Overview

overview

10

Static

static

10

asdfgh.ps1

windows7_x64

10

asdfgh.ps1

windows10_x64

10

Analysis

  • max time kernel
    119s
  • max time network
    122s
  • platform
    windows10_x64
  • resource
    win10-en-20211104
  • submitted
    09-11-2021 21:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    asdfgh.ps1

  • Size

    193KB

  • MD5

    cd2a788f43e405d4f2a445ce34a51414

  • SHA1

    1cb6125cda76b888b0f4a83c3a84670c15a4dfd8

  • SHA256

    b84666e011e1907db93871099c70d4d0ebca2f6118717ab2c465acd35d2006de

  • SHA512

    4868229f375f89a3f9e93f3dbfb12e9a350c8e53e8a04dc9d41a9d9709c66aa0b5e1919bae636c66129947ddf62cfc7397e68598a6b343b152958d0466e07f45

Score
10/10
cobaltstrikebackdoortrojan

Malware Config

Signatures

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

    trojanbackdoorcobaltstrike
  • Blocklisted process makes network request 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\asdfgh.ps1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:656
    • \??\c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
      "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1248

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
    MD5

    36bbdee588e0ee15996020823a5bc14a

    SHA1

    6f5c8e1ee90544269cfbe0c82bfa6d3c10616667

    SHA256

    3cf4b7f7c589a9b658ad279dc18fbf22e463835f44c7a23e0ccc711f766b1770

    SHA512

    73cba26dc404a93048d033405efe30a528b4d48c11f1f3add3f626844c79fc5f5bd3a4b08cf1f7aebc84797b6454ccb219dcf6d8ca54510661ccc7b5f68ac68f

    Download Submit
  • memory/656-143-0x0000029C9A360000-0x0000029C9A362000-memory.dmp
    Filesize

    8KB

    Download
  • memory/656-128-0x0000029C9A360000-0x0000029C9A362000-memory.dmp
    Filesize

    8KB

    Download
  • memory/656-121-0x0000029C9A360000-0x0000029C9A362000-memory.dmp
    Filesize

    8KB

    Download
  • memory/656-120-0x0000029C9A360000-0x0000029C9A362000-memory.dmp
    Filesize

    8KB

    Download
  • memory/656-123-0x0000029CB6410000-0x0000029CB6411000-memory.dmp
    Filesize

    4KB

    Download
  • memory/656-124-0x0000029C9BF20000-0x0000029C9BF22000-memory.dmp
    Filesize

    8KB

    Download
  • memory/656-125-0x0000029C9BF23000-0x0000029C9BF25000-memory.dmp
    Filesize

    8KB

    Download
  • memory/656-126-0x0000029C9A360000-0x0000029C9A362000-memory.dmp
    Filesize

    8KB

    Download
  • memory/656-127-0x0000029C9A360000-0x0000029C9A362000-memory.dmp
    Filesize

    8KB

    Download
  • memory/656-119-0x0000029C9A360000-0x0000029C9A362000-memory.dmp
    Filesize

    8KB

    Download
  • memory/656-129-0x0000029C9A360000-0x0000029C9A362000-memory.dmp
    Filesize

    8KB

    Download
  • memory/656-130-0x0000029CB65C0000-0x0000029CB65C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/656-131-0x0000029C9A360000-0x0000029C9A362000-memory.dmp
    Filesize

    8KB

    Download
  • memory/656-139-0x0000029CB6B20000-0x0000029CB6B21000-memory.dmp
    Filesize

    4KB

    Download
  • memory/656-140-0x0000029CB6EB0000-0x0000029CB6EB1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/656-141-0x0000029C9BF26000-0x0000029C9BF28000-memory.dmp
    Filesize

    8KB

    Download
  • memory/656-142-0x0000029C9A360000-0x0000029C9A362000-memory.dmp
    Filesize

    8KB

    Download
  • memory/656-118-0x0000029C9A360000-0x0000029C9A362000-memory.dmp
    Filesize

    8KB

    Download
  • memory/656-122-0x0000029C9A360000-0x0000029C9A362000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1248-170-0x0000000008730000-0x0000000008763000-memory.dmp
    Filesize

    204KB

    Download
  • memory/1248-152-0x0000000006BE0000-0x0000000006BE1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1248-151-0x0000000002F40000-0x0000000002F41000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1248-153-0x0000000007390000-0x0000000007391000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1248-154-0x0000000006D50000-0x0000000006D51000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1248-155-0x0000000006D52000-0x0000000006D53000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1248-156-0x0000000007220000-0x0000000007221000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1248-157-0x0000000007A30000-0x0000000007A31000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1248-158-0x0000000007B80000-0x0000000007B81000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1248-159-0x0000000007DF0000-0x0000000007DF1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1248-160-0x0000000008180000-0x0000000008181000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1248-161-0x00000000082A0000-0x00000000082A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1248-162-0x0000000008480000-0x0000000008481000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1248-163-0x0000000002F40000-0x0000000002F41000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1248-167-0x0000000009130000-0x0000000009131000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1248-168-0x0000000008880000-0x0000000008881000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1248-150-0x0000000002F40000-0x0000000002F41000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1248-149-0x0000000000000000-mapping.dmp
    Download