Overview

overview

10

Static

static

1

ANQUAN.ps1

windows7-x64

10

ANQUAN.ps1

windows10-2004-x64

10

Analysis

  • max time kernel
    69s
  • max time network
    71s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    30-03-2023 00:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ANQUAN.ps1

  • Size

    26KB

  • MD5

    d223ac403e9ac14ae07b6edfeb018deb

  • SHA1

    9be80a8babb8d08d07a68d5b1d0018992fe402fe

  • SHA256

    7cf3379bd4c558c88f9a6e7b5aa6cda3aa9ba4289148e8ca6b0b55f378cd612e

  • SHA512

    badab4bde445dd7231dc8995509c57cf4afc28d70627b1d199897f37ef59966e05f9c43d10750a439a842a463c4180d23a600fba3d6002ab77da5ca23d0b521e

  • SSDEEP

    384:/IAUl9V5xJCdNz6etOzzodsGeE3WdbSU0jRArxJDZF6boFUUC7+v6fCUqqgCENqn:gAUjKz6r5GeW+bOoCvK/imC6YEaxP

Score
10/10
cobaltstrikebackdoortrojan

Malware Config

Extracted

Family

cobaltstrike

C2

http://43.136.14.33:50001/GSmV

Attributes
  • user_agent

    User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; UHS)

Signatures

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

    trojanbackdoorcobaltstrike
  • Blocklisted process makes network request 20 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\ANQUAN.ps1
    1⤵
    • Blocklisted process makes network request
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1992

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1992-58-0x000000001B280000-0x000000001B562000-memory.dmp
    Filesize

    2.9MB

    Download
  • memory/1992-59-0x0000000002310000-0x0000000002318000-memory.dmp
    Filesize

    32KB

    Download
  • memory/1992-60-0x0000000002500000-0x0000000002580000-memory.dmp
    Filesize

    512KB

    Download
  • memory/1992-61-0x0000000002500000-0x0000000002580000-memory.dmp
    Filesize

    512KB

    Download
  • memory/1992-62-0x0000000002500000-0x0000000002580000-memory.dmp
    Filesize

    512KB

    Download
  • memory/1992-63-0x0000000002500000-0x0000000002580000-memory.dmp
    Filesize

    512KB

    Download
  • memory/1992-64-0x00000000028D0000-0x00000000028D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-65-0x0000000002500000-0x0000000002580000-memory.dmp
    Filesize

    512KB

    Download
  • memory/1992-66-0x0000000002500000-0x0000000002580000-memory.dmp
    Filesize

    512KB

    Download