xmrig | 191171d0cc40f98851e9aaf170565d5b0a4197ddf2e13704753eda553a09568a

Analysis

max time kernel
140s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28-09-2024 10:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-28_162052c93882be2f394f4ea07c9637c5_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

162052c93882be2f394f4ea07c9637c5
SHA1

3f976298175d0940efff6aca02a087f31b939f5e
SHA256

191171d0cc40f98851e9aaf170565d5b0a4197ddf2e13704753eda553a09568a
SHA512

c1d4cfa5fd4ec05702693d3afabead45f6370b6fd34468c838beb1b7646fcd5463d691e01ca5ecfa142b165648f7cc20a7d79959ae064f034699f6a21a708842
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lm:RWWBibf56utgpPFotBER/mQ32lUC

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 15 IoCs

miner

resource	yara_rule
behavioral2/memory/116-2-0x00007FF632AD0000-0x00007FF632E21000-memory.dmp	xmrig
behavioral2/memory/116-3-0x00007FF632AD0000-0x00007FF632E21000-memory.dmp	xmrig
behavioral2/memory/116-4-0x00007FF632AD0000-0x00007FF632E21000-memory.dmp	xmrig
behavioral2/memory/116-5-0x00007FF632AD0000-0x00007FF632E21000-memory.dmp	xmrig
behavioral2/memory/116-6-0x00007FF632AD0000-0x00007FF632E21000-memory.dmp	xmrig
behavioral2/memory/116-7-0x00007FF632AD0000-0x00007FF632E21000-memory.dmp	xmrig
behavioral2/memory/116-8-0x00007FF632AD0000-0x00007FF632E21000-memory.dmp	xmrig
behavioral2/memory/116-9-0x00007FF632AD0000-0x00007FF632E21000-memory.dmp	xmrig
behavioral2/memory/116-10-0x00007FF632AD0000-0x00007FF632E21000-memory.dmp	xmrig
behavioral2/memory/116-11-0x00007FF632AD0000-0x00007FF632E21000-memory.dmp	xmrig
behavioral2/memory/116-12-0x00007FF632AD0000-0x00007FF632E21000-memory.dmp	xmrig
behavioral2/memory/116-13-0x00007FF632AD0000-0x00007FF632E21000-memory.dmp	xmrig
behavioral2/memory/116-14-0x00007FF632AD0000-0x00007FF632E21000-memory.dmp	xmrig
behavioral2/memory/116-15-0x00007FF632AD0000-0x00007FF632E21000-memory.dmp	xmrig
behavioral2/memory/116-16-0x00007FF632AD0000-0x00007FF632E21000-memory.dmp	xmrig

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/116-0-0x00007FF632AD0000-0x00007FF632E21000-memory.dmp	upx
behavioral2/memory/116-2-0x00007FF632AD0000-0x00007FF632E21000-memory.dmp	upx
behavioral2/memory/116-3-0x00007FF632AD0000-0x00007FF632E21000-memory.dmp	upx
behavioral2/memory/116-4-0x00007FF632AD0000-0x00007FF632E21000-memory.dmp	upx
behavioral2/memory/116-5-0x00007FF632AD0000-0x00007FF632E21000-memory.dmp	upx
behavioral2/memory/116-6-0x00007FF632AD0000-0x00007FF632E21000-memory.dmp	upx
behavioral2/memory/116-7-0x00007FF632AD0000-0x00007FF632E21000-memory.dmp	upx
behavioral2/memory/116-8-0x00007FF632AD0000-0x00007FF632E21000-memory.dmp	upx
behavioral2/memory/116-9-0x00007FF632AD0000-0x00007FF632E21000-memory.dmp	upx
behavioral2/memory/116-10-0x00007FF632AD0000-0x00007FF632E21000-memory.dmp	upx
behavioral2/memory/116-11-0x00007FF632AD0000-0x00007FF632E21000-memory.dmp	upx
behavioral2/memory/116-12-0x00007FF632AD0000-0x00007FF632E21000-memory.dmp	upx
behavioral2/memory/116-13-0x00007FF632AD0000-0x00007FF632E21000-memory.dmp	upx
behavioral2/memory/116-14-0x00007FF632AD0000-0x00007FF632E21000-memory.dmp	upx
behavioral2/memory/116-15-0x00007FF632AD0000-0x00007FF632E21000-memory.dmp	upx
behavioral2/memory/116-16-0x00007FF632AD0000-0x00007FF632E21000-memory.dmp	upx

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	116	2024-09-28_162052c93882be2f394f4ea07c9637c5_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	116	2024-09-28_162052c93882be2f394f4ea07c9637c5_cobalt-strike_cobaltstrike_poet-rat.exe

C:\Users\Admin\AppData\Local\Temp\2024-09-28_162052c93882be2f394f4ea07c9637c5_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-28_162052c93882be2f394f4ea07c9637c5_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:116

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/116-0-0x00007FF632AD0000-0x00007FF632E21000-memory.dmp

Filesize
3.3MB

Download
memory/116-1-0x000001E0A8210000-0x000001E0A8220000-memory.dmp

Filesize
64KB

Download
memory/116-2-0x00007FF632AD0000-0x00007FF632E21000-memory.dmp

Filesize
3.3MB

Download
memory/116-3-0x00007FF632AD0000-0x00007FF632E21000-memory.dmp

Filesize
3.3MB

Download
memory/116-4-0x00007FF632AD0000-0x00007FF632E21000-memory.dmp

Filesize
3.3MB

Download
memory/116-5-0x00007FF632AD0000-0x00007FF632E21000-memory.dmp

Filesize
3.3MB

Download
memory/116-6-0x00007FF632AD0000-0x00007FF632E21000-memory.dmp

Filesize
3.3MB

Download
memory/116-7-0x00007FF632AD0000-0x00007FF632E21000-memory.dmp

Filesize
3.3MB

Download
memory/116-8-0x00007FF632AD0000-0x00007FF632E21000-memory.dmp

Filesize
3.3MB

Download
memory/116-9-0x00007FF632AD0000-0x00007FF632E21000-memory.dmp

Filesize
3.3MB

Download
memory/116-10-0x00007FF632AD0000-0x00007FF632E21000-memory.dmp

Filesize
3.3MB

Download
memory/116-11-0x00007FF632AD0000-0x00007FF632E21000-memory.dmp

Filesize
3.3MB

Download
memory/116-12-0x00007FF632AD0000-0x00007FF632E21000-memory.dmp

Filesize
3.3MB

Download
memory/116-13-0x00007FF632AD0000-0x00007FF632E21000-memory.dmp

Filesize
3.3MB

Download
memory/116-14-0x00007FF632AD0000-0x00007FF632E21000-memory.dmp

Filesize
3.3MB

Download
memory/116-15-0x00007FF632AD0000-0x00007FF632E21000-memory.dmp

Filesize
3.3MB

Download
memory/116-16-0x00007FF632AD0000-0x00007FF632E21000-memory.dmp

Filesize
3.3MB

Download