Overview

overview

10

Static

static

10

malware.ps1

windows10-2004-x64

10

Resubmissions

17-04-2024 17:37

240417-v7gqvaab8z 10

17-04-2024 17:20

240417-vwmgysge39 10

Analysis

  • max time kernel
    458s
  • max time network
    451s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-04-2024 17:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    malware.ps1

  • Size

    222KB

  • MD5

    8eea2778505dda470dfe222fa260a7b7

  • SHA1

    11f42aa29d576220e9fe69366a7c7f99498eda8c

  • SHA256

    f306f36cedd08d9e83056f41564a96142611cce5a38882edd13046c402b628d8

  • SHA512

    a8451d8dd52198290a30d348c1520e740249de8bbb29fa1b2f39829436e0985b5810c323fe0ce7394dc1f00dcd9ea6a0e89651e5b81a92dff17aeab4fa2581e5

  • SSDEEP

    6144:cUTXaH4di1kb6FFGaKMkWfjkY/9jZDEXNf+jCNUi:cqakbCFFRBbrlEXcCGi

Score
10/10
cobaltstrike666backdoortrojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

666

C2

http://bellebobas.com:443/gifs/

Attributes
  • access_type

    512

  • beacon_type

    2048

  • dns_idle

    6.7373064e+07

  • dns_sleep

    8.1297408e+08

  • host

    bellebobas.com,/gifs/

  • http_header1

    AAAACgAAAB9BY2NlcHQtTGFuZ3VhZ2U6IGVuLVVTLGVuO3E9MC41AAAACgAAAFJBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LGltYWdlL3dlYnAsKi8qO3E9MC44AAAACgAAAB5BY2NlcHQtRW5jb2Rpbmc6IGd6aXAsIGRlZmxhdGUAAAAKAAAAEUNvbm5lY3Rpb246IGNsb3NlAAAABwAAAAAAAAAPAAAADQAAAAEAAAALL2tpdHRlbi5naWYAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_header2

    AAAACgAAAB5Db250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL2pzb24AAAAKAAAAEUNvbm5lY3Rpb246IGNsb3NlAAAABwAAAAAAAAAPAAAACAAAAAYAAAAOQXV0aGVudGljYXRpb24AAAAHAAAAAQAAAAMAAAACAAAAc3siaW1hZ2VfdXJsIiA6ICJodHRwczovL3N1bjktMjMudXNlcmFwaS5jb20vRzRKdmRaREVmTGRJUGxOTjEtSmtNR1EydW5mMktFSVY1NE9tNWcvYWJKNzBqR0hmVmsuanBnIiwgIm1ldGFkYXRhIiA6ICIAAAABAAAAAiJ9AAAABAAAAAAAAA==

  • http_method1

    GET

  • http_method2

    POST

  • jitter

    5120

  • maxdns

    235

  • polling_time

    60000

  • port_number

    443

  • sc_process32

    %windir%\syswow64\dfrgui.exe

  • sc_process64

    %windir%\sysnative\dfrgui.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDaxb4IJ+cn+nbIo0UAWhsGngA5uQImWmV45RX6fH8ISCN93+Rh63Z4Vh2MyxHCoAqJ2pWtyptAbDAxkZQp66O9gDUJSfnJ+LZffG3m66EstIkvj0dPIO0Aiox4KN37itYFtraVXy5B0MVcPLqpkagnmsxuJBWCVQrW/ObJDqw2kwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    3.2384e+09

  • unknown2

    AAAABAAAAAIAAABAAAAAAgAAAEAAAAACAAAAQAAAAAIAAABAAAAAAgAAAEAAAAACAAAAQAAAAAIAAABAAAAAAgAAAEAAAAACAAAAQAAAAAIAAABAAAAAAgAAAEAAAAACAAAAQAAAAAIAAABAAAAAAgAAAEAAAAACAAAAQAAAAAIAAABAAAAAAgAAAEAAAAACAAAAQAAAAAIAAABAAAAAAgAAAEAAAAACAAAAQAAAAAIAAABAAAAAAgAAAEAAAAACAAAAQAAAAAIAAABAAAAAAgAAAEAAAAACAAAAQAAAAAIAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /temp/

  • user_agent

    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36

  • watermark

    666

Signatures

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

    trojanbackdoorcobaltstrike
  • Blocklisted process makes network request 9 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 17 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\malware.ps1
    1⤵
    • Blocklisted process makes network request
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:3680
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Checks processor information in registry
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:3604
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:1236
    • C:\Windows\System32\12t9_p.exe
      "C:\Windows\System32\12t9_p.exe"
      1⤵
        PID:2704
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k SDRSVC
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2992

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Credential Access

      Discovery

      Query Registry

      2
      T1012

      Peripheral Device Discovery

      1
      T1120

      System Information Discovery

      2
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5ookljb0.giw.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit
      • memory/3604-21-0x0000025F55BA0000-0x0000025F55BA1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3604-43-0x0000025F55A10000-0x0000025F55A20000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3604-33-0x0000025F55BA0000-0x0000025F55BA1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3604-32-0x0000025F55BA0000-0x0000025F55BA1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3604-31-0x0000025F55BA0000-0x0000025F55BA1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3604-30-0x0000025F55BA0000-0x0000025F55BA1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3604-29-0x0000025F55BA0000-0x0000025F55BA1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3604-27-0x0000025F55BA0000-0x0000025F55BA1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3604-28-0x0000025F55BA0000-0x0000025F55BA1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3604-23-0x0000025F55BA0000-0x0000025F55BA1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3604-22-0x0000025F55BA0000-0x0000025F55BA1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3680-14-0x0000014620BA0000-0x0000014620C1D000-memory.dmp
        Filesize

        500KB

        Download
      • memory/3680-20-0x0000014620B60000-0x0000014620BA0000-memory.dmp
        Filesize

        256KB

        Download
      • memory/3680-19-0x00000146081C0000-0x00000146081D0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3680-18-0x00000146081C0000-0x00000146081D0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3680-17-0x00007FF9BF2C0000-0x00007FF9BFD81000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/3680-16-0x0000014620BA0000-0x0000014620C1D000-memory.dmp
        Filesize

        500KB

        Download
      • memory/3680-15-0x0000014620B60000-0x0000014620BA0000-memory.dmp
        Filesize

        256KB

        Download
      • memory/3680-13-0x00000146081C0000-0x00000146081D0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3680-12-0x00000146081C0000-0x00000146081D0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3680-11-0x00000146081C0000-0x00000146081D0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3680-10-0x00007FF9BF2C0000-0x00007FF9BFD81000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/3680-9-0x00000146208C0000-0x00000146208E2000-memory.dmp
        Filesize

        136KB

        Download
      • memory/3680-51-0x00007FF9BF2C0000-0x00007FF9BFD81000-memory.dmp
        Filesize

        10.8MB

        Download