Analysis
-
max time kernel
147s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
21-03-2023 14:33
Behavioral task
behavioral1
Sample
f404d26706ef08f01e7d08bd24e572c523085f2c07601390c42e64261bc6df98.ps1
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
f404d26706ef08f01e7d08bd24e572c523085f2c07601390c42e64261bc6df98.ps1
Resource
win10v2004-20230220-en
General
-
Target
f404d26706ef08f01e7d08bd24e572c523085f2c07601390c42e64261bc6df98.ps1
-
Size
279KB
-
MD5
8f96176279d6d78c3e40044939e028e6
-
SHA1
92b67e98138f65bbb6469afafb71cd49cde7a321
-
SHA256
f404d26706ef08f01e7d08bd24e572c523085f2c07601390c42e64261bc6df98
-
SHA512
252bbfa9101662d59101d0599665cb3d41b7138742987b4ed3d1ee7a611e91b172a45c0a41ad0ee7d3514be08b0a83e827717e300df71a9e35535cb9219418e4
-
SSDEEP
6144:oxzX5tk9wGd8b6JDuwgCNx88x/4eVU68RgRXswQqn:+/kp8b6JDzxoqg8xRXQu
Malware Config
Extracted
cobaltstrike
100000
http://152.89.196.245:6789/match
-
access_type
512
-
host
152.89.196.245,/match
-
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_method1
GET
-
http_method2
POST
-
polling_time
60000
-
port_number
6789
-
sc_process32
%windir%\syswow64\rundll32.exe
-
sc_process64
%windir%\sysnative\rundll32.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCGFu6deNj54GwQLP/gvk2IXPhruZshiQwL+BaZCmm7xzfvvedCsNPTMAP+e3/zIeWtvCIby0zsYFDuKnF38h/iLsx3/vugYI9OQgXer0XD6u2mw0uO2bTdGz17fVzT4rJwxJo5PcF3qf/SXprY5GtDWKYffr6NCSrsLFDS2oLpbwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
4096
-
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/submit.php
-
user_agent
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUSMSCOM)
-
watermark
100000
Signatures
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Blocklisted process makes network request 10 IoCs
Processes:
powershell.exeflow pid process 26 2024 powershell.exe 67 2024 powershell.exe 68 2024 powershell.exe 69 2024 powershell.exe 70 2024 powershell.exe 71 2024 powershell.exe 72 2024 powershell.exe 73 2024 powershell.exe 74 2024 powershell.exe 75 2024 powershell.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
powershell.exepowershell.exepid process 3768 powershell.exe 3768 powershell.exe 2024 powershell.exe 2024 powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
powershell.exepowershell.exedescription pid process Token: SeDebugPrivilege 3768 powershell.exe Token: SeDebugPrivilege 2024 powershell.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
powershell.exedescription pid process target process PID 3768 wrote to memory of 2024 3768 powershell.exe powershell.exe PID 3768 wrote to memory of 2024 3768 powershell.exe powershell.exe PID 3768 wrote to memory of 2024 3768 powershell.exe powershell.exe
Processes
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\f404d26706ef08f01e7d08bd24e572c523085f2c07601390c42e64261bc6df98.ps11⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\syswow64\windowspowershell\v1.0\powershell.exe"c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheFilesize
53KB
MD593678e82d776686aa54c42b8a98e6cbc
SHA1802939dfed99ac74814c4371388b204c5810241d
SHA256da32a79a8e04cbafb1c5980b3d6225f4705010df5eb45d464cd5bf6b642d7841
SHA5120b412a1e11c0639d72f6a58c661ecc43da021c010c4d1e66051c5a376ebab287480bbf663345c9bd2a79ec3a35a9788cf04d74d612449f76fe2c87576cd13520
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ebfbvcqq.053.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
memory/2024-168-0x0000000006990000-0x000000000700A000-memory.dmpFilesize
6.5MB
-
memory/2024-172-0x0000000006420000-0x000000000645E000-memory.dmpFilesize
248KB
-
memory/2024-177-0x00000000021A0000-0x00000000021B0000-memory.dmpFilesize
64KB
-
memory/2024-174-0x00000000021A0000-0x00000000021B0000-memory.dmpFilesize
64KB
-
memory/2024-173-0x00000000021A0000-0x00000000021B0000-memory.dmpFilesize
64KB
-
memory/2024-148-0x0000000002130000-0x0000000002166000-memory.dmpFilesize
216KB
-
memory/2024-149-0x0000000004BF0000-0x0000000005218000-memory.dmpFilesize
6.2MB
-
memory/2024-167-0x0000000005B70000-0x0000000005B8E000-memory.dmpFilesize
120KB
-
memory/2024-151-0x00000000021A0000-0x00000000021B0000-memory.dmpFilesize
64KB
-
memory/2024-152-0x0000000004B80000-0x0000000004BA2000-memory.dmpFilesize
136KB
-
memory/2024-153-0x0000000005290000-0x00000000052F6000-memory.dmpFilesize
408KB
-
memory/2024-154-0x0000000005300000-0x0000000005366000-memory.dmpFilesize
408KB
-
memory/2024-171-0x00000000063E0000-0x0000000006414000-memory.dmpFilesize
208KB
-
memory/2024-169-0x00000000060B0000-0x00000000060CA000-memory.dmpFilesize
104KB
-
memory/2024-150-0x00000000021A0000-0x00000000021B0000-memory.dmpFilesize
64KB
-
memory/3768-165-0x0000026FA3430000-0x0000026FA3440000-memory.dmpFilesize
64KB
-
memory/3768-139-0x0000026FA3430000-0x0000026FA3440000-memory.dmpFilesize
64KB
-
memory/3768-147-0x0000026FA4990000-0x0000026FA4B9A000-memory.dmpFilesize
2.0MB
-
memory/3768-170-0x0000026FA3430000-0x0000026FA3440000-memory.dmpFilesize
64KB
-
memory/3768-145-0x0000026FA3430000-0x0000026FA3440000-memory.dmpFilesize
64KB
-
memory/3768-140-0x0000026FA3430000-0x0000026FA3440000-memory.dmpFilesize
64KB
-
memory/3768-166-0x0000026FA3430000-0x0000026FA3440000-memory.dmpFilesize
64KB
-
memory/3768-146-0x0000026FA4600000-0x0000026FA4776000-memory.dmpFilesize
1.5MB
-
memory/3768-160-0x0000026FA3F30000-0x0000026FA414C000-memory.dmpFilesize
2.1MB
-
memory/3768-133-0x0000026F8AE10000-0x0000026F8AE32000-memory.dmpFilesize
136KB