Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

cs.ps1

windows7-x64

10

cs.ps1

windows10-2004-x64

10

Analysis

  • max time kernel
    139s
  • max time network
    162s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17/03/2023, 11:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cs.ps1

  • Size

    6KB

  • MD5

    2d14fc0abc9432b32d79353b89b9c294

  • SHA1

    726b03c1667004bebd77f20d7090fa7b3954721a

  • SHA256

    da69111d0ba32fa46dfcf6dbb30d672d39bf5794951f5c4d69fb378eda4bd1ff

  • SHA512

    182f9a7fd862f67c1146309c59e72ab634be64c6d3dcd532efd9ac07b0eba100c90d3ea1b4dd51f0902e4c9d14f51620baa03208e23a66a4a97027f773a4cb5a

  • SSDEEP

    192:+9iMvwGTCLLmuq3WoR8XycmA4gMrxYjxs+wA9zzL:+YMvNCLeWuUycmA4gMrxYVs+wA9zzL

Score
10/10
cobaltstrikemetasploit987654321backdoortrojan

Malware Config

Extracted

Family

metasploit

Version

windows/download_exec

C2

http://45.83.122.166:8080/4YWx

Extracted

Family

cobaltstrike

Botnet

987654321

C2

http://hpsj.firewall-gateway.net:8080/j.ad

Attributes
  • access_type

    512

  • beacon_type

    2048

  • host

    hpsj.firewall-gateway.net,/j.ad

  • http_header1

    AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_header2

    AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_method1

    GET

  • http_method2

    POST

  • polling_time

    60000

  • port_number

    8080

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDA7XmfBGIqxq0ZAjbo1mvjRrLTz1kqnx3Y0IdHHMDbn1WD7VJz+lCRpWJ2OlsANQC9jVg0eiyxn6I+ZU0r0zFSOcMytDQLVzvia73nfDGwly091GLmpYfmC8ChGLu+bGPDvpLPRM0vXtR6Xo64j4Fy8OwpVtmjxJTL/Zgnp3IriwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4096

  • unknown2

    AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /submit.php

  • user_agent

    Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; NP06)

  • watermark

    987654321

Signatures

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

    trojanbackdoorcobaltstrike
  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit
  • Blocklisted process makes network request 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\cs.ps1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1916
    • \??\c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
      "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1304

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
    Filesize

    53KB

    MD5

    93678e82d776686aa54c42b8a98e6cbc

    SHA1

    802939dfed99ac74814c4371388b204c5810241d

    SHA256

    da32a79a8e04cbafb1c5980b3d6225f4705010df5eb45d464cd5bf6b642d7841

    SHA512

    0b412a1e11c0639d72f6a58c661ecc43da021c010c4d1e66051c5a376ebab287480bbf663345c9bd2a79ec3a35a9788cf04d74d612449f76fe2c87576cd13520

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cdzy351z.ssa.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • memory/1304-164-0x0000000004700000-0x0000000004710000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1304-177-0x0000000006620000-0x0000000006A20000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/1304-178-0x0000000005BC0000-0x0000000005C01000-memory.dmp

    Filesize

    260KB

    Download

  • memory/1304-176-0x0000000005C20000-0x0000000005C22000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1304-175-0x0000000006490000-0x0000000006491000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1304-148-0x0000000002200000-0x0000000002236000-memory.dmp

    Filesize

    216KB

    Download

  • memory/1304-149-0x0000000004700000-0x0000000004710000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1304-150-0x0000000004700000-0x0000000004710000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1304-151-0x0000000004D40000-0x0000000005368000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/1304-152-0x0000000004C80000-0x0000000004CA2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1304-158-0x00000000053E0000-0x0000000005446000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1304-174-0x0000000006150000-0x000000000616A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1304-173-0x0000000006A70000-0x00000000070EA000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/1304-172-0x0000000004700000-0x0000000004710000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1304-159-0x0000000005500000-0x0000000005566000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1304-170-0x0000000004700000-0x0000000004710000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1304-168-0x0000000005BA0000-0x0000000005BBE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1304-169-0x0000000004700000-0x0000000004710000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1916-167-0x00000214EACB0000-0x00000214EACC0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1916-143-0x00000214EACB0000-0x00000214EACC0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1916-144-0x00000214EACB0000-0x00000214EACC0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1916-166-0x00000214EACB0000-0x00000214EACC0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1916-147-0x00000214ECC60000-0x00000214ECE6A000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1916-146-0x00000214EC8D0000-0x00000214ECA46000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/1916-165-0x00000214EACB0000-0x00000214EACC0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1916-145-0x00000214EACB0000-0x00000214EACC0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1916-142-0x00000214EA780000-0x00000214EA7A2000-memory.dmp

    Filesize

    136KB

    Download