Analysis
-
max time kernel
458s -
max time network
451s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system -
submitted
17-04-2024 17:37
Behavioral task
behavioral1
Sample
malware.ps1
Resource
win10v2004-20240412-en
General
-
Target
malware.ps1
-
Size
222KB
-
MD5
8eea2778505dda470dfe222fa260a7b7
-
SHA1
11f42aa29d576220e9fe69366a7c7f99498eda8c
-
SHA256
f306f36cedd08d9e83056f41564a96142611cce5a38882edd13046c402b628d8
-
SHA512
a8451d8dd52198290a30d348c1520e740249de8bbb29fa1b2f39829436e0985b5810c323fe0ce7394dc1f00dcd9ea6a0e89651e5b81a92dff17aeab4fa2581e5
-
SSDEEP
6144:cUTXaH4di1kb6FFGaKMkWfjkY/9jZDEXNf+jCNUi:cqakbCFFRBbrlEXcCGi
Malware Config
Extracted
Family
cobaltstrike
Watermark
666
C2
http://bellebobas.com:443/gifs/
-
access_type
512
-
beacon_type
2048
-
dns_idle
6.7373064e+07
-
dns_sleep
8.1297408e+08
-
host
bellebobas.com,/gifs/
-
http_header1
AAAACgAAAB9BY2NlcHQtTGFuZ3VhZ2U6IGVuLVVTLGVuO3E9MC41AAAACgAAAFJBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LGltYWdlL3dlYnAsKi8qO3E9MC44AAAACgAAAB5BY2NlcHQtRW5jb2Rpbmc6IGd6aXAsIGRlZmxhdGUAAAAKAAAAEUNvbm5lY3Rpb246IGNsb3NlAAAABwAAAAAAAAAPAAAADQAAAAEAAAALL2tpdHRlbi5naWYAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
http_header2
AAAACgAAAB5Db250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL2pzb24AAAAKAAAAEUNvbm5lY3Rpb246IGNsb3NlAAAABwAAAAAAAAAPAAAACAAAAAYAAAAOQXV0aGVudGljYXRpb24AAAAHAAAAAQAAAAMAAAACAAAAc3siaW1hZ2VfdXJsIiA6ICJodHRwczovL3N1bjktMjMudXNlcmFwaS5jb20vRzRKdmRaREVmTGRJUGxOTjEtSmtNR1EydW5mMktFSVY1NE9tNWcvYWJKNzBqR0hmVmsuanBnIiwgIm1ldGFkYXRhIiA6ICIAAAABAAAAAiJ9AAAABAAAAAAAAA==
-
http_method1
GET
-
http_method2
POST
-
jitter
5120
-
maxdns
235
-
polling_time
60000
-
port_number
443
-
sc_process32
%windir%\syswow64\dfrgui.exe
-
sc_process64
%windir%\sysnative\dfrgui.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDaxb4IJ+cn+nbIo0UAWhsGngA5uQImWmV45RX6fH8ISCN93+Rh63Z4Vh2MyxHCoAqJ2pWtyptAbDAxkZQp66O9gDUJSfnJ+LZffG3m66EstIkvj0dPIO0Aiox4KN37itYFtraVXy5B0MVcPLqpkagnmsxuJBWCVQrW/ObJDqw2kwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
3.2384e+09
-
unknown2
AAAABAAAAAIAAABAAAAAAgAAAEAAAAACAAAAQAAAAAIAAABAAAAAAgAAAEAAAAACAAAAQAAAAAIAAABAAAAAAgAAAEAAAAACAAAAQAAAAAIAAABAAAAAAgAAAEAAAAACAAAAQAAAAAIAAABAAAAAAgAAAEAAAAACAAAAQAAAAAIAAABAAAAAAgAAAEAAAAACAAAAQAAAAAIAAABAAAAAAgAAAEAAAAACAAAAQAAAAAIAAABAAAAAAgAAAEAAAAACAAAAQAAAAAIAAABAAAAAAgAAAEAAAAACAAAAQAAAAAIAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/temp/
-
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36
-
watermark
666
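Worked example, added here and not part of the sandbox report or of any Cobalt Strike tooling: the two http_header blobs above are Beacon's http-get and http-post transform programs, stored as big-endian 32-bit opcodes with length-prefixed string operands, and state_machine is the DER-encoded RSA public key Beacon uses to encrypt its session metadata. The script decodes both blobs, reads the key size out of the DER, and recovers dns_idle from the float the extractor printed (67373064 is 4.4.8.8). The opcode names follow the numbering public parsers such as 1768.py use, which is an assumption stated in the code; only opcodes that occur in these two blobs were checked against this sample, and anything else raises.

```python
"""Decode the Beacon settings quoted in this report.

Added example, not the report's own tooling. The opcode table follows the
numbering used by public Cobalt Strike config parsers; only the opcodes that
occur in the two blobs above were checked against this sample.
"""
import base64
import ipaddress
import struct

# Copied verbatim from the "Malware Config" section of this report.
HTTP_GET_B64 = "AAAACgAAAB9BY2NlcHQtTGFuZ3VhZ2U6IGVuLVVTLGVuO3E9MC41AAAACgAAAFJBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LGltYWdlL3dlYnAsKi8qO3E9MC44AAAACgAAAB5BY2NlcHQtRW5jb2Rpbmc6IGd6aXAsIGRlZmxhdGUAAAAKAAAAEUNvbm5lY3Rpb246IGNsb3NlAAAABwAAAAAAAAAPAAAADQAAAAEAAAALL2tpdHRlbi5naWYAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=="
HTTP_POST_B64 = "AAAACgAAAB5Db250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL2pzb24AAAAKAAAAEUNvbm5lY3Rpb246IGNsb3NlAAAABwAAAAAAAAAPAAAACAAAAAYAAAAOQXV0aGVudGljYXRpb24AAAAHAAAAAQAAAAMAAAACAAAAc3siaW1hZ2VfdXJsIiA6ICJodHRwczovL3N1bjktMjMudXNlcmFwaS5jb20vRzRKdmRaREVmTGRJUGxOTjEtSmtNR1EydW5mMktFSVY1NE9tNWcvYWJKNzBqR0hmVmsuanBnIiwgIm1ldGFkYXRhIiA6ICIAAAABAAAAAiJ9AAAABAAAAAAAAA=="
PUBKEY_B64 = "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDaxb4IJ+cn+nbIo0UAWhsGngA5uQImWmV45RX6fH8ISCN93+Rh63Z4Vh2MyxHCoAqJ2pWtyptAbDAxkZQp66O9gDUJSfnJ+LZffG3m66EstIkvj0dPIO0Aiox4KN37itYFtraVXy5B0MVcPLqpkagnmsxuJBWCVQrW/ObJDqw2kwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=="
DNS_IDLE = "6.7373064e+07"

# Transform opcodes (assumed numbering, as used by 1768.py and similar parsers).
# "const_*" steps set fixed request headers/parameters; the rest operate on the
# data being smuggled (metadata, session id, or task output).
STEPS = {1: "append", 2: "prepend", 3: "base64", 4: "print", 5: "parameter",
         6: "header", 7: "build", 8: "netbios", 9: "const_parameter",
         10: "const_header", 11: "netbiosu", 12: "uri_append",
         13: "base64url", 15: "mask", 16: "host_header"}
WITH_ARG = {1, 2, 5, 6, 9, 10, 16}            # opcode, u32 length, bytes
BUILD_TARGET = {"get": {0: "metadata", 1: "output"},
                "post": {0: "id", 1: "output"}}


def decode_transform(blob_b64, kind):
    """Return [(step, arg_or_None), ...] for an http-get or http-post blob.

    Layout: u32 big-endian opcode, optionally u32 length plus bytes; a zero
    opcode ends the program and the rest of the slot is zero padding.
    """
    data = base64.b64decode(blob_b64)
    pos, steps = 0, []
    while pos + 4 <= len(data):
        op = struct.unpack_from(">I", data, pos)[0]
        pos += 4
        if op == 0:
            break
        if op not in STEPS:
            raise ValueError(f"unhandled opcode {op} at offset {pos - 4}")
        if op == 7:                               # build <which buffer>
            target = struct.unpack_from(">I", data, pos)[0]
            pos += 4
            steps.append(("build", BUILD_TARGET[kind][target]))
        elif op in WITH_ARG:
            n = struct.unpack_from(">I", data, pos)[0]
            pos += 4
            steps.append((STEPS[op], data[pos:pos + n].decode("latin-1")))
            pos += n
        else:                                     # mask (XOR with a random 4-byte key), base64(url), netbios, print, uri_append
            steps.append((STEPS[op], None))
    return steps


def der_tlv(buf, pos):
    """Minimal DER reader: (tag, value, next_pos) for the element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                             # long form: low bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def pubkey_modulus_bits(spki_b64):
    """Size of the RSA key in the state_machine slot (a DER SubjectPublicKeyInfo)."""
    _, spki, _ = der_tlv(base64.b64decode(spki_b64), 0)     # outer SEQUENCE; zero padding after it is ignored
    _, alg, after_alg = der_tlv(spki, 0)                    # AlgorithmIdentifier
    _, oid, _ = der_tlv(alg, 0)
    if oid != bytes.fromhex("2a864886f70d010101"):           # rsaEncryption
        raise ValueError("not an RSA SubjectPublicKeyInfo")
    _, bitstr, _ = der_tlv(spki, after_alg)                 # BIT STRING; first byte = unused-bit count
    _, rsapub, _ = der_tlv(bitstr[1:], 0)                   # RSAPublicKey SEQUENCE
    _, modulus, _ = der_tlv(rsapub, 0)                      # INTEGER n
    return int.from_bytes(modulus, "big").bit_length()


def int_setting_to_ip(value):
    """Extractors sometimes print 32-bit IP settings as floats; recover the dotted quad."""
    return str(ipaddress.ip_address(int(float(value))))


def summarize():
    return {
        "get": decode_transform(HTTP_GET_B64, "get"),
        "post": decode_transform(HTTP_POST_B64, "post"),
        "dns_idle": int_setting_to_ip(DNS_IDLE),
        "rsa_bits": pubkey_modulus_bits(PUBKEY_B64),
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(key)
        for item in (value if isinstance(value, list) else [value]):
            print("   ", item)
```

Decoding shows why the traffic looks the way it does: the masked, base64url-encoded metadata gets "/kitten.gif" appended and is then spliced into the URI, so check-ins are GET /gifs/<blob>/kitten.gif with the Chrome/80 user-agent, while results go out as POST /temp/ with the session id netbios-encoded in an Authentication header and the output base64-encoded inside a JSON body whose image_url field points at a userapi.com image. dns_sleep is left as printed; it does not obviously decode the same way.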
Signatures
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Blocklisted process makes network request 9 IoCs
Processes: powershell.exe
flow  pid   process
6     3680  powershell.exe
47    3680  powershell.exe
61    3680  powershell.exe
62    3680  powershell.exe
63    3680  powershell.exe
64    3680  powershell.exe
68    3680  powershell.exe
69    3680  powershell.exe
70    3680  powershell.exe
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes: taskmgr.exe
description        ioc  process
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000  taskmgr.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  taskmgr.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName  taskmgr.exe
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: taskmgr.exe
description        ioc  process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  taskmgr.exe
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  taskmgr.exe
-
Modifies registry class 1 IoCs
Processes: taskmgr.exe
description  ioc  process
Key created  \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000_Classes\Local Settings  taskmgr.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: powershell.exe, taskmgr.exe
pid   process
3680  powershell.exe  (2 entries)
3604  taskmgr.exe     (62 entries)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: taskmgr.exe
pid   process
3604  taskmgr.exe
-
Suspicious use of AdjustPrivilegeToken 17 IoCs
Processes: powershell.exe, taskmgr.exe, svchost.exe
description                        pid   process
Token: SeDebugPrivilege            3680  powershell.exe
Token: SeDebugPrivilege            3604  taskmgr.exe
Token: SeSystemProfilePrivilege    3604  taskmgr.exe
Token: SeCreateGlobalPrivilege     3604  taskmgr.exe
Token: SeSecurityPrivilege         3604  taskmgr.exe
Token: SeTakeOwnershipPrivilege    3604  taskmgr.exe
Token: SeSecurityPrivilege         3604  taskmgr.exe
Token: SeTakeOwnershipPrivilege    3604  taskmgr.exe
Token: SeSecurityPrivilege         3604  taskmgr.exe
Token: SeTakeOwnershipPrivilege    3604  taskmgr.exe
Token: SeBackupPrivilege           2992  svchost.exe
Token: SeRestorePrivilege          2992  svchost.exe
Token: SeSecurityPrivilege         2992  svchost.exe
Token: SeTakeOwnershipPrivilege    2992  svchost.exe
Token: 35                          2992  svchost.exe
Token: 33                          3604  taskmgr.exe
Token: SeIncBasePriorityPrivilege  3604  taskmgr.exe
-
Suspicious use of FindShellTrayWindow 64 IoCs
Processes: taskmgr.exe
pid   process
3604  taskmgr.exe  (64 entries)
-
Suspicious use of SendNotifyMessage 64 IoCs
Processes: taskmgr.exe
pid   process
3604  taskmgr.exe  (64 entries)
Processes
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\malware.ps1
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
- Checks SCSI registry key(s)
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
-
C:\Windows\System32\12t9_p.exe
"C:\Windows\System32\12t9_p.exe"
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
- Suspicious use of AdjustPrivilegeToken
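Added example, not from the report: detection logic built from the extracted config and the process list. The proxy records and process-creation events it runs over are constructed here. In particular the dfrgui.exe-under-powershell.exe event is what the sc_process32/sc_process64 setting would produce when Beacon spawns a sacrificial process for a post-exploitation job, not something the sandbox recorded (the process list above shows nothing beneath PID 3680). The list of parents from which dfrgui.exe is expected to start is an assumption, as is the record format.

```python
"""Detection logic derived from the config and process list above.

Added example, not part of the sandbox report. The records below are
constructed to resemble a proxy access log and Sysmon process-creation
fields; the dfrgui.exe event is what sc_process32/sc_process64 would
produce, not something the sandbox run recorded.
"""
import re

# Indicators taken from the extracted config.
C2_HOST = "bellebobas.com"
BEACON_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36")
# http-get transform: mask, base64url, append "/kitten.gif", uri_append, so a
# check-in is GET /gifs/<base64url blob>/kitten.gif. The blob is an RSA block
# plus a 4-byte mask key, so it is far longer than the 20-character floor here.
GET_PATH = re.compile(r"^/gifs/[A-Za-z0-9_-]{20,}/kitten\.gif$")
POST_URI = "/temp/"                                # 'uri' setting; the id rides in a header
SPAWNTO = {r"c:\windows\syswow64\dfrgui.exe", r"c:\windows\system32\dfrgui.exe"}
# Assumption: the Optimize Drives UI is normally launched from the shell or an MMC/service host.
EXPECTED_PARENTS = {"explorer.exe", "svchost.exe", "mmc.exe"}


def check_http(record):
    """Score one 'METHOD host path user-agent' record (constructed format)."""
    method, host, path, user_agent = record.split(" ", 3)
    hits = []
    if host == C2_HOST:
        hits.append("c2-host")
    if method == "GET" and GET_PATH.match(path):
        hits.append("get-uri-shape")
    if method == "POST" and path == POST_URI:
        hits.append("post-uri")
    if user_agent == BEACON_UA:
        hits.append("beacon-ua")                   # a pinned Chrome 80 build is rare in live traffic
    return hits


def check_process(event):
    """Score one process-creation event with Image/ParentImage/CommandLine."""
    image = event["Image"].lower()
    parent = event["ParentImage"].lower().rsplit("\\", 1)[-1]
    cmd = event["CommandLine"].lower()
    hits = []
    if image in SPAWNTO and parent not in EXPECTED_PARENTS:
        hits.append("spawnto-dfrgui-odd-parent")
    if image.endswith("\\powershell.exe") and "-executionpolicy bypass" in cmd \
            and "\\appdata\\local\\temp\\" in cmd:
        hits.append("ps-bypass-script-from-temp")
    return hits


HTTP_RECORDS = [  # constructed
    "GET bellebobas.com /gifs/" + "Q" * 176 + "/kitten.gif " + BEACON_UA,
    "POST bellebobas.com /temp/ " + BEACON_UA,
    "GET www.example.com /index.html Mozilla/5.0 (Windows NT 10.0; Win64; x64) "
    "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36",
]
PROCESS_EVENTS = [  # constructed; the first mirrors the report's command line
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\malware.ps1"},
    {"Image": r"C:\Windows\SysWOW64\dfrgui.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"C:\Windows\SysWOW64\dfrgui.exe"},
    {"Image": r"C:\Windows\System32\dfrgui.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"C:\Windows\System32\dfrgui.exe"},
]


def triage(http_records=HTTP_RECORDS, process_events=PROCESS_EVENTS):
    """Return only the records that matched, with their reasons."""
    findings = []
    for rec in http_records:
        if hits := check_http(rec):
            findings.append((rec.split(" ", 3)[:3], hits))
    for ev in process_events:
        if hits := check_process(ev):
            findings.append((ev["Image"], hits))
    return findings


if __name__ == "__main__":
    for what, why in triage():
        print(why, what)
```

When reading the signature section above, note that everything attributed to taskmgr.exe (PID 3604), to svchost.exe -k SDRSVC and to the rundll32.exe shell COM server is generic Windows activity listed alongside powershell.exe rather than beneath it; what the report ties to malware.ps1 itself is PID 3680's network requests and its SeDebugPrivilege request. Likewise the __PSScriptPolicyTest_5ookljb0.giw.ps1 file in the Downloads list is the probe PowerShell writes to %TEMP% at startup to test AppLocker/WDAC script enforcement, not a payload the script dropped.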
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5ookljb0.giw.ps1
Filesize 60B
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
memory/3604-21-0x0000025F55BA0000-0x0000025F55BA1000-memory.dmp (Filesize 4KB)
memory/3604-43-0x0000025F55A10000-0x0000025F55A20000-memory.dmp (Filesize 64KB)
memory/3604-33-0x0000025F55BA0000-0x0000025F55BA1000-memory.dmp (Filesize 4KB)
memory/3604-32-0x0000025F55BA0000-0x0000025F55BA1000-memory.dmp (Filesize 4KB)
memory/3604-31-0x0000025F55BA0000-0x0000025F55BA1000-memory.dmp (Filesize 4KB)
memory/3604-30-0x0000025F55BA0000-0x0000025F55BA1000-memory.dmp (Filesize 4KB)
memory/3604-29-0x0000025F55BA0000-0x0000025F55BA1000-memory.dmp (Filesize 4KB)
memory/3604-27-0x0000025F55BA0000-0x0000025F55BA1000-memory.dmp (Filesize 4KB)
memory/3604-28-0x0000025F55BA0000-0x0000025F55BA1000-memory.dmp (Filesize 4KB)
memory/3604-23-0x0000025F55BA0000-0x0000025F55BA1000-memory.dmp (Filesize 4KB)
memory/3604-22-0x0000025F55BA0000-0x0000025F55BA1000-memory.dmp (Filesize 4KB)
memory/3680-14-0x0000014620BA0000-0x0000014620C1D000-memory.dmp (Filesize 500KB)
memory/3680-20-0x0000014620B60000-0x0000014620BA0000-memory.dmp (Filesize 256KB)
memory/3680-19-0x00000146081C0000-0x00000146081D0000-memory.dmp (Filesize 64KB)
memory/3680-18-0x00000146081C0000-0x00000146081D0000-memory.dmp (Filesize 64KB)
memory/3680-17-0x00007FF9BF2C0000-0x00007FF9BFD81000-memory.dmp (Filesize 10.8MB)
memory/3680-16-0x0000014620BA0000-0x0000014620C1D000-memory.dmp (Filesize 500KB)
memory/3680-15-0x0000014620B60000-0x0000014620BA0000-memory.dmp (Filesize 256KB)
memory/3680-13-0x00000146081C0000-0x00000146081D0000-memory.dmp (Filesize 64KB)
memory/3680-12-0x00000146081C0000-0x00000146081D0000-memory.dmp (Filesize 64KB)
memory/3680-11-0x00000146081C0000-0x00000146081D0000-memory.dmp (Filesize 64KB)
memory/3680-10-0x00007FF9BF2C0000-0x00007FF9BFD81000-memory.dmp (Filesize 10.8MB)
memory/3680-9-0x00000146208C0000-0x00000146208E2000-memory.dmp (Filesize 136KB)
memory/3680-51-0x00007FF9BF2C0000-0x00007FF9BFD81000-memory.dmp (Filesize 10.8MB)