Overview

overview

10

Static

static

1

ANQUAN.ps1

windows7-x64

10

ANQUAN.ps1

windows10-2004-x64

10

Analysis

  • max time kernel
    105s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-03-2023 00:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ANQUAN.ps1

  • Size

    26KB

  • MD5

    d223ac403e9ac14ae07b6edfeb018deb

  • SHA1

    9be80a8babb8d08d07a68d5b1d0018992fe402fe

  • SHA256

    7cf3379bd4c558c88f9a6e7b5aa6cda3aa9ba4289148e8ca6b0b55f378cd612e

  • SHA512

    badab4bde445dd7231dc8995509c57cf4afc28d70627b1d199897f37ef59966e05f9c43d10750a439a842a463c4180d23a600fba3d6002ab77da5ca23d0b521e

  • SSDEEP

    384:/IAUl9V5xJCdNz6etOzzodsGeE3WdbSU0jRArxJDZF6boFUUC7+v6fCUqqgCENqn:gAUjKz6r5GeW+bOoCvK/imC6YEaxP

Score
10/10
cobaltstrikebackdoortrojan

Malware Config

Extracted

Family

cobaltstrike

C2

http://43.136.14.33:50001/GSmV

Attributes
  • user_agent

    User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; UHS)

Signatures

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

    trojanbackdoorcobaltstrike
  • Blocklisted process makes network request 10 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\ANQUAN.ps1
    1⤵
    • Blocklisted process makes network request
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:3656
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 3656 -s 1552
      2⤵
      • Program crash
      PID:5064
  • C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -pss -s 480 -p 3656 -ip 3656
    1⤵
      PID:3716

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_v3r0sucm.05t.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit
    • memory/3656-138-0x000001E6F6C00000-0x000001E6F6C22000-memory.dmp
      Filesize

      136KB

      Download
    • memory/3656-143-0x000001E6F7110000-0x000001E6F7120000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3656-144-0x000001E6F7110000-0x000001E6F7120000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3656-145-0x000001E6F53A0000-0x000001E6F53A1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3656-146-0x000001E6F7110000-0x000001E6F7120000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3656-147-0x000001E6F7110000-0x000001E6F7120000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3656-148-0x000001E6F7110000-0x000001E6F7120000-memory.dmp
      Filesize

      64KB

      Download