Analysis
- max time kernel: 116s
- max time network: 112s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 11-02-2023 11:00
Static task: static1
Behavioral task: behavioral1
- Sample: 6c9810a08e35920f03730e06102a1e1639a57a2d652ecfeedca63fceef495837.ps1
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 6c9810a08e35920f03730e06102a1e1639a57a2d652ecfeedca63fceef495837.ps1
- Resource: win10v2004-20220812-en
General
- Target: 6c9810a08e35920f03730e06102a1e1639a57a2d652ecfeedca63fceef495837.ps1
- Size: 734KB
- MD5: 47d0a7d95e4e561dd8d46a60f55f7f8d
- SHA1: c285d3db58476c46aae8be6b731356ff13b6a478
- SHA256: 6c9810a08e35920f03730e06102a1e1639a57a2d652ecfeedca63fceef495837
- SHA512: 633b877b579024e5e36b99d133adde5c966d4d01915263be295456390ae523c5db4717359c1735d6fd73e3f84c3401bc7e67b414219cd6afb25d3bab23cc3917
- SSDEEP: 12288:FU1VYwPkT4LbcArB+rVqLq25s+tLsCN/FUaZ9kC2XmaKxNxhsY/4QI1IRm6SEWO7:rYIqcSd
Malware Config
Extracted: cobaltstrike
- 305419896
- http://117.50.189.147:90/ca
- access_type: 512
- host: 117.50.189.147,/ca
- http_header1: AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- http_header2: AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- http_method1: GET
- http_method2: POST
- maxdns: 255
- polling_time: 60000
- port_number: 90
- sc_process32: %windir%\syswow64\rundll32.exe
- sc_process64: %windir%\sysnative\rundll32.exe
- state_machine: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCYND7NsiktPrD/uDMM5S6C7cvFGmqR8iuKLt8lVUUU//Yoobu08NzywlsJ2hsGbs14VHXGUifaQr+gqRANCApl4tQxjmG6C9cZJVfB3y9WToeDqwczyuRTQi046lKr777YiiPYsNUC3aQriPMwKT/xCzs3AteG7fYZQ2TcrFRvewIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- unknown1: 4096
- unknown2: AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- uri: /submit.php
- user_agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
- watermark: 305419896
Signatures
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
- Blocklisted process makes network request (1 IoC)
  Processes (flow | pid | process):
  4 | 1516 | powershell.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid | process):
  1260 | powershell.exe
  1516 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description | pid | process):
  Token: SeDebugPrivilege | 1260 | powershell.exe
  Token: SeDebugPrivilege | 1516 | powershell.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description | pid | process | target process):
  PID 1260 wrote to memory of 1516 | 1260 | powershell.exe | powershell.exe
  PID 1260 wrote to memory of 1516 | 1260 | powershell.exe | powershell.exe
  PID 1260 wrote to memory of 1516 | 1260 | powershell.exe | powershell.exe
  PID 1260 wrote to memory of 1516 | 1260 | powershell.exe | powershell.exe
Processes
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (process tree depth 1)
  Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\6c9810a08e35920f03730e06102a1e1639a57a2d652ecfeedca63fceef495837.ps1
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - \??\c:\windows\syswow64\windowspowershell\v1.0\powershell.exe (process tree depth 2)
    Command line: "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -s -NoLogo -NoProfile
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/1260-54-0x000007FEFC001000-0x000007FEFC003000-memory.dmp (Filesize: 8KB)
- memory/1260-55-0x000007FEF4640000-0x000007FEF5063000-memory.dmp (Filesize: 10.1MB)
- memory/1260-57-0x0000000002914000-0x0000000002917000-memory.dmp (Filesize: 12KB)
- memory/1260-56-0x000007FEF38F0000-0x000007FEF444D000-memory.dmp (Filesize: 11.4MB)
- memory/1260-58-0x000000001B700000-0x000000001B9FF000-memory.dmp (Filesize: 3.0MB)
- memory/1260-59-0x000000000291B000-0x000000000293A000-memory.dmp (Filesize: 124KB)
- memory/1260-60-0x0000000002914000-0x0000000002917000-memory.dmp (Filesize: 12KB)
- memory/1516-61-0x0000000000000000-mapping.dmp
- memory/1516-62-0x0000000075AD1000-0x0000000075AD3000-memory.dmp (Filesize: 8KB)
- memory/1516-63-0x00000000737C0000-0x0000000073D6B000-memory.dmp (Filesize: 5.7MB)
- memory/1516-64-0x00000000737C0000-0x0000000073D6B000-memory.dmp (Filesize: 5.7MB)
- memory/1516-65-0x0000000004CA0000-0x0000000004CD3000-memory.dmp (Filesize: 204KB)
- memory/1516-66-0x0000000004CE0000-0x0000000004D1D000-memory.dmp (Filesize: 244KB)
- memory/1516-67-0x0000000004CE0000-0x0000000004D1D000-memory.dmp (Filesize: 244KB)