Overview

overview

10

Static

static

10

asdfgh.ps1

windows7_x64

10

asdfgh.ps1

windows10_x64

10

Analysis

  • max time kernel
    119s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-en-20211014
  • submitted
    09-11-2021 21:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    asdfgh.ps1

  • Size

    193KB

  • MD5

    cd2a788f43e405d4f2a445ce34a51414

  • SHA1

    1cb6125cda76b888b0f4a83c3a84670c15a4dfd8

  • SHA256

    b84666e011e1907db93871099c70d4d0ebca2f6118717ab2c465acd35d2006de

  • SHA512

    4868229f375f89a3f9e93f3dbfb12e9a350c8e53e8a04dc9d41a9d9709c66aa0b5e1919bae636c66129947ddf62cfc7397e68598a6b343b152958d0466e07f45

Score
10/10
cobaltstrikebackdoortrojan

Malware Config

Signatures

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

    trojanbackdoorcobaltstrike
  • Blocklisted process makes network request 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\asdfgh.ps1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:372
    • \??\c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
      "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -s -NoLogo -NoProfile
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1948

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/372-55-0x000007FEFBD61000-0x000007FEFBD63000-memory.dmp
    Filesize

    8KB

    Download
  • memory/372-56-0x000007FEF2780000-0x000007FEF32DD000-memory.dmp
    Filesize

    11.4MB

    Download
  • memory/372-58-0x00000000022F2000-0x00000000022F4000-memory.dmp
    Filesize

    8KB

    Download
  • memory/372-59-0x00000000022F4000-0x00000000022F7000-memory.dmp
    Filesize

    12KB

    Download
  • memory/372-57-0x00000000022F0000-0x00000000022F2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/372-60-0x000000001B6E0000-0x000000001B9DF000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/372-61-0x00000000022FB000-0x000000000231A000-memory.dmp
    Filesize

    124KB

    Download
  • memory/1948-62-0x0000000000000000-mapping.dmp
    Download
  • memory/1948-63-0x00000000757E1000-0x00000000757E3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1948-64-0x00000000024B0000-0x00000000024B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1948-65-0x00000000024B1000-0x00000000024B2000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1948-66-0x00000000024B2000-0x00000000024B4000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1948-67-0x0000000005100000-0x0000000005133000-memory.dmp
    Filesize

    204KB

    Download