cobaltstrike | c1d4c69433dac5faf2886a5a1f8b1a55295d28ce7fde2451de7c3d0f19f5fc97

Resubmissions

09/12/2022, 19:51

max time kernel
99s
max time network
108s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
09/12/2022, 19:51

Target

wnjvejahaimreqt.ps1
Size

442KB
MD5

eeccb5f802dbc544e0b1031c0c6eda5d
SHA1

910e73ebafc8b9aa64086e7af85dc4602f5d5b81
SHA256

7cdf0263c3ce42e3ff3ea3c0a376e1aa1b0340dfc1e373f3c765a51a3a639be8
SHA512

94e5a372635db23de73a33140476dd4763142933b954c4bb40f9c64d5a9f0c4a899a47ec5ee649cb99b8a0d20bd89f38deb3f6cce6a3a8ca8cbb1fc1ae2836ae
SSDEEP

12288:kAV3T28nmgMkPGI4MpPBrCi1g05XlSTPg:kcTNnmspki1hx

Score

10^/10

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Blocklisted process makes network request 3 IoCs

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2544	powershell.exe
2544	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2544	powershell.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2544 wrote to memory of 4988	2544	powershell.exe	79
PID 2544 wrote to memory of 4988	2544	powershell.exe	79

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\wnjvejahaimreqt.ps1
1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2544
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5xtsdcux\5xtsdcux.cmdline"
  2⤵
  PID:4988

\??\c:\Users\Admin\AppData\Local\Temp\5xtsdcux\5xtsdcux.0.cs

Filesize
4KB

MD5
6485290f47c89045bd65ba6bb08dac02

SHA1
806f134a8da700eefd95ac582e8818a6d81c0e77

SHA256
9676a1ca833df6c21cad0f17d6bb9a28fa2d0abb8eed346a8c8f0e8a13ac61f6

SHA512
e6959d0cd42492d3c3376d9786db041330fefd2098f40588d7a379ccba8947491c71ffdcc7b09ccb2e2cb480d8d1b5bc3781f3620304af534f888664783fd4ef

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5xtsdcux\5xtsdcux.cmdline

Filesize
369B

MD5
b3646f1b003b4089ecfff91981b1e2ef

SHA1
260bc7fba433c9446114b192d21a2ab735b08887

SHA256
1c541d32a74db33aa6749de5e8af0a0bf36628629de34c33e51424d47b34abf1

SHA512
a54e175a5c576fb847beab21b9279474ccb5c2c976e86c45cfb2fbcc2bd2c0dc698ba038f7b061fb7a454a797bc89e0a4e0cd38036287cf07e0722e3540baab4

Download Submit
memory/2544-135-0x0000016EED230000-0x0000016EED252000-memory.dmp

Filesize
136KB

Download
memory/2544-139-0x00007FFB3D400000-0x00007FFB3DEC1000-memory.dmp

Filesize
10.8MB

Download
memory/2544-140-0x0000016EEFBC0000-0x0000016EEFC00000-memory.dmp

Filesize
256KB

Download
memory/2544-141-0x00007FFB3D400000-0x00007FFB3DEC1000-memory.dmp

Filesize
10.8MB

Download
memory/2544-142-0x0000016EEFBC0000-0x0000016EEFC00000-memory.dmp

Filesize
256KB

Download