cobaltstrike | d6a8f5cf11e992ce94895e59cfa08a4b7d36d2552587c9db6c7f3b1a338e7d08

Analysis

max time kernel
53s
max time network
61s
platform
windows10-1703_x64
resource
win10-20220812-es
resource tags

arch:x64arch:x86image:win10-20220812-eslocale:es-esos:windows10-1703-x64systemwindows
submitted
11-09-2022 02:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

run.ps1
Size

3KB
MD5

c4a04ce2d5a109cc76e7ffe5e2d4b124
SHA1

0466028fbec471f4f11d5995ccb17aff6cb6305f
SHA256

d6a8f5cf11e992ce94895e59cfa08a4b7d36d2552587c9db6c7f3b1a338e7d08
SHA512

4bd2f68f8b7aa022216d37856829cfd996aab0ae3755ae0da8d0308f5e76dbb45a1f8011bc70ce99b23d913dc9223dbb6bb5f552d5c92d2bbccf7c9bae9e647c

Score

10^/10

cobaltstrike backdoor trojan

Malware Config

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

2 4780 powershell.exe
3 4780 powershell.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exe

pid process

3724 powershell.exe
3724 powershell.exe
3724 powershell.exe
4780 powershell.exe
4780 powershell.exe
4780 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 3724 powershell.exe
Token: SeDebugPrivilege 4780 powershell.exe

flow	pid	process
2	4780	powershell.exe
3	4780	powershell.exe

pid	process
3724	powershell.exe
3724	powershell.exe
3724	powershell.exe
4780	powershell.exe
4780	powershell.exe
4780	powershell.exe

description	pid	process
Token: SeDebugPrivilege	3724	powershell.exe
Token: SeDebugPrivilege	4780	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

powershell.exe

description	pid	process	target process
PID 3724 wrote to memory of 4780	3724	powershell.exe	powershell.exe
PID 3724 wrote to memory of 4780	3724	powershell.exe	powershell.exe
PID 3724 wrote to memory of 4780	3724	powershell.exe	powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\run.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3724

\??\c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
"c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4780

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
50KB

MD5
2cb3f528286df9feab019e0de2053b6a

SHA1
0d5835457f71fd6cdfa45e7280544142e35ad6fc

SHA256
bcdaef74a79cde95526e25c52de2623b0e2b2091a304e57db0cd7e640bb08943

SHA512
c466148cc9d282d02b5463c2ddd0d28c69a0e1715d4aae3bbf9874d39df6ffbc242f10be9d75b18c71d49626ae4f4bb6886f4955afced091e68590155a79e860

Download Submit
memory/3724-123-0x000001FA3FDD0000-0x000001FA3FE52000-memory.dmp

Filesize
520KB

Download
memory/3724-124-0x000001FA279C0000-0x000001FA279D0000-memory.dmp

Filesize
64KB

Download
memory/3724-125-0x000001FA3FD70000-0x000001FA3FD92000-memory.dmp

Filesize
136KB

Download
memory/3724-126-0x000001FA40070000-0x000001FA40172000-memory.dmp

Filesize
1.0MB

Download
memory/3724-129-0x000001FA40200000-0x000001FA40276000-memory.dmp

Filesize
472KB

Download
memory/3724-136-0x000001FA40910000-0x000001FA40A86000-memory.dmp

Filesize
1.5MB

Download
memory/3724-137-0x000001FA40CA0000-0x000001FA40EA8000-memory.dmp

Filesize
2.0MB

Download
memory/3724-142-0x000001FA40180000-0x000001FA40194000-memory.dmp

Filesize
80KB

Download
memory/4780-149-0x0000000000000000-mapping.dmp

Download
memory/4780-150-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/4780-153-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/4780-152-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/4780-155-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/4780-157-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/4780-159-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/4780-160-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/4780-161-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/4780-162-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/4780-164-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/4780-169-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/4780-171-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/4780-170-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/4780-168-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/4780-172-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/4780-173-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/4780-167-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/4780-166-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/4780-165-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/4780-163-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/4780-158-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/4780-156-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/4780-154-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/4780-151-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/4780-174-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/4780-175-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/4780-176-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/4780-177-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/4780-178-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/4780-179-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/4780-181-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/4780-184-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/4780-182-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/4780-185-0x0000000006FC0000-0x0000000006FF6000-memory.dmp

Filesize
216KB

Download
memory/4780-187-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/4780-188-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/4780-189-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/4780-186-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/4780-190-0x0000000007730000-0x0000000007D58000-memory.dmp

Filesize
6.2MB

Download
memory/4780-191-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/4780-192-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/4780-193-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/4780-194-0x00000000074E0000-0x0000000007562000-memory.dmp

Filesize
520KB

Download
memory/4780-195-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/4780-196-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/4780-198-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/4780-199-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/4780-200-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/4780-202-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/4780-201-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/4780-197-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/4780-203-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/4780-204-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/4780-205-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/4780-206-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/4780-207-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/4780-210-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/4780-209-0x0000000007DB0000-0x0000000007DD2000-memory.dmp

Filesize
136KB

Download
memory/4780-213-0x0000000007D70000-0x0000000007D80000-memory.dmp

Filesize
64KB

Download
memory/4780-212-0x0000000007E80000-0x0000000007EE6000-memory.dmp

Filesize
408KB

Download
memory/4780-211-0x0000000007F50000-0x0000000007FB6000-memory.dmp

Filesize
408KB

Download
memory/4780-208-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/4780-214-0x0000000008140000-0x0000000008490000-memory.dmp

Filesize
3.3MB

Download
memory/4780-216-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/4780-215-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/4780-217-0x00000000085C0000-0x00000000086C2000-memory.dmp

Filesize
1.0MB

Download
memory/4780-218-0x0000000007300000-0x000000000731C000-memory.dmp

Filesize
112KB

Download
memory/4780-219-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/4780-221-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/4780-222-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/4780-220-0x0000000008820000-0x000000000886B000-memory.dmp

Filesize
300KB

Download
memory/4780-223-0x0000000008A70000-0x0000000008AE6000-memory.dmp

Filesize
472KB

Download
memory/4780-224-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/4780-225-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/4780-229-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/4780-228-0x0000000077210000-0x000000007739E000-memory.dmp

Filesize
1.6MB

Download
memory/4780-235-0x0000000008F50000-0x0000000008F6A000-memory.dmp

Filesize
104KB

Download
memory/4780-234-0x0000000009840000-0x0000000009EB8000-memory.dmp

Filesize
6.5MB

Download
memory/4780-258-0x00000000086E0000-0x0000000008721000-memory.dmp

Filesize
260KB

Download
memory/4780-257-0x00000000091C0000-0x0000000009838000-memory.dmp

Filesize
6.5MB

Download
memory/4780-260-0x00000000091C0000-0x0000000009838000-memory.dmp

Filesize
6.5MB

Download