xmrig | 73e2c1ec1c1567c3e8423c2c3f8423cad31230616f424fb6a7ea23d0cb13879e

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-06-2024 09:01

Target

2024-06-24_9b74fbe3315030749197fd69fa0188e6_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

9b74fbe3315030749197fd69fa0188e6
SHA1

ea9c972eb49e8327b4460fb693c8f63d4aa5389c
SHA256

73e2c1ec1c1567c3e8423c2c3f8423cad31230616f424fb6a7ea23d0cb13879e
SHA512

e49ce0e95841a56a89d228e07a4e8329edcd31027fa3ed6a966936f618719e0ae9312e368ecdeb4b713447726f68ff666bc50c2697de403a3a05607c7c9dee66
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUJ:Q+856utgpPF8u/7J

Score

10^/10

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
XMRig Miner payload 2 IoCs
miner

Processes:

resource yara_rule

behavioral2/memory/5068-0-0x00007FF781B30000-0x00007FF781E84000-memory.dmp xmrig
behavioral2/memory/5068-2-0x00007FF781B30000-0x00007FF781E84000-memory.dmp xmrig
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
upx

Processes:

resource yara_rule

behavioral2/memory/5068-0-0x00007FF781B30000-0x00007FF781E84000-memory.dmp upx
behavioral2/memory/5068-2-0x00007FF781B30000-0x00007FF781E84000-memory.dmp upx

resource	yara_rule
behavioral2/memory/5068-0-0x00007FF781B30000-0x00007FF781E84000-memory.dmp	xmrig
behavioral2/memory/5068-2-0x00007FF781B30000-0x00007FF781E84000-memory.dmp	xmrig

resource	yara_rule
behavioral2/memory/5068-0-0x00007FF781B30000-0x00007FF781E84000-memory.dmp	upx
behavioral2/memory/5068-2-0x00007FF781B30000-0x00007FF781E84000-memory.dmp	upx

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-06-24_9b74fbe3315030749197fd69fa0188e6_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process
Token: SeLockMemoryPrivilege	5068	2024-06-24_9b74fbe3315030749197fd69fa0188e6_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	5068	2024-06-24_9b74fbe3315030749197fd69fa0188e6_cobalt-strike_cobaltstrike_poet-rat.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-24_9b74fbe3315030749197fd69fa0188e6_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-24_9b74fbe3315030749197fd69fa0188e6_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5068

memory/5068-0-0x00007FF781B30000-0x00007FF781E84000-memory.dmp

Filesize
3.3MB

Download
memory/5068-1-0x000001A7248C0000-0x000001A7248D0000-memory.dmp

Filesize
64KB

Download
memory/5068-2-0x00007FF781B30000-0x00007FF781E84000-memory.dmp

Filesize
3.3MB

Download