Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system
  • submitted
    29/05/2024, 20:48

General

  • Target

    2024-05-29_4569f6d73b86c39437a773072b832149_cobalt-strike_cobaltstrike_xmrig.exe

  • Size

    11.1MB

  • MD5

    4569f6d73b86c39437a773072b832149

  • SHA1

    bf753c1418c9afecda74af7b28f04daf42a5a411

  • SHA256

    38f5f3610b1d2096cb763a074f9ce7fc9326846a8f06cb6d75f6b90a516ddd8c

  • SHA512

    d5827b33cad6086b5f725d789b2260c1763b5dd0f947c8d4425ee5658bbf450a7eb18df9641bed05460fe1724bfa282898ee4924c3de3fef1725f97a8455cd03

  • SSDEEP

    196608:hAfrMK0z50OJEzEuDTvnO5tQ3ovumrGXp66Xo:hYYKXS1uDaOZmry6B

Score
10/10

Malware Config

Signatures

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • Detects executables containing URLs to raw contents of a Github gist 5 IoCs
  • XMRig Miner payload 5 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs
  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in Program Files directory 1 IoCs
  • Modifies Internet Explorer start page 1 TTPs 3 IoCs
  • Modifies system certificate store 2 TTPs 20 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-05-29_4569f6d73b86c39437a773072b832149_cobalt-strike_cobaltstrike_xmrig.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-05-29_4569f6d73b86c39437a773072b832149_cobalt-strike_cobaltstrike_xmrig.exe"
    • Drops autorun.inf file
    • Drops file in Program Files directory
    • Modifies Internet Explorer start page
    • Modifies system certificate store
    • Suspicious use of AdjustPrivilegeToken
    PID:2476

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

    Filesize

    1KB

    MD5

    55540a230bdab55187a841cfe1aa1545

    SHA1

    363e4734f757bdeb89868efe94907774a327695e

    SHA256

    d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

    SHA512

    c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

  • memory/2476-0-0x00000000001E0000-0x00000000001F0000-memory.dmp

    Filesize

    64KB

  • memory/2476-16-0x0000000000400000-0x00000000010B2000-memory.dmp

    Filesize

    12.7MB

  • memory/2476-19-0x0000000000400000-0x00000000010B2000-memory.dmp

    Filesize

    12.7MB

  • memory/2476-22-0x0000000000400000-0x00000000010B2000-memory.dmp

    Filesize

    12.7MB

  • memory/2476-27-0x0000000000400000-0x00000000010B2000-memory.dmp

    Filesize

    12.7MB

  • memory/2476-28-0x0000000000060000-0x0000000000062000-memory.dmp

    Filesize

    8KB

  • memory/2476-34-0x00000000001F0000-0x0000000000200000-memory.dmp

    Filesize

    64KB

  • memory/2476-35-0x0000000008710000-0x0000000008711000-memory.dmp

    Filesize

    4KB

  • memory/2476-36-0x0000000000401000-0x0000000000A18000-memory.dmp

    Filesize

    6.1MB

  • memory/2476-37-0x0000000000400000-0x00000000010B2000-memory.dmp

    Filesize

    12.7MB

  • memory/2476-45-0x0000000000401000-0x0000000000A18000-memory.dmp

    Filesize

    6.1MB