cobaltstrike | 1541b647ed27bf303b484186f9c7eeea232129f3dfa1588a594fefec0eff383a

Analysis

max time kernel
143s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
24/02/2024, 01:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2ff7e2095db12b529ddadeac322b24e1.ps1
Size

226KB
MD5

2ff7e2095db12b529ddadeac322b24e1
SHA1

c3268da74b314bb7c8d409e9a20de59743d08072
SHA256

1541b647ed27bf303b484186f9c7eeea232129f3dfa1588a594fefec0eff383a
SHA512

720fd709595be6e8646ebfc4684c3a482a89ce1c3ad50d0282486b32998b5bf9e26b19ae71fb0193c3806f551d69776055cad3b6f9057937c3fb87aa545bb9a8
SSDEEP

6144:v/n5fJKv7L6SzT9qQqtZg6VkOhTRWXtoIVX+e:vf5fJKDOJVhNPIZ+e

Score

10^/10

cobaltstrike 674054486 backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

674054486

http://91.238.181.238:1443/Validate/v10.6/W2GE3SC8

Attributes

access_type
512
beacon_type
2048
host
91.238.181.238,/Validate/v10.6/W2GE3SC8
http_header1
AAAACgAAADpBY2NlcHQ6IGFwcGxpY2F0aW9uL2pzb24sIHRleHQvaHRtbCwgYXBwbGljYXRpb24veGh0bWwreG1sAAAACgAAABNBY2NlcHQtTGFuZ3VhZ2U6IHhoAAAACgAAAB9BY2NlcHQtRW5jb2Rpbmc6IGNvbXByZXNzLCBnemlwAAAABwAAAAAAAAAPAAAADQAAAAIAAAAVc2VjdXJlX2lkX05DU1E0WkhPNVM9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAADJBY2NlcHQ6IGFwcGxpY2F0aW9uL3htbCwgYXBwbGljYXRpb24vanNvbiwgaW1hZ2UvKgAAAAoAAAAWQWNjZXB0LUxhbmd1YWdlOiBhci1lZwAAAAoAAAAZQWNjZXB0LUVuY29kaW5nOiBnemlwLCBicgAAAAcAAAAAAAAADwAAAAsAAAAFAAAACV9BQ1VHQURGRgAAAAcAAAABAAAADwAAAA0AAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
10752
polling_time
93951
port_number
1443
sc_process32
%windir%\syswow64\systray.exe
sc_process64
%windir%\sysnative\DevicePairingWizard.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDU59ubetiY+LhOdd2F8C7vXLkVybNh6QaoPJk+VKmF/XO4EC9ac/zQUTWxzea8pBym/dgVAYJe1lZYQxBtHWkfCagWuxXxmc2GtqePiIkf5ObAy1rgRfumNilh3iA+t5X758wXqhLDQXRfTIFzzM5dVF4RwKydstaCNmbL/+C+FwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
2.602442752e+09
unknown2
AAAABAAAAAEAAAscAAAAAgAAE3cAAAAIAAAADwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/Study/names/85S6BPFEU7F
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.101 Safari/537.36
watermark
674054486
year
512

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Blocklisted process makes network request 2 IoCs

flow	pid	Process
8	3148	powershell.exe
28	3148	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3148	powershell.exe
3148	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3148	powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\2ff7e2095db12b529ddadeac322b24e1.ps1
1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3148

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cdjq51v2.2ui.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/3148-0-0x000001E8FCCD0000-0x000001E8FCCF2000-memory.dmp

Filesize
136KB

Download
memory/3148-10-0x00007FFF2DA80000-0x00007FFF2E541000-memory.dmp

Filesize
10.8MB

Download
memory/3148-11-0x000001E8FCD20000-0x000001E8FCD30000-memory.dmp

Filesize
64KB

Download
memory/3148-12-0x000001E8FCD20000-0x000001E8FCD30000-memory.dmp

Filesize
64KB

Download
memory/3148-13-0x000001E8FCD20000-0x000001E8FCD30000-memory.dmp

Filesize
64KB

Download
memory/3148-14-0x000001E8FF180000-0x000001E8FF205000-memory.dmp

Filesize
532KB

Download
memory/3148-15-0x000001E8FF130000-0x000001E8FF174000-memory.dmp

Filesize
272KB

Download
memory/3148-16-0x000001E8FF210000-0x000001E8FF212000-memory.dmp

Filesize
8KB

Download
memory/3148-17-0x00007FFF2DA80000-0x00007FFF2E541000-memory.dmp

Filesize
10.8MB

Download
memory/3148-18-0x000001E8FF130000-0x000001E8FF174000-memory.dmp

Filesize
272KB

Download