Overview

overview

10

Static

static

10

cobalt2.ps1

windows7-x64

3

cobalt2.ps1

windows10-2004-x64

3

Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    24-12-2024 18:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cobalt2.ps1

  • Size

    3KB

  • MD5

    5816bf8947b292fd5837d340fae832d0

  • SHA1

    030b8d8abf08be5d099d8a522d3011963fd84246

  • SHA256

    b9dc6cb759631733b4911dff24e61a73d56e47e01d218c7f219b2811cb93e249

  • SHA512

    3968e37b2156ffa1f02681d117719670084bf1444dd09e65d2da62ae8740b1c3d040cbbf0c05c6596e281d564ebb0d392e64b644482ef49764abd7b85fd87370

Score
3/10
discoveryexecution

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\cobalt2.ps1
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1908
    • \??\c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
      "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -s -NoLogo -NoProfile
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2324

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\WWQY057Y9LHOZGJC5IMH.temp
    Filesize

    7KB

    MD5

    fb407d14d590bb90fe5b78babcfbd1ba

    SHA1

    d6fc1fbdd1223230ead01e581873db6fff01a264

    SHA256

    74f865186d1de47684abc93e3b22387e77ae2b6d6e4c3020841d8a99488cba5b

    SHA512

    e517d0c62790b83169271b6c3532d0d56991057f1c16d4e6add14297f3d22fb24510a896ac4c0a2a5b031204d3a2c5f8ed1213b7fe1517f5145f8a6b2a0e532e

    Download Submit

  • memory/1908-9-0x00000000029E0000-0x0000000002A12000-memory.dmp

    Filesize

    200KB

    Download

  • memory/1908-4-0x000000001B650000-0x000000001B932000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/1908-7-0x000007FEF6540000-0x000007FEF6EDD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1908-8-0x000007FEF6540000-0x000007FEF6EDD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1908-10-0x00000000029E0000-0x0000000002A12000-memory.dmp

    Filesize

    200KB

    Download

  • memory/1908-6-0x000007FEF67FE000-0x000007FEF67FF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1908-11-0x000007FEF6540000-0x000007FEF6EDD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1908-5-0x0000000001DF0000-0x0000000001DF8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1908-14-0x000007FEF67FE000-0x000007FEF67FF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1908-15-0x000007FEF6540000-0x000007FEF6EDD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1908-16-0x000007FEF6540000-0x000007FEF6EDD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1908-18-0x000007FEF6540000-0x000007FEF6EDD000-memory.dmp

    Filesize

    9.6MB

    Download