Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    05-01-2022 16:58

General

  • Target

    Inis.txt.ps1

  • Size

    220KB

  • MD5

    d170dc71a6a37a1f0fa2174879eb6d58

  • SHA1

    acd2d9132cfeaa4925076caebcff9f7d1f3e5784

  • SHA256

    6e6d3f1224e9c5cb5fc392b292c3def7c585346bde8c7f7b2173677a4a0068b0

  • SHA512

    036392ed22dc7aefd5acd6615b1f9ad015ff46d27c89bf41f34fde66e0008dd5e114b7888cde40698899032e96dcbce24eb37004c7ebf5b8823fe2c33cf4e391

Malware Config

Extracted

Family

cobaltstrike

Botnet

0

C2

http://customsecurityusa.com:787/search

http://customsecurityusa.com:787/ab

Attributes
  • access_type

    512

  • beacon_type

    2048

  • host

    customsecurityusa.com,/search

  • http_header1

    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

  • http_header2

    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

  • http_method1

    GET

  • http_method2

    POST

  • jitter

    9472

  • polling_time

    61655

  • port_number

    787

  • sc_process32

    %windir%\syswow64\runonce.exe

  • sc_process64

    %windir%\sysnative\runonce.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCu+k6TVmSi20ZwCbVLBWVeUCBfLJKbTLQFx5TNMpJpPeXmok8PUd/LgP99COChiYYeYyZiLxRl1MCKsit82cRb2VHplkwKQIBcNe7icJLWG6XI+nX6yvAbrfjM3CZ2+14J7KVbSlvSepdezHWfJKUQxD2kRVPRSldPLvyYl8OcqwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    78457344

  • unknown2

    AAAABAAAAAIAAAJYAAAAAwAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /dhl

  • user_agent

    Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0

  • watermark

    0

Signatures

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

  • suricata: ET MALWARE Cobalt Strike Malleable C2 Profile (__session__id Cookie)

  • Blocklisted process makes network request 37 IoCs
  • Drops file in System32 directory 4 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs
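The extracted config and the Suricata alert above together describe what this beacon's check-in looks like on the wire: GET /search and POST /ab on customsecurityusa.com:787, an iPhone Safari User-Agent, and a __session__id cookie carrying the encrypted session metadata. The Python below is an added example, not code from the sandbox or from this report. It decodes the value the report labels "state_machine" as DER (it is a SubjectPublicKeyInfo, the RSA public key a beacon uses to encrypt its metadata to the team server), turns the config into HTTP match points, and scores two constructed requests against them. The request bodies, the cookie value and the benign request are constructed; the cookie-name indicator comes from the Suricata rule title rather than from the extracted config, and the run of A characters at the end of the key blob is reconstructed as 94 zero bytes of field padding.

```python
import base64
from urllib.parse import urlsplit

# Values copied from the Malware Config section of this report.
BEACON_CONFIG = {
    "host": "customsecurityusa.com",
    "port_number": 787,
    "http_method1": "GET",
    "http_method2": "POST",
    "c2": ["http://customsecurityusa.com:787/search",
           "http://customsecurityusa.com:787/ab"],
    "uri": "/dhl",
    "user_agent": ("Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) "
                   "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0"),
    # 'state_machine' as reported; the trailing A characters are the zero padding
    # of the key field and are reconstructed here as 94 zero bytes (assumption).
    "state_machine": ("MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCu"
                      "+k6TVmSi20ZwCbVLBWVeUCBfLJKbTLQFx5TNMpJp"
                      "PeXmok8PUd/LgP99COChiYYeYyZiLxRl1MCKsit8"
                      "2cRb2VHplkwKQIBcNe7icJLWG6XI+nX6yvAbrfjM"
                      "3CZ2+14J7KVbSlvSepdezHWfJKUQxD2kRVPRSldP"
                      "LvyYl8OcqwIDAQAB" + "A" * 126 + "=="),
}
RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption


def _der(buf, pos=0):
    """Read one DER TLV at pos and return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_beacon_pubkey(b64):
    """Decode the key blob as a DER SubjectPublicKeyInfo and summarise the RSA key."""
    s = b64.strip().rstrip("=")
    blob = base64.b64decode(s + "=" * (-len(s) % 4))  # tolerate padding differences
    _, spki, _ = _der(blob)               # SEQUENCE { AlgorithmIdentifier, BIT STRING }
    _, alg, pos = _der(spki)
    _, oid, _ = _der(alg)                 # OBJECT IDENTIFIER inside AlgorithmIdentifier
    _, bitstr, _ = _der(spki, pos)
    _, rsa_key, _ = _der(bitstr[1:])      # skip the unused-bits octet of the BIT STRING
    _, modulus, pos = _der(rsa_key)       # INTEGER n
    _, exponent, _ = _der(rsa_key, pos)   # INTEGER e
    return {
        "algorithm": "rsaEncryption" if oid == RSA_OID else oid.hex(),
        "modulus_bits": int.from_bytes(modulus, "big").bit_length(),
        "exponent": int.from_bytes(exponent, "big"),
    }


def build_indicators(cfg):
    """Concrete HTTP match points derived from the extracted config."""
    paths = {urlsplit(u).path for u in cfg["c2"]} | {cfg["uri"]}
    return {
        "host": f'{cfg["host"]}:{cfg["port_number"]}'.lower(),
        "methods": {cfg["http_method1"], cfg["http_method2"]},
        "paths": paths,
        "user_agent": cfg["user_agent"],
        "cookie_marker": "__session__id=",  # from the Suricata alert title, not the config
    }


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, path without query, lower-cased headers)."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, target, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target.split("?", 1)[0], headers


def match_request(raw, ind):
    """Names of the beacon indicators present in one request, in a fixed order."""
    method, path, h = parse_request(raw)
    hits = []
    if h.get("host", "").lower() == ind["host"]:
        hits.append("c2_host")
    if method in ind["methods"] and path in ind["paths"]:
        hits.append("c2_endpoint")
    if h.get("user-agent") == ind["user_agent"]:
        hits.append("user_agent")
    if ind["cookie_marker"] in h.get("cookie", ""):
        hits.append("session_cookie")
    return hits


def is_beacon(hits):
    """Alert on the C2 host itself, or on two independent indicators."""
    return "c2_host" in hits or len(hits) >= 2


# Constructed requests: the first resembles the check-in this config would send,
# the second is ordinary browser traffic that only shares the /search path.
BEACON_GET = ("GET /search HTTP/1.1\r\nHost: customsecurityusa.com:787\r\n"
              "User-Agent: " + BEACON_CONFIG["user_agent"] + "\r\n"
              "Cookie: __session__id=c29tZSBlbmNyeXB0ZWQgbWV0YWRhdGE\r\n\r\n")
BENIGN_GET = ("GET /search?q=parcel HTTP/1.1\r\nHost: www.example.com\r\n"
              "User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) Chrome/96.0\r\n\r\n")

if __name__ == "__main__":
    print(parse_beacon_pubkey(BEACON_CONFIG["state_machine"]))
    ind = build_indicators(BEACON_CONFIG)
    for req in (BEACON_GET, BENIGN_GET):
        hits = match_request(req, ind)
        print(hits, "beacon" if is_beacon(hits) else "no alert")
```

The benign request is there to show why a single indicator is not enough: /search is a common path, so is_beacon only fires on the C2 host itself or on two independent indicators. The key summary (1024-bit RSA, e = 65537) is what you would compare across samples to tie several beacons to the same team server.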

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:420
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Inis.txt.ps1
    1⤵
    • Blocklisted process makes network request
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1144
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    1⤵
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:808
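The process list shows the script launched with the execution policy bypassed from the user's Temp directory under a double extension (Inis.txt.ps1), and the config's sc_process32/sc_process64 values name the process the beacon would spawn for post-exploitation jobs. The Python below is an added example of endpoint detection logic built from those two facts; it is not the sandbox's own detection and not code from the report. It runs three rules over process-creation records: PowerShell bypassing the execution policy to run a script from AppData\Local\Temp, a script with a double extension, and the configured spawn-to binary started by powershell.exe. The records are constructed in the shape of a process-creation log; PIDs 1144 and 808 and their command lines are taken from the report, while the parent PIDs and the runonce.exe record (PID 1500) are hypothetical, added to show what the spawn-to would look like if a job were run.

```python
import re

# Spawn-to values from the extracted config: the sacrificial process the beacon
# launches for post-exploitation jobs.
SPAWNTO = {r"%windir%\syswow64\runonce.exe", r"%windir%\sysnative\runonce.exe"}


def normalize_path(p):
    """Lower-case, expand %windir% and map the WOW64 alias 'sysnative' to the real System32."""
    p = p.lower().replace("%windir%", "c:\\windows")
    return p.replace("\\sysnative\\", "\\system32\\")


SPAWNTO_IMAGES = {normalize_path(p) for p in SPAWNTO}
# powershell.exe accepts parameter prefixes, so -ep / -exec / -executionpolicy all count.
BYPASS_RE = re.compile(r"-e[a-z]*\s+bypass", re.I)
SCRIPT_RE = re.compile(r'-f(?:ile)?\s+"?([^"\s]+\.ps1)', re.I)
DOUBLE_EXT_RE = re.compile(r"\.[a-z0-9]{1,5}\.ps1$", re.I)


def evaluate(events):
    """Map pid -> names of the rules that fired, over process-creation records."""
    by_pid = {e["pid"]: e for e in events}
    findings = {}
    for e in events:
        hits = []
        image = e["image"].lower()
        parent = by_pid.get(e["ppid"], {}).get("image", "").lower()
        if image.endswith("\\powershell.exe"):
            m = SCRIPT_RE.search(e["cmdline"])
            script = m.group(1).lower() if m else ""
            if BYPASS_RE.search(e["cmdline"]) and "\\appdata\\local\\temp\\" in script:
                hits.append("powershell_bypass_temp_script")
            if DOUBLE_EXT_RE.search(script):
                hits.append("double_extension_script")
        if image in SPAWNTO_IMAGES and parent.endswith("\\powershell.exe"):
            hits.append("spawnto_from_powershell")
        if hits:
            findings[e["pid"]] = hits
    return findings


# Constructed records in the shape of a process-creation log (e.g. Sysmon event 1).
# PIDs 1144 and 808 and their command lines come from the report; the parent PIDs
# and the runonce.exe record (PID 1500) are hypothetical.
EVENTS = [
    {"pid": 1144, "ppid": 1020,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Inis.txt.ps1"},
    {"pid": 808, "ppid": 480,
     "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted"},
    {"pid": 1500, "ppid": 1144,
     "image": r"C:\Windows\SysWOW64\runonce.exe",
     "cmdline": r"C:\Windows\SysWOW64\runonce.exe"},
]

if __name__ == "__main__":
    for pid, rules in evaluate(EVENTS).items():
        print(pid, rules)
```

The sysnative mapping matters because a 32-bit beacon reaches the 64-bit runonce.exe through the WOW64 alias, but the process-creation log records the real System32 path; matching on the config string verbatim would miss it. The svchost.exe -k LocalSystemNetworkRestricted record fires nothing, as it should: on this page it is a legitimate service host that the sandbox flagged only for memory and registry behaviour.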

Network

MITRE ATT&CK Matrix


Downloads

  • memory/420-62-0x0000000000810000-0x0000000000851000-memory.dmp
    Filesize

    260KB

  • memory/420-66-0x0000000000930000-0x00000000009B3000-memory.dmp
    Filesize

    524KB

  • memory/420-64-0x0000000000930000-0x00000000009B3000-memory.dmp
    Filesize

    524KB

  • memory/420-63-0x0000000000810000-0x0000000000851000-memory.dmp
    Filesize

    260KB

  • memory/808-71-0x0000000000E70000-0x0000000000EF3000-memory.dmp
    Filesize

    524KB

  • memory/808-69-0x0000000000E70000-0x0000000000EF3000-memory.dmp
    Filesize

    524KB

  • memory/808-68-0x0000000000360000-0x00000000003A1000-memory.dmp
    Filesize

    260KB

  • memory/1144-57-0x0000000002972000-0x0000000002974000-memory.dmp
    Filesize

    8KB

  • memory/1144-61-0x000000001B130000-0x000000001B171000-memory.dmp
    Filesize

    260KB

  • memory/1144-60-0x000000000297B000-0x000000000299A000-memory.dmp
    Filesize

    124KB

  • memory/1144-59-0x000000001B720000-0x000000001BA1F000-memory.dmp
    Filesize

    3.0MB

  • memory/1144-58-0x0000000002974000-0x0000000002977000-memory.dmp
    Filesize

    12KB

  • memory/1144-54-0x000007FEFB7E1000-0x000007FEFB7E3000-memory.dmp
    Filesize

    8KB

  • memory/1144-56-0x0000000002970000-0x0000000002972000-memory.dmp
    Filesize

    8KB

  • memory/1144-55-0x000007FEF2B40000-0x000007FEF369D000-memory.dmp
    Filesize

    11.4MB
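Each Downloads entry is a memory region the sandbox dumped, and the file name encodes the PID, a sequence number and the address range. The Python below is an added example, not part of the report or the sandbox: it parses those names, recomputes the Filesize column, and lists region sizes that recur across processes. On this page a 0x41000-byte (260KB) region appears in powershell.exe (1144), winlogon.exe (420) and svchost.exe (808), and a 0x83000-byte (524KB) region in 420 and 808; together with the WriteProcessMemory signature on powershell.exe, those same-size regions are the dumps to compare first when looking for the injected beacon. The dump names are copied from the list above.

```python
import re
from collections import defaultdict

# Dump names as listed in the Downloads section of this report:
# memory/<pid>-<sequence>-0x<start>-0x<end>-memory.dmp
DUMPS = [
    "memory/420-62-0x0000000000810000-0x0000000000851000-memory.dmp",
    "memory/420-66-0x0000000000930000-0x00000000009B3000-memory.dmp",
    "memory/420-64-0x0000000000930000-0x00000000009B3000-memory.dmp",
    "memory/420-63-0x0000000000810000-0x0000000000851000-memory.dmp",
    "memory/808-71-0x0000000000E70000-0x0000000000EF3000-memory.dmp",
    "memory/808-69-0x0000000000E70000-0x0000000000EF3000-memory.dmp",
    "memory/808-68-0x0000000000360000-0x00000000003A1000-memory.dmp",
    "memory/1144-57-0x0000000002972000-0x0000000002974000-memory.dmp",
    "memory/1144-61-0x000000001B130000-0x000000001B171000-memory.dmp",
    "memory/1144-60-0x000000000297B000-0x000000000299A000-memory.dmp",
    "memory/1144-59-0x000000001B720000-0x000000001BA1F000-memory.dmp",
    "memory/1144-58-0x0000000002974000-0x0000000002977000-memory.dmp",
    "memory/1144-54-0x000007FEFB7E1000-0x000007FEFB7E3000-memory.dmp",
    "memory/1144-56-0x0000000002970000-0x0000000002972000-memory.dmp",
    "memory/1144-55-0x000007FEF2B40000-0x000007FEF369D000-memory.dmp",
]
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_dump_name(name):
    """Return pid, sequence number, start, end and size of one dumped region."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    pid, seq, start, end = m.groups()
    start, end = int(start, 16), int(end, 16)
    return {"pid": int(pid), "seq": int(seq), "start": start, "end": end, "size": end - start}


def human_size(n):
    """Reproduce the report's Filesize column: whole KB below 1 MiB, one decimal of MB above."""
    return f"{n / (1 << 20):.1f}MB" if n >= 1 << 20 else f"{n // 1024}KB"


def regions_by_size(names):
    """size -> set of PIDs in which a region of exactly that size was dumped."""
    by_size = defaultdict(set)
    for d in map(parse_dump_name, names):
        by_size[d["size"]].add(d["pid"])
    return dict(by_size)


def shared_regions(names):
    """(size, sorted pids) for sizes dumped from more than one process, most widely shared first."""
    shared = [(size, sorted(pids)) for size, pids in regions_by_size(names).items() if len(pids) > 1]
    return sorted(shared, key=lambda item: (-len(item[1]), -item[0]))


if __name__ == "__main__":
    for size, pids in shared_regions(DUMPS):
        print(f"{human_size(size):>7} (0x{size:X}) dumped from PIDs {pids}")
```

Repeated dumps of one range (420-62 and 420-63, or 808-69 and 808-71) are successive snapshots of the same region taken as the sandbox saw it change; grouping by PID set collapses them, so the output reflects how many distinct processes hold a region of each size rather than how many times it was captured.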