Analysis

  • max time kernel
    140s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05-12-2022 07:06

General

  • Target

    p.ps1

  • Size

    363KB

  • MD5

    e8597763909e2378145645b86f0db4fe

  • SHA1

    a57a6a754675d3f16d4bedf8a9a535d25f7e21d6

  • SHA256

    30690dc89f08908c0587d010cbdbfd5689d7896c0599488987f4a9b1893b5e12

  • SHA512

    b32c073e351816d05a00c7aefe2326501d23394d76ddfeb1165510c55cf5f33618894a19c1438cfe9cc8d1380c6c7f03457c4613583a65b949d6aa32abbcd92b

  • SSDEEP

    6144:jxnYL4aKM8mJDjpkm7Rk0Lc6O22Da2ib6lzlkBb:jxgVNJDjum9kr6iuC8

Malware Config

Signatures

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

  • Blocklisted process makes network request (2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\p.ps1
    • Blocklisted process makes network request
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:3268
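
The only process in the tree is powershell.exe launched with -ExecutionPolicy bypass on a script in the user's Temp directory. Below is an added detection example (not part of the sandbox report) that normalises powershell.exe command lines and flags that launch pattern over constructed process-creation events; the sample events are made up for the example, with PID 3268 mirroring the command line recorded above. It also handles the abbreviated switches powershell.exe accepts (-ep, -ex, -f, -w, -nop, -e/-ec), which is how real tradecraft usually writes them.

```python
import re
import shlex

# Constructed process-creation events (not from the report). PID 3268 mirrors the command
# line the sandbox recorded; the others are hypothetical benign and malicious variants.
SAMPLE_EVENTS = [
    {"pid": 3268,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\p.ps1"},
    {"pid": 4120,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ep ByPass -nop -w hidden -f C:\Users\Admin\Downloads\x.ps1"},
    {"pid": 5012,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -NoProfile -File "C:\Program Files\Vendor\update.ps1"'},
    {"pid": 6100,
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
]

# Directories an unprivileged user can write to; a script launched from one deserves a look.
USER_WRITABLE = re.compile(
    r"\\(AppData\\Local\\Temp|Downloads|Public|Temp|ProgramData)\\", re.IGNORECASE)


def _is_prefix_switch(switch, full, min_len):
    """powershell.exe accepts any unambiguous prefix of a parameter name (-ex, -exec, ...)."""
    return len(switch) >= min_len and full.startswith(switch)


def parse_powershell_cmdline(cmdline):
    """Tokenise a Windows command line and normalise the powershell.exe switches it carries."""
    tokens = shlex.split(cmdline, posix=False)  # keep backslashes and quotes as Windows would
    info = {"exec_policy": None, "script": None, "hidden": False,
            "noprofile": False, "encoded": False}
    i = 1  # skip the executable name
    while i < len(tokens):
        tok = tokens[i]
        nxt = tokens[i + 1].strip('"\'') if i + 1 < len(tokens) else ""
        if tok[:1] not in ("-", "/"):
            i += 1
            continue
        sw = tok[1:].lower()
        if sw == "ep" or _is_prefix_switch(sw, "executionpolicy", 2):
            info["exec_policy"] = nxt.lower()
            i += 2
        elif sw == "ec" or _is_prefix_switch(sw, "encodedcommand", 1):
            info["encoded"] = True
            i += 2
        elif _is_prefix_switch(sw, "file", 1):
            info["script"] = nxt
            i += 2
        elif _is_prefix_switch(sw, "windowstyle", 1):
            info["hidden"] = nxt.lower() == "hidden"
            i += 2
        elif _is_prefix_switch(sw, "noprofile", 3):
            info["noprofile"] = True
            i += 1
        else:
            i += 1
    return info


def assess_event(event):
    """Return the reasons an event resembles the observed launch, or [] if nothing tripped."""
    exe = event["image"].rsplit("\\", 1)[-1].lower()
    if exe not in ("powershell.exe", "pwsh.exe"):
        return []
    info = parse_powershell_cmdline(event["cmdline"])
    reasons = []
    if info["exec_policy"] in ("bypass", "unrestricted"):
        reasons.append("execution policy " + info["exec_policy"])
    if info["script"] and USER_WRITABLE.search(info["script"]):
        reasons.append("script from user-writable path: " + info["script"])
    if info["hidden"]:
        reasons.append("hidden window")
    if info["encoded"]:
        reasons.append("encoded command")
    return reasons


def scan(events):
    """Map PID -> reasons for every event that trips at least one rule."""
    flagged = {}
    for event in events:
        reasons = assess_event(event)
        if reasons:
            flagged[event["pid"]] = reasons
    return flagged


if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_EVENTS).items():
        print(pid, "->", "; ".join(reasons))
```

The execution-policy check alone is noisy in environments where admins script with -ep bypass; the combination with a script path under Temp or Downloads is what makes this launch worth an alert, which is why the rule reports every reason rather than a single verdict.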

Network

MITRE ATT&CK Matrix

Downloads

  • memory/3268-135-0x00007FFB3D400000-0x00007FFB3DEC1000-memory.dmp
    Filesize

    10.8MB

  • memory/3268-136-0x0000027BEA3F0000-0x0000027BEA412000-memory.dmp
    Filesize

    136KB

  • memory/3268-137-0x0000027BEA620000-0x0000027BEA664000-memory.dmp
    Filesize

    272KB

  • memory/3268-138-0x0000027BEA6B0000-0x0000027BEA73B000-memory.dmp
    Filesize

    556KB

  • memory/3268-139-0x00007FFB3D400000-0x00007FFB3DEC1000-memory.dmp
    Filesize

    10.8MB

  • memory/3268-140-0x0000027BEA620000-0x0000027BEA664000-memory.dmp
    Filesize

    272KB
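
The dump names above encode the PID, a sequence number and the virtual address range of each region. As an added example (not part of the report), the script below parses those names, recomputes each region's size from its addresses, checks it against the listed Filesize, and groups repeated captures of the same range so the six files collapse to the four distinct regions they actually cover. The image-range/private-range labelling is a heuristic of this example, not something the report states.

```python
import re
from collections import OrderedDict

# Dump names and listed sizes copied from the Downloads list above.
DUMPS = [
    ("memory/3268-135-0x00007FFB3D400000-0x00007FFB3DEC1000-memory.dmp", "10.8MB"),
    ("memory/3268-136-0x0000027BEA3F0000-0x0000027BEA412000-memory.dmp", "136KB"),
    ("memory/3268-137-0x0000027BEA620000-0x0000027BEA664000-memory.dmp", "272KB"),
    ("memory/3268-138-0x0000027BEA6B0000-0x0000027BEA73B000-memory.dmp", "556KB"),
    ("memory/3268-139-0x00007FFB3D400000-0x00007FFB3DEC1000-memory.dmp", "10.8MB"),
    ("memory/3268-140-0x0000027BEA620000-0x0000027BEA664000-memory.dmp", "272KB"),
]

NAME_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp")
PAGE = 0x1000
# Heuristic assumption for this example: on x64 Windows the 0x00007FF... area is where
# system DLLs are typically mapped, while ranges like 0x0000027B... are private allocations.
HIGH_IMAGE_FLOOR = 0x7FF000000000


def parse_dump_name(name):
    """Split a dump file name into pid, sequence number and address range."""
    m = NAME_RE.fullmatch(name)
    if not m:
        raise ValueError("unexpected dump name: " + name)
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError("end before start in " + name)
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def format_size(n):
    """Match the report's formatting: whole KB for small regions, one-decimal MB above 1 MiB."""
    if n >= 1 << 20:
        return "%.1fMB" % (n / (1 << 20))
    return "%dKB" % (n // 1024)


def classify(region):
    """Label the region by address range and flag anything that is not page aligned."""
    aligned = region["start"] % PAGE == 0 and region["end"] % PAGE == 0
    kind = "image-range" if region["start"] >= HIGH_IMAGE_FLOOR else "private-range"
    return kind if aligned else kind + " (not page aligned)"


def summarize(dumps):
    """Group dumps by (pid, start, end) and return one record per distinct region."""
    regions = OrderedDict()
    for name, listed in dumps:
        r = parse_dump_name(name)
        key = (r["pid"], r["start"], r["end"])
        rec = regions.setdefault(key, {
            "pid": r["pid"], "start": r["start"], "end": r["end"], "size": r["size"],
            "seqs": [], "listed": set(), "kind": classify(r)})
        rec["seqs"].append(r["seq"])
        rec["listed"].add(listed)
    for rec in regions.values():
        rec["size_matches"] = rec["listed"] == {format_size(rec["size"])}
        rec["dumped_times"] = len(rec["seqs"])
    return list(regions.values())


if __name__ == "__main__":
    for rec in summarize(DUMPS):
        print("pid %d %#x-%#x %9d bytes (%s) dumped %dx seqs=%s %s size_ok=%s" % (
            rec["pid"], rec["start"], rec["end"], rec["size"], format_size(rec["size"]),
            rec["dumped_times"], rec["seqs"], rec["kind"], rec["size_matches"]))
```

For triage this tells you which dumps are redundant (135/139 and 137/140 are re-captures of the same ranges) and that the 10.8MB high-address region is large enough to be a mapped module rather than a shellcode stub, so the three smaller private regions are the ones to carve and scan first.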