Analysis
- Max time kernel: 133s
- Max time network: 147s
- Platform: windows7_x64
- Resource: win7-en-20210920
- Submitted: 19-10-2021 14:50
- Static task: static1
- Behavioral task: behavioral1; sample asdfgh.ps1; resource win7-en-20210920 (windows7_x64); 0 signatures; 0 seconds
- Behavioral task: behavioral2; sample asdfgh.ps1; resource win10-en-20211014 (windows10_x64); 0 signatures; 0 seconds
General
- Target: asdfgh.ps1
- Size: 193KB
- MD5: 7e1fdce1a506b0c19f231e4e55a5475a
- SHA1: 446bdbfbaaf7de20eb6be6db5ac4e038710a5188
- SHA256: 29c8c4ba356d546eecb0090fbc2f20047ae59dd9b8e8dd6f1165203823c89299
- SHA512: 992169d1ae7bca9b56712e31df15dad70c8dab28cff5efcff7c4b6989675e175e62e2e5ad06fb1df2e350fe6bc3b898a3d07e7bb7e240178f26b211a3467b250
- Score: 10/10
Malware Config
Signatures
- Cobaltstrike: detected malicious payload which is part of Cobaltstrike.
- Blocklisted process makes network request (4 IoCs)
  Processes:
    flow  pid   process
    4     1196  powershell.exe
    5     1196  powershell.exe
    6     1196  powershell.exe
    7     1196  powershell.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid   process
    1376  powershell.exe
    1196  powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  1376  powershell.exe
    Token: SeDebugPrivilege  1196  powershell.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
    description                       pid   process         target process
    PID 1376 wrote to memory of 1196  1376  powershell.exe  1196 powershell.exe
    PID 1376 wrote to memory of 1196  1376  powershell.exe  1196 powershell.exe
    PID 1376 wrote to memory of 1196  1376  powershell.exe  1196 powershell.exe
    PID 1376 wrote to memory of 1196  1376  powershell.exe  1196 powershell.exe
Processes (PIDs taken from the signature tables above)
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1376)
  Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\asdfgh.ps1
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child: \??\c:\windows\syswow64\windowspowershell\v1.0\powershell.exe (PID 1196)
    Command line: "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -s -NoLogo -NoProfile
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\explorer.exe
  Command line: "C:\Windows\explorer.exe"
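The chain in this tree is what a detection should key on: a 64-bit PowerShell launched with an execution-policy bypass on a script in the user's Temp directory, that process starting a SysWOW64 PowerShell with `-s -NoLogo -NoProfile` (the command line PowerShell itself uses for an out-of-process runspace child, as produced for example by `Start-Job -RunAs32`), repeated WriteProcessMemory calls from the parent into that child, and only the 32-bit child making network requests. The Python below is an added example, not part of this report or of any sandbox's code; it runs four such rules over constructed Sysmon-style event records that reproduce the report's process tree. The event schema, the parent PID 900 of the first PowerShell and explorer.exe's PID 2040 are assumptions; the PIDs 1376 and 1196, the images, the command lines and the four network flows come from the report.

```python
"""Four detections for the PowerShell chain in this report, run over
constructed Sysmon-style events. Added example; not part of the report."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed event records reproducing the report's process tree and
# signature tables. PIDs 1376/1196, images, command lines and the four
# network flows (4-7) are from the report; the parent PID 900 of the first
# PowerShell and explorer.exe's PID 2040 are assumptions.
EVENTS = [
    {"type": "process_create", "pid": 1376, "ppid": 900,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy bypass -File "
                r"C:\Users\Admin\AppData\Local\Temp\asdfgh.ps1"},
    {"type": "process_create", "pid": 1196, "ppid": 1376,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"c:\windows\syswow64\windowspowershell\v1.0\powershell.exe"'
                r" -s -NoLogo -NoProfile"},
    *[{"type": "process_access", "source_pid": 1376, "target_pid": 1196,
       "operation": "WriteProcessMemory"} for _ in range(4)],
    *[{"type": "network", "pid": 1196, "flow": f} for f in (4, 5, 6, 7)],
    {"type": "process_create", "pid": 2040, "ppid": 900,
     "image": r"C:\Windows\explorer.exe", "cmdline": r'"C:\Windows\explorer.exe"'},
]

POWERSHELL = re.compile(r"\\windowspowershell\\v1\.0\\powershell\.exe$", re.I)
# -ExecutionPolicy accepts prefix abbreviations (-ep, -ex, -exec, ...)
EP_BYPASS = re.compile(r"-(?:ep|ex\w*)\s+(?:bypass|unrestricted)\b", re.I)
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\|\\temp\\", re.I)
# Command line PowerShell uses for an out-of-process runspace child
# (e.g. Start-Job -RunAs32); a 32-bit child of a 64-bit host is the tell.
OOP_RUNSPACE = re.compile(r"\s-s\s+-nologo\s+-noprofile\b", re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


def is_powershell(image: str) -> bool:
    return bool(POWERSHELL.search(image))


def is_wow64(image: str) -> bool:
    return "\\syswow64\\" in image.lower()


def analyze(events):
    """Return the findings for one host's event stream, one per rule hit."""
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    findings = []
    for p in procs.values():
        if not is_powershell(p["image"]):
            continue
        cmd, parent = p["cmdline"], procs.get(p["ppid"])
        # Rule 1: execution-policy bypass of a script in a user-writable path
        if EP_BYPASS.search(cmd) and USER_WRITABLE.search(cmd):
            findings.append(Finding("ps_bypass_user_script", p["pid"], cmd))
        # Rule 2: 64-bit PowerShell starts a SysWOW64 PowerShell runspace
        if (parent and is_powershell(parent["image"]) and not is_wow64(parent["image"])
                and is_wow64(p["image"]) and OOP_RUNSPACE.search(cmd)):
            findings.append(Finding("ps_spawns_wow64_runspace", p["pid"],
                                    f"parent pid {parent['pid']}"))
    # Rule 3: cross-process memory writes between PowerShell processes,
    # collapsed to one finding per (source, target) pair with the call count
    writes = Counter((e["source_pid"], e["target_pid"]) for e in events
                     if e["type"] == "process_access"
                     and e["operation"] == "WriteProcessMemory")
    for (src, dst), n in writes.items():
        if all(pid in procs and is_powershell(procs[pid]["image"]) for pid in (src, dst)):
            findings.append(Finding("ps_cross_process_write", src,
                                    f"{n} WriteProcessMemory calls into pid {dst}"))
    # Rule 4: network traffic from a PowerShell whose parent is PowerShell
    flows = Counter(e["pid"] for e in events if e["type"] == "network")
    for pid, n in flows.items():
        p = procs.get(pid)
        parent = procs.get(p["ppid"]) if p else None
        if p and parent and is_powershell(p["image"]) and is_powershell(parent["image"]):
            findings.append(Finding("ps_child_network", pid, f"{n} flows"))
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f"{f.rule:26} pid={f.pid:<6} {f.detail}")
```

Each rule fires on its own, so a stream that only contains the explorer.exe event yields nothing and one that contains only the first PowerShell still raises the policy-bypass finding; the stronger signal is all four together on one host, which is the shape this report shows.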
Network
MITRE ATT&CK Matrix
Downloads
- memory/1376-53-0x000007FEFC271000-0x000007FEFC273000-memory.dmp (8KB)
- memory/1376-54-0x000007FEF2C90000-0x000007FEF37ED000-memory.dmp (11.4MB)
- memory/1376-55-0x00000000027D0000-0x00000000027D2000-memory.dmp (8KB)
- memory/1376-56-0x00000000027D2000-0x00000000027D4000-memory.dmp (8KB)
- memory/1376-57-0x00000000027D4000-0x00000000027D7000-memory.dmp (12KB)
- memory/1376-58-0x000000001B7B0000-0x000000001BAAF000-memory.dmp (3.0MB)
- memory/1376-61-0x00000000027DB000-0x00000000027FA000-memory.dmp (124KB)
- memory/1196-59-0x0000000000000000-mapping.dmp
- memory/1196-60-0x0000000076A81000-0x0000000076A83000-memory.dmp (8KB)
- memory/1196-62-0x00000000024C0000-0x00000000024C1000-memory.dmp (4KB)
- memory/1196-63-0x00000000024C1000-0x00000000024C2000-memory.dmp (4KB)
- memory/1196-64-0x00000000024C2000-0x00000000024C4000-memory.dmp (8KB)
- memory/1196-65-0x0000000004BF0000-0x0000000004C23000-memory.dmp (204KB)