Overview

overview

10

Static

static

10

cobalt2.ps1

windows7-x64

8

cobalt2.ps1

windows10-2004-x64

8

Analysis

  • max time kernel
    44s
  • max time network
    47s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • resource tags

    arch:x64arch:x86image:win7-20220414-enlocale:en-usos:windows7-x64system
  • submitted
    16-07-2022 10:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cobalt2.ps1

  • Size

    3KB

  • MD5

    5816bf8947b292fd5837d340fae832d0

  • SHA1

    030b8d8abf08be5d099d8a522d3011963fd84246

  • SHA256

    b9dc6cb759631733b4911dff24e61a73d56e47e01d218c7f219b2811cb93e249

  • SHA512

    3968e37b2156ffa1f02681d117719670084bf1444dd09e65d2da62ae8740b1c3d040cbbf0c05c6596e281d564ebb0d392e64b644482ef49764abd7b85fd87370

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\cobalt2.ps1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1452
    • \??\c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
      "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -s -NoLogo -NoProfile
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1004

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1004-59-0x0000000000000000-mapping.dmp
    Download
  • memory/1004-60-0x0000000075EF1000-0x0000000075EF3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1004-62-0x0000000073180000-0x000000007372B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1004-63-0x0000000073180000-0x000000007372B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1452-54-0x000007FEFBD01000-0x000007FEFBD03000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1452-55-0x000007FEF4110000-0x000007FEF4B33000-memory.dmp
    Filesize

    10.1MB

    Download
  • memory/1452-56-0x000007FEF35B0000-0x000007FEF410D000-memory.dmp
    Filesize

    11.4MB

    Download
  • memory/1452-57-0x0000000002934000-0x0000000002937000-memory.dmp
    Filesize

    12KB

    Download
  • memory/1452-58-0x000000001B790000-0x000000001BA8F000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/1452-61-0x000000000293B000-0x000000000295A000-memory.dmp
    Filesize

    124KB

    Download
  • memory/1452-64-0x0000000002934000-0x0000000002937000-memory.dmp
    Filesize

    12KB

    Download
  • memory/1452-65-0x000000000293B000-0x000000000295A000-memory.dmp
    Filesize

    124KB

    Download