Analysis
-
max time kernel
125s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
28-04-2024 00:18
Behavioral task
behavioral1
Sample
malware.ps1
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
malware.ps1
Resource
win10v2004-20240419-en
General
-
Target
malware.ps1
-
Size
222KB
-
MD5
8eea2778505dda470dfe222fa260a7b7
-
SHA1
11f42aa29d576220e9fe69366a7c7f99498eda8c
-
SHA256
f306f36cedd08d9e83056f41564a96142611cce5a38882edd13046c402b628d8
-
SHA512
a8451d8dd52198290a30d348c1520e740249de8bbb29fa1b2f39829436e0985b5810c323fe0ce7394dc1f00dcd9ea6a0e89651e5b81a92dff17aeab4fa2581e5
-
SSDEEP
6144:cUTXaH4di1kb6FFGaKMkWfjkY/9jZDEXNf+jCNUi:cqakbCFFRBbrlEXcCGi
Malware Config
Extracted
cobaltstrike
666
http://bellebobas.com:443/gifs/
-
access_type
512
-
beacon_type
2048
-
dns_idle
6.7373064e+07
-
dns_sleep
8.1297408e+08
-
host
bellebobas.com,/gifs/
-
http_header1
AAAACgAAAB9BY2NlcHQtTGFuZ3VhZ2U6IGVuLVVTLGVuO3E9MC41AAAACgAAAFJBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LGltYWdlL3dlYnAsKi8qO3E9MC44AAAACgAAAB5BY2NlcHQtRW5jb2Rpbmc6IGd6aXAsIGRlZmxhdGUAAAAKAAAAEUNvbm5lY3Rpb246IGNsb3NlAAAABwAAAAAAAAAPAAAADQAAAAEAAAALL2tpdHRlbi5naWYAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
http_header2
AAAACgAAAB5Db250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL2pzb24AAAAKAAAAEUNvbm5lY3Rpb246IGNsb3NlAAAABwAAAAAAAAAPAAAACAAAAAYAAAAOQXV0aGVudGljYXRpb24AAAAHAAAAAQAAAAMAAAACAAAAc3siaW1hZ2VfdXJsIiA6ICJodHRwczovL3N1bjktMjMudXNlcmFwaS5jb20vRzRKdmRaREVmTGRJUGxOTjEtSmtNR1EydW5mMktFSVY1NE9tNWcvYWJKNzBqR0hmVmsuanBnIiwgIm1ldGFkYXRhIiA6ICIAAAABAAAAAiJ9AAAABAAAAAAAAA==
-
http_method1
GET
-
http_method2
POST
-
jitter
5120
-
maxdns
235
-
polling_time
60000
-
port_number
443
-
sc_process32
%windir%\syswow64\dfrgui.exe
-
sc_process64
%windir%\sysnative\dfrgui.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDaxb4IJ+cn+nbIo0UAWhsGngA5uQImWmV45RX6fH8ISCN93+Rh63Z4Vh2MyxHCoAqJ2pWtyptAbDAxkZQp66O9gDUJSfnJ+LZffG3m66EstIkvj0dPIO0Aiox4KN37itYFtraVXy5B0MVcPLqpkagnmsxuJBWCVQrW/ObJDqw2kwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
3.2384e+09
-
unknown2
AAAABAAAAAIAAABAAAAAAgAAAEAAAAACAAAAQAAAAAIAAABAAAAAAgAAAEAAAAACAAAAQAAAAAIAAABAAAAAAgAAAEAAAAACAAAAQAAAAAIAAABAAAAAAgAAAEAAAAACAAAAQAAAAAIAAABAAAAAAgAAAEAAAAACAAAAQAAAAAIAAABAAAAAAgAAAEAAAAACAAAAQAAAAAIAAABAAAAAAgAAAEAAAAACAAAAQAAAAAIAAABAAAAAAgAAAEAAAAACAAAAQAAAAAIAAABAAAAAAgAAAEAAAAACAAAAQAAAAAIAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/temp/
-
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36
-
watermark
666
Signatures
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Blocklisted process makes network request 12 IoCs
Processes:
powershell.exeflow pid process 4 2152 powershell.exe 6 2152 powershell.exe 7 2152 powershell.exe 8 2152 powershell.exe 9 2152 powershell.exe 10 2152 powershell.exe 11 2152 powershell.exe 12 2152 powershell.exe 13 2152 powershell.exe 14 2152 powershell.exe 15 2152 powershell.exe 16 2152 powershell.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
powershell.exepid process 2152 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid process Token: SeDebugPrivilege 2152 powershell.exe