Malware Analysis Report

2025-06-16 03:32

Sample ID 240405-nxk7ysah91
Target xxs.ps1
SHA256 19c21eef3cf7bccd23adba2f70d99d434a0a74b29d26c1ece6cbd0dedcd3774b
Tags
cobaltstrike metasploit 1234567890 backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

19c21eef3cf7bccd23adba2f70d99d434a0a74b29d26c1ece6cbd0dedcd3774b

Threat Level: Known bad

The file xxs.ps1 was found to be: Known bad.

Malicious Activity Summary

cobaltstrike metasploit 1234567890 backdoor trojan

Cobaltstrike

MetaSploit

Blocklisted process makes network request

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-04-05 11:46

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-05 11:46

Reported

2024-04-05 11:49

Platform

win7-20240221-en

Max time kernel

126s

Max time network

127s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\xxs.ps1

Signatures

Cobaltstrike

trojan backdoor cobaltstrike

MetaSploit

trojan backdoor metasploit

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | \??\c:\windows\syswow64\windowspowershell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | \??\c:\windows\syswow64\windowspowershell\v1.0\powershell.exe | N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\xxs.ps1

\??\c:\windows\syswow64\windowspowershell\v1.0\powershell.exe

"c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -s -NoLogo -NoProfile

Network

Country | Destination | Domain | Proto
US | 66.135.4.59:8010 | 66.135.4.59 | tcp
US | 66.135.4.59:8010 | 66.135.4.59 | tcp
US | 66.135.4.59:8010 | 66.135.4.59 | tcp
US | 66.135.4.59:8010 | 66.135.4.59 | tcp

Files

memory/2412-4-0x000000001B620000-0x000000001B902000-memory.dmp

memory/2412-5-0x00000000026F0000-0x00000000026F8000-memory.dmp

memory/2412-6-0x000007FEF5C80000-0x000007FEF661D000-memory.dmp

memory/2412-8-0x0000000002A70000-0x0000000002AA2000-memory.dmp

memory/2412-7-0x0000000002BF0000-0x0000000002C70000-memory.dmp

memory/2412-10-0x0000000002A70000-0x0000000002AA2000-memory.dmp

memory/2412-11-0x0000000002BF0000-0x0000000002C70000-memory.dmp

memory/2412-9-0x000007FEF5C80000-0x000007FEF661D000-memory.dmp

memory/2412-12-0x0000000002BF0000-0x0000000002C70000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BQTBMFBN6WGCA44BT9ND.temp

MD5 bed7cea48215a7f2375c402a71823316
SHA1 10e6c95f93824caa21c7fe74244cecdbc52f1a5a
SHA256 6f2409b04e4782d3d23556c5d20c7bd11ccb7501807682ca8f52191240c865c0
SHA512 99a2969717175aece895313baa756d8ddbb3a14f0f757c89a49042ebda759eb546c2ae61ea6e0bc9576e143e292bbc5d765fda3f78ffab7c487674085791af4f

memory/2724-15-0x00000000739D0000-0x0000000073F7B000-memory.dmp

memory/2724-16-0x0000000002CA0000-0x0000000002CE0000-memory.dmp

memory/2724-17-0x00000000739D0000-0x0000000073F7B000-memory.dmp

memory/2724-18-0x0000000002CA0000-0x0000000002CE0000-memory.dmp

memory/2724-19-0x0000000005380000-0x0000000005381000-memory.dmp

memory/2724-20-0x00000000061F0000-0x00000000065F0000-memory.dmp

memory/2724-21-0x0000000005790000-0x00000000057CE000-memory.dmp

memory/2412-22-0x000007FEF5C80000-0x000007FEF661D000-memory.dmp

memory/2412-23-0x0000000002BF0000-0x0000000002C70000-memory.dmp

memory/2412-24-0x0000000002BF0000-0x0000000002C70000-memory.dmp

memory/2412-25-0x0000000002BF0000-0x0000000002C70000-memory.dmp

memory/2412-26-0x0000000002BF0000-0x0000000002C70000-memory.dmp

memory/2724-27-0x00000000739D0000-0x0000000073F7B000-memory.dmp

memory/2724-28-0x0000000002CA0000-0x0000000002CE0000-memory.dmp

memory/2724-29-0x0000000002CA0000-0x0000000002CE0000-memory.dmp

memory/2724-30-0x0000000002CA0000-0x0000000002CE0000-memory.dmp

memory/2724-31-0x0000000005790000-0x00000000057CE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-05 11:46

Reported

2024-04-05 11:49

Platform

win10v2004-20240226-en

Max time kernel

125s

Max time network

126s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\xxs.ps1

Signatures

Cobaltstrike

trojan backdoor cobaltstrike

MetaSploit

trojan backdoor metasploit

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | \??\c:\windows\syswow64\windowspowershell\v1.0\powershell.exe | N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\xxs.ps1

\??\c:\windows\syswow64\windowspowershell\v1.0\powershell.exe

"c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 144.136.73.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp
US | 66.135.4.59:8010 | 66.135.4.59 | tcp
US | 8.8.8.8:53 | 59.4.135.66.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 66.135.4.59:8010 | 66.135.4.59 | tcp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 81.139.73.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 146.136.73.23.in-addr.arpa | udp
US | 66.135.4.59:8010 | 66.135.4.59 | tcp
US | 8.8.8.8:53 | 137.136.73.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp
US | 66.135.4.59:8010 | 66.135.4.59 | tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_shsitt0k.tjw.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3992-9-0x000001B2DFBD0000-0x000001B2DFBF2000-memory.dmp

memory/3992-10-0x00007FF918FF0000-0x00007FF919AB1000-memory.dmp

memory/3992-11-0x000001B2C6B50000-0x000001B2C6B60000-memory.dmp

memory/3992-12-0x000001B2C6B50000-0x000001B2C6B60000-memory.dmp

memory/3992-13-0x000001B2E0000000-0x000001B2E0176000-memory.dmp

memory/3992-14-0x000001B2E0390000-0x000001B2E059A000-memory.dmp

memory/2340-15-0x0000000005260000-0x0000000005296000-memory.dmp

memory/2340-17-0x0000000005360000-0x0000000005370000-memory.dmp

memory/2340-18-0x00000000059A0000-0x0000000005FC8000-memory.dmp

memory/2340-16-0x0000000074B40000-0x00000000752F0000-memory.dmp

memory/2340-19-0x0000000005360000-0x0000000005370000-memory.dmp

memory/2340-20-0x0000000005870000-0x0000000005892000-memory.dmp

memory/2340-21-0x0000000006140000-0x00000000061A6000-memory.dmp

memory/2340-22-0x0000000006220000-0x0000000006286000-memory.dmp

memory/2340-32-0x0000000006390000-0x00000000066E4000-memory.dmp

memory/2340-33-0x0000000006920000-0x000000000693E000-memory.dmp

memory/2340-34-0x0000000006A30000-0x0000000006A7C000-memory.dmp

memory/2340-35-0x0000000007700000-0x0000000007D7A000-memory.dmp

memory/2340-36-0x0000000006E90000-0x0000000006EAA000-memory.dmp

memory/2340-37-0x0000000006F90000-0x0000000006F91000-memory.dmp

memory/2340-38-0x0000000007D80000-0x0000000008180000-memory.dmp

memory/2340-39-0x0000000005540000-0x000000000557E000-memory.dmp

memory/3992-41-0x00007FF918FF0000-0x00007FF919AB1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 93678e82d776686aa54c42b8a98e6cbc
SHA1 802939dfed99ac74814c4371388b204c5810241d
SHA256 da32a79a8e04cbafb1c5980b3d6225f4705010df5eb45d464cd5bf6b642d7841
SHA512 0b412a1e11c0639d72f6a58c661ecc43da021c010c4d1e66051c5a376ebab287480bbf663345c9bd2a79ec3a35a9788cf04d74d612449f76fe2c87576cd13520

memory/3992-44-0x000001B2C6B50000-0x000001B2C6B60000-memory.dmp

memory/3992-45-0x000001B2C6B50000-0x000001B2C6B60000-memory.dmp

memory/2340-46-0x0000000074B40000-0x00000000752F0000-memory.dmp

memory/2340-47-0x0000000005360000-0x0000000005370000-memory.dmp

memory/2340-48-0x0000000005360000-0x0000000005370000-memory.dmp

memory/2340-49-0x0000000005540000-0x000000000557E000-memory.dmp