b36c0e7

  • C:\Users\Admin\AppData\Local\Temp\Tar94B.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • memory/2248-1133-0x0000000000400000-0x00000000010B6000-memory.dmp

    Filesize

    12.7MB

  • memory/2248-4611-0x00000000002C0000-0x00000000002C1000-memory.dmp

    Filesize

    4KB

  • memory/2248-1128-0x0000000000400000-0x00000000010B6000-memory.dmp

    Filesize

    12.7MB

  • memory/2248-1-0x0000000000400000-0x00000000010B6000-memory.dmp

    Filesize

    12.7MB

  • memory/2248-2178-0x0000000000400000-0x00000000010B6000-memory.dmp

    Filesize

    12.7MB

  • memory/2248-3282-0x0000000000400000-0x00000000010B6000-memory.dmp

    Filesize

    12.7MB

  • memory/2248-4239-0x0000000000400000-0x00000000010B6000-memory.dmp

    Filesize

    12.7MB

  • memory/2248-4607-0x0000000000400000-0x00000000010B6000-memory.dmp

    Filesize

    12.7MB

  • memory/2248-4610-0x0000000000240000-0x0000000000241000-memory.dmp

    Filesize

    4KB

  • memory/2248-0-0x00000000002E0000-0x00000000002F0000-memory.dmp

    Filesize

    64KB

  • memory/2248-4612-0x00000000002D0000-0x00000000002D1000-memory.dmp

    Filesize

    4KB

  • memory/2248-4614-0x0000000000370000-0x0000000000380000-memory.dmp

    Filesize

    64KB

  • memory/2248-4615-0x0000000000380000-0x0000000000390000-memory.dmp

    Filesize

    64KB

  • memory/2248-4616-0x0000000000390000-0x00000000003D0000-memory.dmp

    Filesize

    256KB

  • memory/2248-4617-0x00000000003D0000-0x00000000003F2000-memory.dmp

    Filesize

    136KB

  • memory/2248-4618-0x0000000000400000-0x00000000010B6000-memory.dmp

    Filesize

    12.7MB

  • memory/2248-4619-0x0000000000401000-0x00000000010B5000-memory.dmp

    Filesize

    12.7MB

  • memory/2248-4620-0x00000000046A0000-0x00000000046A1000-memory.dmp

    Filesize

    4KB

  • memory/2248-4623-0x0000000000400000-0x00000000010B6000-memory.dmp

    Filesize

    12.7MB

  • memory/2248-4624-0x0000000000401000-0x00000000010B5000-memory.dmp

    Filesize

    12.7MB