cobaltstrike | 6b58cfc97235c7e05efb6a826ae50614e3392caa778e9bfcb59056f36ae0e7b1

General

Target

asdfgh.ps.ps1
Size

193KB
MD5

f9279a34baa5c3563096e9455a3e7be0
SHA1

52556ead53f70cfa566cb735a3e31d2d2dfeea2c
SHA256

6b58cfc97235c7e05efb6a826ae50614e3392caa778e9bfcb59056f36ae0e7b1
SHA512

a9687b93ec56c7a5b85f874626bf9c86d6b942c7b30f9209f267fc036d8b155f66538e90f20e29b6634576af41fb3fcf668d967f0a4201a99078e7515d5fd54e

Score

10^/10

cobaltstrike backdoor trojan

Malware Config

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Blocklisted process makes network request 3 IoCs

Processes:

powershell.exe

flow pid process

4 1544 powershell.exe
5 1544 powershell.exe
6 1544 powershell.exe

flow	pid	process
4	1544	powershell.exe
5	1544	powershell.exe
6	1544	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exetaskmgr.exe

pid	process
2032	powershell.exe
1544	powershell.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid process

952 taskmgr.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

powershell.exepowershell.exeAUDIODG.EXEtaskmgr.exe

description	pid	process
Token: SeDebugPrivilege	2032	powershell.exe
Token: SeDebugPrivilege	1544	powershell.exe
Token: 33	1980	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1980	AUDIODG.EXE
Token: 33	1980	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1980	AUDIODG.EXE
Token: SeDebugPrivilege	952	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

taskmgr.exe

pid	process
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exe

pid	process
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe
952	taskmgr.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

powershell.exe

description	pid	process	target process
PID 2032 wrote to memory of 1544	2032	powershell.exe	powershell.exe
PID 2032 wrote to memory of 1544	2032	powershell.exe	powershell.exe
PID 2032 wrote to memory of 1544	2032	powershell.exe	powershell.exe
PID 2032 wrote to memory of 1544	2032	powershell.exe	powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\asdfgh.ps.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2032

\??\c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
"c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -s -NoLogo -NoProfile
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1544

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x550
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1980

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:952

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1544-61-0x0000000000000000-mapping.dmp

Download
memory/1544-62-0x0000000075731000-0x0000000075733000-memory.dmp

Filesize
8KB

Download
memory/1544-64-0x00000000025F1000-0x00000000025F2000-memory.dmp

Filesize
4KB

Download
memory/1544-63-0x00000000025F0000-0x00000000025F1000-memory.dmp

Filesize
4KB

Download
memory/1544-65-0x00000000025F2000-0x00000000025F4000-memory.dmp

Filesize
8KB

Download
memory/1544-66-0x00000000050B0000-0x00000000050E3000-memory.dmp

Filesize
204KB

Download
memory/2032-55-0x000007FEFBE91000-0x000007FEFBE93000-memory.dmp

Filesize
8KB

Download
memory/2032-57-0x0000000002640000-0x0000000002642000-memory.dmp

Filesize
8KB

Download
memory/2032-58-0x0000000002642000-0x0000000002644000-memory.dmp

Filesize
8KB

Download
memory/2032-59-0x0000000002644000-0x0000000002647000-memory.dmp

Filesize
12KB

Download
memory/2032-56-0x000007FEF28B0000-0x000007FEF340D000-memory.dmp

Filesize
11.4MB

Download
memory/2032-60-0x000000000264B000-0x000000000266A000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads