Analysis
-
max time kernel
132s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
01-06-2024 00:28
Behavioral task
behavioral1
Sample
2024-06-01_19ec5de92be2ec8099077bfba2bad311_cobalt-strike_cobaltstrike.exe
Resource
win7-20240508-en
5 signatures
150 seconds
General
-
Target
2024-06-01_19ec5de92be2ec8099077bfba2bad311_cobalt-strike_cobaltstrike.exe
-
Size
6.0MB
-
MD5
19ec5de92be2ec8099077bfba2bad311
-
SHA1
cba35aaf3101ff5c4fba746c0f46826ff1a4136e
-
SHA256
b27fcf8e9e306811c5364ae1b845266b8e47df7c9fc4c12fe1be74a8816ccd36
-
SHA512
a57765e5108331a308d6251b9dd985733f231261f87b18add05941044efb885246e1295be1fc0432a4c95a0dce9d09db9901a6dcbe8fab7feb4e56c2cede147d
-
SSDEEP
98304:oemTLkNdfE0pZrt56utgpPFotBER/mQ32lUC:T+856utgpPF8u/7C
Malware Config
Signatures
-
UPX dump on OEP (original entry point) 2 IoCs
resource yara_rule behavioral2/memory/2020-0-0x00007FF72F670000-0x00007FF72F9C4000-memory.dmp UPX behavioral2/memory/2020-2-0x00007FF72F670000-0x00007FF72F9C4000-memory.dmp UPX -
XMRig Miner payload 2 IoCs
resource yara_rule behavioral2/memory/2020-0-0x00007FF72F670000-0x00007FF72F9C4000-memory.dmp xmrig behavioral2/memory/2020-2-0x00007FF72F670000-0x00007FF72F9C4000-memory.dmp xmrig -
resource yara_rule behavioral2/memory/2020-0-0x00007FF72F670000-0x00007FF72F9C4000-memory.dmp upx behavioral2/memory/2020-2-0x00007FF72F670000-0x00007FF72F9C4000-memory.dmp upx -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeLockMemoryPrivilege 2020 2024-06-01_19ec5de92be2ec8099077bfba2bad311_cobalt-strike_cobaltstrike.exe Token: SeLockMemoryPrivilege 2020 2024-06-01_19ec5de92be2ec8099077bfba2bad311_cobalt-strike_cobaltstrike.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-01_19ec5de92be2ec8099077bfba2bad311_cobalt-strike_cobaltstrike.exe"C:\Users\Admin\AppData\Local\Temp\2024-06-01_19ec5de92be2ec8099077bfba2bad311_cobalt-strike_cobaltstrike.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2020
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3744,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=1028 /prefetch:81⤵PID:1860