Overview

overview

10

Static

static

10

cobalt2.ps1

windows7-x64

8

cobalt2.ps1

windows10-2004-x64

8

Analysis

  • max time kernel
    54s
  • max time network
    60s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220414-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-07-2022 10:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cobalt2.ps1

  • Size

    3KB

  • MD5

    5816bf8947b292fd5837d340fae832d0

  • SHA1

    030b8d8abf08be5d099d8a522d3011963fd84246

  • SHA256

    b9dc6cb759631733b4911dff24e61a73d56e47e01d218c7f219b2811cb93e249

  • SHA512

    3968e37b2156ffa1f02681d117719670084bf1444dd09e65d2da62ae8740b1c3d040cbbf0c05c6596e281d564ebb0d392e64b644482ef49764abd7b85fd87370

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\cobalt2.ps1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4908
    • \??\c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
      "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:852

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/852-139-0x0000000005650000-0x00000000056B6000-memory.dmp
    Filesize

    408KB

    Download
  • memory/852-136-0x0000000004F40000-0x0000000005568000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/852-142-0x0000000006400000-0x000000000641A000-memory.dmp
    Filesize

    104KB

    Download
  • memory/852-141-0x0000000006D00000-0x000000000737A000-memory.dmp
    Filesize

    6.5MB

    Download
  • memory/852-134-0x0000000000000000-mapping.dmp
    Download
  • memory/852-135-0x00000000024B0000-0x00000000024E6000-memory.dmp
    Filesize

    216KB

    Download
  • memory/852-138-0x00000000055E0000-0x0000000005646000-memory.dmp
    Filesize

    408KB

    Download
  • memory/852-137-0x0000000004ED0000-0x0000000004EF2000-memory.dmp
    Filesize

    136KB

    Download
  • memory/852-140-0x0000000005EE0000-0x0000000005EFE000-memory.dmp
    Filesize

    120KB

    Download
  • memory/4908-130-0x000001CA7C3B0000-0x000001CA7C3D2000-memory.dmp
    Filesize

    136KB

    Download
  • memory/4908-132-0x00007FFADD9E0000-0x00007FFADE4A1000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/4908-133-0x000001CA7CD50000-0x000001CA7CF5A000-memory.dmp
    Filesize

    2.0MB

    Download
  • memory/4908-131-0x000001CA7C9C0000-0x000001CA7CB36000-memory.dmp
    Filesize

    1.5MB

    Download
  • memory/4908-143-0x00007FFADD9E0000-0x00007FFADE4A1000-memory.dmp
    Filesize

    10.8MB

    Download