Analysis
-
max time kernel
141s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
28-03-2023 00:43
Behavioral task
behavioral1
Sample
forceupdate.ps1
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
forceupdate.ps1
Resource
win10v2004-20230220-en
General
-
Target
forceupdate.ps1
-
Size
362KB
-
MD5
d5f97080d18501e8ff17c66abf8c861e
-
SHA1
1ffd3d939051e102da6607fc01dd994ce87e1125
-
SHA256
dcc481b5bdd6f0d48d0e8d36d50404628f905b7ccb15ad844658669747c02bfa
-
SHA512
83ef8622d5b4d02a602acc327b840b56366efc5002f9ab810dd0c01ff9e5ce1602bfdc5a55e206afb85361fd027a31e4b3f6d419a72e2ddd4f2e29383aa0e8c9
-
SSDEEP
6144:vRnnz2AHVD16Sn+KlopY07hFo8jcNHKCd1re83NXsalyKq6LAd:Bn6KPoKATzaK7KNXT06LAd
Malware Config
Extracted
cobaltstrike
674054486
http://voiceinfosys.net:80/es
-
access_type
512
-
host
voiceinfosys.net,/es
-
http_header1
AAAAEAAAABZIb3N0OiB2b2ljZWluZm9zeXMubmV0AAAACgAAABFDb25uZWN0aW9uOiBjbG9zZQAAAAoAAAASQWNjZXB0OiBpbWFnZS9qcGVnAAAABwAAAAAAAAALAAAAAwAAAAIAAAAUd29yZHByZXNzX2xvZ2dlZF9pbj0AAAAGAAAABkNvb2tpZQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_header2
AAAAEAAAABZIb3N0OiB2b2ljZWluZm9zeXMubmV0AAAACgAAABFDb25uZWN0aW9uOiBjbG9zZQAAAAoAAAAYQ29udGVudC1UeXBlOiB0ZXh0L3BsYWluAAAABwAAAAEAAAANAAAAAwAAAAQAAAAHAAAAAAAAAAMAAAACAAAADl9fc2Vzc2lvbl9faWQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_method1
GET
-
http_method2
POST
-
jitter
11008
-
polling_time
58716
-
port_number
80
-
sc_process32
%windir%\syswow64\runonce.exe
-
sc_process64
%windir%\sysnative\runonce.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCaznbxNcZ0dXD4A3zagH1WOETphSlB8n6ESc9JXFKJjJnRMNtkv3xmhMwY6UC1e51klf5h1MjpT3aRKsd+6wWYNcS+RpVjqVf50rpkGmDnEAXl7WiRM7dtdSNqIGPfEoM8fQRYu5BGqQS65JvmOxEZ078DO4X/qez/F+XGq/kkwwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
4.272630272e+09
-
unknown2
AAAABAAAAAIAAAFSAAAAAwAAAAsAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/af
-
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246
-
watermark
674054486
Signatures
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Blocklisted process makes network request 4 IoCs
Processes:
powershell.exeflow pid process 13 3372 powershell.exe 26 3372 powershell.exe 46 3372 powershell.exe 47 3372 powershell.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
powershell.exepid process 3372 powershell.exe 3372 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid process Token: SeDebugPrivilege 3372 powershell.exe
Processes
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_p0wbbkfa.dv3.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
memory/3372-133-0x0000026670340000-0x0000026670350000-memory.dmpFilesize
64KB
-
memory/3372-134-0x0000026670340000-0x0000026670350000-memory.dmpFilesize
64KB
-
memory/3372-140-0x0000026654F00000-0x0000026654F22000-memory.dmpFilesize
136KB
-
memory/3372-145-0x0000026670340000-0x0000026670350000-memory.dmpFilesize
64KB
-
memory/3372-146-0x0000026673390000-0x0000026673414000-memory.dmpFilesize
528KB
-
memory/3372-147-0x0000026673340000-0x0000026673384000-memory.dmpFilesize
272KB
-
memory/3372-148-0x0000026673350000-0x0000026673352000-memory.dmpFilesize
8KB
-
memory/3372-149-0x0000026670340000-0x0000026670350000-memory.dmpFilesize
64KB
-
memory/3372-150-0x0000026670340000-0x0000026670350000-memory.dmpFilesize
64KB
-
memory/3372-151-0x0000026670340000-0x0000026670350000-memory.dmpFilesize
64KB
-
memory/3372-152-0x0000026673340000-0x0000026673384000-memory.dmpFilesize
272KB