Overview

overview

10

Static

static

1

3c2d4318fb...be.ps1

windows7-x64

10

3c2d4318fb...be.ps1

windows10-2004-x64

10

Analysis

  • max time kernel
    134s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20230712-en
  • resource tags

    arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
  • submitted
    04/08/2023, 02:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3c2d4318fbd93cb361d2f1553e6d8f6ff731211bdd18a9edd1ae1e165530bbbe.ps1

  • Size

    5KB

  • MD5

    6250ecde862528d5f12788e076043c30

  • SHA1

    7c3beadfe2557c8e97ff76c27ca4c7368deddb6b

  • SHA256

    3c2d4318fbd93cb361d2f1553e6d8f6ff731211bdd18a9edd1ae1e165530bbbe

  • SHA512

    ba01edc3969ffd3c88f64f3919e6fa683bf8ba580b7aa1c600eb9d0080ecfa14c180e79db19c34d4b38e16eb0499d59c9155593ff29f035015caa5f751efaa4a

  • SSDEEP

    96:lg5EvvvOmVeLxigxAlaTTlXP9rZBS0BEB6qaxA0l8cV0l8:OyvOPLxfxsIFrZBS0BEB6nrP6a

Score
10/10
cobaltstrikebackdoortrojan

Malware Config

Extracted

Family

cobaltstrike

C2

http://192.168.25.139:80/jquery-3.3.2.slim.min.js

Attributes
  • user_agent

    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Referer: http://code.jquery.com/ Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko

Signatures

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

    trojanbackdoorcobaltstrike
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\3c2d4318fbd93cb361d2f1553e6d8f6ff731211bdd18a9edd1ae1e165530bbbe.ps1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2312

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2312-58-0x000000001B1F0000-0x000000001B4D2000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2312-59-0x0000000002210000-0x0000000002218000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2312-60-0x000007FEF5CD0000-0x000007FEF666D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2312-61-0x0000000002340000-0x00000000023C0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2312-62-0x000007FEF5CD0000-0x000007FEF666D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2312-63-0x0000000002340000-0x00000000023C0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2312-64-0x0000000002340000-0x00000000023C0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2312-65-0x00000000025A0000-0x00000000025A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2312-66-0x000007FEF5CD0000-0x000007FEF666D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2312-67-0x0000000002340000-0x00000000023C0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2312-68-0x0000000002340000-0x00000000023C0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2312-69-0x0000000002340000-0x00000000023C0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2312-70-0x0000000002340000-0x00000000023C0000-memory.dmp

    Filesize

    512KB

    Download