Overview

overview

10

Static

static

10

malware.ps1

windows7-x64

10

malware.ps1

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-04-2024 00:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    malware.ps1

  • Size

    222KB

  • MD5

    8eea2778505dda470dfe222fa260a7b7

  • SHA1

    11f42aa29d576220e9fe69366a7c7f99498eda8c

  • SHA256

    f306f36cedd08d9e83056f41564a96142611cce5a38882edd13046c402b628d8

  • SHA512

    a8451d8dd52198290a30d348c1520e740249de8bbb29fa1b2f39829436e0985b5810c323fe0ce7394dc1f00dcd9ea6a0e89651e5b81a92dff17aeab4fa2581e5

  • SSDEEP

    6144:cUTXaH4di1kb6FFGaKMkWfjkY/9jZDEXNf+jCNUi:cqakbCFFRBbrlEXcCGi

Score
10/10
cobaltstrike666backdoortrojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

666

C2

http://bellebobas.com:443/gifs/

Attributes
  • access_type

    512

  • beacon_type

    2048

  • dns_idle

    6.7373064e+07

  • dns_sleep

    8.1297408e+08

  • host

    bellebobas.com,/gifs/

  • http_header1

    AAAACgAAAB9BY2NlcHQtTGFuZ3VhZ2U6IGVuLVVTLGVuO3E9MC41AAAACgAAAFJBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LGltYWdlL3dlYnAsKi8qO3E9MC44AAAACgAAAB5BY2NlcHQtRW5jb2Rpbmc6IGd6aXAsIGRlZmxhdGUAAAAKAAAAEUNvbm5lY3Rpb246IGNsb3NlAAAABwAAAAAAAAAPAAAADQAAAAEAAAALL2tpdHRlbi5naWYAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_header2

    AAAACgAAAB5Db250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL2pzb24AAAAKAAAAEUNvbm5lY3Rpb246IGNsb3NlAAAABwAAAAAAAAAPAAAACAAAAAYAAAAOQXV0aGVudGljYXRpb24AAAAHAAAAAQAAAAMAAAACAAAAc3siaW1hZ2VfdXJsIiA6ICJodHRwczovL3N1bjktMjMudXNlcmFwaS5jb20vRzRKdmRaREVmTGRJUGxOTjEtSmtNR1EydW5mMktFSVY1NE9tNWcvYWJKNzBqR0hmVmsuanBnIiwgIm1ldGFkYXRhIiA6ICIAAAABAAAAAiJ9AAAABAAAAAAAAA==

  • http_method1

    GET

  • http_method2

    POST

  • jitter

    5120

  • maxdns

    235

  • polling_time

    60000

  • port_number

    443

  • sc_process32

    %windir%\syswow64\dfrgui.exe

  • sc_process64

    %windir%\sysnative\dfrgui.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDaxb4IJ+cn+nbIo0UAWhsGngA5uQImWmV45RX6fH8ISCN93+Rh63Z4Vh2MyxHCoAqJ2pWtyptAbDAxkZQp66O9gDUJSfnJ+LZffG3m66EstIkvj0dPIO0Aiox4KN37itYFtraVXy5B0MVcPLqpkagnmsxuJBWCVQrW/ObJDqw2kwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    3.2384e+09

  • unknown2

    AAAABAAAAAIAAABAAAAAAgAAAEAAAAACAAAAQAAAAAIAAABAAAAAAgAAAEAAAAACAAAAQAAAAAIAAABAAAAAAgAAAEAAAAACAAAAQAAAAAIAAABAAAAAAgAAAEAAAAACAAAAQAAAAAIAAABAAAAAAgAAAEAAAAACAAAAQAAAAAIAAABAAAAAAgAAAEAAAAACAAAAQAAAAAIAAABAAAAAAgAAAEAAAAACAAAAQAAAAAIAAABAAAAAAgAAAEAAAAACAAAAQAAAAAIAAABAAAAAAgAAAEAAAAACAAAAQAAAAAIAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /temp/

  • user_agent

    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36

  • watermark

    666

Signatures

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

    trojanbackdoorcobaltstrike
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 33 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 56 IoCs
  • Suspicious use of SendNotifyMessage 56 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\malware.ps1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2864
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:728

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_l2kn4ueu.tsg.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • memory/728-20-0x0000022EB75E0000-0x0000022EB75E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/728-26-0x0000022EB75E0000-0x0000022EB75E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/728-27-0x0000022EB75E0000-0x0000022EB75E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/728-28-0x0000022EB75E0000-0x0000022EB75E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/728-29-0x0000022EB75E0000-0x0000022EB75E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/728-30-0x0000022EB75E0000-0x0000022EB75E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/728-31-0x0000022EB75E0000-0x0000022EB75E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/728-32-0x0000022EB75E0000-0x0000022EB75E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/728-22-0x0000022EB75E0000-0x0000022EB75E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/728-21-0x0000022EB75E0000-0x0000022EB75E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2864-13-0x000001FFF6F10000-0x000001FFF6F8D000-memory.dmp

    Filesize

    500KB

    Download

  • memory/2864-19-0x000001FFF6ED0000-0x000001FFF6F10000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2864-18-0x000001FFF6510000-0x000001FFF6520000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2864-17-0x000001FFF6510000-0x000001FFF6520000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2864-16-0x00007FFBB33A0000-0x00007FFBB3E61000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2864-15-0x000001FFF6F10000-0x000001FFF6F8D000-memory.dmp

    Filesize

    500KB

    Download

  • memory/2864-14-0x000001FFF6ED0000-0x000001FFF6F10000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2864-0-0x000001FFF5F40000-0x000001FFF5F62000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2864-12-0x000001FFF6510000-0x000001FFF6520000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2864-11-0x000001FFF6510000-0x000001FFF6520000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2864-10-0x00007FFBB33A0000-0x00007FFBB3E61000-memory.dmp

    Filesize

    10.8MB

    Download