Overview

overview

10

Static

static

10

forceupdate.ps1

windows7-x64

10

forceupdate.ps1

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-03-2023 00:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    forceupdate.ps1

  • Size

    362KB

  • MD5

    d5f97080d18501e8ff17c66abf8c861e

  • SHA1

    1ffd3d939051e102da6607fc01dd994ce87e1125

  • SHA256

    dcc481b5bdd6f0d48d0e8d36d50404628f905b7ccb15ad844658669747c02bfa

  • SHA512

    83ef8622d5b4d02a602acc327b840b56366efc5002f9ab810dd0c01ff9e5ce1602bfdc5a55e206afb85361fd027a31e4b3f6d419a72e2ddd4f2e29383aa0e8c9

  • SSDEEP

    6144:vRnnz2AHVD16Sn+KlopY07hFo8jcNHKCd1re83NXsalyKq6LAd:Bn6KPoKATzaK7KNXT06LAd

Score
10/10
cobaltstrike674054486backdoortrojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

674054486

C2

http://voiceinfosys.net:80/es

Attributes
  • access_type

    512

  • host

    voiceinfosys.net,/es

  • http_header1

    AAAAEAAAABZIb3N0OiB2b2ljZWluZm9zeXMubmV0AAAACgAAABFDb25uZWN0aW9uOiBjbG9zZQAAAAoAAAASQWNjZXB0OiBpbWFnZS9qcGVnAAAABwAAAAAAAAALAAAAAwAAAAIAAAAUd29yZHByZXNzX2xvZ2dlZF9pbj0AAAAGAAAABkNvb2tpZQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_header2

    AAAAEAAAABZIb3N0OiB2b2ljZWluZm9zeXMubmV0AAAACgAAABFDb25uZWN0aW9uOiBjbG9zZQAAAAoAAAAYQ29udGVudC1UeXBlOiB0ZXh0L3BsYWluAAAABwAAAAEAAAANAAAAAwAAAAQAAAAHAAAAAAAAAAMAAAACAAAADl9fc2Vzc2lvbl9faWQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_method1

    GET

  • http_method2

    POST

  • jitter

    11008

  • polling_time

    58716

  • port_number

    80

  • sc_process32

    %windir%\syswow64\runonce.exe

  • sc_process64

    %windir%\sysnative\runonce.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCaznbxNcZ0dXD4A3zagH1WOETphSlB8n6ESc9JXFKJjJnRMNtkv3xmhMwY6UC1e51klf5h1MjpT3aRKsd+6wWYNcS+RpVjqVf50rpkGmDnEAXl7WiRM7dtdSNqIGPfEoM8fQRYu5BGqQS65JvmOxEZ078DO4X/qez/F+XGq/kkwwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4.272630272e+09

  • unknown2

    AAAABAAAAAIAAAFSAAAAAwAAAAsAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /af

  • user_agent

    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246

  • watermark

    674054486

Signatures

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

    trojanbackdoorcobaltstrike
  • Blocklisted process makes network request 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\forceupdate.ps1
    1⤵
    • Blocklisted process makes network request
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:3372

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_p0wbbkfa.dv3.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit
  • memory/3372-133-0x0000026670340000-0x0000026670350000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3372-134-0x0000026670340000-0x0000026670350000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3372-140-0x0000026654F00000-0x0000026654F22000-memory.dmp
    Filesize

    136KB

    Download
  • memory/3372-145-0x0000026670340000-0x0000026670350000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3372-146-0x0000026673390000-0x0000026673414000-memory.dmp
    Filesize

    528KB

    Download
  • memory/3372-147-0x0000026673340000-0x0000026673384000-memory.dmp
    Filesize

    272KB

    Download
  • memory/3372-148-0x0000026673350000-0x0000026673352000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3372-149-0x0000026670340000-0x0000026670350000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3372-150-0x0000026670340000-0x0000026670350000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3372-151-0x0000026670340000-0x0000026670350000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3372-152-0x0000026673340000-0x0000026673384000-memory.dmp
    Filesize

    272KB

    Download