Analysis
- max time kernel: 119s
- max time network: 122s
- platform: windows7_x64
- resource: win7-en-20211014
- submitted: 09-11-2021 21:39
Static task: static1
Behavioral task: behavioral1
- Sample: asdfgh.ps1
- Resource: win7-en-20211014
- Platform: windows7_x64
- 0 signatures
- 0 seconds
Behavioral task: behavioral2
- Sample: asdfgh.ps1
- Resource: win10-en-20211104
- Platform: windows10_x64
- 0 signatures
- 0 seconds
General
- Target: asdfgh.ps1
- Size: 193KB
- MD5: cd2a788f43e405d4f2a445ce34a51414
- SHA1: 1cb6125cda76b888b0f4a83c3a84670c15a4dfd8
- SHA256: b84666e011e1907db93871099c70d4d0ebca2f6118717ab2c465acd35d2006de
- SHA512: 4868229f375f89a3f9e93f3dbfb12e9a350c8e53e8a04dc9d41a9d9709c66aa0b5e1919bae636c66129947ddf62cfc7397e68598a6b343b152958d0466e07f45
- Score: 10/10
Malware Config
Signatures
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
- Blocklisted process makes network request (3 IoCs)
  Processes:
    flow  pid   process
    4     1948  powershell.exe
    5     1948  powershell.exe
    6     1948  powershell.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid   process
    372   powershell.exe
    1948  powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  372   powershell.exe
    Token: SeDebugPrivilege  1948  powershell.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
    description                      pid  process         target process
    PID 372 wrote to memory of 1948  372  powershell.exe  powershell.exe
    PID 372 wrote to memory of 1948  372  powershell.exe  powershell.exe
    PID 372 wrote to memory of 1948  372  powershell.exe  powershell.exe
    PID 372 wrote to memory of 1948  372  powershell.exe  powershell.exe
Processes
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree level 1)
  Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\asdfgh.ps1
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - \??\c:\windows\syswow64\windowspowershell\v1.0\powershell.exe (tree level 2, child of the process above)
    Command line: "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -s -NoLogo -NoProfile
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/372-55-0x000007FEFBD61000-0x000007FEFBD63000-memory.dmp (Filesize: 8KB)
- memory/372-56-0x000007FEF2780000-0x000007FEF32DD000-memory.dmp (Filesize: 11.4MB)
- memory/372-58-0x00000000022F2000-0x00000000022F4000-memory.dmp (Filesize: 8KB)
- memory/372-59-0x00000000022F4000-0x00000000022F7000-memory.dmp (Filesize: 12KB)
- memory/372-57-0x00000000022F0000-0x00000000022F2000-memory.dmp (Filesize: 8KB)
- memory/372-60-0x000000001B6E0000-0x000000001B9DF000-memory.dmp (Filesize: 3.0MB)
- memory/372-61-0x00000000022FB000-0x000000000231A000-memory.dmp (Filesize: 124KB)
- memory/1948-62-0x0000000000000000-mapping.dmp
- memory/1948-63-0x00000000757E1000-0x00000000757E3000-memory.dmp (Filesize: 8KB)
- memory/1948-64-0x00000000024B0000-0x00000000024B1000-memory.dmp (Filesize: 4KB)
- memory/1948-65-0x00000000024B1000-0x00000000024B2000-memory.dmp (Filesize: 4KB)
- memory/1948-66-0x00000000024B2000-0x00000000024B4000-memory.dmp (Filesize: 8KB)
- memory/1948-67-0x0000000005100000-0x0000000005133000-memory.dmp (Filesize: 204KB)