Resubmissions

05/04/2024, 11:46

240405-nxk7ysah91 10

Analysis

  • max time kernel
    126s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    05/04/2024, 11:46

General

  • Target

    xxs.ps1

  • Size

    5KB

  • MD5

    40f1e274dadb4c2c3679660e751d2012

  • SHA1

    f367de9a3d326a009a0984ff8cc82cc9ae102055

  • SHA256

    19c21eef3cf7bccd23adba2f70d99d434a0a74b29d26c1ece6cbd0dedcd3774b

  • SHA512

    0df82043636b9d26cedae955e93ae8524f5dacecd76bcfccb4ff539a23786ea43808caab2f520962ccf218efb9d05831ecbb4958a753e292fd565431497f351e

  • SSDEEP

    96:3gvqgrvOJwIb36PigjAv8BbKxsqlMOdjH1xzdLldZFaqF80liM0lCa:ovOtKagw8wfjH1xrdZUqFBI7

Malware Config

Extracted

Family

metasploit

Version

windows/download_exec

C2

http://66.135.4.59:8010/3ziF

Attributes
  • headers User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

Extracted

Family

cobaltstrike

Botnet

1234567890

C2

http://66.135.4.59:8010/ptj

Attributes
  • access_type

    512

  • host

    66.135.4.59,/ptj

  • http_header1

    AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_header2

    AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

  • http_method1

    GET

  • http_method2

    POST

  • polling_time

    60000

  • port_number

    8010

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCvYRrBhypXoyEO+BJhO2dLJE/6d4e1MIa/77tBoi6L5cRsYFvs31fZVPRgXDM6IWYUle9iqvcp2Ft5IVMQobju6KI6eAPwb1uuy28szzVvCRpUsdqvjUBoISt014wcoAPe2OLdt1TQd8YYfLldD43X54YBS8TqTMh3z5fUyTF1SwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4096

  • unknown2

    AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /submit.php

  • user_agent

    Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; InfoPath.2)

  • watermark

    1234567890

Signatures

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

  • Blocklisted process makes network request 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\xxs.ps1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2412
    • \??\c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
      "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -s -NoLogo -NoProfile
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2724

Network

        MITRE ATT&CK Matrix

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BQTBMFBN6WGCA44BT9ND.temp

          Filesize

          7KB

          MD5

          bed7cea48215a7f2375c402a71823316

          SHA1

          10e6c95f93824caa21c7fe74244cecdbc52f1a5a

          SHA256

          6f2409b04e4782d3d23556c5d20c7bd11ccb7501807682ca8f52191240c865c0

          SHA512

          99a2969717175aece895313baa756d8ddbb3a14f0f757c89a49042ebda759eb546c2ae61ea6e0bc9576e143e292bbc5d765fda3f78ffab7c487674085791af4f

        • memory/2412-23-0x0000000002BF0000-0x0000000002C70000-memory.dmp

          Filesize

          512KB

        • memory/2412-25-0x0000000002BF0000-0x0000000002C70000-memory.dmp

          Filesize

          512KB

        • memory/2412-8-0x0000000002A70000-0x0000000002AA2000-memory.dmp

          Filesize

          200KB

        • memory/2412-7-0x0000000002BF0000-0x0000000002C70000-memory.dmp

          Filesize

          512KB

        • memory/2412-10-0x0000000002A70000-0x0000000002AA2000-memory.dmp

          Filesize

          200KB

        • memory/2412-11-0x0000000002BF0000-0x0000000002C70000-memory.dmp

          Filesize

          512KB

        • memory/2412-9-0x000007FEF5C80000-0x000007FEF661D000-memory.dmp

          Filesize

          9.6MB

        • memory/2412-12-0x0000000002BF0000-0x0000000002C70000-memory.dmp

          Filesize

          512KB

        • memory/2412-5-0x00000000026F0000-0x00000000026F8000-memory.dmp

          Filesize

          32KB

        • memory/2412-26-0x0000000002BF0000-0x0000000002C70000-memory.dmp

          Filesize

          512KB

        • memory/2412-4-0x000000001B620000-0x000000001B902000-memory.dmp

          Filesize

          2.9MB

        • memory/2412-22-0x000007FEF5C80000-0x000007FEF661D000-memory.dmp

          Filesize

          9.6MB

        • memory/2412-6-0x000007FEF5C80000-0x000007FEF661D000-memory.dmp

          Filesize

          9.6MB

        • memory/2412-24-0x0000000002BF0000-0x0000000002C70000-memory.dmp

          Filesize

          512KB

        • memory/2724-28-0x0000000002CA0000-0x0000000002CE0000-memory.dmp

          Filesize

          256KB

        • memory/2724-21-0x0000000005790000-0x00000000057CE000-memory.dmp

          Filesize

          248KB

        • memory/2724-17-0x00000000739D0000-0x0000000073F7B000-memory.dmp

          Filesize

          5.7MB

        • memory/2724-16-0x0000000002CA0000-0x0000000002CE0000-memory.dmp

          Filesize

          256KB

        • memory/2724-20-0x00000000061F0000-0x00000000065F0000-memory.dmp

          Filesize

          4.0MB

        • memory/2724-18-0x0000000002CA0000-0x0000000002CE0000-memory.dmp

          Filesize

          256KB

        • memory/2724-15-0x00000000739D0000-0x0000000073F7B000-memory.dmp

          Filesize

          5.7MB

        • memory/2724-27-0x00000000739D0000-0x0000000073F7B000-memory.dmp

          Filesize

          5.7MB

        • memory/2724-19-0x0000000005380000-0x0000000005381000-memory.dmp

          Filesize

          4KB

        • memory/2724-29-0x0000000002CA0000-0x0000000002CE0000-memory.dmp

          Filesize

          256KB

        • memory/2724-30-0x0000000002CA0000-0x0000000002CE0000-memory.dmp

          Filesize

          256KB

        • memory/2724-31-0x0000000005790000-0x00000000057CE000-memory.dmp

          Filesize

          248KB