Overview

overview

10

Static

static

10

asdfgh.ps1

windows7_x64

10

asdfgh.ps1

windows10_x64

10

Analysis

  • max time kernel
    118s
  • max time network
    123s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    19-10-2021 14:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    asdfgh.ps1

  • Size

    193KB

  • MD5

    7e1fdce1a506b0c19f231e4e55a5475a

  • SHA1

    446bdbfbaaf7de20eb6be6db5ac4e038710a5188

  • SHA256

    29c8c4ba356d546eecb0090fbc2f20047ae59dd9b8e8dd6f1165203823c89299

  • SHA512

    992169d1ae7bca9b56712e31df15dad70c8dab28cff5efcff7c4b6989675e175e62e2e5ad06fb1df2e350fe6bc3b898a3d07e7bb7e240178f26b211a3467b250

Score
10/10
cobaltstrikebackdoortrojan

Malware Config

Signatures

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

    trojanbackdoorcobaltstrike
  • Blocklisted process makes network request 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\asdfgh.ps1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2276
    • \??\c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
      "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1876

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
    MD5

    2cb3f528286df9feab019e0de2053b6a

    SHA1

    0d5835457f71fd6cdfa45e7280544142e35ad6fc

    SHA256

    bcdaef74a79cde95526e25c52de2623b0e2b2091a304e57db0cd7e640bb08943

    SHA512

    c466148cc9d282d02b5463c2ddd0d28c69a0e1715d4aae3bbf9874d39df6ffbc242f10be9d75b18c71d49626ae4f4bb6886f4955afced091e68590155a79e860

    Download Submit
  • memory/1876-151-0x0000000006C50000-0x0000000006C51000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1876-153-0x00000000075F0000-0x00000000075F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1876-164-0x0000000007F90000-0x0000000007FC3000-memory.dmp
    Filesize

    204KB

    Download
  • memory/1876-162-0x0000000008180000-0x0000000008181000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1876-145-0x00000000006B0000-0x00000000006B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1876-161-0x0000000008A50000-0x0000000008A51000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1876-157-0x00000000006B0000-0x00000000006B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1876-144-0x00000000006B0000-0x00000000006B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1876-156-0x0000000007CE0000-0x0000000007CE1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1876-146-0x0000000000CE0000-0x0000000000CE1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1876-155-0x0000000007F40000-0x0000000007F41000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1876-154-0x0000000007A20000-0x0000000007A21000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1876-152-0x00000000073A0000-0x00000000073A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1876-150-0x0000000006AB0000-0x0000000006AB1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1876-149-0x0000000006D70000-0x0000000006D71000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1876-143-0x0000000000000000-mapping.dmp
    Download
  • memory/1876-147-0x0000000000E50000-0x0000000000E51000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1876-148-0x0000000000E52000-0x0000000000E53000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2276-136-0x000001CB9B970000-0x000001CB9B971000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2276-129-0x000001CB800B0000-0x000001CB800B2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2276-120-0x000001CB800B0000-0x000001CB800B2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2276-130-0x000001CB800B0000-0x000001CB800B2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2276-125-0x000001CB800B0000-0x000001CB800B2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2276-115-0x000001CB800B0000-0x000001CB800B2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2276-117-0x000001CB800B0000-0x000001CB800B2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2276-123-0x000001CB81983000-0x000001CB81985000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2276-135-0x000001CB9B5E0000-0x000001CB9B5E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2276-134-0x000001CB81986000-0x000001CB81988000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2276-124-0x000001CB9A4F0000-0x000001CB9A4F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2276-122-0x000001CB81980000-0x000001CB81982000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2276-121-0x000001CB800B0000-0x000001CB800B2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2276-119-0x000001CB99FD0000-0x000001CB99FD1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2276-118-0x000001CB800B0000-0x000001CB800B2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2276-116-0x000001CB800B0000-0x000001CB800B2000-memory.dmp
    Filesize

    8KB

    Download