Analysis
-
max time kernel
140s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
05-12-2022 07:06
Static task
static1
Behavioral task
behavioral1
Sample
p.ps1
Resource
win7-20220901-en
windows7-x64
3 signatures
150 seconds
Behavioral task
behavioral2
Sample
p.ps1
Resource
win10v2004-20220812-en
windows10-2004-x64
4 signatures
150 seconds
General
-
Target
p.ps1
-
Size
363KB
-
MD5
e8597763909e2378145645b86f0db4fe
-
SHA1
a57a6a754675d3f16d4bedf8a9a535d25f7e21d6
-
SHA256
30690dc89f08908c0587d010cbdbfd5689d7896c0599488987f4a9b1893b5e12
-
SHA512
b32c073e351816d05a00c7aefe2326501d23394d76ddfeb1165510c55cf5f33618894a19c1438cfe9cc8d1380c6c7f03457c4613583a65b949d6aa32abbcd92b
-
SSDEEP
6144:jxnYL4aKM8mJDjpkm7Rk0Lc6O22Da2ib6lzlkBb:jxgVNJDjum9kr6iuC8
Score
10/10
Malware Config
Signatures
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Blocklisted process makes network request 2 IoCs
Processes:
powershell.exeflow pid process 10 3268 powershell.exe 39 3268 powershell.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
powershell.exepid process 3268 powershell.exe 3268 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid process Token: SeDebugPrivilege 3268 powershell.exe
Processes
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/3268-135-0x00007FFB3D400000-0x00007FFB3DEC1000-memory.dmpFilesize
10.8MB
-
memory/3268-136-0x0000027BEA3F0000-0x0000027BEA412000-memory.dmpFilesize
136KB
-
memory/3268-137-0x0000027BEA620000-0x0000027BEA664000-memory.dmpFilesize
272KB
-
memory/3268-138-0x0000027BEA6B0000-0x0000027BEA73B000-memory.dmpFilesize
556KB
-
memory/3268-139-0x00007FFB3D400000-0x00007FFB3DEC1000-memory.dmpFilesize
10.8MB
-
memory/3268-140-0x0000027BEA620000-0x0000027BEA664000-memory.dmpFilesize
272KB