Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 27-07-2021 05:53
Static task: static1
Behavioral task: behavioral1
  Sample: 1.ps1
  Resource: win7v20210410 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: 1.ps1
  Resource: win10v20210408 (windows10_x64)
  0 signatures, 0 seconds
General
- Target: 1.ps1
- Size: 342KB
- MD5: 59e827239f2392b954d985c77c9d5835
- SHA1: 9cee71df4d3b630c13b105aa2a93ed26d49db908
- SHA256: 0748c90ba4f1fcf603134cd9f98aafad3298d4fb859b189cfdf0523f63aa85bf
- SHA512: 15bd39e114f6b5041c5dd820a0b1b8cc02b4f72d4f5b6c0754a1fa511cb79707973114d5ba0bb4f25b8db1168769cc57b512e487f24af3126ba3e2bdd5f10a7d
- Score: 10/10
Malware Config
Signatures
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
- Blocklisted process makes network request (5 IoCs)
  Processes:
    flow  pid  process
    10    672  powershell.exe
    12    672  powershell.exe
    17    672  powershell.exe
    18    672  powershell.exe
    19    672  powershell.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes:
    pid  process
    672  powershell.exe
    672  powershell.exe
    672  powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description              pid  process
    Token: SeDebugPrivilege  672  powershell.exe
Downloads
- memory/672-117-0x0000029F20C40000-0x0000029F20C42000-memory.dmp (Filesize: 8KB)
- memory/672-120-0x0000029F3B130000-0x0000029F3B131000-memory.dmp (Filesize: 4KB)
- memory/672-125-0x0000029F3B3E0000-0x0000029F3B3E1000-memory.dmp (Filesize: 4KB)
- memory/672-126-0x0000029F20C43000-0x0000029F20C45000-memory.dmp (Filesize: 8KB)
- memory/672-131-0x0000029F20C46000-0x0000029F20C48000-memory.dmp (Filesize: 8KB)
- memory/672-132-0x0000029F3B390000-0x0000029F3B3D0000-memory.dmp (Filesize: 256KB)