xmrig | 09adb7e36169239512fe790fef6a29ca27a863d55d6390273b9b8c84f9ef355a

Analysis

max time kernel
132s
max time network
142s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11-06-2024 08:27

Target

2024-06-11_24a9351b6ce35d93813f42a4aeacd679_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

24a9351b6ce35d93813f42a4aeacd679
SHA1

d465146ee3729fe03d4c3a67a2a0445048853a68
SHA256

09adb7e36169239512fe790fef6a29ca27a863d55d6390273b9b8c84f9ef355a
SHA512

e654e9fb555162186b36896a6417c705515052a437e9a3d8b71fe444900b028c92de58e1da275834e2c8745ae8f4fe3933f7c37bb61fd4138b38961741e42aa1
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lU9:Q+856utgpPF8u/79

Score

10^/10

xmrig miner upx

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

UPX dump on OEP (original entry point) 2 IoCs

resource	yara_rule
behavioral1/memory/2388-0-0x000000013FA30000-0x000000013FD84000-memory.dmp	UPX
behavioral1/memory/2388-2-0x000000013FA30000-0x000000013FD84000-memory.dmp	UPX

XMRig Miner payload 2 IoCs

miner

resource	yara_rule
behavioral1/memory/2388-0-0x000000013FA30000-0x000000013FD84000-memory.dmp	xmrig
behavioral1/memory/2388-2-0x000000013FA30000-0x000000013FD84000-memory.dmp	xmrig

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/memory/2388-0-0x000000013FA30000-0x000000013FD84000-memory.dmp	upx
behavioral1/memory/2388-2-0x000000013FA30000-0x000000013FD84000-memory.dmp	upx

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2388	2024-06-11_24a9351b6ce35d93813f42a4aeacd679_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	2388	2024-06-11_24a9351b6ce35d93813f42a4aeacd679_cobalt-strike_cobaltstrike.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-11_24a9351b6ce35d93813f42a4aeacd679_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_24a9351b6ce35d93813f42a4aeacd679_cobalt-strike_cobaltstrike.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2388

memory/2388-1-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/2388-0-0x000000013FA30000-0x000000013FD84000-memory.dmp

Filesize
3.3MB

Download
memory/2388-2-0x000000013FA30000-0x000000013FD84000-memory.dmp

Filesize
3.3MB

Download