Analysis
-
max time kernel
151s -
max time network
148s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
05-01-2022 16:58
Static task
static1
Behavioral task
behavioral1
Sample
Inis.txt.ps1
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
Inis.txt.ps1
Resource
win10-en-20211208
General
-
Target
Inis.txt.ps1
-
Size
220KB
-
MD5
d170dc71a6a37a1f0fa2174879eb6d58
-
SHA1
acd2d9132cfeaa4925076caebcff9f7d1f3e5784
-
SHA256
6e6d3f1224e9c5cb5fc392b292c3def7c585346bde8c7f7b2173677a4a0068b0
-
SHA512
036392ed22dc7aefd5acd6615b1f9ad015ff46d27c89bf41f34fde66e0008dd5e114b7888cde40698899032e96dcbce24eb37004c7ebf5b8823fe2c33cf4e391
Malware Config
Extracted
cobaltstrike
0
http://customsecurityusa.com:787/fam_calendar
-
access_type
512
-
beacon_type
2048
-
host
customsecurityusa.com,/fam_calendar
-
http_header1
AAAAEAAAABtIb3N0OiBjdXN0b21zZWN1cml0eXVzYS5jb20AAAAKAAAAEUNvbm5lY3Rpb246IGNsb3NlAAAACgAAABNBY2NlcHQtRW5jb2Rpbmc6IGJyAAAABwAAAAAAAAAIAAAAAwAAAAIAAAAMcmVnX2ZiX2dhdGU9AAAABgAAAAZDb29raWUAAAAJAAAACmZuYW1lPXRydWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_header2
AAAAEAAAABtIb3N0OiBjdXN0b21zZWN1cml0eXVzYS5jb20AAAAKAAAAEUNvbm5lY3Rpb246IGNsb3NlAAAACgAAAC9Db250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL3gtd3d3LWZvcm0tdXJsZW5jb2RlZAAAAAcAAAABAAAACAAAAAMAAAACAAAABWRvaXQ9AAAABAAAAAcAAAAAAAAAAwAAAAIAAAAOX19zZXNzaW9uX19pZD0AAAAGAAAABkNvb2tpZQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_method1
GET
-
http_method2
POST
-
jitter
9472
-
polling_time
61655
-
port_number
787
-
sc_process32
%windir%\syswow64\runonce.exe
-
sc_process64
%windir%\sysnative\runonce.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCu+k6TVmSi20ZwCbVLBWVeUCBfLJKbTLQFx5TNMpJpPeXmok8PUd/LgP99COChiYYeYyZiLxRl1MCKsit82cRb2VHplkwKQIBcNe7icJLWG6XI+nX6yvAbrfjM3CZ2+14J7KVbSlvSepdezHWfJKUQxD2kRVPRSldPLvyYl8OcqwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
7.8457344e+07
-
unknown2
AAAABAAAAAIAAAJYAAAAAwAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/tab_shop
-
user_agent
Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0
-
watermark
0
Signatures
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
suricata: ET MALWARE Cobalt Strike Malleable C2 Profile (__session__id Cookie)
suricata: ET MALWARE Cobalt Strike Malleable C2 Profile (__session__id Cookie)
-
Blocklisted process makes network request 34 IoCs
Processes:
powershell.exeflow pid process 17 3760 powershell.exe 19 3760 powershell.exe 27 3760 powershell.exe 28 3760 powershell.exe 29 3760 powershell.exe 30 3760 powershell.exe 31 3760 powershell.exe 32 3760 powershell.exe 36 3760 powershell.exe 37 3760 powershell.exe 38 3760 powershell.exe 39 3760 powershell.exe 40 3760 powershell.exe 41 3760 powershell.exe 42 3760 powershell.exe 43 3760 powershell.exe 44 3760 powershell.exe 45 3760 powershell.exe 46 3760 powershell.exe 47 3760 powershell.exe 48 3760 powershell.exe 49 3760 powershell.exe 50 3760 powershell.exe 51 3760 powershell.exe 52 3760 powershell.exe 53 3760 powershell.exe 57 3760 powershell.exe 58 3760 powershell.exe 59 3760 powershell.exe 60 3760 powershell.exe 61 3760 powershell.exe 62 3760 powershell.exe 63 3760 powershell.exe 64 3760 powershell.exe -
Drops file in System32 directory 3 IoCs
Processes:
winlogon.exedescription ioc process File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat winlogon.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8408FE5CA4467EE4DA84A76EF238FE3 winlogon.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8408FE5CA4467EE4DA84A76EF238FE3 winlogon.exe -
Modifies data under HKEY_USERS 45 IoCs
Processes:
winlogon.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs winlogon.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates winlogon.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs winlogon.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs winlogon.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs winlogon.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f95c0000000100000004000000000800001800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2 winlogon.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing winlogon.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root winlogon.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs winlogon.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust winlogon.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs winlogon.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust winlogon.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs winlogon.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs winlogon.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs winlogon.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates winlogon.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs winlogon.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs winlogon.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople winlogon.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates winlogon.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs winlogon.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates winlogon.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA winlogon.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs winlogon.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed winlogon.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs winlogon.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs winlogon.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs winlogon.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed winlogon.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs winlogon.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405 winlogon.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs winlogon.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot winlogon.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople winlogon.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs winlogon.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates winlogon.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 winlogon.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates winlogon.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My winlogon.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA winlogon.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates winlogon.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates winlogon.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs winlogon.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates winlogon.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates winlogon.exe -
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
powershell.exepid process 3760 powershell.exe 3760 powershell.exe 3760 powershell.exe 3760 powershell.exe 3760 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid process Token: SeDebugPrivilege 3760 powershell.exe -
Suspicious use of WriteProcessMemory 1 IoCs
Processes:
powershell.exedescription pid process target process PID 3760 wrote to memory of 572 3760 powershell.exe winlogon.exe
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Inis.txt.ps11⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/572-136-0x000001DF03AA0000-0x000001DF03AE1000-memory.dmpFilesize
260KB
-
memory/572-138-0x000001DF03AF0000-0x000001DF03B73000-memory.dmpFilesize
524KB
-
memory/572-137-0x000001DF03AF0000-0x000001DF03B73000-memory.dmpFilesize
524KB
-
memory/3760-121-0x000001DA89D20000-0x000001DA89D22000-memory.dmpFilesize
8KB
-
memory/3760-134-0x000001DAA2406000-0x000001DAA2408000-memory.dmpFilesize
8KB
-
memory/3760-120-0x000001DAA2360000-0x000001DAA2382000-memory.dmpFilesize
136KB
-
memory/3760-115-0x000001DA89D20000-0x000001DA89D22000-memory.dmpFilesize
8KB
-
memory/3760-122-0x000001DA89D20000-0x000001DA89D22000-memory.dmpFilesize
8KB
-
memory/3760-123-0x000001DA89D20000-0x000001DA89D22000-memory.dmpFilesize
8KB
-
memory/3760-124-0x000001DA89D20000-0x000001DA89D22000-memory.dmpFilesize
8KB
-
memory/3760-125-0x000001DAA2400000-0x000001DAA2402000-memory.dmpFilesize
8KB
-
memory/3760-126-0x000001DAA2403000-0x000001DAA2405000-memory.dmpFilesize
8KB
-
memory/3760-127-0x000001DAA4660000-0x000001DAA46D6000-memory.dmpFilesize
472KB
-
memory/3760-128-0x000001DA89D20000-0x000001DA89D22000-memory.dmpFilesize
8KB
-
memory/3760-119-0x000001DA89D20000-0x000001DA89D22000-memory.dmpFilesize
8KB
-
memory/3760-135-0x000001DAA45E0000-0x000001DAA4621000-memory.dmpFilesize
260KB
-
memory/3760-118-0x000001DA89D20000-0x000001DA89D22000-memory.dmpFilesize
8KB
-
memory/3760-117-0x000001DA89D20000-0x000001DA89D22000-memory.dmpFilesize
8KB
-
memory/3760-116-0x000001DA89D20000-0x000001DA89D22000-memory.dmpFilesize
8KB
-
memory/3760-139-0x000001DAA4650000-0x000001DAA465A000-memory.dmpFilesize
40KB
-
memory/3760-140-0x000001DAA4650000-0x000001DAA465A000-memory.dmpFilesize
40KB
-
memory/3760-141-0x000001DAA2408000-0x000001DAA2409000-memory.dmpFilesize
4KB
-
memory/3760-142-0x000001DAA240A000-0x000001DAA240F000-memory.dmpFilesize
20KB
-
memory/3760-143-0x000001DA89D20000-0x000001DA89D22000-memory.dmpFilesize
8KB
-
memory/3760-144-0x000001DA89D20000-0x000001DA89D22000-memory.dmpFilesize
8KB
-
memory/3760-160-0x000001DA89D20000-0x000001DA89D22000-memory.dmpFilesize
8KB
-
memory/3760-161-0x000001DA89D20000-0x000001DA89D22000-memory.dmpFilesize
8KB