Overview

overview

10

Static

static

10

asdfgh.ps.ps1

windows7_x64

10

asdfgh.ps.ps1

windows10_x64

10

Analysis

  • max time kernel
    111s
  • max time network
    127s
  • platform
    windows10_x64
  • resource
    win10-en-20211104
  • submitted
    26-11-2021 10:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    asdfgh.ps.ps1

  • Size

    193KB

  • MD5

    f9279a34baa5c3563096e9455a3e7be0

  • SHA1

    52556ead53f70cfa566cb735a3e31d2d2dfeea2c

  • SHA256

    6b58cfc97235c7e05efb6a826ae50614e3392caa778e9bfcb59056f36ae0e7b1

  • SHA512

    a9687b93ec56c7a5b85f874626bf9c86d6b942c7b30f9209f267fc036d8b155f66538e90f20e29b6634576af41fb3fcf668d967f0a4201a99078e7515d5fd54e

Score
10/10
cobaltstrikebackdoortrojan

Malware Config

Signatures

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

    trojanbackdoorcobaltstrike
  • Blocklisted process makes network request 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\asdfgh.ps.ps1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2468
    • \??\c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
      "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2924

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

    Download Submit
  • memory/2468-148-0x000001F15BB36000-0x000001F15BB38000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2468-128-0x000001F15DD90000-0x000001F15DD91000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2468-121-0x000001F141CC0000-0x000001F141CC2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2468-118-0x000001F141CC0000-0x000001F141CC2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2468-123-0x000001F1435F0000-0x000001F1435F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2468-124-0x000001F141CC0000-0x000001F141CC2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2468-125-0x000001F141CC0000-0x000001F141CC2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2468-126-0x000001F141CC0000-0x000001F141CC2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2468-127-0x000001F141CC0000-0x000001F141CC2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2468-120-0x000001F141CC0000-0x000001F141CC2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2468-129-0x000001F141CC0000-0x000001F141CC2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2468-131-0x000001F15BB30000-0x000001F15BB32000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2468-133-0x000001F15BB33000-0x000001F15BB35000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2468-139-0x000001F15E270000-0x000001F15E271000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2468-140-0x000001F15E600000-0x000001F15E601000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2468-141-0x000001F141CC0000-0x000001F141CC2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2468-142-0x000001F141CC0000-0x000001F141CC2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2468-119-0x000001F141CC0000-0x000001F141CC2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2468-122-0x000001F141CC0000-0x000001F141CC2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2924-170-0x0000000007FA0000-0x0000000007FD3000-memory.dmp
    Filesize

    204KB

    Download
  • memory/2924-152-0x00000000069C0000-0x00000000069C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2924-151-0x00000000002C0000-0x00000000002C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2924-153-0x0000000007180000-0x0000000007181000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2924-154-0x0000000006CD0000-0x0000000006CD1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2924-155-0x0000000006E70000-0x0000000006E71000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2924-156-0x00000000070C0000-0x00000000070C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2924-157-0x0000000006B40000-0x0000000006B41000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2924-158-0x0000000006B42000-0x0000000006B43000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2924-159-0x00000000077B0000-0x00000000077B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2924-160-0x0000000001200000-0x0000000001201000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2924-161-0x0000000007B40000-0x0000000007B41000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2924-162-0x0000000007C90000-0x0000000007C91000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2924-163-0x00000000002C0000-0x00000000002C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2924-167-0x0000000008980000-0x0000000008981000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2924-168-0x00000000080B0000-0x00000000080B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2924-150-0x00000000002C0000-0x00000000002C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2924-149-0x0000000000000000-mapping.dmp
    Download