Analysis
-
max time kernel
150s -
max time network
155s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
21-03-2023 14:33
Static task
static1
Behavioral task
behavioral1
Sample
09094ed7deb2b722d47c888b47bc8d71b33355e5052b6e42621e4e98642e7ea9.ps1
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
09094ed7deb2b722d47c888b47bc8d71b33355e5052b6e42621e4e98642e7ea9.ps1
Resource
win10v2004-20230220-en
General
-
Target
09094ed7deb2b722d47c888b47bc8d71b33355e5052b6e42621e4e98642e7ea9.ps1
-
Size
363KB
-
MD5
80e2da1c20715a24e2cffda025879bb2
-
SHA1
886a5a3f2a375458e332b7f667a4cc2c36f6a989
-
SHA256
09094ed7deb2b722d47c888b47bc8d71b33355e5052b6e42621e4e98642e7ea9
-
SHA512
69b973d54cdfc842f32fa184211113c3ae93f5a5eb163c6d4997148998077d94add60d96243c1dd18a5e6bdbb858da50481e2ef866082d7ea5398dadbd4cb1a7
-
SSDEEP
6144:8Znnz2AHVD16Sn+KlfYY07hFo8jcNHKIS0MNd1re83NXsaly5q6LAV:8Rn6KPfvATzaKIS0TKNXT56LAV
Malware Config
Extracted
cobaltstrike
987654321
http://kihurij.com:443/Demo/Internet/FT2F740QMYJ
-
access_type
512
-
beacon_type
2048
-
host
kihurij.com,/Demo/Internet/FT2F740QMYJ
-
http_header1
AAAACgAAADhBY2NlcHQ6IGFwcGxpY2F0aW9uL2pzb24sIGFwcGxpY2F0aW9uL3hodG1sK3htbCwgaW1hZ2UvKgAAAAoAAAAWQWNjZXB0LUxhbmd1YWdlOiBlbi1pZQAAAAoAAAAfQWNjZXB0LUVuY29kaW5nOiBnemlwLCBpZGVudGl0eQAAAAcAAAAAAAAADwAAAAsAAAACAAAAI1NFU1NJT05JRF82QlBTMjFJOUZLSFJXMlFZRlhMMkZGMDU9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_header2
AAAACgAAADhBY2NlcHQ6IGFwcGxpY2F0aW9uL3hodG1sK3htbCwgaW1hZ2UvKiwgYXBwbGljYXRpb24vanNvbgAAAAoAAAAWQWNjZXB0LUxhbmd1YWdlOiBydS1tZAAAAAoAAAAjQWNjZXB0LUVuY29kaW5nOiBpZGVudGl0eSwgY29tcHJlc3MAAAAHAAAAAAAAAA8AAAANAAAABQAAAAlfQ1BLUEtTVFkAAAAHAAAAAQAAAA8AAAAIAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_method1
GET
-
http_method2
POST
-
jitter
12544
-
polling_time
5000
-
port_number
443
-
sc_process32
%windir%\syswow64\getmac.exe /V
-
sc_process64
%windir%\sysnative\getmac.exe /V
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCFpKj6wjeTv+jkvV2oKPV4oxmMWb/goJlnmx050yZrWRDPbb7kmST84pjx2qmD4N240vuPpIy3JzjfximH+OiBDmz1q6T2WrjeDJT9gcSbsyE857XflDEK73pqcmWPQyTLE4d2TaoqjExNiH0fG4h1aChr1NBa4bBCRyb4TsurxQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
8.72947712e+08
-
unknown2
AAAABAAAAAEAAASeAAAAAgAAA44AAAAIAAAADwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/Put/2003/WAIV922G69FS
-
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1
-
watermark
987654321
Signatures
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Blocklisted process makes network request 19 IoCs
Processes:
powershell.exeflow pid process 4 2008 powershell.exe 5 2008 powershell.exe 6 2008 powershell.exe 9 2008 powershell.exe 10 2008 powershell.exe 11 2008 powershell.exe 13 2008 powershell.exe 14 2008 powershell.exe 15 2008 powershell.exe 17 2008 powershell.exe 18 2008 powershell.exe 19 2008 powershell.exe 21 2008 powershell.exe 22 2008 powershell.exe 23 2008 powershell.exe 25 2008 powershell.exe 26 2008 powershell.exe 27 2008 powershell.exe 29 2008 powershell.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
powershell.exepid process 2008 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid process Token: SeDebugPrivilege 2008 powershell.exe
Processes
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\09094ed7deb2b722d47c888b47bc8d71b33355e5052b6e42621e4e98642e7ea9.ps11⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2008-58-0x000000001B470000-0x000000001B752000-memory.dmpFilesize
2.9MB
-
memory/2008-60-0x0000000001F90000-0x0000000001F98000-memory.dmpFilesize
32KB
-
memory/2008-61-0x0000000002880000-0x0000000002900000-memory.dmpFilesize
512KB
-
memory/2008-59-0x0000000002880000-0x0000000002900000-memory.dmpFilesize
512KB
-
memory/2008-62-0x0000000002880000-0x0000000002900000-memory.dmpFilesize
512KB
-
memory/2008-63-0x0000000002AE0000-0x0000000002B68000-memory.dmpFilesize
544KB
-
memory/2008-64-0x0000000002880000-0x0000000002900000-memory.dmpFilesize
512KB
-
memory/2008-65-0x0000000002A00000-0x0000000002A02000-memory.dmpFilesize
8KB
-
memory/2008-66-0x0000000002880000-0x0000000002900000-memory.dmpFilesize
512KB
-
memory/2008-68-0x0000000002880000-0x0000000002900000-memory.dmpFilesize
512KB
-
memory/2008-67-0x0000000002880000-0x0000000002900000-memory.dmpFilesize
512KB
-
memory/2008-69-0x0000000002880000-0x0000000002900000-memory.dmpFilesize
512KB