Analysis
- max time kernel: 150s
- max time network: 154s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 01-07-2022 09:49
Static task: static1
Behavioral task: behavioral1
- Sample: favicon.ps1
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: favicon.ps1
- Resource: win10v2004-20220414-en
General
- Target: favicon.ps1
- Size: 190KB
- MD5: 471601a24b16ed8f14f68967eac8d64e
- SHA1: fdecb788ba7cd9c855686b0598d4953af85ab399
- SHA256: 4109d17d439e425d24e9d11956adcc63ff8e24ccfffe21dd8c5431fe969d2783
- SHA512: a45a7932e678cac7a117a2a5b7f1598ebd2dbb7dd0cd7151f4956b440384323d659d40a713491ded9f72052ae0c568dee6a39219ba99da81c6a5e3e534c07699
Malware Config
Signatures
- Cobaltstrike: Detected malicious payload which is part of Cobaltstrike.
- suricata: ET MALWARE Cobalt Strike Beacon Observed
- suricata: ET MALWARE Meterpreter or Other Reverse Shell SSL Cert
- Blocklisted process makes network request (6 IoCs)
  Processes:
  flow  pid   process
  3     1272  powershell.exe
  5     1272  powershell.exe
  7     1272  powershell.exe
  9     1272  powershell.exe
  10    1272  powershell.exe
  11    1272  powershell.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  pid   process
  1672  powershell.exe
  1272  powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  description              pid   process
  Token: SeDebugPrivilege  1672  powershell.exe
  Token: SeDebugPrivilege  1272  powershell.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
  description                       pid   process         target process
  PID 1672 wrote to memory of 1272  1672  powershell.exe  powershell.exe
  PID 1672 wrote to memory of 1272  1672  powershell.exe  powershell.exe
  PID 1672 wrote to memory of 1272  1672  powershell.exe  powershell.exe
  PID 1672 wrote to memory of 1272  1672  powershell.exe  powershell.exe
Processes
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\favicon.ps1
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - \??\c:\windows\syswow64\windowspowershell\v1.0\powershell.exe (child process)
    Command line: "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -s -NoLogo -NoProfile
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/1272-63-0x0000000004D40000-0x0000000004D74000-memory.dmp (208KB)
- memory/1272-64-0x00000000052B0000-0x00000000052EE000-memory.dmp (248KB)
- memory/1272-68-0x00000000052B0000-0x00000000052EE000-memory.dmp (248KB)
- memory/1272-67-0x00000000736E0000-0x0000000073C8B000-memory.dmp (5.7MB)
- memory/1272-61-0x0000000075B61000-0x0000000075B63000-memory.dmp (8KB)
- memory/1272-59-0x0000000000000000-mapping.dmp
- memory/1272-62-0x00000000736E0000-0x0000000073C8B000-memory.dmp (5.7MB)
- memory/1672-55-0x000007FEF4A20000-0x000007FEF5443000-memory.dmp (10.1MB)
- memory/1672-60-0x000000000243B000-0x000000000245A000-memory.dmp (124KB)
- memory/1672-54-0x000007FEFC0C1000-0x000007FEFC0C3000-memory.dmp (8KB)
- memory/1672-58-0x000000001B750000-0x000000001BA4F000-memory.dmp (3.0MB)
- memory/1672-65-0x0000000002434000-0x0000000002437000-memory.dmp (12KB)
- memory/1672-66-0x000000000243B000-0x000000000245A000-memory.dmp (124KB)
- memory/1672-57-0x0000000002434000-0x0000000002437000-memory.dmp (12KB)
- memory/1672-56-0x000007FEF3EC0000-0x000007FEF4A1D000-memory.dmp (11.4MB)