xmrig | 0f09a72d0ce0e8d5d4f5f716c19e341cb35b8e36144c29cbdb46aa704e84cb99

Analysis

max time kernel
140s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11-06-2024 12:49

Target

2024-06-11_afae12cf3b4494c0ccebc41a34ff58d7_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

afae12cf3b4494c0ccebc41a34ff58d7
SHA1

4b79a9369c4f97c0b74ee71630698d0b2f8ad5f7
SHA256

0f09a72d0ce0e8d5d4f5f716c19e341cb35b8e36144c29cbdb46aa704e84cb99
SHA512

a23bed0a580f0ded32bc6533f9e71cf6943a2a7818b7b69137b040ecc42887ffc780991b66c50f97076d38561812207fffc4b07d4755897a84eb90273571c003
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUE:Q+856utgpPF8u/7E

Score

10^/10

xmrig miner upx

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

UPX dump on OEP (original entry point) 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/636-0-0x00007FF61ECD0000-0x00007FF61F024000-memory.dmp	UPX
behavioral2/memory/636-2-0x00007FF61ECD0000-0x00007FF61F024000-memory.dmp	UPX

XMRig Miner payload 2 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/636-0-0x00007FF61ECD0000-0x00007FF61F024000-memory.dmp	xmrig
behavioral2/memory/636-2-0x00007FF61ECD0000-0x00007FF61F024000-memory.dmp	xmrig

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

Processes:

resource	yara_rule
behavioral2/memory/636-0-0x00007FF61ECD0000-0x00007FF61F024000-memory.dmp	upx
behavioral2/memory/636-2-0x00007FF61ECD0000-0x00007FF61F024000-memory.dmp	upx

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-06-11_afae12cf3b4494c0ccebc41a34ff58d7_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	636	2024-06-11_afae12cf3b4494c0ccebc41a34ff58d7_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	636	2024-06-11_afae12cf3b4494c0ccebc41a34ff58d7_cobalt-strike_cobaltstrike.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-11_afae12cf3b4494c0ccebc41a34ff58d7_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_afae12cf3b4494c0ccebc41a34ff58d7_cobalt-strike_cobaltstrike.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4256 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
1⤵
PID:4964

memory/636-0-0x00007FF61ECD0000-0x00007FF61F024000-memory.dmp

Filesize
3.3MB

Download
memory/636-1-0x000001A77E8E0000-0x000001A77E8F0000-memory.dmp

Filesize
64KB

Download
memory/636-2-0x00007FF61ECD0000-0x00007FF61F024000-memory.dmp

Filesize
3.3MB

Download