Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

26570ab9f4...ad.ps1

windows7-x64

10

26570ab9f4...ad.ps1

windows10-2004-x64

1

Analysis

  • max time kernel
    148s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    21/03/2023, 14:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    26570ab9f442065765270e47672f1c486173fced5d1a4b32d4e4997fec9e58ad.ps1

  • Size

    293KB

  • MD5

    049cfba6fd3c0b5b4552916969d1dbec

  • SHA1

    ab3fbce5743b8ce24be1639a8cb802ffc217e8e9

  • SHA256

    26570ab9f442065765270e47672f1c486173fced5d1a4b32d4e4997fec9e58ad

  • SHA512

    55684784efa5eb21eca358f7603c223927d938da4bcc14270108ec9b1d0e71bdfb99c570097e2a27ba79fb843d164c3d2b3b6f2f9b0bd3832cf8e2e4a42d774e

  • SSDEEP

    6144:2ER6mHX+TmLD4eyg16i3RJ3rFI8kHMSTpbJN4aXsxGQZ0:2sr4ey7ihFFI3HTr/Xw0

Score
10/10
cobaltstrike391144938backdoortrojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

391144938

C2

http://b7r.duckdns.org:443/g.pixel

Attributes
  • access_type

    512

  • beacon_type

    2048

  • host

    b7r.duckdns.org,/g.pixel

  • http_header1

    AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_header2

    AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_method1

    GET

  • http_method2

    POST

  • polling_time

    60000

  • port_number

    443

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCVW56XGpbj8qtiqp+9VElpMZo7uTvjGtVF8u4N//Lu2iiPRjAGAh/TRtYH8DN5YTHi04jD+vdqhPt5OiT+T4cqtbpydJD3GU6qXAZfHQ1GkXCTIpaqbQ1TYj4J7Rgmc8kHJq1aiFMuYpT/ewweAnBob2/lyeMEGoG1Ymo671/pqQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4096

  • unknown2

    AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /submit.php

  • user_agent

    Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0; MASAJS)

  • watermark

    391144938

Signatures

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

    trojanbackdoorcobaltstrike
  • Blocklisted process makes network request 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\26570ab9f442065765270e47672f1c486173fced5d1a4b32d4e4997fec9e58ad.ps1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2004
    • \??\c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
      "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -s -NoLogo -NoProfile
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:696

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7YHCV59T8BKX4UHHLL2U.temp
    Filesize

    7KB

    MD5

    b3a119c5e3ddd85b03312a9ad266a0bc

    SHA1

    bc3b671e7d0762e7523e16fd2d8a329dffe3172f

    SHA256

    fa786311df4d018d1a654bde74aaf1b77470142e5d75bf07fea3f7c8fbb08242

    SHA512

    6452fdc1a41f03a087eda6073d6263e6a451a53d3c289da000284000ae77e9a5fd101504a5627894ba29adce09c5a5db13f04d4bde88e47c07e0bfe446263d65

    Download Submit

  • memory/696-71-0x0000000005230000-0x0000000005271000-memory.dmp

    Filesize

    260KB

    Download

  • memory/696-70-0x0000000004D50000-0x0000000004D87000-memory.dmp

    Filesize

    220KB

    Download

  • memory/696-77-0x0000000005230000-0x0000000005271000-memory.dmp

    Filesize

    260KB

    Download

  • memory/696-76-0x00000000055D0000-0x00000000055D2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/696-69-0x00000000023A0000-0x00000000023E0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/696-68-0x00000000023A0000-0x00000000023E0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2004-64-0x0000000002850000-0x00000000028D0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2004-59-0x0000000002290000-0x0000000002298000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2004-60-0x000000001B0C0000-0x000000001B0F2000-memory.dmp

    Filesize

    200KB

    Download

  • memory/2004-65-0x0000000002850000-0x00000000028D0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2004-63-0x0000000002850000-0x00000000028D0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2004-58-0x000000001B1D0000-0x000000001B4B2000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2004-72-0x0000000002850000-0x00000000028D0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2004-73-0x0000000002850000-0x00000000028D0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2004-74-0x0000000002850000-0x00000000028D0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2004-75-0x0000000002850000-0x00000000028D0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2004-62-0x0000000002850000-0x00000000028D0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2004-61-0x000000001B0C0000-0x000000001B0F2000-memory.dmp

    Filesize

    200KB

    Download