xmrig | 16a1482b821a2b7336fcd44c43e0eaa8aa00efd41dad7d78ff2e00463a3f1f5f

Analysis

max time kernel
132s
max time network
143s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
04/06/2024, 03:53

Target

2024-06-04_5af69f6ca8a62038fd202373d1e5f7b7_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

5af69f6ca8a62038fd202373d1e5f7b7
SHA1

984e00da4bcc050850354649f70fc00602d2e5a4
SHA256

16a1482b821a2b7336fcd44c43e0eaa8aa00efd41dad7d78ff2e00463a3f1f5f
SHA512

8e43362206ab7cb6ea8f63d72557070ea661233763be80f0a22c88004e84cc09f8a54b16f2078928787d795195d23bfa86b4e79557f1fb071263087b98673780
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUy:Q+856utgpPF8u/7y

Score

10^/10

xmrig miner upx

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

UPX dump on OEP (original entry point) 2 IoCs

resource	yara_rule
behavioral1/memory/1240-0-0x000000013FB60000-0x000000013FEB4000-memory.dmp	UPX
behavioral1/memory/1240-2-0x000000013FB60000-0x000000013FEB4000-memory.dmp	UPX

XMRig Miner payload 2 IoCs

miner

resource	yara_rule
behavioral1/memory/1240-0-0x000000013FB60000-0x000000013FEB4000-memory.dmp	xmrig
behavioral1/memory/1240-2-0x000000013FB60000-0x000000013FEB4000-memory.dmp	xmrig

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/memory/1240-0-0x000000013FB60000-0x000000013FEB4000-memory.dmp	upx
behavioral1/memory/1240-2-0x000000013FB60000-0x000000013FEB4000-memory.dmp	upx

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1240	2024-06-04_5af69f6ca8a62038fd202373d1e5f7b7_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	1240	2024-06-04_5af69f6ca8a62038fd202373d1e5f7b7_cobalt-strike_cobaltstrike.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-04_5af69f6ca8a62038fd202373d1e5f7b7_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-04_5af69f6ca8a62038fd202373d1e5f7b7_cobalt-strike_cobaltstrike.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1240

memory/1240-0-0x000000013FB60000-0x000000013FEB4000-memory.dmp

Filesize
3.3MB

Download
memory/1240-1-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/1240-2-0x000000013FB60000-0x000000013FEB4000-memory.dmp

Filesize
3.3MB

Download