cobaltstrike | d6a8f5cf11e992ce94895e59cfa08a4b7d36d2552587c9db6c7f3b1a338e7d08

Analysis

max time kernel
1771s
max time network
1773s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
11-09-2022 02:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.ps1
Size

3KB
MD5

c4a04ce2d5a109cc76e7ffe5e2d4b124
SHA1

0466028fbec471f4f11d5995ccb17aff6cb6305f
SHA256

d6a8f5cf11e992ce94895e59cfa08a4b7d36d2552587c9db6c7f3b1a338e7d08
SHA512

4bd2f68f8b7aa022216d37856829cfd996aab0ae3755ae0da8d0308f5e76dbb45a1f8011bc70ce99b23d913dc9223dbb6bb5f552d5c92d2bbccf7c9bae9e647c

Score

10^/10

cobaltstrike backdoor trojan

Malware Config

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Blocklisted process makes network request 31 IoCs

Processes:

powershell.exe

flow	pid	process
3	4504	powershell.exe
4	4504	powershell.exe
9	4504	powershell.exe
10	4504	powershell.exe
11	4504	powershell.exe
12	4504	powershell.exe
17	4504	powershell.exe
20	4504	powershell.exe
21	4504	powershell.exe
22	4504	powershell.exe
23	4504	powershell.exe
24	4504	powershell.exe
25	4504	powershell.exe
26	4504	powershell.exe
27	4504	powershell.exe
28	4504	powershell.exe
29	4504	powershell.exe
30	4504	powershell.exe
31	4504	powershell.exe
32	4504	powershell.exe
33	4504	powershell.exe
34	4504	powershell.exe
35	4504	powershell.exe
36	4504	powershell.exe
37	4504	powershell.exe
38	4504	powershell.exe
39	4504	powershell.exe
40	4504	powershell.exe
41	4504	powershell.exe
42	4504	powershell.exe
43	4504	powershell.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exe

pid process

2196 powershell.exe
2196 powershell.exe
2196 powershell.exe
4504 powershell.exe
4504 powershell.exe
4504 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2196 powershell.exe
Token: SeDebugPrivilege 4504 powershell.exe

pid	process
2196	powershell.exe
2196	powershell.exe
2196	powershell.exe
4504	powershell.exe
4504	powershell.exe
4504	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2196	powershell.exe
Token: SeDebugPrivilege	4504	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

powershell.exe

description	pid	process	target process
PID 2196 wrote to memory of 4504	2196	powershell.exe	powershell.exe
PID 2196 wrote to memory of 4504	2196	powershell.exe	powershell.exe
PID 2196 wrote to memory of 4504	2196	powershell.exe	powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\file.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2196

\??\c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
"c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4504

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
50KB

MD5
2cb3f528286df9feab019e0de2053b6a

SHA1
0d5835457f71fd6cdfa45e7280544142e35ad6fc

SHA256
bcdaef74a79cde95526e25c52de2623b0e2b2091a304e57db0cd7e640bb08943

SHA512
c466148cc9d282d02b5463c2ddd0d28c69a0e1715d4aae3bbf9874d39df6ffbc242f10be9d75b18c71d49626ae4f4bb6886f4955afced091e68590155a79e860

Download Submit
memory/2196-122-0x000002587BC50000-0x000002587BC72000-memory.dmp

Filesize
136KB

Download
memory/2196-125-0x000002587BE00000-0x000002587BE76000-memory.dmp

Filesize
472KB

Download
memory/2196-133-0x000002587C420000-0x000002587C596000-memory.dmp

Filesize
1.5MB

Download
memory/2196-134-0x000002587C7B0000-0x000002587C9B8000-memory.dmp

Filesize
2.0MB

Download
memory/4504-145-0x0000000000000000-mapping.dmp

Download
memory/4504-146-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/4504-147-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/4504-148-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/4504-149-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/4504-150-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/4504-151-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/4504-152-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/4504-153-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/4504-154-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/4504-155-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/4504-156-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/4504-157-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/4504-158-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/4504-159-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/4504-160-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/4504-161-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/4504-162-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/4504-163-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/4504-164-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/4504-165-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/4504-166-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/4504-167-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/4504-168-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/4504-169-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/4504-170-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/4504-171-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/4504-172-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/4504-173-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/4504-174-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/4504-175-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/4504-177-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/4504-178-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/4504-180-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/4504-181-0x0000000000E20000-0x0000000000E56000-memory.dmp

Filesize
216KB

Download
memory/4504-182-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/4504-183-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/4504-184-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/4504-185-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/4504-186-0x0000000006D70000-0x0000000007398000-memory.dmp

Filesize
6.2MB

Download
memory/4504-187-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/4504-188-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/4504-189-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/4504-190-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/4504-191-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/4504-192-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/4504-193-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/4504-194-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/4504-195-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/4504-196-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/4504-197-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/4504-198-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/4504-199-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/4504-200-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/4504-201-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/4504-202-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/4504-203-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/4504-204-0x0000000006D40000-0x0000000006D62000-memory.dmp

Filesize
136KB

Download
memory/4504-205-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/4504-206-0x0000000007410000-0x0000000007476000-memory.dmp

Filesize
408KB

Download
memory/4504-207-0x0000000007670000-0x00000000076D6000-memory.dmp

Filesize
408KB

Download
memory/4504-208-0x00000000076E0000-0x0000000007A30000-memory.dmp

Filesize
3.3MB

Download
memory/4504-209-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/4504-210-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/4504-211-0x0000000007490000-0x00000000074AC000-memory.dmp

Filesize
112KB

Download
memory/4504-213-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/4504-212-0x0000000008080000-0x00000000080CB000-memory.dmp

Filesize
300KB

Download
memory/4504-214-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/4504-215-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/4504-216-0x0000000007DE0000-0x0000000007E56000-memory.dmp

Filesize
472KB

Download
memory/4504-217-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/4504-218-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/4504-222-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/4504-223-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/4504-228-0x0000000008CD0000-0x0000000009348000-memory.dmp

Filesize
6.5MB

Download
memory/4504-229-0x00000000083E0000-0x00000000083FA000-memory.dmp

Filesize
104KB

Download
memory/4504-251-0x0000000008650000-0x0000000008CC8000-memory.dmp

Filesize
6.5MB

Download
memory/4504-252-0x0000000007FE0000-0x0000000008021000-memory.dmp

Filesize
260KB

Download
memory/4504-253-0x0000000008650000-0x0000000008CC8000-memory.dmp

Filesize
6.5MB

Download