Analysis

max time kernel: 145s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-04-2023 22:01

Behavioral task behavioral1
Sample: cs.ps1
Resource: win7-20230220-en

Behavioral task behavioral2
Sample: cs.ps1
Resource: win10v2004-20230220-en
General

Target: cs.ps1
Size: 224KB
MD5: fe23dd4aca8501992dc0bf752173fec5
SHA1: 0b89835536671fd7c983e88547dedca313aff065
SHA256: 5c3fc55388967216e5eda977151f0f85c5456124c4e98b08b0bafd83f4d023ff
SHA512: 0e0324217e479f6c0373575ac3695e4aa083b87bef4eb3003ba41f03ec076ccf68b047788162c268ff3bcf74f4b027ce97df4ccd56a20cf5a0748eb2754255a0
SSDEEP: 6144:qQKKwu8nhXHwYc7QgPj1LSaF1Pl+qtT4i8z9Bv2E0T:qKwdFS7QEX1d+q94PsEi
Malware Config

Extracted: cobaltstrike 100000 http://159.65.62.10:443/rs.js

access_type: 512
beacon_type: 2048
host: 159.65.62.10,/rs.js
http_header1: (not available)
http_header2: (not available)
http_method1: GET
http_method2: POST
jitter: 10496
polling_time: 60964
port_number: 443
sc_process32: %windir%\syswow64\regsvr32.exe
sc_process64: %windir%\sysnative\regsvr32.exe
state_machine: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCA8mnkk8UmUDunpetKUKs43ZhEnX4qr4SaxEMjNs6lBAJtrtkRAO5++OvmT0XevR2LTRQVlkEtqxxrx5GYrEgEg4Vejhv8ys8UuoxA2U4pt1OQdzB+VSg9RVgYiaZ0PVZ8KEPrTBohxRIRZRZvo2/TSo1lZGdaAKB36IfG/jMuXQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1: 3.445101824e+09
unknown2: AAAABAAAAAIAAANxAAAAAwAAAA8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri: /link
user_agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246
watermark: 100000
Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.

Blocklisted process makes network request (3 IoCs)
Processes:
flow  pid   process
3     4920  powershell.exe
34    4920  powershell.exe
47    4920  powershell.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
pid   process
4920  powershell.exe
4920  powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
description              pid   process
Token: SeDebugPrivilege  4920  powershell.exe
Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jmawtr0z.mnv.ps1
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4920-142-0x00000250F77E0000-0x00000250F7802000-memory.dmp
Filesize: 136KB

memory/4920-144-0x00000250F6BF0000-0x00000250F6C00000-memory.dmp
Filesize: 64KB

memory/4920-143-0x00000250F6BF0000-0x00000250F6C00000-memory.dmp
Filesize: 64KB

memory/4920-145-0x00000250F6BF0000-0x00000250F6C00000-memory.dmp
Filesize: 64KB

memory/4920-146-0x00000250F83D0000-0x00000250F8453000-memory.dmp
Filesize: 524KB

memory/4920-147-0x00000250F8380000-0x00000250F83C1000-memory.dmp
Filesize: 260KB

memory/4920-148-0x00000250F6BF0000-0x00000250F6C00000-memory.dmp
Filesize: 64KB

memory/4920-149-0x00000250F6BF0000-0x00000250F6C00000-memory.dmp
Filesize: 64KB

memory/4920-150-0x00000250F6BF0000-0x00000250F6C00000-memory.dmp
Filesize: 64KB

memory/4920-151-0x00000250F8380000-0x00000250F83C1000-memory.dmp
Filesize: 260KB