Analysis
- max time kernel: 115s
- max time network: 162s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 27-07-2021 05:53
Static task: static1
Behavioral task: behavioral1
- Sample: 1.ps1
- Resource: win7v20210410
- Platform: windows7_x64
- 0 signatures
- 0 seconds
Behavioral task: behavioral2
- Sample: 1.ps1
- Resource: win10v20210408
- Platform: windows10_x64
- 0 signatures
- 0 seconds
General
- Target: 1.ps1
- Size: 342KB
- MD5: 59e827239f2392b954d985c77c9d5835
- SHA1: 9cee71df4d3b630c13b105aa2a93ed26d49db908
- SHA256: 0748c90ba4f1fcf603134cd9f98aafad3298d4fb859b189cfdf0523f63aa85bf
- SHA512: 15bd39e114f6b5041c5dd820a0b1b8cc02b4f72d4f5b6c0754a1fa511cb79707973114d5ba0bb4f25b8db1168769cc57b512e487f24af3126ba3e2bdd5f10a7d
- Score: 10/10
Malware Config
Signatures
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
- Blocklisted process makes network request (4 IoCs)
  Processes (flow / pid / process):
  6    1908  powershell.exe
  8    1908  powershell.exe
  9    1908  powershell.exe
  10   1908  powershell.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes (pid / process):
  1908  powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
  Token: SeDebugPrivilege  1908  powershell.exe
Processes
Network
MITRE ATT&CK Matrix
Downloads
- memory/1908-59-0x000007FEFB741000-0x000007FEFB743000-memory.dmp (Filesize: 8KB)
- memory/1908-60-0x0000000002290000-0x0000000002291000-memory.dmp (Filesize: 4KB)
- memory/1908-61-0x000000001AC20000-0x000000001AC21000-memory.dmp (Filesize: 4KB)
- memory/1908-62-0x0000000002680000-0x0000000002681000-memory.dmp (Filesize: 4KB)
- memory/1908-63-0x00000000022D0000-0x00000000022D1000-memory.dmp (Filesize: 4KB)
- memory/1908-64-0x000000001ABA0000-0x000000001ABA2000-memory.dmp (Filesize: 8KB)
- memory/1908-65-0x000000001ABA4000-0x000000001ABA6000-memory.dmp (Filesize: 8KB)
- memory/1908-66-0x000000001C620000-0x000000001C621000-memory.dmp (Filesize: 4KB)
- memory/1908-67-0x00000000026B0000-0x00000000026F0000-memory.dmp (Filesize: 256KB)