Analysis
- max time kernel: 105s
- max time network: 145s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-03-2023 00:34
- Static task: static1
- Behavioral task: behavioral1
  - Sample: ANQUAN.ps1
  - Resource: win7-20230220-en
- Behavioral task: behavioral2
  - Sample: ANQUAN.ps1
  - Resource: win10v2004-20230220-en
General
- Target: ANQUAN.ps1
- Size: 26KB
- MD5: d223ac403e9ac14ae07b6edfeb018deb
- SHA1: 9be80a8babb8d08d07a68d5b1d0018992fe402fe
- SHA256: 7cf3379bd4c558c88f9a6e7b5aa6cda3aa9ba4289148e8ca6b0b55f378cd612e
- SHA512: badab4bde445dd7231dc8995509c57cf4afc28d70627b1d199897f37ef59966e05f9c43d10750a439a842a463c4180d23a600fba3d6002ab77da5ca23d0b521e
- SSDEEP: 384:/IAUl9V5xJCdNz6etOzzodsGeE3WdbSU0jRArxJDZF6boFUUC7+v6fCUqqgCENqn:gAUjKz6r5GeW+bOoCvK/imC6YEaxP
Malware Config
- Extracted: cobaltstrike
  - http://43.136.14.33:50001/GSmV
  - user_agent: User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; UHS)
Signatures
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
- Blocklisted process makes network request (10 IoCs)
  Processes:
    flow  pid   process
    10    3656  powershell.exe
    27    3656  powershell.exe
    28    3656  powershell.exe
    29    3656  powershell.exe
    30    3656  powershell.exe
    32    3656  powershell.exe
    34    3656  powershell.exe
    35    3656  powershell.exe
    39    3656  powershell.exe
    40    3656  powershell.exe
- Program crash (1 IoCs)
  Processes:
    pid   pid_target  process       target process
    5064  3656        WerFault.exe  powershell.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid   process
    3656  powershell.exe
    3656  powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  3656  powershell.exe
Processes
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\ANQUAN.ps1
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 3656 -s 1552
    - Program crash
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 480 -p 3656 -ip 3656
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_v3r0sucm.05t.ps1
  - Filesize: 60B
  - MD5: d17fe0a3f47be24a6453e9ef58c94641
  - SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  - SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  - SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- memory/3656-138-0x000001E6F6C00000-0x000001E6F6C22000-memory.dmp
  - Filesize: 136KB
- memory/3656-143-0x000001E6F7110000-0x000001E6F7120000-memory.dmp
  - Filesize: 64KB
- memory/3656-144-0x000001E6F7110000-0x000001E6F7120000-memory.dmp
  - Filesize: 64KB
- memory/3656-145-0x000001E6F53A0000-0x000001E6F53A1000-memory.dmp
  - Filesize: 4KB
- memory/3656-146-0x000001E6F7110000-0x000001E6F7120000-memory.dmp
  - Filesize: 64KB
- memory/3656-147-0x000001E6F7110000-0x000001E6F7120000-memory.dmp
  - Filesize: 64KB
- memory/3656-148-0x000001E6F7110000-0x000001E6F7120000-memory.dmp
  - Filesize: 64KB