Overview

overview

10

Static

static

10

Inis.txt.ps1

windows7_x64

10

Inis.txt.ps1

windows10_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    148s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    05-01-2022 16:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Inis.txt.ps1

  • Size

    220KB

  • MD5

    d170dc71a6a37a1f0fa2174879eb6d58

  • SHA1

    acd2d9132cfeaa4925076caebcff9f7d1f3e5784

  • SHA256

    6e6d3f1224e9c5cb5fc392b292c3def7c585346bde8c7f7b2173677a4a0068b0

  • SHA512

    036392ed22dc7aefd5acd6615b1f9ad015ff46d27c89bf41f34fde66e0008dd5e114b7888cde40698899032e96dcbce24eb37004c7ebf5b8823fe2c33cf4e391

Score
10/10
cobaltstrike0backdoorsuricatatrojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

0

C2

http://customsecurityusa.com:787/fam_calendar

Attributes
  • access_type

    512

  • beacon_type

    2048

  • host

    customsecurityusa.com,/fam_calendar

  • http_header1

    AAAAEAAAABtIb3N0OiBjdXN0b21zZWN1cml0eXVzYS5jb20AAAAKAAAAEUNvbm5lY3Rpb246IGNsb3NlAAAACgAAABNBY2NlcHQtRW5jb2Rpbmc6IGJyAAAABwAAAAAAAAAIAAAAAwAAAAIAAAAMcmVnX2ZiX2dhdGU9AAAABgAAAAZDb29raWUAAAAJAAAACmZuYW1lPXRydWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_header2

    AAAAEAAAABtIb3N0OiBjdXN0b21zZWN1cml0eXVzYS5jb20AAAAKAAAAEUNvbm5lY3Rpb246IGNsb3NlAAAACgAAAC9Db250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL3gtd3d3LWZvcm0tdXJsZW5jb2RlZAAAAAcAAAABAAAACAAAAAMAAAACAAAABWRvaXQ9AAAABAAAAAcAAAAAAAAAAwAAAAIAAAAOX19zZXNzaW9uX19pZD0AAAAGAAAABkNvb2tpZQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_method1

    GET

  • http_method2

    POST

  • jitter

    9472

  • polling_time

    61655

  • port_number

    787

  • sc_process32

    %windir%\syswow64\runonce.exe

  • sc_process64

    %windir%\sysnative\runonce.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCu+k6TVmSi20ZwCbVLBWVeUCBfLJKbTLQFx5TNMpJpPeXmok8PUd/LgP99COChiYYeYyZiLxRl1MCKsit82cRb2VHplkwKQIBcNe7icJLWG6XI+nX6yvAbrfjM3CZ2+14J7KVbSlvSepdezHWfJKUQxD2kRVPRSldPLvyYl8OcqwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    7.8457344e+07

  • unknown2

    AAAABAAAAAIAAAJYAAAAAwAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /tab_shop

  • user_agent

    Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0

  • watermark

    0

Signatures

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

    trojanbackdoorcobaltstrike
  • suricata: ET MALWARE Cobalt Strike Malleable C2 Profile (__session__id Cookie)

    suricata: ET MALWARE Cobalt Strike Malleable C2 Profile (__session__id Cookie)

    suricata
  • Blocklisted process makes network request 34 IoCs
  • Drops file in System32 directory 3 IoCs
  • Modifies data under HKEY_USERS 45 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 1 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:572
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Inis.txt.ps1
    1⤵
    • Blocklisted process makes network request
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3760

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/572-136-0x000001DF03AA0000-0x000001DF03AE1000-memory.dmp
    Filesize

    260KB

    Download
  • memory/572-138-0x000001DF03AF0000-0x000001DF03B73000-memory.dmp
    Filesize

    524KB

    Download
  • memory/572-137-0x000001DF03AF0000-0x000001DF03B73000-memory.dmp
    Filesize

    524KB

    Download
  • memory/3760-121-0x000001DA89D20000-0x000001DA89D22000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3760-134-0x000001DAA2406000-0x000001DAA2408000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3760-120-0x000001DAA2360000-0x000001DAA2382000-memory.dmp
    Filesize

    136KB

    Download
  • memory/3760-115-0x000001DA89D20000-0x000001DA89D22000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3760-122-0x000001DA89D20000-0x000001DA89D22000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3760-123-0x000001DA89D20000-0x000001DA89D22000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3760-124-0x000001DA89D20000-0x000001DA89D22000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3760-125-0x000001DAA2400000-0x000001DAA2402000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3760-126-0x000001DAA2403000-0x000001DAA2405000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3760-127-0x000001DAA4660000-0x000001DAA46D6000-memory.dmp
    Filesize

    472KB

    Download
  • memory/3760-128-0x000001DA89D20000-0x000001DA89D22000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3760-119-0x000001DA89D20000-0x000001DA89D22000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3760-135-0x000001DAA45E0000-0x000001DAA4621000-memory.dmp
    Filesize

    260KB

    Download
  • memory/3760-118-0x000001DA89D20000-0x000001DA89D22000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3760-117-0x000001DA89D20000-0x000001DA89D22000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3760-116-0x000001DA89D20000-0x000001DA89D22000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3760-139-0x000001DAA4650000-0x000001DAA465A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/3760-140-0x000001DAA4650000-0x000001DAA465A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/3760-141-0x000001DAA2408000-0x000001DAA2409000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3760-142-0x000001DAA240A000-0x000001DAA240F000-memory.dmp
    Filesize

    20KB

    Download
  • memory/3760-143-0x000001DA89D20000-0x000001DA89D22000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3760-144-0x000001DA89D20000-0x000001DA89D22000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3760-160-0x000001DA89D20000-0x000001DA89D22000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3760-161-0x000001DA89D20000-0x000001DA89D22000-memory.dmp
    Filesize

    8KB

    Download