Analysis

  • max time kernel: 143s
  • max time network: 161s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240226-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 04/06/2024, 12:05

General

  • Target: 2024-06-04_b0af12dde04abd203ed6ae5e85c72080_cobalt-strike_cobaltstrike_xmrig.exe
  • Size: 10.8MB
  • MD5: b0af12dde04abd203ed6ae5e85c72080
  • SHA1: b891ffc4e2f22f62bb7619b0c1d1f374d5019a2a
  • SHA256: 7a9d8ed156e2647c20f66933e59ed4fb73c180c33670a6bcb9a33cf79f8b3de8
  • SHA512: 14aa2efc4fb851591d7cf12ed1bfed199f7c0c3b3220861a8cd8e5c258beec48242cd3e2d6136be6e69bed270fa85a218121a4ce69104257ec51f47f9384f641
  • SSDEEP: 196608:dvg6YpjCa8BMHwNuD7PKUNwabNJvmrMQwHEFoWZg:dYXpkG6uDBuQjmrOH9

Malware Config

Signatures

  • Cobalt Strike reflective loader (1 IoCs)
    Detects the reflective loader used by Cobalt Strike.
  • Cobaltstrike
    Detected malicious payload which is part of Cobaltstrike.
  • xmrig
    XMRig is a high performance, open source, cross platform CPU/GPU miner.
  • Detects Reflective DLL injection artifacts (1 IoCs)
  • Detects executables containing URLs to raw contents of a Github gist (7 IoCs)
  • XMRig Miner payload (7 IoCs)
  • Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 4 IoCs)
  • Drops autorun.inf file (1 TTPs, 3 IoCs)
    Malware can abuse Windows Autorun to spread further via attached volumes.
  • Drops file in Program Files directory (64 IoCs)
  • Modifies Internet Explorer start page (1 TTPs, 5 IoCs)
  • Modifies system certificate store (2 TTPs, 17 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-04_b0af12dde04abd203ed6ae5e85c72080_cobalt-strike_cobaltstrike_xmrig.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-04_b0af12dde04abd203ed6ae5e85c72080_cobalt-strike_cobaltstrike_xmrig.exe"
    PID: 2332
    • Drops autorun.inf file
    • Drops file in Program Files directory
    • Modifies Internet Explorer start page
    • Modifies system certificate store
    • Suspicious use of AdjustPrivilegeToken
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3644 --field-trial-handle=2256,i,6670388345726423024,18382795228658886258,262144 --variations-seed-version /prefetch:8
    PID: 4980

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Program Files\7-Zip\7-zip32.dll
    Filesize: 11.0MB
    MD5: a0f495bf393d36c670da526617769215
    SHA1: 2c140d9ac127021060256e14865d59884d0d1d12
    SHA256: c4109f52a6484fe0fb050349f23948e493dccafbd32857e90c89fa4164989b08
    SHA512: 865dbf759dc0d0577f09b4e98dc6f430266b883c0e1c18e874390b9251091ea34257ef80783b56b8a47e5b5fc1b88802caf2b73be28113ba048c5159612512b8
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416
    Filesize: 1KB
    MD5: 55540a230bdab55187a841cfe1aa1545
    SHA1: 363e4734f757bdeb89868efe94907774a327695e
    SHA256: d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb
    SHA512: c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416
    Filesize: 230B
    MD5: 8f7c2885788cbdf5bfb3e4f7a61857e6
    SHA1: 534dab949743c9f50a9fb67bb18c3135dfef1916
    SHA256: 8058d856247df85b7e3c3b5ff6de80f77bc7fcf08c31560f46dfbf6118ae045a
    SHA512: 7eac2577c7fef7de0016ac54e09c8f8802336b4c8b28bb57c42bff9ca63bcc26ce97efe2ddc451db8116ff89a25a8ff32a515135731ddd7c3e5504a4f4078eb1
  • memory/2332-355-0x0000000000400000-0x00000000010B2000-memory.dmp
    Filesize: 12.7MB
  • memory/2332-179-0x0000000000400000-0x00000000010B2000-memory.dmp
    Filesize: 12.7MB
  • memory/2332-244-0x0000000000400000-0x00000000010B2000-memory.dmp
    Filesize: 12.7MB
  • memory/2332-0-0x00000000001F0000-0x0000000000200000-memory.dmp
    Filesize: 64KB
  • memory/2332-405-0x0000000000400000-0x00000000010B2000-memory.dmp
    Filesize: 12.7MB
  • memory/2332-452-0x0000000000400000-0x00000000010B2000-memory.dmp
    Filesize: 12.7MB
  • memory/2332-490-0x0000000000060000-0x0000000000062000-memory.dmp
    Filesize: 8KB
  • memory/2332-496-0x00000000016A0000-0x00000000016A1000-memory.dmp
    Filesize: 4KB
  • memory/2332-497-0x0000000000401000-0x0000000000A18000-memory.dmp
    Filesize: 6.1MB
  • memory/2332-498-0x0000000000400000-0x00000000010B2000-memory.dmp
    Filesize: 12.7MB