xmrig | d7b9836659d2919287bb7148ce3ae95ddd5cc93b50389f56f5b127c24a93e6d3

Analysis

max time kernel
140s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/09/2024, 15:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

202409079349ed21cc9972fdb78a6ba60429b7c2cobaltstrikecobaltstrikepoetrat.exe
Size

5.2MB
MD5

9349ed21cc9972fdb78a6ba60429b7c2
SHA1

6d20bc689c3d5c92224a7f71e401a0e16d8421c0
SHA256

d7b9836659d2919287bb7148ce3ae95ddd5cc93b50389f56f5b127c24a93e6d3
SHA512

63664a39b77a8a2aae84357b1199e609bbf52ff43008957b2de72f4053fca0cb3d2e7e251fe6b3cc1b8d78f3a6d9c2d12c4788f9805dd7bbfa7dcd99419de253
SSDEEP

49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lY:RWWBibd56utgpPFotBER/mQ32lUE

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 15 IoCs

miner

resource	yara_rule
behavioral2/memory/1320-2-0x00007FF63B950000-0x00007FF63BCA1000-memory.dmp	xmrig
behavioral2/memory/1320-3-0x00007FF63B950000-0x00007FF63BCA1000-memory.dmp	xmrig
behavioral2/memory/1320-4-0x00007FF63B950000-0x00007FF63BCA1000-memory.dmp	xmrig
behavioral2/memory/1320-5-0x00007FF63B950000-0x00007FF63BCA1000-memory.dmp	xmrig
behavioral2/memory/1320-6-0x00007FF63B950000-0x00007FF63BCA1000-memory.dmp	xmrig
behavioral2/memory/1320-7-0x00007FF63B950000-0x00007FF63BCA1000-memory.dmp	xmrig
behavioral2/memory/1320-8-0x00007FF63B950000-0x00007FF63BCA1000-memory.dmp	xmrig
behavioral2/memory/1320-9-0x00007FF63B950000-0x00007FF63BCA1000-memory.dmp	xmrig
behavioral2/memory/1320-10-0x00007FF63B950000-0x00007FF63BCA1000-memory.dmp	xmrig
behavioral2/memory/1320-11-0x00007FF63B950000-0x00007FF63BCA1000-memory.dmp	xmrig
behavioral2/memory/1320-12-0x00007FF63B950000-0x00007FF63BCA1000-memory.dmp	xmrig
behavioral2/memory/1320-13-0x00007FF63B950000-0x00007FF63BCA1000-memory.dmp	xmrig
behavioral2/memory/1320-14-0x00007FF63B950000-0x00007FF63BCA1000-memory.dmp	xmrig
behavioral2/memory/1320-15-0x00007FF63B950000-0x00007FF63BCA1000-memory.dmp	xmrig
behavioral2/memory/1320-16-0x00007FF63B950000-0x00007FF63BCA1000-memory.dmp	xmrig

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1320-0-0x00007FF63B950000-0x00007FF63BCA1000-memory.dmp	upx
behavioral2/memory/1320-2-0x00007FF63B950000-0x00007FF63BCA1000-memory.dmp	upx
behavioral2/memory/1320-3-0x00007FF63B950000-0x00007FF63BCA1000-memory.dmp	upx
behavioral2/memory/1320-4-0x00007FF63B950000-0x00007FF63BCA1000-memory.dmp	upx
behavioral2/memory/1320-5-0x00007FF63B950000-0x00007FF63BCA1000-memory.dmp	upx
behavioral2/memory/1320-6-0x00007FF63B950000-0x00007FF63BCA1000-memory.dmp	upx
behavioral2/memory/1320-7-0x00007FF63B950000-0x00007FF63BCA1000-memory.dmp	upx
behavioral2/memory/1320-8-0x00007FF63B950000-0x00007FF63BCA1000-memory.dmp	upx
behavioral2/memory/1320-9-0x00007FF63B950000-0x00007FF63BCA1000-memory.dmp	upx
behavioral2/memory/1320-10-0x00007FF63B950000-0x00007FF63BCA1000-memory.dmp	upx
behavioral2/memory/1320-11-0x00007FF63B950000-0x00007FF63BCA1000-memory.dmp	upx
behavioral2/memory/1320-12-0x00007FF63B950000-0x00007FF63BCA1000-memory.dmp	upx
behavioral2/memory/1320-13-0x00007FF63B950000-0x00007FF63BCA1000-memory.dmp	upx
behavioral2/memory/1320-14-0x00007FF63B950000-0x00007FF63BCA1000-memory.dmp	upx
behavioral2/memory/1320-15-0x00007FF63B950000-0x00007FF63BCA1000-memory.dmp	upx
behavioral2/memory/1320-16-0x00007FF63B950000-0x00007FF63BCA1000-memory.dmp	upx

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1320	202409079349ed21cc9972fdb78a6ba60429b7c2cobaltstrikecobaltstrikepoetrat.exe
Token: SeLockMemoryPrivilege	1320	202409079349ed21cc9972fdb78a6ba60429b7c2cobaltstrikecobaltstrikepoetrat.exe

C:\Users\Admin\AppData\Local\Temp\202409079349ed21cc9972fdb78a6ba60429b7c2cobaltstrikecobaltstrikepoetrat.exe
"C:\Users\Admin\AppData\Local\Temp\202409079349ed21cc9972fdb78a6ba60429b7c2cobaltstrikecobaltstrikepoetrat.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1320

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1320-0-0x00007FF63B950000-0x00007FF63BCA1000-memory.dmp

Filesize
3.3MB

Download
memory/1320-1-0x00000199424F0000-0x0000019942500000-memory.dmp

Filesize
64KB

Download
memory/1320-2-0x00007FF63B950000-0x00007FF63BCA1000-memory.dmp

Filesize
3.3MB

Download
memory/1320-3-0x00007FF63B950000-0x00007FF63BCA1000-memory.dmp

Filesize
3.3MB

Download
memory/1320-4-0x00007FF63B950000-0x00007FF63BCA1000-memory.dmp

Filesize
3.3MB

Download
memory/1320-5-0x00007FF63B950000-0x00007FF63BCA1000-memory.dmp

Filesize
3.3MB

Download
memory/1320-6-0x00007FF63B950000-0x00007FF63BCA1000-memory.dmp

Filesize
3.3MB

Download
memory/1320-7-0x00007FF63B950000-0x00007FF63BCA1000-memory.dmp

Filesize
3.3MB

Download
memory/1320-8-0x00007FF63B950000-0x00007FF63BCA1000-memory.dmp

Filesize
3.3MB

Download
memory/1320-9-0x00007FF63B950000-0x00007FF63BCA1000-memory.dmp

Filesize
3.3MB

Download
memory/1320-10-0x00007FF63B950000-0x00007FF63BCA1000-memory.dmp

Filesize
3.3MB

Download
memory/1320-11-0x00007FF63B950000-0x00007FF63BCA1000-memory.dmp

Filesize
3.3MB

Download
memory/1320-12-0x00007FF63B950000-0x00007FF63BCA1000-memory.dmp

Filesize
3.3MB

Download
memory/1320-13-0x00007FF63B950000-0x00007FF63BCA1000-memory.dmp

Filesize
3.3MB

Download
memory/1320-14-0x00007FF63B950000-0x00007FF63BCA1000-memory.dmp

Filesize
3.3MB

Download
memory/1320-15-0x00007FF63B950000-0x00007FF63BCA1000-memory.dmp

Filesize
3.3MB

Download
memory/1320-16-0x00007FF63B950000-0x00007FF63BCA1000-memory.dmp

Filesize
3.3MB

Download