xmrig | ad4f58602aa73b20c17420ad7bacd34253a8c9b7cda49eb679dcfc0ae8c57fcf

Analysis

max time kernel
136s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-06-2024 23:49

Target

2024-06-01_2dd820a0817eace3477f2519f3713290_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

2dd820a0817eace3477f2519f3713290
SHA1

191d3eb7f5c162708557b89f3d6a7e38d096d3c9
SHA256

ad4f58602aa73b20c17420ad7bacd34253a8c9b7cda49eb679dcfc0ae8c57fcf
SHA512

f58f10df8ae6556b1599c0d68f89e15fb0185cc9999a617720074b9201737b68a580e8310326c3e73349ba1f5c983a7902de4a4f3f2bffa7359627cbfe688ed4
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUx:Q+856utgpPF8u/7x

Score

10^/10

xmrig miner upx

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

UPX dump on OEP (original entry point) 2 IoCs

resource	yara_rule
behavioral2/memory/6084-0-0x00007FF742F90000-0x00007FF7432E4000-memory.dmp	UPX
behavioral2/memory/6084-2-0x00007FF742F90000-0x00007FF7432E4000-memory.dmp	UPX

XMRig Miner payload 2 IoCs

miner

resource	yara_rule
behavioral2/memory/6084-0-0x00007FF742F90000-0x00007FF7432E4000-memory.dmp	xmrig
behavioral2/memory/6084-2-0x00007FF742F90000-0x00007FF7432E4000-memory.dmp	xmrig

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/memory/6084-0-0x00007FF742F90000-0x00007FF7432E4000-memory.dmp	upx
behavioral2/memory/6084-2-0x00007FF742F90000-0x00007FF7432E4000-memory.dmp	upx

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	6084	2024-06-01_2dd820a0817eace3477f2519f3713290_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	6084	2024-06-01_2dd820a0817eace3477f2519f3713290_cobalt-strike_cobaltstrike.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-01_2dd820a0817eace3477f2519f3713290_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_2dd820a0817eace3477f2519f3713290_cobalt-strike_cobaltstrike.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6084

memory/6084-0-0x00007FF742F90000-0x00007FF7432E4000-memory.dmp

Filesize
3.3MB

Download
memory/6084-1-0x000001C9C2BE0000-0x000001C9C2BF0000-memory.dmp

Filesize
64KB

Download
memory/6084-2-0x00007FF742F90000-0x00007FF7432E4000-memory.dmp

Filesize
3.3MB

Download