Analysis Overview
SHA256
19c21eef3cf7bccd23adba2f70d99d434a0a74b29d26c1ece6cbd0dedcd3774b
Threat Level: Known bad
The file xxs.ps1 was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike
MetaSploit
Blocklisted process makes network request
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-04-05 11:46
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-05 11:46
Reported
2024-04-05 11:49
Platform
win7-20240221-en
Max time kernel
126s
Max time network
127s
Command Line
Signatures
Cobaltstrike
MetaSploit
Blocklisted process makes network request
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | \??\c:\windows\syswow64\windowspowershell\v1.0\powershell.exe | N/A |
| N/A | N/A | \??\c:\windows\syswow64\windowspowershell\v1.0\powershell.exe | N/A |
| N/A | N/A | \??\c:\windows\syswow64\windowspowershell\v1.0\powershell.exe | N/A |
| N/A | N/A | \??\c:\windows\syswow64\windowspowershell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | \??\c:\windows\syswow64\windowspowershell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | \??\c:\windows\syswow64\windowspowershell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2412 wrote to memory of 2724 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | \??\c:\windows\syswow64\windowspowershell\v1.0\powershell.exe |
| PID 2412 wrote to memory of 2724 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | \??\c:\windows\syswow64\windowspowershell\v1.0\powershell.exe |
| PID 2412 wrote to memory of 2724 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | \??\c:\windows\syswow64\windowspowershell\v1.0\powershell.exe |
| PID 2412 wrote to memory of 2724 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | \??\c:\windows\syswow64\windowspowershell\v1.0\powershell.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\xxs.ps1
\??\c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
"c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -s -NoLogo -NoProfile
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 66.135.4.59:8010 | 66.135.4.59 | tcp |
| US | 66.135.4.59:8010 | 66.135.4.59 | tcp |
| US | 66.135.4.59:8010 | 66.135.4.59 | tcp |
| US | 66.135.4.59:8010 | 66.135.4.59 | tcp |
Files
memory/2412-4-0x000000001B620000-0x000000001B902000-memory.dmp
memory/2412-5-0x00000000026F0000-0x00000000026F8000-memory.dmp
memory/2412-6-0x000007FEF5C80000-0x000007FEF661D000-memory.dmp
memory/2412-8-0x0000000002A70000-0x0000000002AA2000-memory.dmp
memory/2412-7-0x0000000002BF0000-0x0000000002C70000-memory.dmp
memory/2412-10-0x0000000002A70000-0x0000000002AA2000-memory.dmp
memory/2412-11-0x0000000002BF0000-0x0000000002C70000-memory.dmp
memory/2412-9-0x000007FEF5C80000-0x000007FEF661D000-memory.dmp
memory/2412-12-0x0000000002BF0000-0x0000000002C70000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BQTBMFBN6WGCA44BT9ND.temp
| Hash | Value |
|---|---|
| MD5 | bed7cea48215a7f2375c402a71823316 |
| SHA1 | 10e6c95f93824caa21c7fe74244cecdbc52f1a5a |
| SHA256 | 6f2409b04e4782d3d23556c5d20c7bd11ccb7501807682ca8f52191240c865c0 |
| SHA512 | 99a2969717175aece895313baa756d8ddbb3a14f0f757c89a49042ebda759eb546c2ae61ea6e0bc9576e143e292bbc5d765fda3f78ffab7c487674085791af4f |
memory/2724-15-0x00000000739D0000-0x0000000073F7B000-memory.dmp
memory/2724-16-0x0000000002CA0000-0x0000000002CE0000-memory.dmp
memory/2724-17-0x00000000739D0000-0x0000000073F7B000-memory.dmp
memory/2724-18-0x0000000002CA0000-0x0000000002CE0000-memory.dmp
memory/2724-19-0x0000000005380000-0x0000000005381000-memory.dmp
memory/2724-20-0x00000000061F0000-0x00000000065F0000-memory.dmp
memory/2724-21-0x0000000005790000-0x00000000057CE000-memory.dmp
memory/2412-22-0x000007FEF5C80000-0x000007FEF661D000-memory.dmp
memory/2412-23-0x0000000002BF0000-0x0000000002C70000-memory.dmp
memory/2412-24-0x0000000002BF0000-0x0000000002C70000-memory.dmp
memory/2412-25-0x0000000002BF0000-0x0000000002C70000-memory.dmp
memory/2412-26-0x0000000002BF0000-0x0000000002C70000-memory.dmp
memory/2724-27-0x00000000739D0000-0x0000000073F7B000-memory.dmp
memory/2724-28-0x0000000002CA0000-0x0000000002CE0000-memory.dmp
memory/2724-29-0x0000000002CA0000-0x0000000002CE0000-memory.dmp
memory/2724-30-0x0000000002CA0000-0x0000000002CE0000-memory.dmp
memory/2724-31-0x0000000005790000-0x00000000057CE000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-05 11:46
Reported
2024-04-05 11:49
Platform
win10v2004-20240226-en
Max time kernel
125s
Max time network
126s
Command Line
Signatures
Cobaltstrike
MetaSploit
Blocklisted process makes network request
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | \??\c:\windows\syswow64\windowspowershell\v1.0\powershell.exe | N/A |
| N/A | N/A | \??\c:\windows\syswow64\windowspowershell\v1.0\powershell.exe | N/A |
| N/A | N/A | \??\c:\windows\syswow64\windowspowershell\v1.0\powershell.exe | N/A |
| N/A | N/A | \??\c:\windows\syswow64\windowspowershell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | \??\c:\windows\syswow64\windowspowershell\v1.0\powershell.exe | N/A |
| N/A | N/A | \??\c:\windows\syswow64\windowspowershell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | \??\c:\windows\syswow64\windowspowershell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3992 wrote to memory of 2340 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | \??\c:\windows\syswow64\windowspowershell\v1.0\powershell.exe |
| PID 3992 wrote to memory of 2340 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | \??\c:\windows\syswow64\windowspowershell\v1.0\powershell.exe |
| PID 3992 wrote to memory of 2340 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | \??\c:\windows\syswow64\windowspowershell\v1.0\powershell.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\xxs.ps1
\??\c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
"c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.136.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 66.135.4.59:8010 | 66.135.4.59 | tcp |
| US | 8.8.8.8:53 | 59.4.135.66.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 66.135.4.59:8010 | 66.135.4.59 | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.136.73.23.in-addr.arpa | udp |
| US | 66.135.4.59:8010 | 66.135.4.59 | tcp |
| US | 8.8.8.8:53 | 137.136.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 66.135.4.59:8010 | 66.135.4.59 | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_shsitt0k.tjw.ps1
| Hash | Value |
|---|---|
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3992-9-0x000001B2DFBD0000-0x000001B2DFBF2000-memory.dmp
memory/3992-10-0x00007FF918FF0000-0x00007FF919AB1000-memory.dmp
memory/3992-11-0x000001B2C6B50000-0x000001B2C6B60000-memory.dmp
memory/3992-12-0x000001B2C6B50000-0x000001B2C6B60000-memory.dmp
memory/3992-13-0x000001B2E0000000-0x000001B2E0176000-memory.dmp
memory/3992-14-0x000001B2E0390000-0x000001B2E059A000-memory.dmp
memory/2340-15-0x0000000005260000-0x0000000005296000-memory.dmp
memory/2340-17-0x0000000005360000-0x0000000005370000-memory.dmp
memory/2340-18-0x00000000059A0000-0x0000000005FC8000-memory.dmp
memory/2340-16-0x0000000074B40000-0x00000000752F0000-memory.dmp
memory/2340-19-0x0000000005360000-0x0000000005370000-memory.dmp
memory/2340-20-0x0000000005870000-0x0000000005892000-memory.dmp
memory/2340-21-0x0000000006140000-0x00000000061A6000-memory.dmp
memory/2340-22-0x0000000006220000-0x0000000006286000-memory.dmp
memory/2340-32-0x0000000006390000-0x00000000066E4000-memory.dmp
memory/2340-33-0x0000000006920000-0x000000000693E000-memory.dmp
memory/2340-34-0x0000000006A30000-0x0000000006A7C000-memory.dmp
memory/2340-35-0x0000000007700000-0x0000000007D7A000-memory.dmp
memory/2340-36-0x0000000006E90000-0x0000000006EAA000-memory.dmp
memory/2340-37-0x0000000006F90000-0x0000000006F91000-memory.dmp
memory/2340-38-0x0000000007D80000-0x0000000008180000-memory.dmp
memory/2340-39-0x0000000005540000-0x000000000557E000-memory.dmp
memory/3992-41-0x00007FF918FF0000-0x00007FF919AB1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
| Hash | Value |
|---|---|
| MD5 | 93678e82d776686aa54c42b8a98e6cbc |
| SHA1 | 802939dfed99ac74814c4371388b204c5810241d |
| SHA256 | da32a79a8e04cbafb1c5980b3d6225f4705010df5eb45d464cd5bf6b642d7841 |
| SHA512 | 0b412a1e11c0639d72f6a58c661ecc43da021c010c4d1e66051c5a376ebab287480bbf663345c9bd2a79ec3a35a9788cf04d74d612449f76fe2c87576cd13520 |
memory/3992-44-0x000001B2C6B50000-0x000001B2C6B60000-memory.dmp
memory/3992-45-0x000001B2C6B50000-0x000001B2C6B60000-memory.dmp
memory/2340-46-0x0000000074B40000-0x00000000752F0000-memory.dmp
memory/2340-47-0x0000000005360000-0x0000000005370000-memory.dmp
memory/2340-48-0x0000000005360000-0x0000000005370000-memory.dmp
memory/2340-49-0x0000000005540000-0x000000000557E000-memory.dmp